Functional areas
To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to hierarchical roles and service items. You can enter criteria that provide information about risks from rule violations for functional areas and hierarchical roles. To do this, you specify how many rule violations are permitted in a functional area or a role. You can enter separate assessment criteria for each role, such as a risk index or transparency index.
Example for using functional areas are:
To assess the risk of rule violations for service items. Proceed as follows:
-
Set up functional areas.
-
Assign service items to the functional areas.
-
Specify the number of rule violations allowed for the functional area.
-
Assign compliance rules required for the analysis to the functional area.
-
Use the One Identity Manager report function to create a report that prepares the result of rule checking for the functional area by any criteria.
To edit functional areas
- In the Manager, select the IT Shop | Basic configuration data | Functional areas category.
-
In the result list, select a function area and run the Change master data task.
- OR -
Click 
in the result list.
-
Edit the function area master data.
- Save the changes.
Enter the following data for a functional area.
Table 67: Functional area properties
|
Functional area |
Description of the functional area |
|
Parent Functional area |
Parent functional area in a hierarchy.
Select a parent functional area from the list in order to organize your functional areas hierarchically. |
|
Max. number of rule violations |
List of rule violation valid for this functional area. This value can be evaluated during the rule check.
NOTE:This input field is available if theCompliance Rules Module exists. |
|
Description |
Text field for additional explanation. |
Chief approval team
Sometimes, approval decisions cannot be made for requests because the approver is not available or does not have access to One Identity Manager tools. To complete these requests, you can define a chief approval team whose members are authorized to intervene in the approval process at any time.
There is a default application role in One Identity Manager for the chief approval team. Assign this application role to all employees who are authorized to approve, deny, abort requests in special cases, or to authorize other approvers. For detailed information about application roles, see the One Identity Manager Authorization and Authentication Guide.
Table 68: Default application role for chief approval team
|
Chief approval team |
Chief approvers must be assigned to the Request & Fulfillment | IT Shop | Chief approval team application role.
Users with this application role:
- Approve through requests.
- Assign requests to other approvers.
|
To add members to the chief approval team
-
In the Manager, select the IT Shop | Basic configuration data | Chief approval team category.
-
Select the Assign employees task.
In Add assignments, assign the employees who are authorized to approve all requests.
TIP: In Remove assignments, you can remove the assignment of employees.
To remove an assignment
- Save the changes.
Detailed information about this topic
Product owners
Employees who are approvers in approval processes for requesting service items can be assigned to these service items. To do this, assign a service item or a service category to an application for Product owners. Assign this application role to employees who are authorized to approve requests in the IT Shop and to edit service item or service category data.
A default application role for product owners is available in One Identity Manager. You may create other application roles as required.
Table 69: Default application roles for product owners
|
Product owners |
Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.
Users with this application role:
- Approve through requests.
- Edit service items and service categories under their management.
|
To add employees to the default application role for product owners
-
In the Manager, select the IT Shop | Basic configuration data | Product owners category.
-
Select the Assign employees task.
In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove employee assignments.
To remove an assignment
- Select the employee and double-click
.
- Save the changes.
To add another application role for product owners
-
In the Manager, select the IT Shop | Basic configuration data | Product owners category.
-
Click in the result list.
-
Enter the application role's name and assign the Request & Fulfillment | IT Shop | Product owners application role or a child application role.
- Save the changes.
-
Assign employees to the application role.
For more detailed information about editing application roles, see the One Identity Manager Authorization and Authentication Guide.
Related topics
Attestors
| Installed modules: |
Attestation Module |
In One Identity Manager, you can assign employees, who are brought in as attestors to attest these objects, to IT Shop structures (shelves, shops, shopping centers, service categories, and shelf templates). To do this, assign the IT Shop structures to application roles for attestors. Assign these application roles to employees who are authorized to attest these objects. For detailed information about attestation, see the One Identity Manager Attestation Administration Guide.
A default application role for attestors is available in One Identity Manager. You may create other application roles as required. For detailed information about application roles, see the One Identity Manager Authorization and Authentication Guide.
Table 70: Default application roles for attestors
|
Attestors for IT Shop |
Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.
Users with this application role:
- Attest correct assignment of company resource to IT Shop structures for which they are responsible.
- Can view master data for these IT Shop structures but not edit them.
NOTE: This application role is available if the module Attestation Module is installed. |
To add employees to default application roles for attestors
-
In the Manager, select the IT Shop | Basic configuration data | Attestors category.
-
Select the Assign employees task.
In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove employee assignments.
To remove an assignment
- Select the employee and double-click .
- Save the changes.
To add another application role for attestors
-
In the Manager, select the IT Shop | Basic configuration data | Attestors category.
-
Click in the result list.
-
Enter the application role's name and assign the Request & Fulfillment | IT Shop | Attestors application role or a child application role.
- Save the changes.
-
Assign employees to the application role.
Related topics
