Managing an attestation campaign
Applies To: Forefront Identity Manager
When you finish defining an attestation campaign the Microsoft BHOLD Attestation module immediately schedules the first instance for the campaign. One week prior to the start of a campaign, BHOLD Attestation sends a notification email message to the campaign owner, which is followed by a notification email messages to stewards at the start of the attestation campaign instance. BHOLD Attestation also sends other reminders automatically, as needed, until the campaign instance reaches its end date. The default email templates include placeholders that BHOLD Attestation replaces with the URLs that direct campaign owners and stewards to the portals that allow them to carry out their tasks in the attestation campaign. The stewards’ portals give them the ability to accept or reject attestation responsibility for users and, for those that are accepted, to approve or deny specific accounts or permissions for each user. The campaign owner’s portal (which is the same portal used to define attestation campaigns) allows the campaign owner to monitor the progress of the campaign instance and to assign stewards to unassigned users, as necessary. The campaign owner can also use the portal to view the campaign log, change a limited set of campaign attributes, and deactivate a campaign.
This topic presents you with information about the tasks you can perform to manage an attestation campaign. It consists of the following sections:
Viewing an attestation campaign instance
Assigning a steward to a user without a steward
Dealing with denied permissions
Changing attestation campaign attributes
Deactivating an attestation campaign
Viewing an attestation campaign instance
Viewing a campaign instance allows you to analyze the progress that stewards are making in carrying out their responsibilities in the attestation campaign as well as problems with steward assignments that have occurred in the instance. For more information about assigning stewards after an instance has started, see Assigning a steward to a user without a steward.
To view an attestation campaign instance
In the BHOLD Attestation Campaign portal, in the left pane, click Definition.
On the Campaigns page, click the attestation campaign with the instance that you want to view, and then click Edit.
On the Campaign/<campaign> page, under Instances, click the campaign instance you want to view, and then click View instance.
Assigning a steward to a user without a steward
A user can be listed as not having a steward because the steward selection method that was specified when the attestation campaign was designed failed to match a steward to the user or because a steward refused responsibility for the user. In either case, you can modify an active instance to assign a steward to a user without a steward.
To assign a steward to a user without a steward
In the BHOLD Attestation Campaign portal, in the left pane, click Definition.
On the Campaigns page, click the attestation campaign with the instance that you want to modify, and then click Edit.
On the Campaign/<campaign> page, under Instances, click the campaign instance you want to modify, and then click View instance.
On the Campaigns/Instances/<instance> page, click the User without steward tab, click the user you want to assign a steward to, and then click Select Steward.
Tip
You can use the Shift and Ctrl keys to select more than one user.
In the Select Steward dialog box, in the Attestor Type list, click the type of steward you want to select, click Find Steward, click the steward you want to assign to the user, and then click Select.
Dealing with denied permissions
When a steward denies an attested user a permission, that permission is immediately and automatically revoked by the BHOLD Core module. Other stewards will not be able to approve a denied permission. If the permission was denied in error, however, the BHOLD Core administrator can override the revocation.
To override a denied permission
In the BHOLD Core portal, in the left pane, click Users.
On the Users page, click the user for which you want to override the denied permission.
On the User/<user> page, expand Denied permissions, and then click Modify.
On the Denied Permissions/<user> page, next to the permission you want to restore, click Remove, and then click Done.
Changing attestation campaign attributes
You can change the name, description, owner, and remark attributes of an attestation campaign. You cannot change its schedule or scope.
To change attestation campaign attributes
In the BHOLD Attestation Campaign portal, in the left pane, click Definition.
On the Campaigns page, click the attestation campaign that you want to change, and then click Edit.
On the Campaign/<campaign> page, modify the attributes that you want to change, and then click OK.
Warning
Do not attempt to change attestation campaign attributes other than name, description, owner, and remark. Although the changes might appear to be saved, they will not affect how active or future instances function.
Deactivating an attestation campaign
When you deactivate an attestation campaign, you prevent any future instances from being created, although active instances are allowed to finish. In addition, you cannot change any attributes of a deactivated attestation campaign.
To deactivate an attestation campaign
In the BHOLD Attestation Campaign portal, in the left pane, click Definition.
On the Campaigns page, click the attestation campaign that you want to deactivate, and then click Edit.
On the Campaign/<campaign> page, select the Deactivated check box, in the warning message box, click Yes, and then click OK.
Warning
Deactivation is permanent. Although you can clear the Deactivated check box and the change might appear to be saved, no more instances of a recurring attestation campaign will be created.