立即与支持人员聊天
与支持团队交流

Identity Manager 8.1.4 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests and delegating Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding Active Directory and SharePoint groups to the IT Shop automatically Adding Privileged Account Management user groups to the IT Shop automatically
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Cancel request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates
Resolving errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Using requested products to find approvers

If the owner of the requested product is to be determined as an approver, use the following approval procedures:

OA - product owner

Assign an application role to the product’s service item in the Product owner input field to make it possible to find owners of a product as approvers. In this case, all the employees assigned to the application role through secondary assignment are recognized as approvers.

PA - Additional owner of the Active Directory group

Installed modules:

Active Roles Module

If an Active Directory group is requested, the approvers can be found through the additional owner of this Active Directory group. All employees are found that are:

  • A member in the assigned Active Directory group through their Active Directory user account

  • Linked to the assigned Active Directory user account

NOTE: Only use this approval procedure if the TargetSystem | ADS | ARS_SSM configuration parameter is set.

The column Additional owners is only available in this case.

PG - owners of the requested privileged access request

Installed modules:

Privileged Account Governance Module

If an access request is made for a privileged object within a Privileged Account Management system, such as PAM assets, PAM asset accounts and PAM directory accounts, then the owner of the privileged objects is determined as the approver in the approval process for these. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.

To make an access request, additional system prerequisites must be met by the Privileged Account Management system. For more detailed information about PAM access requests, see the One Identity Manager Administration Guide for Privileged Account Governance.

TO - target system manager of the requested system entitlement

Installed modules:

Target System Base Module

Other target system modules

If a system entitlement is requested, the target system managers can be found as approvers using this approval procedure. Assign the synchronization base object of the target system to the target system manager (for example Active Directory domain, SAP client, target system type in the Unified Namespace). This finds, as approvers, all employees assigned to the application role assigned here and all members of the parent application roles.

This finds all target system managers of the system entitlement that are stored as the final product with the request (PersonWantsOrg.UID_ITShopOrgFinal column).

Using approval roles to find approvers

Use the following approval procedure if you want to establish the approver of a hierarchical role to be approver.

Table 33: Approval procedures to determine approvers through an approval role

Approval procedure

Approver

RD

The request recipient is assigned a primary department. The department is assigned an application role in the Role approver menu.

All secondarily assigned employees of this application role are determined to be approvers.

RL

The request recipient is assigned a primary location. The location is assigned an application role in the Role approver menu.

All secondarily assigned employees of this application role are determined to be approvers.

RO

Installed modules: Business Roles Module

The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver menu.

All secondarily assigned employees of this application role are determined to be approvers.

RP

The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver menu.

All secondarily assigned employees of this application role are determined to be approvers.

Figure 6: Determining approvers through a department's role approver

Approval procedure

Approver

ID

The request recipient is assigned a primary department. The department is assigned an application role in the Role approver (IT) menu.

All secondarily assigned employees of this application role are determined to be approvers.

IL

The request recipient is assigned a primary location. The location is assigned an application role in the Role approver (IT) menu.

All secondarily assigned employees of this application role are determined to be approvers.

IO

Installed modules: Business Roles Module

The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver (IT) menu.

All secondarily assigned employees of this application role are determined to be approvers.

IP

The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver (IT) menu.

All secondarily assigned employees of this application role are determined to be approvers.

Determining the approver using the example of an approval role for the request's recipient primary department (approval procedure RD):

  1. Determine the requester’s primary department (UID_Department).

  2. The application role (UID_AERole) is determined through the department’s role approver (UID_RulerContainer).

  3. Determine the secondary employees assigned to this application role. These can issue approval.

  4. If there is no approval role given for the primary department or the approval role does not have any members, the approval role is determined for the parent department.

  5. The request cannot be approved if no approval role with members is found by drilling up to the top department.

NOTE: When approvers are found using the approval procedures RO or IO, and inheritance for business roles is defined from the bottom up, note the following:

If no role approver is given for the primary business role, the role approver is determined from the child business role.

Using cost centers to find approvers

Use the following procedure to determine the approver through a cost center given in the request.

Table 34: Approval procedures for determining approvers for a cost center

Approval procedure

Approver

PP

A cost center is entered in the request. The cost center is assigned a manager.

The manager of the given cost center is established as approver.

PR

A cost center is entered in the request. The cost center is assigned an application role in the Role approver menu.

All secondarily assigned employees of this application role are determined to be approvers.

Approvers are determined following the same method as described in Using approval roles to find approvers.

PI

A cost center is entered in the request. The cost center is assigned an application role in the Role approver (IT) menu.

All secondarily assigned employees of this application role are determined to be approvers.

Approvers are determined following the same method as described in Using approval roles to find approvers.

Using departments to find approvers

Use the following procedure to determine the approver through a department given in the request.

Table 35: Approval procedures for determining approvers for a department

Approval procedure

Approver

DP

A department is entered in the request. The department is assigned a manager.

The manager of the given department is established as approver.

DR

A department is entered in the request. The department is assigned an application role in the Role approver menu.

All secondarily assigned employees of this application role are determined to be approvers.

Approvers are determined following the same method as described in Using approval roles to find approvers.

DI

A department is entered in the request. The department is assigned an application role in the Role approver (IT) menu.

All secondarily assigned employees of this application role are determined to be approvers.

Approvers are determined following the same method as described in Using approval roles to find approvers.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级