Chatta subito con l'assistenza
Chat con il supporto

Identity Manager On Demand - Starling Edition Hosted - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Using request recipients to find approvers

Use the following approval procedure if you want to determine the manager of the request recipient to be approver.

Table 33: Approval procedures for determining approvers for request recipients

Approval procedure

Approver

The request recipient is assigned a manager.

CM

Request recipient's manager

The request recipient is assigned to a department.

The department is assigned a manager or a deputy manager.

DM

Manager and deputy manager of the request recipient's department.

The request recipient is assigned a cost center.

The cost center is assigned a manager or a deputy manager.

PM

Manager and deputy manager of the request recipient's cost center.

Using specific roles to find approvers

If members of a specific role are to be determined as approvers, use the OR or OM approval procedure. In the approval step, also specify the role to be used to find the approver. The approval procedures determine the following approvers. If a deputy IT Shop has been entered in the main data of these identities, they are also authorized as approver.

Table 34: Approval procedures for determining approvers for a specific role

Selectable roles

Approver

OM

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Manager and deputy manager of the hierarchical role specified in the approval step.

OR

Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Application roles (AERole)

All secondary members of the hierarchical role specified in the approval step.

Using requested products to find approvers

If the owner of the requested product is to be determined as an approver, use the following approval procedures:

ClosedOA - product owner
ClosedOT - Attestor of assigned service item
ClosedPA - Additional owner of the Active Directory group
ClosedKA - Product owner and additional owner of the Active Directory Group
ClosedPG - owners of the requested privileged access request
ClosedTO - target system manager of the requested system entitlement
ClosedBA - Owner of the application
ClosedBE - Approver of application entitlement

Using approval roles to find approvers

Use the following approval procedure if you want to establish the approver of a hierarchical role to be approver.

Table 35: Approval procedures to determine approvers through an approval role

Approval procedure

Approver

RD

The request recipient is assigned a primary department. The department is assigned an application role in the Role approver menu.

All secondarily assigned identities of this application role are determined to be approvers.

RL

The request recipient is assigned a primary location. The location is assigned an application role in the Role approver menu.

All secondarily assigned identities of this application role are determined to be approvers.

RO

Installed modules: Business Roles Module

The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver menu.

All secondarily assigned identities of this application role are determined to be approvers.

RP

The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver menu.

All secondarily assigned identities of this application role are determined to be approvers.

Figure 6: Determining approvers through a department's role approver

Approval procedure

Approver

ID

The request recipient is assigned a primary department. The department is assigned an application role in the Role approver (IT) menu.

All secondarily assigned identities of this application role are determined to be approvers.

IL

The request recipient is assigned a primary location. The location is assigned an application role in the Role approver (IT) menu.

All secondarily assigned identities of this application role are determined to be approvers.

IO

Installed modules: Business Roles Module

The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver (IT) menu.

All secondarily assigned identities of this application role are determined to be approvers.

IP

The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver (IT) menu.

All secondarily assigned identities of this application role are determined to be approvers.

Determining the approver using the example of an approval role for the request's recipient primary department (approval procedure RD):

  1. Determine the requester’s primary department (UID_Department).

  2. The application role (UID_AERole) is determined through the department’s role approver (UID_RulerContainer).

  3. Determine the secondary identities assigned to this application role. These can issue approval.

  4. If there is no approval role given for the primary department or the approval role does not have any members, the approval role is determined for the parent department.

  5. The request cannot be approved if no approval role with members is found by drilling up to the top department.

NOTE: When approvers are found using the approval procedures RO or IO, and inheritance for business roles is defined from the bottom up, note the following:

If no role approver is given for the primary business role, the role approver is determined from the child business role.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione