19-6 Oracle Fusion Middleware Users Guide for Oracle Identity Manager Figure 19–2 Creating an Attestation Task: Workflow When the attestation process is run, it first creates a corresponding attestation process instance. It then identifies the reviewers for this run of the process. In most cases, there is only one reviewer. There can even be a set of reviewers. Whenever an invalid reviewer is found, a new reviewer is fetched from the process owner group. Oracle Identity Manager will select, if possible, a member of the process owner group who has not yet been used as a reviewer for this attestation request. If this is not possible, then Oracle Identity Manager will select a member of the process owner group who has already been selected to act as a reviewer. If Oracle Identity Manager cannot find a member of the process owner group, then it will assign XELSYSADM as the reviewer for the attestation task. For each valid reviewer, the process calculates all the user entitlements that the reviewer must attest to as part of that task, as determined by the attestation scope defined in the process. The process then adds a reference and any related information regarding those user entitlements to the attestation data of the task. It also adds the number of entitlements covered by that task to the statistical field for the total number of entitlements identified for attestation in the process instance. The process then sends an e-mail message to the reviewer. It also sends e-mail to process owners about the reviewers with no e-mail address defined. Schedule Task Ad-Hoc Attestation Process Initiated Send E-mail to Reviewer Update Statistics in the Process Instance Define and Save data for Attestation Task Create Attestation Task for Reviewer Calculate who the Reviewers are Create The Attestation Process Instance Any Reviewers with no E-mail Defined Check Reviewer Validity Add to Reviewers with no E-mails List is E-mail address not Defined Send E-mail to Process Owners Valid Yes For Each Reviewer A reviewer is invalid if the reviewer is deleted or is disabled or has an active proxy The reviewer is selected from the Process Owner group. Not Valid End No Managing Attestation Processes 19-7 At the end of this stage, all the attestation tasks are in the attestation inboxes of the reviewers.

19.1.5.2 Stage 2: Acting on an Attestation Task

When an attestation task is assigned to a reviewer, the reviewer receives an e-mail, and the task is displayed in the reviewers attestation inbox. The reviewer views task details in this inbox. From the task details page, the reviewer provides a response and, if required, a comment for each entitlement. This marks the attestation entitlement detail in the task as Response Provided. If the reviewers response includes delegating the attestation activity for a specific entitlement, then the reviewer must provide a delegated user. Optionally, the reviewer can provide comments explaining why the reviewer is delegating the attestation activity to that user. After the reviewer provides responses to all entitlements, the reviewer can commit their action for the attestation task by submitting all responses. Figure 19–3 Flow of Events When Reviewer Responds to Entitlement At this point, the next stage of the Attestation Business Process begins.

19.1.5.3 Stage 3: Processing a Submitted Attestation Task

The Attestation Task is marked as Submitted. At this point the attestation task is frozen, and cannot be acted on further. For each entitlement in the attestation task, the response is examined by the system. If the response is to either certify or reject, then the provisioned resource instance corresponding to that entitlement is updated accordingly. At the provisioned resource instance level, the last attestation result, the Has response been provided for all entitlements in the task Is the response “Delegate” Reviewer provides a response for an entitlement Save any comments provided as part of the task entitlement detail Enable the “Submit Response” button in the task Mark the task entitlement detail as “Response Provided” Record the response for the task entitlement detail Gather delegate information and comments Save delegate information and comments No Yes Yes