Managing an attestation campaign

 

Applies To: Forefront Identity Manager

When you finish defining an attestation campaign the Microsoft BHOLD Attestation module immediately schedules the first instance for the campaign. One week prior to the start of a campaign, BHOLD Attestation sends a notification email message to the campaign owner, which is followed by a notification email messages to stewards at the start of the attestation campaign instance. BHOLD Attestation also sends other reminders automatically, as needed, until the campaign instance reaches its end date. The default email templates include placeholders that BHOLD Attestation replaces with the URLs that direct campaign owners and stewards to the portals that allow them to carry out their tasks in the attestation campaign. The stewards’ portals give them the ability to accept or reject attestation responsibility for users and, for those that are accepted, to approve or deny specific accounts or permissions for each user. The campaign owner’s portal (which is the same portal used to define attestation campaigns) allows the campaign owner to monitor the progress of the campaign instance and to assign stewards to unassigned users, as necessary. The campaign owner can also use the portal to view the campaign log, change a limited set of campaign attributes, and deactivate a campaign.

This topic presents you with information about the tasks you can perform to manage an attestation campaign. It consists of the following sections:

  • Viewing an attestation campaign instance

  • Assigning a steward to a user without a steward

  • Dealing with denied permissions

  • Changing attestation campaign attributes

  • Deactivating an attestation campaign

Viewing an attestation campaign instance

Viewing a campaign instance allows you to analyze the progress that stewards are making in carrying out their responsibilities in the attestation campaign as well as problems with steward assignments that have occurred in the instance. For more information about assigning stewards after an instance has started, see Assigning a steward to a user without a steward.

To view an attestation campaign instance

  1. In the BHOLD Attestation Campaign portal, in the left pane, click Definition.

  2. On the Campaigns page, click the attestation campaign with the instance that you want to view, and then click Edit.

  3. On the Campaign/<campaign> page, under Instances, click the campaign instance you want to view, and then click View instance.

Assigning a steward to a user without a steward

A user can be listed as not having a steward because the steward selection method that was specified when the attestation campaign was designed failed to match a steward to the user or because a steward refused responsibility for the user. In either case, you can modify an active instance to assign a steward to a user without a steward.

To assign a steward to a user without a steward

  1. In the BHOLD Attestation Campaign portal, in the left pane, click Definition.

  2. On the Campaigns page, click the attestation campaign with the instance that you want to modify, and then click Edit.

  3. On the Campaign/<campaign> page, under Instances, click the campaign instance you want to modify, and then click View instance.

  4. On the Campaigns/Instances/<instance> page, click the User without steward tab, click the user you want to assign a steward to, and then click Select Steward.

    Tip

    You can use the Shift and Ctrl keys to select more than one user.

  5. In the Select Steward dialog box, in the Attestor Type list, click the type of steward you want to select, click Find Steward, click the steward you want to assign to the user, and then click Select.

Dealing with denied permissions

When a steward denies an attested user a permission, that permission is immediately and automatically revoked by the BHOLD Core module. Other stewards will not be able to approve a denied permission. If the permission was denied in error, however, the BHOLD Core administrator can override the revocation.

To override a denied permission

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user for which you want to override the denied permission.

  3. On the User/<user> page, expand Denied permissions, and then click Modify.

  4. On the Denied Permissions/<user> page, next to the permission you want to restore, click Remove, and then click Done.

Changing attestation campaign attributes

You can change the name, description, owner, and remark attributes of an attestation campaign. You cannot change its schedule or scope.

To change attestation campaign attributes

  1. In the BHOLD Attestation Campaign portal, in the left pane, click Definition.

  2. On the Campaigns page, click the attestation campaign that you want to change, and then click Edit.

  3. On the Campaign/<campaign> page, modify the attributes that you want to change, and then click OK.

    Warning

    Do not attempt to change attestation campaign attributes other than name, description, owner, and remark. Although the changes might appear to be saved, they will not affect how active or future instances function.

Deactivating an attestation campaign

When you deactivate an attestation campaign, you prevent any future instances from being created, although active instances are allowed to finish. In addition, you cannot change any attributes of a deactivated attestation campaign.

To deactivate an attestation campaign

  1. In the BHOLD Attestation Campaign portal, in the left pane, click Definition.

  2. On the Campaigns page, click the attestation campaign that you want to deactivate, and then click Edit.

  3. On the Campaign/<campaign> page, select the Deactivated check box, in the warning message box, click Yes, and then click OK.

    Warning

    Deactivation is permanent. Although you can clear the Deactivated check box and the change might appear to be saved, no more instances of a recurring attestation campaign will be created.

See also