Use the following approval procedure if you want to determine the manager of the request recipient to be approver.
Table 34: Approval procedures for determining approvers for request recipients
|
The request recipient is assigned a manager. |
|
CM |
Request recipient's manager |
|
The request recipient is assigned to a department.
The department is assigned a manager or a deputy manager. |
|
DM |
Manager and deputy manager of the request recipient's department. |
|
The request recipient is assigned a cost center.
The cost center is assigned a manager or a deputy manager. |
|
PM |
Manager and deputy manager of the request recipient's cost center. |
If members of a specific role are to be determined as approvers, use the OR or OM approval procedure. In the approval step, also specify the role to be used to find the approver. The approval procedures determine the following approvers. If a deputy IT Shop has been entered in the main data of these employees, they are also authorized as approver.
Table 35: Approval procedures for determining approvers for a specific role
|
OM |
|
Departments (Department)
Cost centers (ProfitCenter)
Locations (Locality)
Business roles (Org) |
Manager and deputy manager of the hierarchical role specified in the approval step. |
|
OR |
|
Departments (Department)
Cost centers (ProfitCenter)
Locations (Locality)
Business roles (Org)
Application roles (AERole) |
All secondary members of the hierarchical role specified in the approval step. |
If the owner of the requested product is to be determined as an approver, use the following approval procedures:
OA - product owner
Assign an application role to the product’s service item in the Product owner input field to make it possible to find owners of a product as approvers. In this case, all the employees assigned to the application role through secondary assignment are recognized as approvers.
OT - Attestor of assigned service item
Assign an application role to the product’s service item in the Attestor field to make it possible to identify the attestors of the requested product as approvers. In this case, all the employees assigned to the application role through secondary assignment are recognized as approvers.
PA - Additional owner of the Active Directory group
|
Installed modules: |
Active Roles Module |
If an Active Directory group is requested, the approvers can be found through the additional owner of this Active Directory group. All employees are found that are:
NOTE: Only use this approval procedure if the TargetSystem | ADS | ARS_SSM configuration parameter is set.
The column Additional owners is only available in this case.
KA - Product owner and additional owner of the Active Directory Group
|
Installed modules: |
Active Roles Module |
If an Active Directory group is requested, the approvers are found through the product owner of this Active Directory group. If the groups were added automatically to the IT Shop, the account managers are identified as product owners. For more information about these functions, see the One Identity Manager Administration Guide for One Identity Active Roles Integration.
NOTE: If the TargetSystem | ADS | ARS_SSM configuration parameter is set, additional owners of the Active Directory group are also determined.
The column Additional owners is only available in this case.
PG - owners of the requested privileged access request
|
Installed modules: |
Privileged Account Governance Module |
If an access request is made for a privileged object within a Privileged Account Management system, such as PAM assets, PAM asset accounts and PAM directory accounts, then the owner of the privileged objects is determined as the approver in the approval process for these. The owners of the privileged objects must have the Privileged Account Governance | Asset and account owners application role or a child application role.
To make an access request, additional system prerequisites must be met by the Privileged Account Management system. For more information about PAM access requests, see the One Identity Manager Administration Guide for Privileged Account Governance.
TO - target system manager of the requested system entitlement
|
Installed modules: |
Target System Base Module
Other target system modules |
If a system entitlement is requested, the target system managers can be found as approvers using this approval procedure. Assign the synchronization base object of the target system to the target system manager (for example Active Directory domain, SAP client, target system type in the Unified Namespace). This finds, as approvers, all employees assigned to the application role assigned here and all members of the parent application roles.
This finds all target system managers of the system entitlement that are stored as the final product with the request (PersonWantsOrg.UID_ITShopOrgFinal column).
Use the following approval procedure if you want to establish the approver of a hierarchical role to be approver.
Table 36: Approval procedures to determine approvers through an approval role
|
RD |
The request recipient is assigned a primary department. The department is assigned an application role in the Role approver menu.
All secondarily assigned employees of this application role are determined to be approvers. |
|
RL |
The request recipient is assigned a primary location. The location is assigned an application role in the Role approver menu.
All secondarily assigned employees of this application role are determined to be approvers. |
|
RO |
Installed modules: Business Roles Module
The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver menu.
All secondarily assigned employees of this application role are determined to be approvers. |
|
RP |
The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver menu.
All secondarily assigned employees of this application role are determined to be approvers. |
Figure 6: Determining approvers through a department's role approver
|
ID |
The request recipient is assigned a primary department. The department is assigned an application role in the Role approver (IT) menu.
All secondarily assigned employees of this application role are determined to be approvers. |
|
IL |
The request recipient is assigned a primary location. The location is assigned an application role in the Role approver (IT) menu.
All secondarily assigned employees of this application role are determined to be approvers. |
|
IO |
Installed modules: Business Roles Module
The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver (IT) menu.
All secondarily assigned employees of this application role are determined to be approvers. |
|
IP |
The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver (IT) menu.
All secondarily assigned employees of this application role are determined to be approvers. |
Determining the approver using the example of an approval role for the request's recipient primary department (approval procedure RD):
-
Determine the requester’s primary department (UID_Department).
-
The application role (UID_AERole) is determined through the department’s role approver (UID_RulerContainer).
-
Determine the secondary employees assigned to this application role. These can issue approval.
-
If there is no approval role given for the primary department or the approval role does not have any members, the approval role is determined for the parent department.
-
The request cannot be approved if no approval role with members is found by drilling up to the top department.
NOTE: When approvers are found using the approval procedures RO or IO, and inheritance for business roles is defined from the bottom up, note the following:
If no role approver is given for the primary business role, the role approver is determined from the child business role.
