Does anyone know how to make an attestation for all permissions of a single person?

Hi everyone,

I would like to create an attestation run for all permissions of a single person/identity to validate their permissions.

Currently I have no idea how to do so, because each attestation object/policy/run is strictly defined on one table.

In the end I need to create many different attestation runs at once:

- one for Group-Entitlements (UNSAccountInUnsGroup)

- one for Business Roles (PersonInOrg)

- one for System Roles (PersonHasEset)

- one for account definitions (PersonHasTSBAccountDef)

- one for Resources (PersonHasQERResource)

- one for ApplicationRoles (PersonInAERole)

and so on.

Does anyone have an idea how this can be done without creating multiple attestation runs with different policies?

Thank you in advance.

Best Regards

  • Hi Martin,

    You are correct that you will need an attestation policy per entitlement type as you have listed.

    We do something just like this at my customer.  All entitlements are attested when an employee transfers.

    There are multiple attestation policies .... one for each table.  This is needed so that you have the entries in the helper tables, otherwise you can't use the method to create the attestations.

    Then we have a complicated script that iterates across all the policies (they are all assigned to a particular compliance framework to 'group' them) ..... then for each policy we get the whereclause condition and programmatically add something like:  AND UID_Person = xxxx

    Then we get the collection of entries that are for that person for that table and use the method CreateAttestations (or CreateAttestation if there is only one object) to create the attestations.

    You will not be able to avoid having many attestation cases split across multiple policies split across multiple runs.

    But it works .... hope my explanation makes sense.

    Regards, Barry.
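
The per-policy scoping step in the reply above (take each policy's WhereClause, narrow it to one identity, then hand the resulting collection to CreateAttestations), modelled as an added Python example. This is not code from the thread and not the One Identity Manager script API: real scripts are VB.NET and should build the comparison with Session.SqlFormatter rather than string quoting. The policy objects and column names are assumptions for illustration; in particular it assumes, per the standard schema, that UNSAccountInUnsGroup has no UID_Person column and must be filtered through UNSAccountB, and it parenthesises the policy's own condition so an appended AND does not bind only to the last branch of a top-level OR.

```python
"""Model of scoping one attestation policy per table to a single person."""
from dataclasses import dataclass

# Column that links each attested table to a Person (assumed standard schema).
# UNSAccountInUnsGroup has no UID_Person: the row points at an account via
# UID_UNSAccountB, so the person filter has to go through UNSAccountB.
PERSON_LINK = {
    "PersonInOrg": "UID_Person",
    "PersonHasESet": "UID_Person",
    "PersonHasTSBAccountDef": "UID_Person",
    "PersonHasQERResource": "UID_Person",
    "PersonInAERole": "UID_Person",
    "UNSAccountInUnsGroup": None,  # indirect, handled in person_predicate
}


@dataclass
class AttestationPolicy:
    """Hypothetical stand-in for an AttestationPolicy row (not the real entity)."""
    ident: str
    table: str          # table the policy attests
    where_clause: str   # policy condition as stored on the policy; "" = all rows


def sql_literal(value: str) -> str:
    """Quote a UID as a SQL string literal, doubling embedded single quotes.
    A real script should use Session.SqlFormatter.Comparison instead."""
    return "'" + value.replace("'", "''") + "'"


def person_predicate(table: str, uid_person: str) -> str:
    """Predicate restricting `table` to rows belonging to one person."""
    link = PERSON_LINK.get(table)
    if link:
        return f"{link} = {sql_literal(uid_person)}"
    if table == "UNSAccountInUnsGroup":
        return (
            "UID_UNSAccountB IN (SELECT UID_UNSAccountB FROM UNSAccountB "
            f"WHERE UID_Person = {sql_literal(uid_person)})"
        )
    raise ValueError(f"no person link known for table {table}")


def scope_to_person(policy: AttestationPolicy, uid_person: str) -> str:
    """Combine the policy's own condition with the per-person predicate.

    The policy condition is wrapped in parentheses: if it contains a
    top-level OR, a bare "... AND UID_Person = x" would only apply to the
    last OR branch and the run would pick up other people's rows.
    """
    pred = person_predicate(policy.table, uid_person)
    base = policy.where_clause.strip()
    if not base:
        return pred
    return f"({base}) AND {pred}"


def build_run_plan(policies, uid_person: str) -> dict:
    """One scoped condition per policy. The caller would feed each one to
    GetCollection on the policy's table and then call CreateAttestations
    (or CreateAttestation for a single object), as the reply describes."""
    return {p.ident: scope_to_person(p, uid_person) for p in policies}


# Constructed sample policies (not real data) for a transfer framework.
SAMPLE_POLICIES = [
    AttestationPolicy("Transfer - Business roles", "PersonInOrg",
                      "XIsInEffect = 1 OR XOrigin = 1"),
    AttestationPolicy("Transfer - System roles", "PersonHasESet", ""),
    AttestationPolicy("Transfer - Group memberships", "UNSAccountInUnsGroup", ""),
]

if __name__ == "__main__":
    for ident, clause in build_run_plan(SAMPLE_POLICIES, "CCC-1").items():
        print(f"{ident}: {clause}")
```

The UNSAccountInUnsGroup case is the one to check in your environment: because the membership row is keyed by account, the subquery is what makes "all entitlements of this person" actually include their group memberships, and that is also where a naive `AND UID_Person = ...` append fails outright.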

  • It makes sense. It's the solution I have in mind, but I hesitate to implement it, because I'm hoping there is something more convenient.

    Especially in the context of reporting and managing the attestation runs for a single user, this scenario is really complicated. (Just think of the "attestation manager" property in the policy.)

    Thank you for your suggestions.

    Regards, Martin.

  • The problem here is that, I assume, you want to have some kind of auto-removal if a single entitlement is denied. That's why you need separate attestation policies (and objects). If it is just about the certificate (I have seen customers doing that), you just create a report attestation and the report contains the information you need. The OOTB reports for a person should contain the information you need.

  • That's right.

    My company is more like a company group and consists of about 80 companies, which employees switch between really often.

    Therefore we have the request to start ad-hoc attestations on a switch between two companies.

    So it's clear that the employee status of "active" is correct, but it's not clear which permissions can/should be taken to the new company.