Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager On Demand - Starling Edition Hosted - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Adaptive cards approval

To allow approvers who temporarily do not have access to the One Identity Manager tools to approve requests, you can send adaptive cards. Adaptive cards contain all the information about the product required for approving a request. These include:

  • Current and next approver

  • Approval history

  • Rule violations by the request

  • Option to select a default reason or enter a reason as free text

  • Option to adjust the request's validity period

  • Link to the request in the Web Portal

One Identity Starling Cloud Assistant uses a specified channel to post the adaptive cards to the approver, waits for a response, and send this to One Identity Manager. Currently Slack and Microsoft Teams can be used to post adaptive cards. In Starling Cloud Assistant, channels are configured and can be allocated to each recipient separately.

NOTE: In previous versions of One Identity Manager, the Starling 2FA app was available for approving requests. Starling Two-Factor Authentication and the Starling 2FA app are no longer supported. Instead, use the new functionality of adaptive cards with Starling Cloud Assistant to approve requests.

Prerequisites
Detailed information about this topic

Using adaptive cards for approvals

Approvers must be registered as recipients in Starling Cloud Assistant to be able to make approval decisions about requests. Each recipient must be allocated to a channel that will be used to post the adaptive card. One Identity Manager provides adaptive cards for requesting approval of IT Shop requests in German and English. These can be customized if necessary.

By default, an approval decision must be made within 1 day. If this deadline is exceeded, the Web Portal must be used to approve the request. You can configure the deadline.

To use adaptive cards for approvals

  1. In the Designer, set the QER | Person | Starling | UseApprovalAnywhere configuration parameter.

  2. Ensure that a default email address is stored in One Identity Manager for each identity that will use adaptive cards. This address must correspond to the email address that the identity uses to log in to Microsoft Teams or Slack.

    For detailed information about the default email address, see the One Identity Manager Identity Management Base Module Administration Guide.

  3. Ensure that a language can be identified for each identity that will use adaptive cards. This allows approvers to obtain adaptive cards in their own language.

    For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  4. Any service items that will be requested by sending adaptive cards must not have the Approval by multi-factor authentication option enabled.

    Adaptive cards are only sent if there is no multi-factor authorization is use for approving the request.

  5. Register all the identities, who are going to use adaptive cards for approving, as recipients in Starling Cloud Assistant and assign them to the channel to use.

  6. Install the Starling Cloud Assistant app that matches the channel.

    Every registered identity must install this app.

    For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

  7. (Optional) Change the timeout for adaptive cards.

    • In the Designer, set the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter and adjust the value. Enter a timeout in seconds.

  8. (Optional) Provide a country-specific template for adaptive cards or make adjust the adaptive cards settings.

    If a language cannot be identified or there is no suitable template for the language found, en-US is used as fallback.

Detailed information about this topic

Adding and deleting recipients and channels

Approvers can be registered in Starling Cloud Assistant as recipients through an IT Shop request and allocated to a channel. By default, the requests are approved immediately by self-service. Then the recipients are registered and the requested channel is assigned to them. Once the approver has installed the Starling Cloud Assistant app, they can use adaptive cards to attest.

To add a recipient in Starling Cloud Assistant

  • In the Web Portal, request the New Starling Cloud Assistant recipient product.

To allocate Microsoft Teams as a channel in Starling Cloud Assistant

  1. In the Web Portal, request the Teams channel for Starling Cloud Assistant recipient product.

  2. Install the Starling Cloud Assistant app for Microsoft Teams.

    For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

To allocate Slack as a channel in Starling Cloud Assistant

  1. In the Web Portal, request the Slack channel for Starling Cloud Assistant recipient product.

  2. Install the Starling Cloud Assistant app for Slack.

    For more information, see the One Identity Starling Cloud Assistant User Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

To delete a recipient in Starling Cloud Assistant

  • Cancel the New Starling Cloud Assistant recipient product.

To remove a channel

  • Cancel the respective product.

For more information about requesting and unsubscribing products, see the One Identity Manager Web Portal User Guide.

Related topics

Creating, editing, and deleting adaptive cards for requests

One Identity Manager provides adaptive cards for requesting approval of IT Shop requests in German and English. These can be displayed in the Manager. You can create your own templates for adaptive cards, for example to make changes to the content or to provide adaptive cards in other languages. The recipient's language preferences are taken into account when an adaptive card is generated. If a language cannot be identified or there is no suitable template for the language found, en-US is used as fallback.

To use your own adaptive cards for approving requests, configure the QER_PWOHelperPWO approve anywhere process accordingly.

To display an adaptive card

  1. In the Manager, select the IT Shop > Basic configuration data > Adaptive cards category.

  2. Select the adaptive card in the result list.

  3. Select the Change main data task.

  4. In the Adaptive card templates menu, select a template.

    This displays the adaptive card's definition in the Template field.

    • To display the entire JSON code, click .

To create an adaptive card.

  1. In the Manager, select the IT Shop > Basic configuration data > Adaptive cards category.

  2. Click in the result list.

  3. Edit the adaptive card's main data.

  4. Create a new template for adaptive cards.

  5. Save the changes.
  6. Create additional language-specific templates for this adaptive card as required and save the changes.

To use your customized adaptive card

  1. In the Designer, edit the QER_PWOHelperPWO approve anywhere process.

    1. Select the Send Adaptive Card to Starling Cloud Assistant process step.

    2. Edit the value of the ParameterValue2 parameter and replace the name and UID with the values of your customized adaptive card.

  2. Save the changes.

To delete an adaptive card.

  1. In the Manager, select the IT Shop > Basic configuration data > Adaptive cards category.

  2. Select the adaptive card in the result list.

  3. Click in the result list.

    This deletes the adaptive card and all the templates belonging to it.

Related topics
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation