To delete an approval procedure
Remove all assignments to approval steps.
On the approval procedure overview form, check which approval steps are assigned to the approval procedure.
Switch to the approval workflow and assign another approval procedure to the approval step.
In the Manager, select the IT Shop > Basic configuration data > Custom defined > Approval procedures category.
Select an approval procedure from the result list.
- Confirm the security prompt with Yes.
The DBQueue Processor calculates which employee is authorized as an approver and in which approval level. Once a request is triggered, the approvers are determined for every approval step of the approval workflow to be processed. Changes to responsibilities may lead to an employee no longer being authorized as an approver for a request that is not yet finally approved. In this case, approvers must be recalculated. The following changes can trigger a recalculation for as yet unapproved requests:
Approval policy, workflow, step, or procedure changes.
An authorized approver loses their responsibility in One Identity Manager, for example, if a change is made to the department manager, product owner, or target system manager.
An employee obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example as the manager of the request recipient.
An employee authorized as an approver is deactivated.
Once an employee's responsibilities have changed in One Identity Manager, an approver recalculation task is queued in the DBQueue. By default, all approval steps of the pending approval processes are recalculated at the same time. Approval steps that have already been approved remain approved, even if their approver has changed. Recalculating approvers may take a long time depending on the configuration of the system environment and the amount of data to be processed. To optimize this processing time, you can specify the approval steps for which the approvers are to be recalculated.
To configure recalculation of approvers
Detailed information about this topic
Everyone with IT system authorization in a company represents a security risk for that company. For example, a person with permission to edit financial data in SAP carries a higher risk than an employee with permission to edit their own personal data. To quantify the risk, you can enter a risk value for every company resource in One Identity Manager. A risk index is calculated from this value for every person who is assigned this company resource, directly, or indirectly. Company resources include target system entitlements (for example, Active Directory groups or SAP profiles), system roles, subscribable reports, software, and resources. In this way, all the people that represent a particular risk to the company can be found.
Every time a company resource with a specified risk index is assigned, the employee's risk index may exceed a permitted level. You can check the risk index of company resources if they are requested through the IT Shop. If the risk index is higher than the specified value, the request is denied.
To set up risk assessment for requests
The approval step is granted approval by One Identity Manager if the risk index of the requested company resource is lower than the comparison value. If the risk index is higher or equal to the comparison value, the approval step is not granted approval.
Risk assessment of requests works for both direct company resource request and assignment requests. Only risk indexes with inputted values are examined for the approval decision; calculated risk indexes are not taken into account. Therefore, risk assessment of requests only works if the product's original table or one of the member tables of a requested assignment has a RiskIndex column. If the table only has the RiskIndexCalculated column, the request is automatically approved. If both member tables of an assignment request have a RiskIndex column, the highest of the two risk indexes is used as the basis for the approval.
If the company resource request or an assignment has been granted approval, the employee's risk index is recalculated the next time the scheduled calculation task is run.
For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.
|Compliance Rules Module
You can integrate rule conformity testing for IT Shop requests within an approval workflow. A separate approval procedure is supplied for this. This approval procedure checks whether the request's recipient will violate compliance rules if the requests are granted approval. The result of the test is logged in the request's approval sequence and approval history.
Table 46: Approval procedures for compliance checking
CR - compliance check (simplified)
Checks the current request for possible rule violations. It takes into account the requested product and all the company resources already assigned to the request recipient.
Prerequisites for request validation