Creating workdesk requests
Requests for workdesks are created with CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName). Prepare the IT Shop accordingly in order to create the requests.
To create requests from assignments to workdesks
- Prepare the company resources (software, system role, or driver) for use in the IT Shop.
- Assign the company resources to a shelf in the IT Shop.
- Select an employee as requester for the assignment to workdesks.
- Add the selected employee as a customer to the shops to which the company resources are assigned as products.
- (Optional): Create a script that populates other properties of the requests.
- Create a script to run CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName) for the affected tables.
One Identity Manager creates workdesk requests in the following way:
- Determine workdesks and their assigned company resources.
- Determine requester from the uidPerson parameter.
- Determine shops assigned to company resources and requester.
- Create the requests with initial data.
- Run custom scripts.
- Save the requests (entry in the PersonWantsOrg table).
- Assign employees to the product structure (entry in PersonInITShopOrg table).
- Transform direct company resource assignments into indirect assignments to workdesks (for example, in the WorkDeskHasApp table).
TIP: To create an employee who can be used as a requester when creating a workstation, set the Hardware | Workdesk | WorkdeskAutoPerson configuration parameter in the Designer. The following properties are used for the employee object:
When the workstation is deleted, the associated employee object is also deleted.
Creating assignment requests
You can create assignment requests for existing company resource assignments to hierarchical roles and for memberships of employees, devices, or workdesks in hierarchical roles. The following methods are available.
Table 23: Methods for transforming direct assignments into assignment requests

| Method | Description |
|---|---|
| CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName) | Creates an assignment request from an assignment or membership. This method can be applied to all tables which cannot be used to find a UID_Person. |
| CreateITShopOrder (string uidOrgProduct, string uidWorkdeskOrdered, string uidPersonOrdered, string CustomScriptName) | Creates an assignment request from an assignment or membership and, in addition, saves a UID_WorkdeskOrdered with the request procedure. |

Prepare the IT Shop accordingly in order to create the requests.
To create assignment requests from direct assignment to hierarchical roles and role memberships
- From the IT Shop > Identity & Access Lifecycle > Shelf: Identity Lifecycle shelf, select an assignment resource.
- From the customer node of the IT Shop | Identity & Access Lifecycle shop, select an employee as a requester for the assignment request.
- (Optional): Create a script that populates other properties of the requests.
- Create a script to run the CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName) method for the affected tables.
One Identity Manager creates assignment requests from existing assignments to hierarchical roles as follows:
- Determine the hierarchical roles and their assigned company resources and employees (employees, devices, or workdesks).
- Determine the requester from the uidPersonOrdered parameter.
- Determine the assignment resource from the uidOrgProduct parameter.
- Determine shops assigned to the assignment resource and requester.
- Create the requests with initial data.
- Run custom scripts.
- Save the requests (entry in the PersonWantsOrg table).
- Transform direct company resource assignments to hierarchical roles into indirect assignments to workdesks (for example, in the DepartmentHasQERResource table). Transform direct company memberships to hierarchical roles into indirect memberships (for example, in the PersonInDepartment table).
If the assignment request is to be created for a workdesk, pass the method the workdesk's UID_WorkDesk as uidWorkdeskOrdered parameter. The method saves this UID as UID_WorkdeskOrdered in the request (PersonWantsOrg table).
Adding system entitlements automatically to the IT Shop
The following steps can be used to automatically add system entitlements to the IT Shop. Synchronization ensures that the system entitlements are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor. New system entitlements created in One Identity Manager also are added automatically to the IT Shop.
To add system entitlements automatically to the IT Shop
- In the Designer, set the configuration parameter for automatically adding system entitlements to the IT Shop depending on existing modules.
  Example: QER | ITShop | AutoPublish | ADSGroup and QER | ITShop | AutoPublish | ADSGroup | ExcludeList
  - For disabled Azure Active Directory service plans:
    QER | ITShop | AutoPublish | AADDeniedServicePlan
    QER | ITShop | AutoPublish | AADDeniedServicePlan | ExcludeList
  - For Azure Active Directory groups:
    QER | ITShop | AutoPublish | AADGroup
    QER | ITShop | AutoPublish | AADGroup | ExcludeList
  - For Azure Active Directory subscriptions:
    QER | ITShop | AutoPublish | AADSubSku
    QER | ITShop | AutoPublish | AADSubSku | ExcludeList
  - For Active Directory groups:
    QER | ITShop | AutoPublish | ADSGroup
    QER | ITShop | AutoPublish | ADSGroup | ExcludeList
    QER | ITShop | AutoPublish | ADSGroup | AutoFillDisplayName
    If Self-Service Manager is used:
    TargetSystem | ADS | ARS_SSM
  - For Exchange Online mail-enabled distribution groups:
    QER | ITShop | AutoPublish | O3EDL
    QER | ITShop | AutoPublish | O3EDL | ExcludeList
  - For Office 365 groups:
    QER | ITShop | AutoPublish | O3EUnifiedGroup
    QER | ITShop | AutoPublish | O3EUnifiedGroup | ExcludeList
  - For Microsoft Teams teams:
    QER | ITShop | AutoPublish | O3TTeam
    QER | ITShop | AutoPublish | O3TTeam | ExcludeList
  - For PAM user groups:
    QER | ITShop | AutoPublish | PAGUsrGroup
    QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList
  - For SharePoint groups:
    QER | ITShop | AutoPublish | SPSGroup
    QER | ITShop | AutoPublish | SPSGroup | ExcludeList
- Compile the database.
The system entitlements are added automatically to the IT Shop from now on.
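Because every entitlement that an ExcludeList does not cover becomes requestable, it is worth dry-running a planned ExcludeList value against an export of entitlement names before setting the AutoPublish parameter. The following check is an added example, not One Identity code. It assumes the ExcludeList value is a regular expression (with `|` as alternation) matched case-insensitively against the whole entitlement name; confirm the matching rules in the parameter description in the Designer. The group names, the ExcludeList value, and the `SENSITIVE` heuristic are constructed.

```python
import re

# Constructed review heuristic (not a product setting): name fragments that
# usually indicate a privileged group and deserve a manual decision.
SENSITIVE = re.compile(r"admin|operator|policy creator", re.IGNORECASE)


def compile_exclude_list(value):
    """Assumption: the value is one regular expression ('|' = alternation)
    matched case-insensitively against the whole entitlement name."""
    value = value.strip()
    if not value:
        return None  # empty list: nothing is excluded
    return re.compile(f"(?:{value})", re.IGNORECASE)


def review(groups, exclude_value):
    """Return (published, flagged): the names the ExcludeList lets through,
    and the subset of those that look privileged."""
    rx = compile_exclude_list(exclude_value)
    published = [g for g in groups if rx is None or not rx.fullmatch(g)]
    flagged = [g for g in published if SENSITIVE.search(g)]
    return published, flagged


# Constructed sample: names as they might appear in an export of AD groups.
GROUPS = [
    "Domain Admins", "Enterprise Admins", "Backup Operators", "DnsAdmins",
    "Group Policy Creator Owners", "Sales-EMEA", "VPN-Users",
    "SQL-Prod-Admin-RW",
]
# Constructed candidate value for QER | ITShop | AutoPublish | ADSGroup | ExcludeList
EXCLUDE = r".*Admins|.*Operators"

if __name__ == "__main__":
    published, flagged = review(GROUPS, EXCLUDE)
    for name in published:
        print(("REVIEW  " if name in flagged else "publish ") + name)
```

With the sample value, "Group Policy Creator Owners" and "SQL-Prod-Admin-RW" pass the ExcludeList and are marked for review, which shows how a pattern that only covers the `...Admins` and `...Operators` naming forms leaves other privileged groups requestable.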
The following steps are run to add a system entitlement to the IT Shop.
- A service item is determined for the system entitlement.
  The service item is tested for each system entitlement and modified if necessary. The name of the service item corresponds to the name of the system entitlement.
- The service item is assigned to one of the default service categories.
- An application role for product owners is determined and the service item is assigned. For more information, see the administration manuals for the respective target system connection.
  Product owners can approve requests for membership in these system entitlements.
- The system entitlement is labeled with the IT Shop option and assigned to the corresponding IT Shop shelf in the Identity & Access Lifecycle shop.
  Subsequently, the shop's customers can request memberships in the system entitlement through the Web Portal.
NOTE: When a system entitlement is irrevocably deleted from the One Identity Manager database, the associated service item is also deleted.
Deleting unused application roles for product owners
The list of product owner application roles can quickly become confusing when groups are automatically added to the IT Shop. This is because an application role is added for each account manager. These application roles are no longer required when the groups are deleted.
Redundant application roles for product owners can be deleted through a scheduled process task. This deletes all application roles from the database for which the following applies:
- The parent application role is Request & Fulfillment | IT Shop | Product owner.
- The application role is not assigned to a service item.
- The application role is not assigned to a service category.
- The application role does not have members.
To display no longer required application roles with members
To delete application roles automatically
NOTE: If you have set up your own application roles under the Request & Fulfillment | IT Shop | Product Owner application role that you use for custom use cases (tables), then check whether these can be deleted automatically. Otherwise, disable the Clean up application role "Request & Fulfillment\IT Shop\Product owners" schedule.