Chatta subito con l'assistenza
Chat con il supporto

Identity Manager 9.2.1 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Using specific roles to find approvers

If members of a specific role are to be determined as approvers, use the OR or OM approval procedure. In the approval step, also specify the role to be used to find the approver. The approval procedures determine the following approvers. If a deputy IT Shop has been entered in the main data of these identities, they are also authorized as approver.

Table 33: Approval procedures for determining approvers for a specific role

Selectable roles

Approver

OM

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Manager and deputy manager of the hierarchical role specified in the approval step.

OR

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Application roles (AERole)

All secondary members of the hierarchical role specified in the approval step.

Using requested products to find approvers

If the owner of the requested product is to be determined as an approver, use the following approval procedures:

ClosedOA - product owner
ClosedOT - Attestor of assigned service item
ClosedPA - Additional owner of the Active Directory group
ClosedKA - Product owner and additional owner of the Active Directory Group
ClosedPG - owners of the requested privileged access request
ClosedTO - target system manager of the requested system entitlement
ClosedBA - Owner of the application
ClosedBE - Approver of application entitlement

Using products requested by request parameter to find approvers

If a product is given as a request parameter in the request and the owners of the product are going to be determined as approvers, use the OX approval procedure.

The approval procedure determines the owner (application role) of an object specified in a request parameter to be the approver. The application role is assigned to the object through a foreign key column. The name of the request parameter is given on the approval step and the name of the table column that references the application role. The approval procedure can be used for all products that are assigned a request property that uses this request parameter.

To use the OX approval procedure

  1. Create a multi requestable/unsubscribable resource for use in the IT Shop.

  2. Create a service item for this resource and assign a request property to it.

  3. Define the request parameters for this request property. At least one parameter must have the following settings:

    • Parameter name: Name of the parameter

    • Data source: Table

    • Table column (value query): Object key (XObjectKey) of the table containing the requested objects.

  4. Create an approval workflow with an approval step that uses the OX approval procedure.

    • Parameter name: Parameter name of the previously defined request parameter.

    • Column name: Name of the column that refers to the application role from the table selected in the request parameter.

  5. Create an approval policy and assign it to the approval workflow.

  6. Assign this approval policy to the service item.

Example: Requesting Azure Active Directory role eligibilities

Managers can request Azure Active Directory role eligibilities for their employees. When making a request, the specific Azure Active Directory role is given as request parameter. Members of the application role assigned to this role as owners are determined as approvers.

One Identity Manager provides the following objects for such requests as default:

  • A multi requestable/unsubscribable resource: Azure Active Directory role eligibility

  • A service item for this resource to which the Azure Active Directory role eligibility request property is assigned

  • The AADRole request parameter (Azure Active Directory role) with the AADRole - XObjectKey column.

  • The Approval of Azure Active Directory role eligibility requests approval policy

  • The Approval of Azure Active Directory role eligibilities approval workflow with the Owner of Azure Active Directory role approval step

  • Approval step properties

    • Approval procedure: OX

    • Parameter name: AADRole

    • Column name: UID_AERoleOwner

The OX approval procedure determines all members of the application role entered in the UID_AERoleOwner column for the Azure Active Directory role given in the request.

Related topics

Using approval roles to find approvers

Use the following approval procedure if you want to establish the approver of a hierarchical role to be approver.

Table 34: Approval procedures to determine approvers through an approval role

Approval procedure

Approver

RD

The request recipient is assigned a primary department. The department is assigned an application role in the Role approver menu.

All secondarily assigned identities of this application role are determined to be approvers.

RL

The request recipient is assigned a primary location. The location is assigned an application role in the Role approver menu.

All secondarily assigned identities of this application role are determined to be approvers.

RO

Installed modules: Business Roles Module

The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver menu.

All secondarily assigned identities of this application role are determined to be approvers.

RP

The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver menu.

All secondarily assigned identities of this application role are determined to be approvers.

Figure 6: Determining approvers through a department's role approver

Approval procedure

Approver

ID

The request recipient is assigned a primary department. The department is assigned an application role in the Role approver (IT) menu.

All secondarily assigned identities of this application role are determined to be approvers.

IL

The request recipient is assigned a primary location. The location is assigned an application role in the Role approver (IT) menu.

All secondarily assigned identities of this application role are determined to be approvers.

IO

Installed modules: Business Roles Module

The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver (IT) menu.

All secondarily assigned identities of this application role are determined to be approvers.

IP

The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver (IT) menu.

All secondarily assigned identities of this application role are determined to be approvers.

Determining the approver using the example of an approval role for the request's recipient primary department (approval procedure RD):

  1. Determine the requester’s primary department (UID_Department).

  2. The application role (UID_AERole) is determined through the department’s role approver (UID_RulerContainer).

  3. Determine the secondary identities assigned to this application role. These can issue approval.

  4. If there is no approval role given for the primary department or the approval role does not have any members, the approval role is determined for the parent department.

  5. The request cannot be approved if no approval role with members is found by drilling up to the top department.

NOTE: When approvers are found using the approval procedures RO or IO, and inheritance for business roles is defined from the bottom up, note the following:

If no role approver is given for the primary business role, the role approver is determined from the child business role.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione