Chatee ahora con Soporte
Chat con el soporte

Identity Manager 8.1.4 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests and delegating Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding Active Directory and SharePoint groups to the IT Shop automatically Adding Privileged Account Management user groups to the IT Shop automatically
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Cancel request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates
Resolving errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Removing customers from a shop

If a customer has requested assignments through a shop or has delegated role memberships and is removed from the shop at a later date, the assignment request is closed and the assignments revoked or delegation ended. In this case, however, assignments to roles should be retained if required.

To prevent the assignment from being revoked

  1. In the Designer, set the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU configuration parameter.

  2. (Optional) Enable the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback configuration parameter in the Designer.

    • In the Value field, enter the UID_Person of the person that should be used as the fallback if no other request recipient can be found.

      This person must be a customer in all shops in which which assignments can be requested.

  3. Save the changes.

  4. In the Manager, select the Entitlements | Assignment resource for IT Shop category.

  5. In the result list, select an assignment resource and select the Change master data task.

  6. Set the Keeps requested assignment resource option.

  7. Save the changes.

This option is enabled by default for the Role entitlement assignment default assignment resource. These configuration parameters are disabled by default.

If this option is enabled and the request recipient is removed from the customer node, then the request is updated according to the following rules:

  1. If the service item

    • Has the Retain service item assignment on relocation option set
    • The request recipient and service item are available in another shop

    The assignment request is transferred into this shop. The request recipient remains the same.

  2. If by doing this the request recipient does not remain the same, then a new request recipient is determined.

    1. The manager of the business role or organization that has been requested (PersonWantsOrg.ObjectKeyOrgUsedInAssign).

    2. A member of the business role or organization that has been requested.

    3. A member of the chief approval team.

    4. The employee given in the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback configuration parameter.

These rules are applied in the order given. The person who is found must be a customer in the shop.

If no authorized approver can be found or the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU configuration parameter is disabled, then the assignment request is converted into a direct assignment. If direct assignment for the assigned product is not permitted to the requested business role or organization, the request is canceled and the assignment is removed.

NOTE: This option does not influence membership requests in roles or delegation.

Membership assignments are not removed, if the requester is removed from the customer node. They are removed when the recipient of the assignment request is deleted from the customer node.

Delegation ends when the delegate is deleted from the customer node.

Related topics

Setting up assignment resources

To edit an assignment resource

  1. In the Manager, select the Entitlements | Assignment resource for IT Shop category.

  2. In the result list, select an assignment resource and run the Change master data task.

  3. Edit the assignment resource's master data.

  4. Save the changes.

To create an assignment resource

  1. In the Manager, select the Entitlements | Assignment resource for IT Shop category.

  2. Click in the result list.

  3. Edit the assignment resource's master data.

  4. Save the changes.
Detailed information about this topic

General master data for an assignment resource

Enter the following master data for an assignment resource.

Table 18: Master data for an assignment resource
Property Description

Assignment resource

Name for the assignment resource.

Resource type

Resource type for grouping assignment resources.

For detailed information, see One Identity Manager Identity Management Base Module Administration Guide.

IT Shop

Specifies whether the assignment resource can be requested through the IT Shop. The assignment resource can be ordered by an employee over the Web Portal and distributed using a defined approval process.

This option cannot be disabled.

Only for use in IT Shop

Specifies whether the assignment resource can only be requested through the IT Shop. The assignment resource can be ordered by an employee over the Web Portal and distributed using a defined approval process. This means, the assignment resource cannot be directly assigned to roles outside the IT Shop.

This option cannot be disabled.

Service item

Service item through which you can request the assignment resource in the IT Shop. Assign an existing service item or add a new one.

Table

Table where the assignment should be made.

Assignment requests can be limited to a specific hierarchical role. Choose the table from which the role should be selected.

Object

Specific hierarchical role that employees can request. Only one assignment resource can be created per role.

Description

Text field for additional explanation.

Risk index

Value for evaluating the risk of assignment resource assignments to employees. Enter a value between 0 and 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

For detailed information, see One Identity Manager Risk Assessment Administration Guide.

Requested assignments remain intact.

If this option is set, requested role assignments are converted into direct assignments if the request recipient is removed from the customer node of the associate shops.

The option can only be edited as long as there is a request has not been assigned with this assignment resource.

Spare field no. 01 ... Spare field no. 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Detailed information about this topic
Related topics

Default assignment resources

One Identity Manager provides standard products for assignment requests and delegation. These are assigned to the Identity & Access Lifecycle shop as default assignment resources.

To edit default assignment resources

  • In the Manager, select the Entitlements | Assignment resource for IT Shop | Predefined category.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación