Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager 9.0 LTS - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Displaying the approval sequence

For pending requests, see the current status of the approval process. The approval sequence is shown as soon as the DBQueue Processor has determined the approvers for the first approval step. In the approval workflow, you can view the approval sequence, the results of each approval step, and the approvers found. If the approval procedure could not find an approver, the request is canceled by the system.

To display the approval sequence of a pending request

  1. In the Manager, select the IT Shop > Requests > Pending requests > <filter> category.

  2. Select a request procedure in the result list.

  3. Select the Approval sequence task.

Each approval level of an approval workflow is represented by a special control. The approvers responsible for a particular approval step are shown in a tooltip. Pending attestation questions are also shown in tooltips. These elements are shown in color, the color code reflecting the current status of the approval level.

Table 52: Meaning of the colors in an approval sequence (in order of decreasing importance)

Color

Meaning

Blue

This approval level is currently being processed.

Green

This approval level has been granted approval.

Red

This approval level has been denied approval.

Yellow

This approval level has been deferred due to a question.

Gray

This approval level has not (yet) been reached.

Displaying the approval history

The approval history displays each step of the request process. Here you can follow all the approvals in the approval process in a chronological sequence. The approval history is displayed for both pending and closed requests.

To view the approval history for a request

  1. In the Manager, select the IT Shop | Requests | <filter> category.

  2. Select a request procedure in the result list.

  3. Select the Approval history task.

These elements are shown in color, the color code reflecting the status of the approval steps.

Table 53: Meaning of colors in the approval history

Color

Meaning

Yellow

Request triggered.

Green

Approver has granted approval.

Red

Approver has denied approval.

Request has been escalated.

Approver has recalled the approval decision.

Gray

Product has been canceled.

Request has been canceled.

Request has been assigned to an additional approver.

Additional attestor has withdrawn approval decision.

Approval has been delegated

New attestor has withdrawn the delegation.

Request has been transferred to another shop.

Request recipient has been changed.

Request has been converted into a direct assignment.

Purple

Request renewed.

Orange

Approver has a query.

The query has been answered.

Query was canceled due to change of approver.

Blue

Approver has rerouted approval.

The approval step was reset automatically.

Requesting products more than once

The IT Shop distinguishes between single or multiple requestable products. Single request products are, for example, software, system roles, or Active Directory groups. These products cannot be requested if they have already been be requested for the same time period.

Furthermore, an employee may need several of one type of company resources, for example, consumables. You can find company resources such as these mapped in One Identity Manager as Multi-request resource or Multi requestable/unsubscribable resources.

Request sequence of multi-request resources
  1. A customer requests a multi-request resource in the Web Portal.

  2. The request goes through the appropriate approval process and is approved.

    The request is only saved in the PersonWantsOrg table. No entry is created in the PersonInITShopOrg table.

  3. The resource can be canceled immediately. The request contains the Unsubscribed status (PersonWantsOrg.OrderState = 'Unsubscribed').

    The resource cannot be canceled by the customer.

Request sequence of multi requestable/unsubscribable resources
  1. A customer requests a multi requestable/unsubscribable resource in the Web Portal.

  2. The request goes through the appropriate approval process and is approved.

    The request is only saved in the PersonWantsOrg table. No entry is created in the PersonInITShopOrg table.

  3. The request contains the Assigned status (PersonWantsOrg.OrderState = 'Assigned').

    The resource can be unsubscribed by means of the Web Portal.

TIP: A customer-specific implementation of a process with the PersonWantsOrg root object for the OrderGranted result can be made in order to start a specified action when a multi-request resource is approved. For more information about defining processes, see One Identity Manager Configuration Guide.
Related topics

Requests with limited validity period

Customers keep their requested products on the shelf until they themselves unsubscribe from them. Sometimes, however, products are only required for a certain length of time and can be canceled automatically after this time. Products that are intended to have a limited shelf life need to be labeled with the validity period. For more information, see Products for requests with time restrictions.

When a product with a limited request period is requested, One Identity Manager calculates the date and time at which the product is automatically unsubscribed (Valid until/expiry date of the request) from the current date and validity period specified in the service item. This deadline can be adjusted when the request is made.

As soon as a request is approved by all approvers, the expiration date is recalculated from the actual date and the validity period. This ensures that the validity period is valid from the day of assignment.

A Valid from date can also be entered at the time of request. This specifies the date that an assignment starts to apply. If this date is given, the expiry date is calculated from the Valid from date and the validity period. If the validity period has already expired when approval is granted, the request can no longer be approved. The request is canceled and an error message is displayed.

Cancellations can include a validity period, which means a deadline for the cancellation is set for unlimited requests. Use this method to change the expiry date for requests with a validity period. Once the cancellation has been granted approval, the cancellation's validity period is taken as the new expiry date of the request. The request cannot be extended beyond the validity period.

Multiple requests for a product with limited validity period

If a customer has requested a product with a limited validity period, the validity period must be tested for validity in subsequent requests for this product for the same customer. If the validity period is not in effect, the request is not permitted. By default, new requests are permitted if they fall in a time period that is not covered by another pending request. However, the validity periods of different requests may not overlap. You can define the desired behavior for the validity period over configuration parameters. For more information, see Checking request validity periods.

Related topics
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation