[MUSIC PLAYING] A little bit of information upfront. If you talk about attestation re-certification, attestation means that we attest specific entitlement assignments to users. That means decision makers get notice about the permission situation on their users' side, and they have to decide if this is OK or not.
At the end, in the Identity Manager, we differ between the attestation policy, which is the calculation description. That means how to create an attestation campaign. The attestation campaign is to use these policies to create attestation cases. And each of these cases is then a single decision.
This means that we need some permissions to create such policies and later on to run such campaigns, therefore exists some application rules. And this is what we will show you at the end of this video.
To start with attestation, I am now signed in as Audrey. As you remember from my previous videos, Audrey is our super user. She is as well the compliance officer. And because of that, she is able to create attestation policies.
As you can see, I am in the [INAUDIBLE] Web portal. I just switched to Attestations, select Governance Administration. And in Governance Administration, I can have a look on running attestation campaigns, or I can look here into the attestation policies, which are the templates where the attestation campaigns will be generated out of.
I click on the Settings. As you can see in this system, there are some privileged account related attestation policies configured. This is not the complete set of attestation policies as out of the box exists some more. I can include the deactivated policies and set a filter here, for example, to start with PAM.
And if I do so and set the filter, then you can see it easily. There are a lot of out-of-the-box privileged account management related attestation policies. These things could be copied and you can then build your own attestation policies out of the existing standard policies.
And that is typically the way you should do it especially because these attestation policies are not modifiable. So you cannot really modify them, and-- and this is the main important thing-- the standard out-of-the-box policies always consider all objects. And this is normally not what you have.
What I like now to create, it's a very, very easy attestation policy. I like to create one from scratch just to show you the capabilities. And this attestation policy should be there to attest the members of the Safeguard Group OneIM we have seen in one of the previous [INAUDIBLE].
I just click on New Attestation Policy to get a new attestation policy. Here it is. And I name the whole thing here. I need here the attestation procedure. There are many attestation procedures, and these attestation procedures are not only for privileged account management. Here is for privileged access, a complete PAM-related section.
But I'm not looking for privileged access right now. I'm looking for a membership attestation. And this is a system entitlement membership attestation. And because this is a group of Safeguard, it is a system entitlement of Safeguard. And so I have to look into the system entitlement membership attestation.
I just click on that. That means first I selected the procedure. That means what should be attested. It's a group membership. Now I'm just configuring who will be the approver.
I have two choices. One is attestation by selected approvers. The other is attestation of group membership by the product owner. I select the product owner, [INAUDIBLE]. These product owners are configured for Safeguard. And the next thing I have to configure is my calculation schedule. I set it to monthly.
As you can see, time requirements are seven days. This means during seven days after the attestation campaign started, all decisions have to be made. If not, decision makers get in trouble.
So compliance framework should always be selected. Easy to do that. It's the only out-of-the-box compliance framework that exists. And we latch the obsolete tasks automatically checked. The reason for that is the following attestation always goes along with re-certification, and re-certification means that one month after the first attestation cases was calculated, the next attestation campaign gets calculated and the attestation campaign will as well create attestation cases.
It could now be that some of the decision makers not during the seven days was doing their work. And so there are some open attestation cases left from the last campaign. And now this checkbox says, please close them especially because you calculate new attestation cases for maybe the same object. So this is a good checkbox, and this is the reason why it's default checked to ensure that your system gets not filled and filled with obsolete attestation cases.
So last but not least, I have to select the object. I click here on the class. And I select here specific to select this specific ownership. And what I'd like to do here is I like to select the OneIM group.
It is a Safeguard group. Why it's a Safeguard group? Because here on the right side, you can see the target system. The target system is a SG something else. This is a Safeguard applied.
So I just select this specific group. Here we are and as description, it's whatever else. Nice comment. And that more or less it is. I have assigned the group. It is already commented. I just click on Create. And now I do have a new attestation somewhere.
To see my attestation I already created, I can see that. It's the member of OneIM group local. This is the one here. But maybe you use another name then starting with PAM. So I just want to say, please don't forget to delete the filters if you want to see all of them.
Here we are. This is my attestation policy. With this system attestation policy that is here in the list. The system will now create attestation cases. This works in a way that a schedule will just trigger this specific policy.
So the only thing I have to do in a production environment is to wait a little bit. After a short while, then the whole thing is calculated. That means the attestation cases are available. And now my attestation decision makers get their notice that they have to do something in the system.
In our system-- oh wonder of wonder-- Audrey. It's the same person which is responsible for these attestation cases. Then it was the person responsible to creating the policy. So in our very specific scenario, Audrey was generating work for herself, which is not really nice but possible.
And I'm now stepping in attestation-- this time as decision maker, not as compliance officer-- and I am just stepping into my actions. And as you can see here, there are several so named pending actions. I can step into these pending actions. And I want to look into the section of system entitlements here.
As you can see, here is the OneIM group. And as you can see on the basis of the specific policy now, for each member of this Safeguard group, there is now a decision to perform. For example, I can have a look into the list and figure out if I can find Randy. Randy was one of the users I assigned to that specific group in one of my last videos.
And as you can see, there is an entry for Randy Dottin. And as decision maker, I can now approve this and can say, yes, of course, it was pretty correct that this person has access to this specific Safeguard group. Last but not least, I have then to click Next, and I can save the whole thing.
And with that, I approved one of these attestation cases. OK. OK. There are other 40 left. And this is now my next task to do.
Last but not least, as well possible then for people who are allowed to run attestation campaigns and a wonder wonder, it's Audrey again. I can just look into attestation-- this time Governance Administration. And I can look into the attestation policy runs.
And here you will find our policy as well. Here there it is, a privileged account management user and local Safeguard groups. I can just select this. And here on the right side, then you can see the complete status of this specific policy, category bad-- this is because of the other 40 users we have not attested right now. But at the end, here you will then get a specific overview about things that already happened.
Always necessary to know which roles are able just to do something in the Identity Manager in case of attestation what we saw before. There are two important roles. The first role is the role of Identity and Access Governance attestation. As you can see in the description, this role is there just to allow to handle the attestation management.
Additionally to that, access the role compliance and security officers. This description is a little bit hard to read, so I just step into the master data page. And as you can see, this role is important, especially because it allows you to define attestation policies, so--
[MUSIC PLAYING]