立即与支持人员聊天
与支持团队交流

Identity Manager 8.1.4 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests and delegating Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding Active Directory and SharePoint groups to the IT Shop automatically Adding Privileged Account Management user groups to the IT Shop automatically
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Cancel request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates
Resolving errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Approval by peer group analysis

Using peer group analysis, approval for requests can be granted or denied automatically. This is based on the assumption that employees belonging to the same department, for example, require the same products. So, if a company resource has already been assigned to a majority of employees in a department, a new request for this company resource is automatically approved. This helps to accelerate approval processes.

Peer groups contain all employees with the same manager or belonging to the same primary or secondary department as the request's recipient. Configuration parameters specify which employee belong to the peer group. At least one of the following configuration parameters must be set.

  • QER | ITShop | PeerGroupAnalysis | IncludeManager: Employees that have the same manager as the request's recipient

  • QER | ITShop | PeerGroupAnalysis | IncludePrimaryDepartment: Employees that belong to the same primary department as the request's recipient

  • QER | ITShop | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the request's recipient

The proportion of employees of a peer group who must already own the company resource, is set in the QER | ITShop | PeerGroupAnalysis | ApprovalThreshold configuration parameter.

You can also specify that employees are not permitted to request products from mismatched functional areas, which means, if the requested product and the primary department of the request recipient are from different functional areas, the request should be denied. To include this check in peer group analysis, set the QER | ITShop | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.

Requests are automatically approved for fully configured peer group analysis, if both:

  • The requested product is not mismatched

  • The number of employees in the peer group who already own this product equal or exceeds the given threshold.

If this is not the case, requests are automatically denied. The threshold specifies the ratio of the total number of employees in the peer group to the number of employees in the peer group who already own this product.

To use this functionality, One Identity Manager provides the QER_PersonWantsOrg_Peer group analysis process and the PeergroupAnalysis event. The process is run using an approval step with the EX approval procedure.

Detailed information about this topic

Configuring peer group analysis

To configure peer groups

  1. In the Designer, set the QER | ITShop | PeerGroupAnalysis configuration parameter.

  2. Set at least on of the following subparameters:

    • QER | ITShop | PeerGroupAnalysis | IncludeManager: Employees who have the same manager as the request's recipient

    • QER | ITShop | PeerGroupAnalysis | IncludePrimaryDepartment: Employees who belong to the same primary department as the request's recipient

    • QER | ITShop | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the request's recipient

    Thus, you specify which employees belong to the peer group. You can also set two or all of the configuration parameters.

  3. To specify a threshold for the peer group, set the QER | ITShop | PeerGroupAnalysis | ApprovalThreshold configuration parameter and specify a value between 0 and 1.

    The default value is 0.9. That means, at least 90 percent of the peer group members must already have the requested product in order for the request to be approved.

  4. To test whether there is mismatch of functional areas for the requested product, set the QER | ITShop | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.

    1. Assign the service items and departments to functional areas.

      Only functional areas that are primary assigned service items are taken into account.

      For detailed information about functional areas, see the One Identity Manager Identity Management Base Module Administration Guide.

    2. Assign employees to primary departments.

  5. In the Manager, create an approval workflow with at least one approval level. For the approval step, enter at least the following data:

    • Single step: Name of the approval step.
    • Approval procedure: EX
    • Event: PeerGroupAnalysis

    The event starts the QER_PersonWantsOrg_Peer group analysis process, which runs the QER_PeerGroupAnalysis script.

    The script runs automatic approval and sets the approval step type to Grant or Deny.

Related topics

Gathering further information about a request

Approvers are able to gather additional information about a request. This ability does not, however, replace granting or denying approval for a request. There is no additional approval step required in the approval workflow to obtain the information.

Approvers can request information in form of a question from anybody. The request is placed on hold for the period of the inquiry. Once the queried employee has supplied the necessary information and the approver has made an approval decision, the request is taken off hold. The approver can recall a pending inquiry at any time. The request is taken off hold. The approver’s request and the employee's answer are recorded in the approval flow and are therefore available to the approver.

NOTE: If the approver who made the query is dropped, hold status is revoked. The queried employee must not answer. The request procedure continues.

For more detailed information, see the One Identity Manager Web Portal User Guide.

Detailed information about this topic

Appointing other approvers

Once an approval level in the approval workflow has been reached, approvers at this level can appoint another employee to handle the approval. To do this, you have the options described below:

  • Rerouting approvals

    The approver appoints another approval level to carry out approvals. To do this, set up a connection to the approval level in the approval workflow to which an approval decision can be rerouted.

  • Appointing additional approvers

    The approver appoints another employee to carry out the approval. The other approver must make an approval decision in addition to the known approvers. To do this, enable the Additional approver possible option in the approval step.

    The additional approver can reject the approval and return the requests to the original approver. The original approver is informed about this by email. The original approver can appoint another additional approver.

  • Delegate approval

    The approver appoints another employee with approval. This employee is added to the current approval step as the approver. This employee then makes the approval decision instead of the approver who made the delegation. To do this, enable the Approval can be delegated option in the approval step.

    The current approver can reject the approval and return the requests to the original approver. The original approver can withdraw the delegation and delegate a different employee, for example, if the other approver is not available.

Email notifications can be sent to the original approvers and the others.

For more detailed information, see the One Identity Manager Web Portal User Guide.

Detailed information about this topic
Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级