Technology Blogs by Members
simona_lincheva4
Hi all,

This blog covers the options SAP IdM offers for attestation: what comes with the standard IdM processes and what we implemented on top as additional customizations.

First we have to decide between the attester options IdM offers on the attestation task ("Get Attesters from"):

[Image: SAP IdM Attestation task]

[Image: attest process setup]


We can choose between:

  • Task


The attesters are defined in the Attester field below (that is, on the attestation task itself).

Note: this gives a single attester for the whole attestation process, the one set in the Attester field.

  • Role/Privilege


The attesters are defined on the role or privilege with the attribute MX_ATTESTER.

  • Manager


The attester(s) will be the manager(s) defined on the user(s) with the attribute MX_MANAGER.

  • User Defined


The attesters are set via context variables in the preprocessing task.

 

Before starting the implementation we have to review the existing assignment structure (we use SQL queries against the IdM database to get the report needed to choose the best option):

  • Case 1 - if we have 1000 users assigned to 1 privilege and those 1000 users have 20 different managers, the Manager option creates 1 task per manager with around 50 users inside the task

    • but if each manager has 50 users and we run attestation for all privileges in IdM, and those 50 users hold between 200 and 2000 different roles/privileges, then each manager will receive between 200 and 2000 or more tasks



  • Case 2 - if we have 1000 users assigned to 1 privilege and the attester attribute (MX_ATTESTER) is set on this privilege, taking the attester from the privilege itself, we will have 1 task with 1000 users inside

    • in Case 2 we can use the privilege approvers as attesters, but we have to validate the number of tasks that will be created for each attester

    • if an attester would end up with more than 600 privileges to attest, we might have to think of a way to split the tasks between more attesters
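
To compare these cases before the run, here is an added sizing example in Python. It is not SAP code and the population it uses is constructed inline (1000 users in one shared privilege plus one of 40 departmental privileges each, 20 managers, one privilege owner) rather than read from an IdM database; the sizing rule it encodes is the one described above, one task per attester and privilege with the holders as the task's assignments.

```python
"""Sizing model for SAP IdM attestation: how many tasks each attester gets
under the "Get Attesters from" options Task, Role/Privilege and Manager.
Added example, not SAP code; all data below is constructed."""
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample population (not from a real IdM system).
USERS = [f"user{i:04d}" for i in range(1000)]
MX_MANAGER = {u: f"manager{i % 20:02d}" for i, u in enumerate(USERS)}
ASSIGNMENTS = [(u, "PRIV:SAP_ALL_DISPLAY") for u in USERS]            # 1000 in one privilege
ASSIGNMENTS += [(u, f"PRIV:DEPT_{i % 40:02d}") for i, u in enumerate(USERS)]
MX_ATTESTER = {priv: "priv_owner" for _, priv in ASSIGNMENTS}          # one owner for all 41


def plan_tasks(assignments, option, *, task_attester=None,
               mx_manager=None, mx_attester=None):
    """Group (user, privilege) assignments into attestation tasks.

    One task is created per (attester, privilege) pair; the users holding that
    privilege become the task's assignments. Returns
    {attester: {privilege: [users]}}.
    """
    mx_manager = mx_manager or {}
    mx_attester = mx_attester or {}
    tasks = defaultdict(lambda: defaultdict(list))
    for user, priv in assignments:
        if option == "Task":
            attester = task_attester            # single attester from the task
        elif option == "Role/Privilege":
            attester = mx_attester.get(priv)    # MX_ATTESTER on the privilege
        elif option == "Manager":
            attester = mx_manager.get(user)     # MX_MANAGER on the user
        else:
            raise ValueError(f"unknown option {option!r}")
        # A missing attester would leave the assignment unattested; surface it
        # in the plan instead of silently dropping it.
        tasks[attester or "<no attester>"][priv].append(user)
    return tasks


@dataclass(frozen=True)
class AttesterLoad:
    tasks: int
    assignments: int
    largest_task: int
    overloaded: bool


def load_per_attester(tasks, max_tasks=600):
    """Summarise each attester's load and flag those above max_tasks tasks."""
    result = {}
    for attester, per_priv in tasks.items():
        sizes = [len(users) for users in per_priv.values()]
        result[attester] = AttesterLoad(
            tasks=len(sizes), assignments=sum(sizes),
            largest_task=max(sizes), overloaded=len(sizes) > max_tasks)
    return result


def attesters_needed(load, max_tasks=600):
    """How many attesters an overloaded attester's tasks would have to be split across."""
    return math.ceil(load.tasks / max_tasks)


if __name__ == "__main__":
    for option in ("Manager", "Role/Privilege", "Task"):
        plan = plan_tasks(ASSIGNMENTS, option, task_attester="audit_lead",
                          mx_manager=MX_MANAGER, mx_attester=MX_ATTESTER)
        for attester, load in sorted(load_per_attester(plan).items())[:3]:
            print(option, attester, load)
```

With this population the Manager option gives every manager 3 tasks (the shared privilege plus two departmental ones) and 100 assignments, while the Role/Privilege option puts all 41 tasks and 2000 assignments on the single privilege owner, which is exactly the trade-off between Case 1 and Case 2; lower `max_tasks` to see the overload flag and the split estimate kick in.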




The next step is building the custom UI supporting the attestation process (we recommend SAPUI5 consuming the standard IdM REST API exposed by the attestation process):

[Image: Attestation UI home page]

[Image: UI overview]

[Image: UI overview option 2]


In addition the UI can offer some useful extras:

  • Additional user information

  • Role/privilege description, as the technical name alone may not be enough for the attester to decide

  • For privileges, the back-end system they belong to

[Image: Additional user info]

[Image: UI comment]

[Image: Info on delegated tasks]

Note: users delegated from a task are no longer visible in the initial attester's inbox, but we can still retrieve their number and display a warning when a task has delegations.

 

Here are most of the REST calls used from the SAPUI5 application (examples):

[Image: SAP IdM Attestation REST options]

  • ToDo tab – attester overview (example):

    • /idmrestapi/v2/service/TaskCollection - GET

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments/$count - GET

  • Detail UI

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments - GET

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData - GET

  • Detail Delegate (example)

    • Get Users

      • /idmrestapi/v2/service/ET_MX_PERSON?filterBasic=USER_ID - GET

    • Delegate to User

      • /idmrestapi/v2/service/Decision?InstanceID='NxNN'&SAP__Origin='IDM'&DecisionKey='DELEGATE'&DelegateId='12312'&LinkId='31231232112'&Comments='test' - POST

    • Assignments refresh after action

      • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments - GET

      • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData - GET

  • Detail REST calls (overview with examples)

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments - GET

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData - GET

    • Detail Certify

      • /idmrestapi/v2/service/Decision?InstanceID='NxNN'&SAP__Origin='IDM'&DecisionKey='ATTEST'&Action='CERTIFY'&LinkId='123123123'&Comments='test' - POST
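
The calls above put user-controlled text (the comment, the delegate and link IDs) straight into OData string literals in the URL, so a client must quote them correctly or a stray single quote breaks the request or changes its parameters. The following added Python client is not SAP code: the paths, entity names and parameter names are taken from the list above, while the CSRF handshake (a GET with `X-CSRF-Token: Fetch`, the returned token echoed on the POST) is an assumption about this endpoint, and the transport is injectable so the flow can be exercised without a server.

```python
"""Minimal client for the IdM REST API v2 attestation calls listed above.
Added example, not SAP code. The CSRF handshake is an assumption about the
endpoint; the transport is injectable so this runs offline."""
import urllib.parse
import urllib.request

BASE = "/idmrestapi/v2/service"


def odata_str(value):
    """Render value as an OData string literal that is safe in the URL.

    Embedded single quotes are doubled (the OData escape) so a comment like
    O'Brien cannot terminate the literal and smuggle in extra parameters;
    everything else is percent-encoded, the quotes themselves are kept.
    """
    literal = "'" + str(value).replace("'", "''") + "'"
    return urllib.parse.quote(literal, safe="'")


def task_key(instance_id, origin="IDM"):
    """Key predicate shared by every TaskCollection(...) call."""
    return (f"TaskCollection(SAP__Origin={odata_str(origin)},"
            f"InstanceID={odata_str(instance_id)})")


def url_tasks():                          # ToDo tab: tasks of the logged-on attester
    return f"{BASE}/TaskCollection"


def url_assignment_count(instance_id):    # number of users in a task
    return f"{BASE}/{task_key(instance_id)}/Assignments/$count"


def url_assignments(instance_id):         # detail UI and refresh after an action
    return f"{BASE}/{task_key(instance_id)}/Assignments"


def url_custom_attributes(instance_id):
    return f"{BASE}/{task_key(instance_id)}/CustomAttributeData"


def url_users(filter_basic):              # delegate dialog: user lookup
    return f"{BASE}/ET_MX_PERSON?filterBasic={urllib.parse.quote(str(filter_basic))}"


def url_decision(instance_id, decision_key, **params):
    """Decision?InstanceID=..&SAP__Origin=..&DecisionKey=..&<params>, sent as POST."""
    query = {"InstanceID": instance_id, "SAP__Origin": "IDM",
             "DecisionKey": decision_key, **params}
    return f"{BASE}/Decision?" + "&".join(
        f"{k}={odata_str(v)}" for k, v in query.items())


def url_certify(instance_id, link_id, comments):
    return url_decision(instance_id, "ATTEST", Action="CERTIFY",
                        LinkId=link_id, Comments=comments)


def url_delegate(instance_id, link_id, delegate_id, comments):
    return url_decision(instance_id, "DELEGATE", DelegateId=delegate_id,
                        LinkId=link_id, Comments=comments)


class IdmClient:
    """GET fetches a CSRF token, POST replays it (assumed handshake).
    transport(method, url, headers, body) -> (status, headers, body)."""

    def __init__(self, host, transport=None, extra_headers=None):
        self.host = host.rstrip("/")
        self.transport = transport or self._urllib_transport
        self.headers = {"Accept": "application/json", **(extra_headers or {})}
        self.csrf = None

    @staticmethod
    def _urllib_transport(method, url, headers, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()

    def get(self, path):
        status, hdrs, body = self.transport(
            "GET", self.host + path, {**self.headers, "X-CSRF-Token": "Fetch"})
        token = {k.lower(): v for k, v in hdrs.items()}.get("x-csrf-token")
        if token:
            self.csrf = token
        return status, body

    def post(self, path):
        if not self.csrf:
            self.get(url_tasks())         # obtain a token before the first POST
        return self.transport(
            "POST", self.host + path,
            {**self.headers, "X-CSRF-Token": self.csrf or ""}, b"")
```

The URL builders reproduce the requests from the list exactly for plain input; the difference shows up only when a comment contains a quote or an `&`, which `odata_str` neutralises instead of letting it alter the decision being posted.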






 

The next step is to create and manage the process that triggers the attestation in IdM:

[Image: IdM UI managing attestations]


An important customization here is the notifications: the standard functionality sends one notification per task, and in 99% of the cases an attester has from 20 to 100 tasks or even more. The additional customization sends notifications per attester instead, so each attester receives only one initial notification and one reminder.

 

The final step of this implementation is the reports covering the attestation processes:

  1. report for active tasks - basic report

  2. report for active tasks - detail report with users inside and delegation info

  3. report for delegated tasks (admin report) - detail info with initial attester and delegated attester

  4. report for delegated tasks (self service) - executed from the attesters for themselves

  5. report of privilege/role attestation date

  6. report for expired tasks


I hope that this blog presents a few options and gives a better understanding of the functionality provided within SAP IdM Attestation. SAP IdM provides a number of possible scenarios and great flexibility in the way you decide to implement the process.

This is one possible solution to an audit observation, as the yearly access review is an important process in every company.

I hope this blog is useful; any feedback or questions are welcome 🙂

 

Kind Regards,

Simona Lincheva