21.1 About the Compliance Tab

The Compliance tab provides a convenient way to perform compliance-based actions.

The Compliance tab allows you to initiate attestation processes and check the status of these processes. You can use the Compliance tab to:

  • Initiate an attestation process to allow users to confirm that their user profiles contain accurate information

  • Initiate an attestation process to verify the violations and approved exceptions for a set of separation of duties (SoD) constraints

  • Initiate an attestation process to verify the assignments for a set of roles

  • Initiate an attestation process to verify the assignments for a set of users

  • View the status of your attestation requests to analyze the results for each process

NOTE: The Compliance tab is available only with Identity Manager 4.0.2 Advanced Edition. Standard Edition does not support this feature.

Compliance and Proxy mode

Proxy mode works only on the Work Dashboard tab and is not supported on the Compliance tab. If you enter proxy mode on the Work Dashboard tab, and then switch to the Compliance tab, proxy mode is turned off for both tabs.

21.1.1 About Compliance and Attestation

Compliance is the process of ensuring that an organization conforms to relevant business laws and regulations. One of the key elements of compliance is attestation. Attestation gives an organization a method for verifying that personnel are fully aware of organizational policies and are taking steps to comply with these policies. By requesting that employees or administrators regularly attest to the accuracy of data, management ensures that personnel information such as user profiles, role assignments, and approved separation of duties (SoD) exceptions is up to date and in compliance.

Attestation Requests and Processes

To allow individuals within an organization to verify the accuracy of corporate data, a user makes an attestation request. This request in turn initiates one or more workflow processes. The workflow processes give the attesters an opportunity to attest to the correctness of the data. A separate workflow process is initiated for each attester. An attester is assigned a workflow task in the Task Notifications list on the Work Dashboard tab. To complete the workflow process, the attester opens the task, reviews the data, and attests that it is correct or incorrect.

The Roles Based Provisioning Module supports four types of attestation:

  • User profile

  • SoD violations

  • Role assignment

  • User assignment

In the case of a user profile attestation process, each user must be the attester for his/her own profile; no other individual can be the attester. In the case of SoD violation, role assignment, and user assignment attestation, the attester may be any user, group, or role. The initiator for the attestation request specifies whether every member or only a single member must attest for a group or role. In the case of a user attestation process, every member must attest for a selected group or role.

To simplify the process of making attestation requests, the Roles Based Provisioning Module installs a set of default request definitions, one for each attestation type:

  • User Profile - Default

  • SoD Violation - Default

  • Role Assignment - Default

  • User Assignment - Default

You can use these request definitions as the basis for making your own requests. Once you’ve provided the details for a new request, you can save these details for future use.

Attestation Forms

Each workflow has an attestation form associated with it. The attester must review the form and fill it in to affirm the correctness of the data. The form is usually defined by the Compliance Administrator.

Each attestation form contains a required attestation question along with a set of optional survey questions. The attestation question is a yes or no question attesting to or denying the overall data. Survey questions can be set up to gather additional data or ask qualifying questions.

The user profile attestation form also includes a set of user attributes with values that the attester must review. The attestation form for an SoD violation, role assignment, or user assignment process includes an attestation report.

Attestation Reports

The attestation report for an SoD violation, role assignment, or user assignment process provides detailed information that the attester is expected to review. The report is generated at the time the attestation process is initiated to ensure that all users are reviewing the same information. The report may be generated in several languages, depending on the report language settings specified for the attestation process.

Attestation Request Status

Once an attestation request has been initiated, it can be easily tracked throughout its lifecycle. The User Application provides a convenient way to look at the status of the request as a whole, as well as the detailed status for each individual workflow process associated with the request. The high-level status for a request gives the user a way to see whether the request is running, completed, initializing, or in error. The detailed status provides information about the number of workflow processes, and the status for each workflow. In addition, it shows the attestation results, which indicate how many answers to the attestation question were affirmative and how many were negative. The attestation results also show which attesters have not taken any action on their assigned workflow tasks.
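The attester rules from About Compliance and Attestation (a user is the sole attester for his or her own profile; a group or role attester may require every member or a single member; user assignment attestation requires every member) and the status summary described above, modelled as an added Python example. This is not the User Application's own API: the AttestationRequest and WorkflowTask classes, the subject field and the all_members flag are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class AttestationType(Enum):
    USER_PROFILE = "user_profile"
    SOD_VIOLATION = "sod_violation"
    ROLE_ASSIGNMENT = "role_assignment"
    USER_ASSIGNMENT = "user_assignment"

@dataclass
class WorkflowTask:
    attester: str
    answer: Optional[bool] = None   # None: the attester has not acted on the task yet

@dataclass
class AttestationRequest:
    kind: AttestationType
    subject: str                    # user, role, or SoD constraint set the request is about (hypothetical field)
    all_members: bool               # True: every attester must answer; False: a single answer suffices
    tasks: List[WorkflowTask] = field(default_factory=list)

def start_request(kind, subject, attesters, all_members=True):
    """Create one workflow task per attester, enforcing the attester rules described on this page."""
    if kind is AttestationType.USER_PROFILE and attesters != [subject]:
        raise ValueError("user profile attestation: the user must be the sole attester")
    if kind is AttestationType.USER_ASSIGNMENT and not all_members:
        raise ValueError("user assignment attestation: every member must attest")
    tasks = [WorkflowTask(a) for a in attesters]
    return AttestationRequest(kind, subject, all_members, tasks)

def record_answer(req, attester, answer):
    """Record an attester's yes/no answer to the required attestation question."""
    task = next((t for t in req.tasks if t.attester == attester), None)
    if task is None:
        raise KeyError(f"{attester} has no workflow task in this request")
    if task.answer is not None:
        raise ValueError(f"{attester} has already answered")
    task.answer = bool(answer)

def status(req):
    """Summary as the status view presents it: overall state plus the attestation results."""
    affirmative = sum(1 for t in req.tasks if t.answer is True)
    negative = sum(1 for t in req.tasks if t.answer is False)
    no_action = [t.attester for t in req.tasks if t.answer is None]
    done = not no_action or (not req.all_members and affirmative + negative > 0)
    return {"state": "completed" if done else "running", "workflows": len(req.tasks),
            "affirmative": affirmative, "negative": negative, "no_action": no_action}
```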

Compliance Security

The Compliance tab recognizes a single administrator role called the Compliance Administrator. A Compliance Administrator is designated at installation time. After installation, additional users can be assigned to the Compliance Administrator role. To make additional assignments, you need to use the RBPM Provisioning and Security > Administrator Assignments page in the User Application.

The Compliance Administrator role is described in detail below:

Table 21-1 System Role for Compliance Functions

Role: Compliance Administrator

Description: An administrator who has the full range of capabilities within the Compliance domain. The Compliance Administrator can perform all possible actions for all objects within the Compliance domain.

These actions include the ability to:

  • Request user profile attestation processes.

  • Request SoD violation attestation processes.

  • Request role assignment attestation processes.

  • Request user assignment attestation processes.

  • View the status for all attestation requests that have been submitted.

NOTE: Any user can be defined as an attester for an attestation process. An attester does not need to belong to the Compliance Administrator role.

The Compliance tab does not allow access by authenticated users that do not have membership in the Compliance Administrator role listed above.