サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.3 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results Example of defining request properties

Requesting memberships in business roles

NOTE: This function is only available if the Business Roles Module is installed.

You have the option to limit assignment requests to single business roles. To do this, an assignment resource is created for a fixed requestable business role. The business role is automatically part of the request in an assignment resource request. If the request has been approved, the requester becomes a member of the application role.

Each requestable business role of this kind can have its own approval process defined. The service items connected with the assignment resources are assigned separate approval policies in order to do this.

To limit assignment requests to single business roles

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the business role in the result list.

  3. Select the Create assignment resource task.

    This starts a wizard that takes you through the steps for adding an assignment resource.

    1. Enter a description and allocate a resource type.

      This creates a new assignment resource with the following custom properties:

      • Table: Org

      • Object: Full name of business role

    2. Enter the service item properties to allocate to the assignment resource.

      • Assign a service category so that the assignment resource in the Web Portal can be ordered using the service category.

      A new service item is created and linked to the assignment resource.

  4. Assign the assignment resource to an IT Shop shelf as a product.

  5. Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item main data can be processed later on if required.

The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the identity for whom it was requested becomes a member of the associated business role through internal inheritance processes. For more information about requesting assignment resources, see the One Identity Manager Web Portal User Guide.

The assignment resource cannot be used to request the assignment of company resources to this business role. Instead, use the Role entitlement assignment default assignment resource.

Related topics

Requesting memberships in application roles

You have the option to limit assignment requests to single business roles. To do this, an assignment resource is created for a fixed requestable application role. The application role then automatically becomes part of the assignment resource request. If the request is approved, the requester becomes a member of the application role.

Each requestable application role of this kind can have its own approval process defined. The service items connected with the assignment resources are assigned separate approval policies in order to do this.

To limit assignment requests to single application roles

  1. In the Manager, select an application role in the One Identity Manager Administration category.

  2. Select the Create assignment resource task.

    This starts a wizard that takes you through the steps for adding an assignment resource.

    1. Enter a description and allocate a resource type.

      This creates a new assignment resource with the following custom properties:

      • Table: AERole

      • Object: Full name of application role

    2. Enter the service item properties to allocate to the assignment resource.

      • Assign a service category so that the assignment resource in the Web Portal can be ordered using the service category.

      A new service item is created and linked to the assignment resource.

  3. Assign the assignment resource to an IT Shop shelf as a product.

  4. Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item main data can be processed later on if required.

The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the identity for whom it was requested becomes a member of the associated application role through internal inheritance processes. For more information about requesting assignment resources, see the One Identity Manager Web Portal User Guide.

Related topics

Customizing assignment requests

Assignment requests with standard products are automatically approved through self-service. If assignment requests are going to be approved by an approval supervisor, assign a suitable approval policy to the default assignment resource. This means that assignment requests also go through the defined approval process.

To approve assignment requests through an approver

  • Assign separate approval policies to the default assignment resources service items.

    - OR -

  • Assign any approval policy to the Identity Lifecycle shelf.

Sometimes assignment requests should be subject to various approval processes depending on the object requested. For example, the department manager approves memberships in department A, but memberships in department Z are approved by the managers of the identities. You can define assignment resources to do this. You can assign these assignment resources to any shelf in your IT Shop.

To configure customized assignment requests

  1. Create a new assignment resource.

    1. In the Manager, select the Entitlements > Assignment resources for IT Shop category.

    2. Click in the result list.

    3. Select the Change main data task.

    4. Edit the following master data:

      • Assignment resource: Name of the assignment resource.

      • Service item: Assign a new service item.

      • Table: Table used for the assignment, such as Department.

      • Object: Fixed hierarchical role to which the identities are assigned (Department A for example).

    5. Save the changes.

  2. Assign the assignment resource to an IT Shop shelf as a product.

    1. Select the Add to IT Shop task.

    2. In the Add assignments pane, assign a shelf.

    3. Save the changes.

  3. Assign an approval policy to the shelf or the assignment resource’s service item.

The VI_GetAccproductAssignmentMember script uses the object key of the requested assignment (ObjectKeyAssignment) to determine the assignment resource and service item that apply to the request. In the Designer, modify this script according to your requirements.

Detailed information about this topic
Related topics

Canceling requests

Assignments, like all other products, can be canceled through Web Portal or requested for a limited time period. These requests are automatically canceled when the validity period expires. For more information, see the One Identity Manager Web Portal User Guide.

Detailed information about this topic
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択