지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager On Demand - Starling Edition Hosted - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Requests with limited validity period for changed role memberships

If an identity changes their primary department (business role, cost center, or location), they lose all company resources and system entitlements inherited through it. However, it may be necessary for the identity to retain these company resources and system entitlements for a certain period. Use temporary requests to retain the state of the identity's current memberships. Inherited assignments are not removed until after the validity period for this request has expired. The identity can renew the request within the validity period.

Prerequisites

  • Identity main data is modified by import.

  • The import sets the session variable FullSync=TRUE.

To configure automatic requests for removal of role memberships

  1. In the Designer, set the QER | ITShop | ChallengeRoleRemoval configuration parameter.

  2. In the Designer, set the QER | ITShop | ChallengeRoleRemoval | DayOfValidity configuration parameter and enter a validity period for the request.

  3. In the Designer, set the configuration parameters under QER | ITShop | ChallengeRoleRemoval for roles whose primary memberships need to remain intact when modified.

  4. Commit the changes to the database.

NOTE: The configuration parameters are set by default. The validity period is set to seven days.

If identity main data is modified by importing, One Identity Manager checks if a primary role (for example Person.UID_Department) was modified or deleted on saving. If this is the case, VI_CreateRequestForLostRoleMembership is run. The script create a temporary assignment request for this role, which is granted approval automatically. Thus, the identity remains a members of the role and retains their company resources and system entitlements. The request is automatically canceled when the validity period expires.

The request can be renewed during the validity period. The request renewal must be approved by the role manager. The request becomes permanent if approval is granted. Role membership stays the same until the assignment is canceled.

TIP: The QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration parameter specifies which product nodes to use for a limited validity period request of modified role memberships. The Challenge loss of role membership product is available by default in the Identity & Access Lifecycle | Identity Lifecycle shelf. You can also add this product to your own IT Shop solution.

To use the "Challenge loss of role membership" product in your own IT Shop

  1. Assign the Challenge loss of role membership assignment resource to one of your own shelves.

  2. In the Designer, edit the value of the QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration parameter.

    • Enter the full name or the UID of the new product node.

Related topics

Requests from permanently deactivated identities

By default, permanently deactivated identities remain members in all the customer nodes. This ensures that all pending request and resulting assignments are retained. One Identity Manager can be configured such that identities are automatically removed from all custom nodes once they are permanently deactivated. This means that all pending requests are broken off and remaining assignments are removed.

To remove identities from all customer nodes if they are permanently deactivated

  • In the Designer, set the QER | ITShop | AutoCloseInactivePerson configuration parameter.

Deleting request procedures and deputizations

To limit request procedures in the One Identity Manager database, you can remove closed request procedures from the database. The request procedure properties are logged in the approval history at the same time. The requests are subsequently deleted. Only closed requests with unexpired retention periods are kept in the database.

If the request to be deleted still contains dependent requests, the request is only deleted after the dependent requests have been deleted. Dependent requests are requests that are entered into PersonWantsOrg.UID_PersonWantsOrgParent.

The same procedure is followed for completed deputizations. The properties of the deputizations are recorded; then the deputizations are deleted from the database.

To delete request procedures and deputizations automatically

  1. In the Designer, set the QER | ITShop | DeleteClosed configuration parameter.

    1. To delete canceled requests, set the QER | ITShop | DeleteClosed | Aborted configuration parameter and set the retention period in days.

    2. To delete denied requests, set the QER | ITShop | DeleteClosed | Dismissed configuration parameter and set the retention period in days.

    3. To delete canceled requests, set the QER | ITShop | DeleteClosed | Unsubscribed configuration parameter and specify its retention period in days.

  2. In the Designer, set the Common | ProcessState | PropertyLog configuration parameter and compile the database.

    If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    The deleted deputizations, request procedures, and their approval history are logged. For more detailed information about logging data changes, see the One Identity Manager Configuration Guide.

    NOTE: Ensure that the recorded request procedures and deputizations are archived for audit reasons. For more detailed information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.

Closed requests are deleted by the DBQueue Processor once the request's retention period has expired. As the basis for calculating the retention period, the request's cancellation date is used. If this date cannot be given, the time at which the request was last changed, is used. The DBQueue Processor determines the requests to be deleted in the context of daily maintenance tasks. All request procedure properties are logged in the approval history.

Managing an IT Shop

Depending on your company structure, you can use the supplied default shop, Identity & Access Lifecycle, and extend it or set up your own IT Shop solution. Set up different IT Shop structures for your custom IT Shop solution. Specify which identities are authorized to make request in the shops.

To set up an IT Shop solution with the help of the IT Shop wizard.

  • In the Manager, select the My One Identity Manager > IT Shop wizards > Create shop category.

    The wizard includes the most important configuration stages for setting up an IT Shop. After completing the wizard, there may be other configuration steps necessary.

IT Shop structures such as shopping centers, shops, and shelves are mapped in the IT Shop > IT Shop category. An IT Shop solution is displayed hierarchically.

The following sections describe the procedure for manually setting up an IT Shop.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택