Delegations
Role assignment and responsibilities can be temporarily delegated to others. A distinction is made between single delegations and deputizing.
- Deputize: Delegate all your responsibilities for a defined area to a deputy. The following areas can be selected:
  - Approval authorization for requests
    Once an identity is determined as the approver for requests, their deputy is added as an additional approver.
  - Exception approval requests violate the rules
    Once an identity is determined as the exception approver for requests, their deputy is added as an additional exception approver.
  - Approval authorization in attestation cases
    Once an identity is determined as the attestor, their deputy is added as an additional attestor.
  - Managers of identities
    The deputy of an identity's manager can also approve managerial tasks. For example, a deputy can initiate requests for employees.
  - Manager of all roles of a role class
    The deputy of a hierarchical roles manager can also approve all managerial tasks. For example, a deputy can initiate assignment requests for a business role.
    You can delegate responsibility for the following role classes:
  Example: During their leave, user 1 delegates their responsibilities as manager of business role with the "Projects 2222" role class and approval authorization for requests to their deputy, user 2.
  - A deputy, unlike single delegation, cannot be subdelegated.
  - An identity that is connected as a main or sub-identity cannot become a delegate, nor can a deactivated identity.
- Single delegation: Delegate your responsibility for a specific role or your memberships in a specific business or application role to any given identity.
  Example: User 1 delegates their membership in the "Project 2222-A" business role to user 2.
Delegations are automatically approved after a compliance check. They can be canceled and deleted. For more information about delegating tasks, see the One Identity Manager Web Portal User Guide.
Delegations are revoked when the valid-until date is exceeded, the delegate is deleted from the customer node, or the deputy is deactivated.
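The rules above (a deputy cannot be subdelegated, linked or deactivated identities cannot be delegates, and the three revocation conditions) can be checked against an export of delegation records to find entries that should no longer exist. This is an added example, not One Identity Manager code: the record layout, field names, and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Identity:                     # hypothetical record layout
    active: bool = True             # False once the identity is deactivated
    linked: bool = False            # connected as a main or sub-identity
    in_customer_node: bool = True   # still a customer of the shop

@dataclass
class Delegation:                   # hypothetical record layout
    kind: str                       # "deputy" or "single"
    delegate: str                   # key into the identities mapping
    valid_until: date
    parent: Optional[int] = None    # index of the delegation being subdelegated

def audit(delegations, identities, today):
    """Return (index, finding) pairs for records that contradict the rules above."""
    findings = []
    for i, d in enumerate(delegations):
        who = identities.get(d.delegate)
        if who is None or not who.in_customer_node:
            findings.append((i, "delegate not in customer node"))
        else:
            if not who.active:
                findings.append((i, "delegate deactivated"))
            if who.linked:
                findings.append((i, "delegate is a main or sub-identity"))
        if today > d.valid_until:
            findings.append((i, "valid-until date exceeded"))
        if d.parent is not None and delegations[d.parent].kind == "deputy":
            findings.append((i, "deputy was subdelegated"))
    return findings

# Constructed sample data (not real records).
IDENTITIES = {
    "user2": Identity(),
    "user3": Identity(active=False),
    "user4": Identity(linked=True),
    "user5": Identity(in_customer_node=False),
}
DELEGATIONS = [
    Delegation("deputy", "user2", date(2030, 1, 31)),            # 0: valid
    Delegation("single", "user2", date(2024, 1, 31)),            # 1: expired
    Delegation("single", "user3", date(2030, 1, 31), parent=1),  # 2: subdelegated single
    Delegation("single", "user4", date(2030, 1, 31), parent=0),  # 3: subdelegated deputy
    Delegation("deputy", "user5", date(2030, 1, 31)),            # 4: delegate removed
]
```

Calling `audit(DELEGATIONS, IDENTITIES, date(2025, 6, 1))` flags records 1 through 4 and leaves record 0 alone; subdelegating the single delegation in record 2 is not itself a finding, only its deactivated delegate is.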
Standard products for delegation
One Identity Manager provides standard products for delegations.
Table 20: Standard products for delegation
Deputy (temporary) | Identity & Access Lifecycle | Identity Lifecycle | Deputize
Delegation | Identity & Access Lifecycle | Identity Lifecycle | Single delegations
In the default installation, all active One Identity Manager database identities are customers of the Identity & Access Lifecycle shop. This allows all enabled identities to delegate responsibilities.
Preparing single delegations
Single delegations temporarily assign responsibilities for a specific role or memberships in a specific business or application role to any identity. This identity may subdelegate responsibility or membership as needed.
To run single delegation in One Identity Manager
- In the Designer, set the QER | ITShop | Delegation configuration parameter.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
The following objects in the default installation can be delegated.
- Responsibilities for:
- Membership in:
  - Business roles
  - Application roles
TIP: Specify the role classes associated with business roles for which memberships can be delegated. This option is available when the Business Roles Module is installed.
To permit single delegation of a role class
- In the Manager, select the Business roles > Basic configuration data > Role classes category.
- Select the role class in the result list.
- Select the Change main data task.
- Set Delegable.
- Save the changes.
Use the Web Portal to delegate roles or responsibilities. For more information, see the One Identity Manager Web Portal User Guide and the One Identity Manager Business Roles Administration Guide.
Allowing delegation approvals
Delegations are automatically approved after a compliance check. If delegations are going to be approved by an approver, assign a suitable approval policy to the default service item. Delegations then also go through the defined approval process.
To approve deputization by an approver
- In the Manager, select the IT Shop > Service catalog > Predefined category.
- In the result list, select the Deputy (temporary) service item, then select the Change main data task.
- In the Approval policy field, select an approval policy.
- Save the changes.
To approve single delegation by an approver
- In the Manager, select the IT Shop > Service catalog > Predefined category.
- In the result list, select the Delegation service item, then select the Change main data task.
- In the Approval policy field, select an approval policy.
- Save the changes.