
Identity Manager 8.2 - IT Shop Administration Guide


Editing approval emails

The Processes IT Shop mail approvals schedule starts the VI_ITShop_Process Approval Inbox process. This process runs the VI_MailApproval_ProcessInBox script, which searches the mailbox for new approval decision mails and updates the request procedures in the One Identity Manager database. The contents of the approval decision mail are processed at the same time.

NOTE: The validity of the email certificate is checked with the VID_ValidateCertificate script. You can customize this script to suit your security requirements. Take into account that this script is also used for attestations by email.

If a self-signed root certification authority is used, the user account under which the One Identity Manager Service is running must trust the root certificate.
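
A diagnostic for the trust requirement above, added here as an example and not part of One Identity's scripts or of VID_ValidateCertificate: run as the service account, it builds the chain for an exported approver signing certificate and reports why trust fails (for example UntrustedRoot). The function name, the file path, and the optional sender comparison are assumptions made for illustration.

```powershell
# Added diagnostic, not One Identity code. Start the session as the account that
# runs the One Identity Manager Service: chain building uses that account's
# certificate stores, which is where a self-signed root has to be trusted.
function Test-ApproverCertificateTrust {
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,  # hypothetical exported signer certificate (.cer)
        [string] $ExpectedSender                           # optional sender address to compare against
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    $chain.ChainPolicy.RevocationMode = 'Online'       # converted to X509RevocationMode
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'  # converted to X509RevocationFlag

    # Require the Secure Email EKU; a certificate issued only for other
    # purposes is reported as NotValidForUsage.
    $emailEku = New-Object System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.5.5.7.3.4'
    [void] $chain.ChainPolicy.ApplicationPolicy.Add($emailEku)

    # $false when any element fails: UntrustedRoot, NotTimeValid, Revoked, ...
    $trusted = $chain.Build($cert)

    # Last element that could be built; this is the root when the chain is complete.
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Address from the rfc822Name SAN or the subject's E= attribute.
    $mail = $cert.GetNameInfo('EmailName', $false)

    [pscustomobject]@{
        Subject          = $cert.Subject
        NotBefore        = $cert.NotBefore
        NotAfter         = $cert.NotAfter
        ChainTrusted     = $trusted
        ChainProblems    = @($chain.ChainStatus | ForEach-Object { $_.Status })
        ChainEndSubject  = $last.Subject
        ChainEndThumb    = $last.Thumbprint
        CertificateMail  = $mail
        # Assumption: you want the signer address to equal the mail's sender.
        SenderMatches    = if ($ExpectedSender) { $mail -eq $ExpectedSender } else { $null }
    }
}

# Constructed sample call; the path and address are placeholders.
# Test-ApproverCertificateTrust -CertificatePath 'C:\Temp\approver.cer' -ExpectedSender 'approver@example.com'
```

If ChainProblems contains UntrustedRoot for the service account but not for your own account, the root certificate is trusted only in your user store and still has to be made trusted for the service account.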

TIP: By default, the VI_MailApproval_ProcessInBox script uses AutoDiscover to find the Exchange Web Service URL through the given mailbox. This assumes that the AutoDiscover service is running.

If this is not possible, enter the URL in the QER | ITShop | MailApproval | ExchangeURI configuration parameter.

Approval decision mails are processed with the VI_MailApproval_ProcessMail script. The script finds the relevant approval, sets the Approved option if approval is granted, and stores the reason for the approval decision with the request procedures. The approver is found through the sender address. Then the approval decision mail is removed from the mailbox depending on the selected cleanup method.

NOTE: If you use a custom mail template for the approval decision mail, check the script and modify it as required. Take into account that this script is also used for attestations by email.

Allowing approval decisions using the Starling 2FA app

To provide approvers who are temporarily unable to access One Identity Manager tools with the option of making approval decisions on requests, you can set up approval by Starling 2FA app. In this case, approvers are prompted by the Starling 2FA app to grant or deny approval of a request. The Starling 2FA app can also be used for approvals that do not require multi-factor authentication, such as for requesting service items where the Approval by multi-factor authentication option is not set.

Prerequisites
  • Multi-factor authentication with Starling Cloud is configured.

  • Approvers are registered with Starling Two-Factor Authentication.

For detailed information, see the One Identity Manager Authorization and Authentication Guide.

To use the Starling 2FA app for approval decisions

  • In the Designer, set the QER | Person | Starling | UseApprovalAnywhere configuration parameter.

The approver must make the approval decision within 5 minutes. If this time is exceeded, the Web Portal must be used to approve the request.

To change the timeout

  • In the Designer, set the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter and adjust the value. Enter a timeout in seconds.


Requests with limited validity period for changed role memberships

If an employee changes their primary department (business role, cost center, or location), they lose all company resources and system entitlements inherited through it. However, it may be necessary for the employee to retain these company resources and system entitlements for a certain period. Use temporary requests to retain the state of the employee's current memberships. Inherited assignments are not removed until after the validity period for this request has expired. The employee can renew the request within the validity period.

Prerequisites

  • Employee main data is modified by import.

  • The import sets the session variable FullSync=TRUE.

To configure automatic requests for removal of role memberships

  1. In the Designer, set the QER | ITShop | ChallengeRoleRemoval configuration parameter.

  2. In the Designer, set the QER | ITShop | ChallengeRoleRemoval | DayOfValidity configuration parameter and enter a validity period for the request.

  3. In the Designer, set the configuration parameters under QER | ITShop | ChallengeRoleRemoval for roles whose primary memberships need to remain intact when modified.

  4. Commit the changes to the database.

NOTE: The configuration parameters are set by default. The validity period is set to seven days.

If employee main data is modified by importing, One Identity Manager checks if a primary role (for example Person.UID_Department) was modified or deleted on saving. If this is the case, VI_CreateRequestForLostRoleMembership is run. The script creates a temporary assignment request for this role, which is granted approval automatically. Thus, the employee remains a member of the role and retains their company resources and system entitlements. The request is automatically canceled when the validity period expires.

The request can be renewed during the validity period. The request renewal must be approved by the role manager. The request becomes permanent if approval is granted. Role membership stays the same until the assignment is canceled.

TIP: The QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration parameter specifies which product nodes to use for a limited validity period request of modified role memberships. The Challenge loss of role membership product is available by default in the Identity & Access Lifecycle | Identity Lifecycle shelf. You can also add this product to your own IT Shop solution.

To use the "Challenge loss of role membership" product in your own IT Shop

  1. Assign the Challenge loss of role membership assignment resource to one of your own shelves.

  2. In the Designer, edit the value of the QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration parameter.

    • Enter the full name or the UID of the new product node.


Requests from permanently inactive employees

By default, permanently deactivated employees remain members in all the customer nodes. This ensures that all pending requests and resulting assignments are retained. One Identity Manager can be configured such that employees are automatically removed from all customer nodes once they are permanently deactivated. This means that all pending requests are canceled and remaining assignments are removed.

To remove employees from all customer nodes if they are permanently deactivated

  • In the Designer, set the QER | ITShop | AutoCloseInactivePerson configuration parameter.
