Monday, January 28, 2013 11:30 PM
Hi,
I have a couple of questions regarding the BHOLD [RTM/SP1] Attestations; I hope the BHOLD experts can help me with this!
#1 We have AD Special Accounts that are owned/managed by employees. As part of SOX requirements, the owners of these accounts need to re-certify the accounts annually. I'm evaluating BHOLD Attestation to meet our requirements. However, I don't see options in BHOLD to do self-attestations.
On the Attestation Campaign Context, I see only Application Specific or OU specific. And the stewards [who will be doing the re-certification] are fetched from Application or OU stewards. Basically, the user who owns [Supervisors/Stewards] the OU or applications can do the re-certification. I'm able to set up Attestation for OU specific and Application specific, and it worked well.
But in my requirement, a user can have a few AD Special user accounts and LDAP special accounts, and he/she needs to approve/reject the account as part of re-certifications to retain the accounts. Please let me know whether BHOLD can do this self-attestation, and please explain how.
#2 Also, I had no luck in sending email notifications via Attestation. BHOLD experts, please advise how and when the notifications will be triggered for Stewards from the Attestation. I don't see any events for Attestation failures.
Appreciate your help!
- Edited by Prakaaz Monday, January 28, 2013 11:32 PM additional info
Thursday, January 31, 2013 11:46 AM
1. I don't see how you could do this unless each user was in their own OU and then made steward of that OU. I had a customer ask me this the other day too so I will try and escalate it with the product team.
2. I never got this working in the previous version either. I'm currently installing SP1 in my lab and will update my blog if and when I get it working.
Dave Nesbitt | Architect | Oxford Computer Group
Thursday, January 31, 2013 6:08 PM
Thanks. I tried SP1 with the attestation campaigns. I see a steward file upload option in the campaign creation, but I have no clue about the file format. I didn't see that anywhere. Have you tried that option? Moreover, after the campaign is created, we have the option to change/select the steward if someone is rejected, so I'm guessing there may be a way to map the user/accounts/permissions vs. steward. We have multiple attestation requirements for various types of permissions, and Stewards/Approvers also will be different per attestation, so just an Application specific or OU specific steward won't help.
Basically, we need to have controls on assigning the stewards on a per Application/account/permission basis. I'm already working with MS to get clarity on the self-attestation/Custom Steward Assignment scenario.
Friday, February 01, 2013 12:09 AM
Actually, I see the below in the BHOLD Solution guide. So it does support dynamic steward allocation or manual mapping of stewards. But I don't see any documentation for how to do this.
"Typically, the steward for a campaign will be a manager who will attest the access rights of users belonging to one or more organizational units for which the manager is responsible. Stewards can be automatically selected for the users being attested in a campaign based on user attributes, or the stewards for a campaign can be defined by listing them in a file that maps every user being attested in the campaign to a steward."
If MS can add some help related to the above topic, that would be great!