Chat now with support
Chat with Support

Identity Manager 8.1.4 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests and delegating Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding Active Directory and SharePoint groups to the IT Shop automatically Adding Privileged Account Management user groups to the IT Shop automatically
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Cancel request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates
Resolving errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Editing approval levels

An approval level provides a method of grouping individual approval steps. All the approval steps in one approval level are executed in parallel. All the approval steps for different approval levels are executed one after the other. You use the connectors to specify the order of execution.

Specify the individual approval steps in the approval levels. At least one approval step is required per level. Enter the approval steps first before you add an approval level.

To add an approval level

  1. Select the Toolbox | Approval levels | Add item.

    This opens the properties dialog for the first approval step.

  2. Enter the approval step properties.

  3. Save the changes.

You can edit the properties of an approval level as soon as you have added an approval level with at least one approval step.

To edit approval level properties

  1. Select the approval level.

  2. Select the Toolbox | Approval levels | Edit item.

  3. Enter a display name for the approval level.

  4. Save the changes.
NOTE: You can define more than one approval step for each approval level. In this case, the approvers of an approval level can make a decision about a request in parallel rather than sequentially. The request cannot be presented to the approvers at the next approval level until all approval steps of an approval level have been completed within the approval procedure.

To add more approval steps to an approval level

  1. Select the approval level.

  2. Select the Toolbox | Approval levels | Add item.

  3. Enter the approval step properties.

  4. Save the changes.
Detailed information about this topic

Editing approval steps

To edit approval level properties

  1. Select the approval step.

  2. Select the Toolbox | Approval steps | Edit item.

  3. Edit the approval step properties.

  4. Save the changes.
Detailed information about this topic

Properties of an approval step

On the General tab, enter the data described below. On the Mail templates tab, select the mail templates for generating mail notifications. If you add a new approval step, you must fill out the required fields.

Table 27: General properties of an approval step

Property

Meaning

Single step

Approval step name.

Approval procedure

Procedure to use for determining the approvers.

Processing status

Processing status of the success or failure case of the approval step. The processing status for the request is set according to the decision and whether it has been made positively or negatively. Define the processing status in the basic configuration data.

Role

Hierarchical role from which the approvers are to be determined using the default approval procedures OM and OR.

Fallback approver

Application role whose members are authorized to approve requests if an approver cannot be determined through the approval procedure. Assign an application from the menu.

To create a new application role, click . Enter the application role name and assign a parent application role. For detailed information, see the One Identity Manager Authorization and Authentication Guide.

NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment as soon as one fallback approver has approved the request.

Relevance for compliance

Specifies whether the approver is notified when a request leads to a rule violation. The following values are permitted:

  • Not relevant: Information about rule violations is not relevant for approvers in this approval step. No additional information is displayed for the approver in the approval process.

  • Information: Approvers in this approval step receive information during the approval process if the request causes a compliance rule violation. The approvers decided whether to grant or deny the request.

  • Necessary measures: Approvers in this approval step receive information during the approval process if the request causes a compliance rule violation. The request is automatically denied.

Condition

Condition for calculating approval with approval procedures CD, EX, or WC.

Comparison value for the risk index in the approval procedure RI. Enter a number in the range 0.1 to 1.0. 1.0. You can use , or . as a decimal point.

Number of approvers

Number of approval required to approve a request. Use this number to further restrict the maximum number of approvers of the implemented approval procedure.

If there are several people allocated as approvers, then this number specifies how many people from this group have to approve a request. A request can only be passed on to the next level if this has been done.

If not enough approvers can be found, the approval step is presented to the fallback approvers. The approval step is considered approved as soon as one fallback approver has approved the request.

If you want approval decisions to be made by all the employees found using the applicable approval procedure, for example all members of a role (default approval procedure OR), enter the value -1. This overrides the maximum number of approvers defined in the approval procedure.

The number of approvers defined in an approval step is not taken into account in the approval procedures CD, EX,or WC.

Description

Text field for additional explanation.

Approval reason

Reason entered in the request if approval is automatically granted.

This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC.

Reject reason

Reason entered in the request and the approval history, if approval is automatically denied.

This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC.

Reminder interval (hours)

Number of working hours to elapse after which the approver is notified by mail that there are still pending requests for approval.

NOTE: Ensure that a state, county, or both is entered into the employee's master data for determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more detailed information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

If more than one approver was found, each approver will be notified. The same applies if an additional approver has been assigned.

If an approver delegated the approval, the time point for reminding the delegation recipient is recalculated. The delegation recipient and all the other approvers are notified. The original approver is not notified.

If an approver has made an inquiry, the time point for reminding the queried employee is recalculated. As long as the inquiry has not been answered, only this employee is notified.

TimeOut (working hours)

Number of working hours to elapse after which the approval step is automatically granted or denied approval.

The working hours of the respective approver are taken into account when the time is calculated.

NOTE: Ensure that a state, county, or both is entered into the employee's master data for determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more detailed information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

If more than one approver was found, the an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

Timeout behavior

Action that is executed if the timeout expires.

  • Approved: The request is approved in this approval step. The next approval level is called.

  • Deny: The request is denied in this approval step. The approval level for denying is called.

  • Escalation: The request process is escalated. The escalation approval level is called.

  • Abort: The approval step, and therefore the entire approval process for the request, is aborted.

Additional approver possible

Specifies whether a current approver is allowed to instruct another employee as an approver. This additional approver has parallel authorization to make approvals for the current request. The request is not passed on to the next approval level until both approvers have made a decision.

This option can only be set for approval levels with a single, manual approval step.

Approval can be delegated

Specifies whether a current approver can delegate the approval of the request to another employee. This employee is added to the current approval step as the approver. This employee then makes the approval decision instead of the approver who made the delegation.

This option can only be set for approval levels with a single, manual approval step.

Approval by affected employee

Specifies whether the employee who is affected by the approval decision can also approve this request. If this option is set, requester, and request recipients can approve the request.

If this option is not set, use the QER | ITShop | PersonInsertedNoDecide, QER | ITShop | PersonOrderedNoDecide, QER | ITShop | PersonInsertedNoDecideCompliance, and QER | ITShop | PersonOrderedNoDecideCompliance configuration parameters to specify for all requests whether requester and request recipient can approve the request.

Do not show in approval history

Specifies whether or not the approval step should be displayed in the approval history. For example, this behavior can be applied to approval steps with the CD - calculated approval procedure, which are used only for branching in the approval workflow. It makes it easier to follow the approval history.

No automatic approval

Specifies whether the approval step is decided manually. The request is presented again to an approver even if they are the requester themselves or the request has been approved in a previous approval step. The setting of the DecisionOnInsert, ReuseDecision and AutoDecision configuration parameters is ignored in this approval step.

Detailed information about this topic
Related topics

Connecting approval levels

When you set up an approval workflow with several approval levels, you have to connect each level with another. You may create the following links.

Table 28: Links to approval levels

Link

Description

Approve

Link to next approval level if the current approval level was granted approval.

Deny

Link to next approval level if the current approval level was not granted approval.

Reroute

Link to another approval level to bypass the current approval.

Approvers can pass the approval decision through another approval level, for example, if approval is required by a manager in an individual case. To do this, create a connection to the approval level to which the approval can be rerouted. This way, approvals can also be rerouted to a previous approval level, for example, if an approval decision is considered not to be well-founded.

It is not possible to reroute approval steps with the approval procedures OC, OH, EX, CR, CD, SB, or WC.

Escalation

Link to another approval level when the current approval level is escalated after timing out.

If there are no further approval levels after the current approval level, the request is considered approved if the approval decision was to grant approval. If approval is not granted, the request is considered to be finally denied. The approval method is closed in both cases.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating