立即与支持人员聊天
与支持团队交流

Identity Manager 8.1.4 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests and delegating Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding Active Directory and SharePoint groups to the IT Shop automatically Adding Privileged Account Management user groups to the IT Shop automatically
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Cancel request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates
Resolving errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Approving requests from an approver

By default, approvers can make approval decisions about requests in which they are themselves requester (UID_PersonInserted) or recipient (UID_PersonOrdered). To prevent this, you can specify the desired behavior in the following configuration parameter and in the approval step.

  • QER | ITShop | PersonOrderedNoDecide configuration parameter

  • QER | ITShop | PersonInsertedNoDecide configuration parameter

  • Approval by affected employee option in the approval step.

If the requester or approver is not allowed to make approval decisions, their main identity and all subidentities are removed from the group of approvers.

NOTE:

  • The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.

  • This configuration parameter does not affect the BS and BR approval procedures. These approval procedures also find the requester and the request recipient if the configuration parameter is not set. For more information, see Finding requesters.

Summary of configuration options

Requesters can approve their own requests if:

  • The PersonInsertedNoDecide configuration parameter is not set.

- OR -

  • The Approval by affected employee option is set.

Recipients can approve their own requests if:

  • The PersonOrderedNoDecide configuration parameter is not set.

- OR -

  • The Approval by affected employee option is set.

Requesters cannot approve if:

  • The PersonInsertedNoDecide configuration parameter is set.

    The Approval by affected employee option is not set.

Recipients cannot approve if:

  • The PersonOrderedNoDecide configuration parameter is set.

    The Approval by affected employee option is not set.

Example

A department manager places a request for an employee. Both of them are found to be approvers by the approval procedure. To prevent the department manager from approving the request, set the QER | ITShop | PersonInsertedNoDecide parameter. To prevent the employer from approving the request, set the QER | ITShop | PersonOrderedNoDecide parameter.

Approving requests from an exception approver

Similarly, you specify whether exception approvers are allowed to approve their own requests if compliance rules are violated by a request. For more information, see Restricting exception approvers.

Related topics

Setting up approver restrictions

To prevent recipients of requests becoming approvers

  • In the Designer, set the QER | ITShop | PersonOrderedNoDecide configuration parameter.

    This configuration parameter takes effect if the Approval by affected employee option is not set on the approval step.

To prevent requesters becoming approvers

  • In the Designer, set the QER | ITShop | PersonInsertedNoDecide configuration parameter.

    This configuration parameter takes effect if the Approval by affected employee option is not set on the approval step.

For individual approval workflows, you can allow exceptions to the general rule in the PersonInsertedNoDecide and PersonOrderedNoDecide configuration parameters. Use these options to allow the requester or recipient of requests to make approval decisions themselves in single approval steps.

To allow request recipients or requesters to become approvers in certain cases

  • On the approval step, enable the Approval by affected employee option.

Related topics

Automatically approving requests

Approvers may be involved in an approval procedure more than once, for example, if they are also requesters or determined as approvers in various approval steps. In such cases, the approval process can be speeded up with automatic approval.

NOTE: Automatic approvals apply to all fallback approvers but not for the chief approval team.

Use configuration parameters to specify when automatic approvals are used. You can specify exceptions from default behavior for individual approval steps. Specify the behavior you expect in the following configuration parameters and approval steps.

  • QER | ITShop | DecisionOnInsert configuration parameter

  • QER | ITShop | AutoDecision configuration parameter

  • QER | ITShop | ReuseDecision configuration parameter

  • No automatic approval option in the approval step

Summary of configuration options

Approval steps are automatically approved or denied if:

  • The QER | ITShop | DecisionOnInsert configuration parameter is set.

    The No automatic approval option is not set.

    - OR -

  • The QER | ITShop | AutoDecision configuration parameter is set.

    The No automatic approval option is not set.

    - OR -

  • The QER | ITShop | ReuseDecision configuration parameter is set.

    The No automatic approval option is not set.

Requests are manually approved or denied if:

  • The QER | ITShop | DecisionOnInsert configuration parameter is not set.

    - OR -

  • The QER | ITShop | AutoDecision configuration parameter is not set.

    - OR -

  • The QER | ITShop | ReuseDecision configuration parameter is not set.

    - OR -

  • The No automatic approval option is set.

Detailed information about this topic
Related topics

Configuring automatic approval

Scenario: An approver can grant or deny approval in several approval steps.

An approver may be authorized to approve several levels of an approval workflow. By default, the request is presented to the approver in each approval level. You can allow automatic approval so that the approver is not presented with a request more than once.

To allow an approver's decisions to be met automatically in several sequential approval levels

  • In the Designer, set the QER | ITShop | AutoDecision configuration parameter.

    The approval decision of the first approval levels is applied to subsequent approval levels for which the approver is authorized.

    The configuration parameter takes effect if the No automatic approval option is not enabled for the approval step.

To attain automatic acceptance for an approver's decisions for all non-sequential approval levels

  • In the Designer, set the QER | ITShop | ReuseDecision configuration parameter.

    If the approver granted approval to this request in an earlier approval step, the approval decision is transferred. If the approver did not grant approval in an earlier approval step, the request is presented for approval again.

    The configuration parameter takes effect if the No automatic approval option is not enabled for the approval step.

    Important: If the approver is also an exception approver for compliance rule violations, requests that violate compliance rules will also be automatically approved without being presented for exception approval.
Scenario: Requester is also approver

Approvers can execute requests for themselves. If a requester is determined to be approver for the request, their approval steps are immediately granted approval.

To prevent automatic approval for an approver's requests

  • In the Designer, disable the QER | ITShop | DecisionOnInsert configuration parameter.

    If a requester is determined to be the approver of an approval step, the request is presented to the requester to be approved.

The QER | ITShop | DecisionOnInsert configuration parameter is set by default and takes effect if the No automatic approval option is not enabled in the approval step.

If the QER | ITShop | PersonInsertedNoDecide configuration parameter is set, the requester does not become an approver and cannot approve the request. Also, the request cannot be decided automatically.

Preventing automatic approval in individual cases

For single approval steps, you can configure exceptions to the general rule in the configuration parameters.

To prevent automatic approvals for particular approval steps

  • Enable the No automatic approval option in the approval step.

    The QER | ITShop | DecisionOnInsert, QER | ITShop | ReuseDecision, and QER | ITShop | AutoDecision configuration parameters are not considered in this approval step. In each case, requests are to be presented to the approver of this approval step.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级