Oracle Waveset 8.1.1 Deployment Reference

Attestor Rule

Every user entitlement that is created in a pending state must be attested by someone. During an access review, Identity Auditor passes each User view to the Attestor rule to determine who gets the initial attestation requests.

The idmManager attribute on the WSUser object contains the Waveset account name and ID of the user’s manager.

You can use alternate implementations to designate both IdmManager and any Resource owners as attestors (for Resources included in the view). This rule takes the current User view and a LighthouseContext object as inputs, so you can use any data known to Waveset.

Inputs:

Accepts the following arguments:

You must specify the following for a custom Attestor rule:

AuthType: AccessScanRule

SubType: ATTESTORS_RULE

Called: During access scan, after evaluating all audit policies but before dispatching the user entitlement

Returns: A list of zero or more Waveset attestor names (users responsible for attesting a particular user entitlement) or NamedValue pairs.

  • If the result is a string, it must resolve to a Waveset account ID. If delegation is enabled for the access scan, the access scan will use the delegation settings of the Waveset user returned by the code.

  • If the result is a NamedValue, it is assumed to be a bound delegation pair [Delegator, Delegatee], and the access scan will not resolve any further.

    Note: If the rule returns NamedValue pair elements, they are passed on without validation.


  • If the result is not a valid Waveset user name, the rule appends errors to the scan task results, but the scan thread continues.

  • If the result is a zero-length list, the attestation request remains in pending state because nobody will process the request.

  • If the result is neither a string nor a NamedValue, an exception results and the scan thread aborts.
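
The following is an added example, not Oracle's or Waveset's own code: a Python model of the return contract above, for checking the output of a custom Attestor rule in a test environment before it is assigned to an access scan. The NamedValue class, the check_attestor_result function and the account names are hypothetical stand-ins, and the set of known accounts is assumed to be exported separately.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NamedValue:
    """Hypothetical stand-in for a bound delegation pair [Delegator, Delegatee]."""
    delegator: str
    delegatee: str


def check_attestor_result(result, known_accounts):
    """Return (severity, message) findings for one Attestor rule result list.

    Follows the documented handling: an unknown name is an error the scan
    survives, an empty list leaves the request pending with no attestor, and
    an element that is neither a string nor a NamedValue aborts the scan.
    """
    findings = []
    if len(result) == 0:
        findings.append(("warn", "empty list: request stays pending, nobody will process it"))
    for item in result:
        if isinstance(item, str):
            if item not in known_accounts:
                findings.append(("error", f"'{item}' is not a valid account; scan logs an error and continues"))
        elif isinstance(item, NamedValue):
            # The access scan passes these pairs on without validation,
            # so both sides of the pair are checked here instead.
            for role, name in (("delegator", item.delegator), ("delegatee", item.delegatee)):
                if name not in known_accounts:
                    findings.append(("error", f"unvalidated pair: {role} '{name}' is not a known account"))
        else:
            findings.append(("fatal", f"{type(item).__name__} element: scan thread would abort"))
    return findings


if __name__ == "__main__":
    accounts = {"jsmith", "mlee"}  # constructed sample account names
    samples = [                    # constructed sample rule outputs
        ["jsmith"],
        [],
        ["ghost", NamedValue("jsmith", "nobody"), 42],
    ]
    for sample in samples:
        print(sample, "->", check_attestor_result(sample, accounts))
```
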

Predefined Rules: Default Attestor

Location: Compliance > Manage Policies > Access Scan > Attestor Rule