• State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 93 subscribers
  • Views 4247 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Attestation of Application Roles in case of an event

saba.naaz
over 5 years ago

 HI Experts,

 

I need to implement an attestation use case where attestation can be triggered on an event. For.e.g. Whenever an entitlement is assigned to a user in a connected endpoint ( like AD) and upon Reconciliation , the entitlement is updated in OneIM, this should trigger an attestation case to the Manager asking to attest the newly assigned role.

Looking for your suggestions on how this can be implemented.

Is there any way we can detect the change in Data ( like what happens in case of SOD violation which gets detected whenever there is a change in data )  and trigger an attestation  case.

 

Thanks in Advance !

 

Saba

  • 0 over 5 years ago

    For performance reasons, i wouldn't check this on a single event base but I would create a process chain that would be triggered by the PostSync event of your traget system that creates attestation cases for all newly created group (role) memberships by the Synchronization user.

    You will find more about the PostSync event here https://support.oneidentity.com/technical-documents/identity-manager/8.0/target-system-synchronization-reference-guide/37#TOPIC-863351

  • 0 over 5 years ago

    Thanks Markus,

    I started working on the suggested lines but i am not sure on what i should be choosing/supplying in my process step that can trigger attestation cases .

    I have created an attestation policy( along with procedure, workflow etc) to run attestation on AD group -user membership. I tested this working when triggering directly from manager tool.

    I have also created an a process chain on PostSync event for ADSAccountInADSGroup table and added a new process step but i am not sure on what to do in process step so that the attestation cases can be triggered using my attestation Policy.

     

    In addition, how would i identify if a record in ADSAccountInADSGroup is inserted by Synchronization user as all the records in this table seems to have inserted by QBM_DBQueueProcess

     

     

    Please suggest me the way forward.

    Thanks!

  • 0 over 5 years ago

    Suggestions

    • The PostSync event is fired on the base object of the synchronization according to the documentation. In your case, this is be the ADSDomain and not ADSAccountInADSGroup.
    • The memberships will be added by the user Synchronization which is not the case in your example because you are looking at primary group memberships (Domain Users) that will always be created internally by the DBQueueProcessor. Choose better sample data and you will see my point.