Chat now with support
Chat mit Support

Identity Manager On Demand Hosted - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Approval by mail

To provide approvers who are temporarily unable to access One Identity Manager tools with the option of making approval decisions on requests, you can set up approvals by email. In this process, approvers are notified by email when a request attestation case is pending their approval. Approvers can use the relevant links in the email to make approval decisions without having to connect to the Web Portal. This generates an email that contains the approval decision and in which approvers can state the reasons for their approval decision. This email is sent to a central mailbox. One Identity Manager checks this mailbox regularly, evaluates the incoming emails and updates the status of the request procedures correspondingly.

IMPORTANT: An approval cannot be sent by email if multi-factor authentication is configured for the requested product. Approval mails for such requests produce an error message.
Prerequisites
  • If you use a Microsoft Exchange mailbox, configure the Microsoft Exchange with:

    • Microsoft Exchange Client Access Server version 2007, Service Pack 1 or higher

    • Microsoft Exchange Web Service .NET API Version 1.2.1, 32-bit

  • If you use an Exchange Online mailbox, register an application in your Azure Active Directory tenant in the Microsoft Azure Management Portal. For example, One Identity Manager <Approval by mail>.

    For detailed information about how to register an application, see https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application.

  • The One Identity Manager Service user account used to log into Microsoft Exchange or Exchange Online requires full access to the mailbox given in the QER | ITShop | MailApproval | Inbox configuration parameter.

  • The QER | ITShop | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

To set up approval by email

  1. In the Designer, set the QER | ITShop | MailApproval | Inbox configuration parameter and enter the mailbox to which the approval mails are to be sent.

  2. Set up mailbox access.

    • If you use a Microsoft Exchange mailbox:

      • By default, One Identity Manager uses the One Identity Manager Service user account to log in to the Microsoft Exchange Server and access the mailbox.

        - OR -

      • You enter a separate user account for logging in to theMicrosoft Exchange Server for mailbox access.

        • In the Designer, set the QER | ITShop | MailApproval | Account configuration parameter and enter the user account's name.

        • In the Designer, set the QER | ITShop | MailApproval | Domain configuration parameter and enter the user account's domain.

        • In the Designer, set the QER | ITShop | MailApproval | Password configuration parameter and enter the user account's password.

    • If you use an Exchange Online mailbox:

      • In the Designer, set the QER | ITShop | MailApproval | AppId configuration parameter and enter the application ID that was generated when the application was registered in the Azure Active Directory tenant.

      • In the Designer, set the QER | ITShop | MailApproval | Domain configuration parameter and enter the domain for logging into Azure Active Directory.

      • In the Designer, set the QER | ITShop | MailApproval | Password configuration parameter and enter the client secret (application password) for the application.

  3. In the Designer, set the QER | ITShop | MailTemplateIdents | ITShopApproval configuration parameter.

    The mail template used to create the approval decision mail is stored with this configuration parameter. You can use the default mail template or add a custom mail template.

    TIP: In this case, also change the VI_MailApproval_ProcessMail script.

  4. Assign the following mail templates to the approval steps.

    Table 61: Mail templates for approval by mail

    Property

    Mail template

    Mail template request

    IT Shop request - approval required (by mail)

    Mail template reminder

    IT Shop request - remind approver (by mail)

    Mail template delegation

    IT Shop request - delegated/additional approval (by mail)

    Mail template rejection

    IT Shop request - reject approval (by mail)

  5. In the Designer, configure and enable the Processes IT Shop mail approvals schedule.

    Based on this schedule, One Identity Manager regularly checks the mailbox for new approval mails. The mailbox is checked every 15 minutes. You can change how frequently it checks, by altering the interval in the schedule as required.

To clean up a mail box

  • In the Designer, set the QER | ITShop | MailApproval | DeleteMode configuration parameter and select one of the following values.

    • HardDelete: The processed email is immediately deleted.

    • MoveToDeletedItems: The processed email is moved to the Deleted objects mailbox folder.

    • SoftDelete: The processed email is moved to the Active Directory recycling bin and can be restored if necessary.

    NOTE: If you use the MoveToDeletedItems or SoftDelete cleanup method, you should empty the Deleted objects folder and the Active Directory recycling bin on a regular basis.

Related topics

Editing approval emails

The Processes IT Shop mail approvals schedule starts the VI_ITShop_Process Approval Inbox process. This process runs the VI_MailApproval_ProcessInBox script, which searches the mailbox for new approval decision mails and updates the request procedures in the One Identity Manager database. The contents of the approval decision mail are processed at the same time.

NOTE: The validity of the email certificate is checked with the VID_ValidateCertificate script. You can customize this script to suit your security requirements. Take into account that this script is also used for attestations by email.

If an self-signed root certification authority is used, the user account under which the One Identity Manager Service is running, must trust the root certificate.

TIP: The VI_MailApproval_ProcessInBox script finds the Exchange Web Service URL that uses AutoDiscover through the given mailbox as default. This assumes that the AutoDiscover service is running.

If this is not possible, enter the URL in the QER | ITShop | MailApproval | ExchangeURI configuration parameter.

Approval decision mails are processed with the VI_MailApproval_ProcessMail script. The script finds the relevant approval, sets the Approved option if approval is granted, and stores the reason for the approval decision with the request procedures. The approver is found through the sender address. Then the approval decision mail is removed from the mailbox depending on the selected cleanup method.

NOTE: If you use a custom mail template for the approval decision mail, check the script and modify it as required. Take into account that this script is also used for attestations by email.

Allowing approval decisions using the Starling 2FA app

To provide approvers who are temporarily unable to access One Identity Manager tools with the option of making approval decisions on requests, you can set up approval by Starling 2FA app. In this case, approvers are prompted by the Starling 2FA app to grant or deny approval of a request. The Starling 2FA app can also be used for approvals that do not require multi-factor authentication, such as for requesting service items where the Approval by multi-factor authentication option is not set.

Prerequisites
  • Multi-factor authentication with Starling Cloud is configured.

  • Approvers are registered with Starling Two-Factor Authentication.

For detailed information, see the One Identity Manager Authorization and Authentication Guide.

To use the Starling 2FA app for approval decisions

  • In the Designer, set the QER | Person | Starling | UseApprovalAnywhere configuration parameter.

The approver must make the approval decision within 5 minutes. If this time is exceeded, the Web Portal must be used to approve the request.

To change the timeout

  • In the Designer, set the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter and adjust the value. Enter a timeout in seconds.

Related topics

Requests with limited validity period for changed role memberships

If an employee changes their primary department (business role, cost center, or location), they lose all company resources and system entitlements inherited through it. However, it may be necessary for the employee to retain these company resources and system entitlements for a certain period. Use temporary requests to retain the state of the employee's current memberships. Inherited assignments are not removed until after the validity period for this request has expired. The employee can renew the request with the validity period.

Prerequisites

  • Employee main data is modified by import.

  • The import sets the session variable FullSync=TRUE.

To configure automatic requests for removal of role memberships

  1. In the Designer, set the QER | ITShop | ChallengeRoleRemoval configuration parameter.

  2. In the Designer, set the QER | ITShop | ChallengeRoleRemoval | DayOfValidity configuration parameter and enter a validity period for the request.

  3. In the Designer, set the configuration parameters under QER | ITShop | ChallengeRoleRemoval for roles whose primary memberships need to remain intact when modified.

  4. Commit the changes to the database.

NOTE: The configuration parameters are set by default. The validity period is set to seven days.

If employee main data is modified by importing, One Identity Manager checks if a primary role (for example Person.UID_Department) was modified or deleted on saving. If this is the case, VI_CreateRequestForLostRoleMembership is run. The script create a temporary assignment request for this role, which is granted approval automatically. Thus, the employee remains a members of the role and retains their company resources and system entitlements. The request is automatically canceled when the validity period expires.

The request can be renewed during the validity period. The request renewal must be approved by the role manager. The request becomes permanent if approval is granted. Role membership stays the same until the assignment is canceled.

TIP: The QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration parameter specifies which product nodes to use for a limited validity period request of modified role memberships. The Challenge loss of role membership product is available by default in the Identity & Access Lifecycle | Identity Lifecycle shelf. You can also add this product to your own IT Shop solution.

To use the "Challenge loss of role membership" product in your own IT Shop

  1. Assign the Challenge loss of role membership assignment resource to one of your own shelves.

  2. In the Designer, edit the value of the QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration parameter.

    • Enter the full name or the UID of the new product node.

Related topics
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen