지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.0 LTS - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Automatic approval on timeout

Requests can be automatically granted or denied approval once a specified time period has expired.

To configure automatic approval if the timeout expires

  • Enter the following data for the approval step.

    • Timeout (minutes):

      Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

      The working hours of the respective approver are taken into account when the time is calculated.

      NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

      TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

      If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

      If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

      If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

      If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    • Timeout behavior:

      Action, which is run if the timeout expires.

      • Approved: The request is approved in this approval step. The next approval level is called.

      • Deny: The request is denied in this approval step. The approval level for denying is called.

If a request is decided automatically, the requester can be notified by email.

Related topics

Halting a request on timeout

Requests can be automatically halted once a specified time period has been exceeded. The action halts when either a single approval step or the entire approval process has exceeded the timeout.

To configure halting after the timeout of a single approval step has been exceeded

  • Enter the following data for the approval step.

    • Timeout (minutes):

      Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

      The working hours of the respective approver are taken into account when the time is calculated.

      NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

      TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

      If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

      If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

      If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

      If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    • Timeout behavior:

      Action that runs if the timeout expires.

      • Cancel: The approval step, and therefore the entire approval process for the request, is canceled.

To configure halting on timeout for the entire approval process

  • Enter the following data for the approval workflow.

    • System halt (days):

      Number of days to elapse after which the approval workflow, and therefore the system, automatically halts the entire approval process.

If a request is halted, the requester can be notified by email.

Related topics

Approval by the chief approval team

Sometimes, approval decisions cannot be made for requests because the approver is not available or does not have access to One Identity Manager tools. To complete these requests, you can define a chief approval team whose members are authorized to intervene in the approval process at any time.

The chief approval team is authorized to approve, deny, or cancel requests in special cases or to authorize other approvers.

IMPORTANT:

  • The four-eye principle can be broken like this because chief approval team members can make approval decisions for requests at any time. Specify, on a custom basis, in which special cases the chief approval team may intervene in the approval process.

  • The chief approval team members may always approval their own requests. The settings for the QER | ITShop | PersonInsertedNoDecide and QER | ITShop | PersonOrderedNoDecide configuration parameters do not apply for the chief approval team.

  • Approvals made by the chief approval team are not automatically transferred to other approval levels. Settings for the QER | ITShop | DecisionOnInsert, QER | ITShop | AutoDecision and QER | ITShop | ReuseDecision configuration parameters do not apply to the chief approval team.

  • In the approval step, you can specify how many approvers must make a decision on this approval step.

    • If an approval decision is made by the chief approval team, it overrides the approval decision of just one regular approver. This means, if three approvers must approve an approval step and the chief approval team makes a decision, two more are still required.

    • The number of approvers is not taken into account if the request is assigned to fallback approvers. The chief approval team can also approve in this case. The approval decision is considered to be made as soon as one member of the chief approval team has made an approval decision about the request.

  • If a regular approver has added an additional approver, the chief approval team can approve for both the regular and the additional approvers. If both approvals are pending, a chief approver first replaces the regular approver's approval only. Only a second approval of the chief approval team can replace the approval of the additional approver.

The chief approval team can approve requests for all manual approval steps. The following applies:

  • Chief approval team decisions are not permitted for approval steps using the CR, SB, CD, EX, and WC approval procedures or the OC and OH procedures.

  • If a member of the chief approval team is identified as a regular approver for an approval step, they can only make an approval decision for this step as a regular approver.

  • The chief approval team can also make an approval decision if a regular approver has submitted a query and the request is in hold status.

To add members to the chief approval team

  1. In the Manager, select the IT Shop > Basic configuration data > Chief approval team category.

  2. Select the Assign employees task.

    In the Add assignments pane, assign the employees who are authorized to approve all requests.

    TIP: In the Remove assignments pane, you can remove the assignment of employees.

    To remove an assignment

    • Select the employee and double-click .

  3. Save the changes.
Related topics

Approving requests with terms of use

Terms of use that explain conditions of use for a product can be stored for individual service items (for example, software license conditions). When someone requests this product, the requester, and request recipient must accept the terms of use before the request can be finalized.

In order for the request recipient to accept the terms of use, the request must be assigned to the request recipient in the approval process. Set an approval workflow for such requests that contain a BR approval step and enable the No automatic approval option for this approval step. One Identity Manager provides a default approval procedure and a Terms of Use acknowledgment for third-party orders (sample) default approval policy that you can use for this. Using the default approval workflow as a basis, create your own approval workflow that returns the request to the request recipient and determines the approver after the terms of use have been accepted. Use the BR approval procedure to do this.

To create an approval workflow for requests with terms of use

  1. In the Manager, select the IT Shop > Basic configuration data > Approval workflows > Predefined category.

  2. In the result list, select the Terms of Use acknowledgment for third-party orders (sample) approval workflow and run the Change main data task.

  3. Select the Copy workflow task.

  4. Enter a name for the copy and click OK.

  5. Edit the copy. Modify the approval workflow to suit your requirements.

  6. Create an approval policy and assign it to the approval workflow.

  7. Assign service items to the approval policy, which are assigned terms of use.

Detailed information about this topic
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택