Designing an attestation campaign


Applies To: Forefront Identity Manager

In BHOLD Attestation, you design and run an attestation campaign to periodically assess the access that your organization’s users have to applications by means of accounts and BHOLD permissions. You can design a campaign to perform this assessment a single time, or you can schedule it to run at intervals according to a recurrence pattern that you specify. You can choose to attest users in organizational units, or users that have accounts in applications registered in BHOLD. Stewards can be required to attest whether the users for which they are responsible have appropriate permissions or should have accounts to access specific applications. Stewards can be selected and paired with users by being linked to steward roles in organizational units (orgunits), by being assigned as a steward in an application, by being identified in a user attribute as a steward for the user, or by being assigned to users in a data file. For more information about steward selection, see Configuring steward selection in Preparing BHOLD for attestation elsewhere in this guide.

This topic presents information about the decisions you will need to make when defining an attestation campaign, and steps you through the definition of a single-occurrence attestation campaign (that is, a campaign with only one instance) and a recurring attestation campaign (a campaign with multiple instances). It consists of the following sections:

  • General attestation campaign considerations

  • Defining a single-occurrence attestation campaign

  • Defining a recurring attestation campaign

General attestation campaign considerations

Prior to defining an attestation campaign, there are a number of decisions that you must make to ensure that the attestation campaign will meet your organization’s goals. You must determine whether the attestation campaign will be a one-time event or will recur periodically, how often, and for how long. You must also decide how often stewards will be reminded of their responsibilities in the course of the campaign. Finally, you must decide the scope of the campaign, that is, the context of the attestation (organizational units or applications), the granularity of the attestation (accounts or permissions), and the method for assigning stewards (model, application, user attribute, or file). When you have made these decisions, you will be ready to define an attestation campaign.

This section covers the following topics:

  • Planning the attestation campaign schedule

  • Planning notification

  • Planning the attestation campaign scope

Planning the attestation campaign schedule

A fundamental question you must answer when planning an attestation campaign is when it will take place, that is, when it will begin and end, and whether it will take place once or repeat over time.

A single-occurrence attestation campaign is particularly suitable for when you need to attest a new deployment of BHOLD, the addition of an application to BHOLD, or to assess the impact of a major reorganization. A single-occurrence attestation campaign can provide a baseline that you can analyze to determine which areas need to be attested more regularly.

A recurring attestation campaign is commonly used to determine whether recent changes to the BHOLD role model (such as the addition of new users or a restructuring of organizational units) have resulted in users having inappropriate access to applications and data. When you plan a recurring attestation campaign, you must decide how long each instance will take, how frequently a new instance of the attestation campaign will be created (in monthly or yearly increments), and whether the attestation campaign will continue indefinitely or end after a predetermined number of occurrences or on a specific date. You should consider the length of each instance, the relative stability of the access being attested (a user’s accounts change less often than permissions), the stability of the organization itself, and the effect of frequent campaigns on steward compliance.

Planning notification

BHOLD Attestation uses email to notify attestation campaign participants when a campaign instance is about to start and to let them know the status of the campaign instance at various stages. When you define an attestation campaign, you can set how often stewards will be reminded of their participation, sending reminders daily, weekly, or monthly, or you can choose not to send reminders at all.

In addition to the notification setting for attestation campaigns, you can modify the email templates that BHOLD Attestation uses to send notifications to attestation campaign owners and stewards. For more information about changing these templates, see Configuring notification email templates in Preparing BHOLD for attestation elsewhere in this guide.

Planning the attestation campaign scope

The scope of an attestation campaign defines how the users to be attested are selected, the type of their access (accounts or permissions) that will be attested, and how they are assigned to stewards. The scope is specified by selecting values for three factors:

  • Context—You can set the context to all or selected organizational units (orgunits) or to all or selected applications. When you use orgunits as the context, all users in the orgunits are attested. Using applications as the context attests only those users who have accounts (aliases) in those applications. Note, however, that the context does not affect whether the attestation campaign will attest users’ accounts or permissions.

  • Granularity—You can set the granularity to attest permissions or to attest accounts.

  • Define Stewards—The methods available for selecting stewards depend on the chosen context and whether you have specified one or more user attributes for steward selection:

    • Model based—Selects stewards based on their links to orgunits whose members are being attested. Although this option is available whenever the context is set to attest all or selected orgunits, you can use it only if you have configured the steward relationship between the orgunits and stewards. For more information, see Configuring model-based steward selection in Preparing BHOLD for attestation elsewhere in this guide.

    • Applications based—Selects stewards based on attributes set on the application in BHOLD Core. Although this option is available whenever the context is set to attest all or selected applications, you can use it only if you have specified stewards for the applications being attested. For more information, see Configuring application-based steward selection in Preparing BHOLD for attestation elsewhere in this guide.

    • File Upload based—Selects stewards and pairs them with users by reading steward/user pairs from a data file that you upload when defining the attestation campaign. This option is available for all context settings. For more information, see Configuring file upload–based steward selection in Preparing BHOLD for attestation elsewhere in this guide.

    • User Attribute based—Selects stewards based on specific user attributes. This option is available only if at least one user attribute has been selected in the BHOLD Attestation settings, and it can be used for any context type. For more information, see Configuring user attribute–based steward selection in Preparing BHOLD for attestation elsewhere in this guide.

Defining a single-occurrence attestation campaign

A single-occurrence attestation campaign has only one instance. Typically a single-occurrence attestation campaign is performed to assess the impact of a recent event, such as the deployment of a new application or a corporate reorganization, or it can be performed as part of a security audit. When you define a single-occurrence attestation campaign, you must specify the start date for the attestation campaign instance and the duration (in days) of the instance. The end date is optional and, if it is not set, the BHOLD Attestation module sets it to 365 days following the start date.

To define a single-occurrence attestation campaign

  1. In the BHOLD Attestation Campaign portal, in the left pane, click Definition.

  2. On the Campaigns page, click Add.

  3. On the Campaign/New Campaign page, in Name, type the name used to identify the attestation campaign.

  4. In Description, type a phrase that describes the purpose of the attestation campaign.

  5. Next to Start Date, click the Calendar button, and then select the date on which the attestation campaign instance is to start. The date must be the current date or later.

  6. In Duration (days), type the number of days stewards will be allowed to complete the attestation campaign instance.

  7. In the Reminder frequency list, select how often you want reminder messages to be sent to stewards.

  8. To change the attestation campaign owner from the currently logged-on user, click the Search button; then, in the Select Campaign Owner dialog box, click the new campaign owner, and then click Select.

    Note

    A user must be assigned the BHOLD Attestation Campaign Owner permission in BHOLD Core to be listed in the Select Campaign Owner dialog box.

  9. To provide optional additional information about the attestation campaign, type the information in Remark.

  10. In Context, click the method that will be used to determine which users will be attested, and then, if you clicked Selected Units or Selected Applications, select the organizational units (orgunits) or applications. For more information, see Planning the attestation campaign scope earlier in this topic.

  11. In Granularity, click Attest accounts or Attest permissions.

  12. In Define Stewards, click the method that will be used to determine how stewards are selected and paired with users, and then do one of the following, as needed:

    For more information, see Planning the attestation campaign scope earlier in this topic.

  13. Click OK.

For information about viewing and managing a campaign instance, see Managing an attestation campaign elsewhere in this guide.

Defining a recurring attestation campaign

A recurring attestation campaign has multiple instances that start and end on a predetermined monthly or annual schedule. As such, it is suitable to provide ongoing verification that users have been granted appropriate accounts or permissions in the applications that are registered with BHOLD Core. When you define a recurring attestation campaign, you specify the date that the first instance will start, the number of days each instance will require to complete, the amount of time (that is, the number of months or years) between instances, and whether the campaign will end after a set number of occurrences or on an end date. Apart from setting the recurrence pattern, defining a recurring attestation campaign is identical to defining a single-occurrence attestation campaign.

To define a recurring attestation campaign

  1. In the BHOLD Attestation Campaign portal, in the left pane, click Definition.

  2. On the Campaigns page, click Add.

  3. On the Campaign/New Campaign page, in Name, type the name used to identify the attestation campaign.

  4. In Description, type a phrase that describes the purpose of the attestation campaign.

  5. Select the Recurrent check box.

  6. In Duration (days), type the number of days stewards will be allowed to complete each attestation campaign instance.

  7. In the Reminder frequency list, select how often you want reminder messages to be sent to stewards.

  8. To change the attestation campaign owner from the currently logged-on user, click the Search button; then, in the Select Campaign Owner dialog box, click the new campaign owner, and then click Select.

    Note

    A user must be assigned the BHOLD Attestation Campaign Owner permission in BHOLD Core to be listed in the Select Campaign Owner dialog box.

  9. To provide optional additional information about the attestation campaign, type the information in Remark.

  10. Under Recurrence Pattern, click Monthly or Yearly to specify how frequently the attestation campaign will be repeated, and then next to Every, type the number of months or years between each instance of the campaign.

  11. Under Range, next to Start Date, click the Calendar button, and then select the start date for the first instance of the attestation campaign. The date must be the current date or later.

  12. Do one of the following:

    • To allow the attestation campaign to continue indefinitely, click No End Date.

    • To specify a limit on the total number of instances of the attestation campaign, click Ends after, and then in Occurrences, type the total number of instances for the campaign.

    • To specify a time limit for the attestation campaign, click Ends by, click the Calendar button, and then select the date following which no more instances of the campaign will be created.

  13. In Context, click the method that will be used to determine which users will be attested, and then, if you clicked Selected Units or Selected Applications, select the organizational units (orgunits) or applications. For more information, see Planning the attestation campaign scope earlier in this topic.

  14. In Granularity, click Attest accounts or Attest permissions.

  15. In Define Stewards, click the method that will be used to determine how stewards are selected and paired with users, and then do one of the following, as needed:

    For more information, see Planning the attestation campaign scope earlier in this topic.

  16. Click OK.

For information about viewing and managing a campaign instance, see Managing an attestation campaign elsewhere in this guide.
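The following planning model works through the schedule decisions described in Planning the attestation campaign schedule and in the recurring-campaign procedure above: it expands a campaign definition (Duration, Recurrence Pattern, Every, and the Range choice of No End Date, Ends after, or Ends by) into the instance windows it will produce and flags instances that would overlap. This is an added example, not code from BHOLD or from this guide; the function and parameter names are assumptions, and the month-end handling noted in the code is an assumption as well.

```python
from calendar import monthrange
from datetime import date, timedelta

# Added planning model for a BHOLD attestation campaign definition (not BHOLD
# code). Parameter names mirror the Campaign page fields: Duration (days),
# Recurrence Pattern (Monthly/Yearly), Every, No End Date / Ends after / Ends by.

def add_months(d, n):
    """Advance d by n calendar months.
    Assumption: the day is clamped to the target month's length; the guide
    does not state how BHOLD treats a start on, for example, the 31st."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, monthrange(y, m)[1]))

def campaign_instances(start, duration_days, recurrent=False, pattern="Monthly",
                       every=1, ends_after=None, ends_by=None, horizon=None):
    """Return [(instance_start, instance_end)] for the campaign definition.
    A single-occurrence campaign yields one instance. With No End Date
    (neither ends_after nor ends_by), 'horizon' bounds the enumeration."""
    if start < date.today():
        raise ValueError("Start Date must be the current date or later")
    if duration_days < 1 or every < 1:
        raise ValueError("Duration and Every must be positive")
    step_months = every * (12 if pattern == "Yearly" else 1)
    instances, i = [], 0
    while True:
        s = add_months(start, i * step_months) if recurrent else start
        if ends_by is not None and s > ends_by:   # Ends by: no instance after this date
            break
        instances.append((s, s + timedelta(days=duration_days)))
        i += 1
        if not recurrent or (ends_after is not None and i >= ends_after):
            break                                  # single instance / Ends after N
        if ends_after is None and ends_by is None: # No End Date: stop at horizon
            if horizon is None:
                raise ValueError("No End Date: give a planning horizon")
            if add_months(start, i * step_months) > horizon:
                break
    return instances

def overlapping_instances(instances):
    """Indexes of instances that start before the previous one ends, i.e.
    stewards would be working two instances at once (the guide's point
    about instance length versus campaign frequency)."""
    return [i for i in range(1, len(instances))
            if instances[i][0] < instances[i - 1][1]]
```

A monthly campaign whose Duration exceeds the number of days between instances will always show up in overlapping_instances, which is the signal to lengthen the interval or shorten the instance.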
