Requesting memberships in application roles
You have the option to limit assignment requests to single business roles. To do this, an assignment resource is created for a fixed requestable application role. The application role then automatically becomes part of the assignment resource request. If the request is approved, the requester becomes a member of the application role.
Each requestable application role of this kind can have its own approval process defined. The service items connected with the assignment resources are assigned separate approval policies in order to do this.
To limit assignment requests to single application roles
-
In the Manager, select an application role in the One Identity Manager Administration category.
-
Select the Create assignment resource task.
This starts a wizard that takes you through the steps for adding an assignment resource.
-
Enter a description and allocate a resource type.
This creates a new assignment resource with the following custom properties:
-
Enter the service item properties to allocate to the assignment resource.
A new service item is created and linked to the assignment resource.
-
Assign the assignment resource to an IT Shop shelf as a product.
-
Assign an approval policy to the shelf or the assignment resource’s service item.
Assignment resource and service item main data can be processed later on if required.
The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the employee for whom it was requested becomes a member of the associated application role through internal inheritance processes. For more information about requesting assignment resources, see the One Identity Manager Web Designer Web Portal User Guide.
Related topics
Customizing assignment requests
Assignment requests with standard products are automatically approved through self-service. If assignment requests are going to be approved by an approval supervisor, assign a suitable approval policy to the default assignment resource. This means that assignment requests also go through the defined approval process.
To approve assignment requests through an approver
Sometimes assignment requests should be subject to various approval processes depending on the object requested. For example, a department manager should approve department assignment, but department membership should be approved by the employee’s manager. You can define assignment resources to do this. You can assign these assignment resources to any shelf in your IT Shop.
To configure custom assignment requests
-
Create a new assignment resource.
-
In the Manager, select the Entitlements > Assignment resources for IT Shop category.
-
Click in the result list.
-
Select the Change main data task.
-
Enter the assignment resource name.
-
Assign a new service item.
- Save the changes.
-
Assign the assignment resource to an IT Shop shelf as a product.
-
Select the Add to IT Shop task.
-
In the Add assignments pane, assign a shelf.
- Save the changes.
-
Assign an approval policy to the shelf or the assignment resource’s service item.
-
In the Designer, override the VI_GetAccproductAssignmentMember script. Use the new service item in the script code.
For more information about overriding scripts, see the One Identity Manager Configuration Guide.
Detailed information about this topic
Related topics
Canceling requests
Assignments, like all other products, can be canceled through Web Portal or requested for a limited time period. These requests are automatically canceled when the validity period expires. For more information, see the One Identity Manager Web Designer Web Portal User Guide.
Detailed information about this topic
Removing customers from a shop
If a customer has requested assignment through a shop and later they are removed from the shop, then the assignment request is closed and the assignment is revoked. In this case, however, assignments to roles should be retained if required.
To prevent the assignment from being revoked
-
In the Designer, set the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU configuration parameter.
-
(Optional) Enable the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback configuration parameter in the Designer.
-
In the Value field, enter the UID_Person of the person that should be used as the fallback if no other request recipient can be found.
This person must be a customer in all shops in which assignments can be requested.
- Save the changes.
-
In the Manager, select the Entitlements > Assignment resources for IT Shop category.
-
In the result list, select an assignment resource and select the Change main data task.
-
Set the Keeps requested assignment resource option.
- Save the changes.
This option is enabled by default for the Role entitlement assignment default assignment resource. These configuration parameters are disabled by default.
If this option is enabled and the request recipient is removed from the customer node, then the request is updated according to the following rules:
-
If the service item
- Has the Retain service item assignment on relocation option set
- The request recipient and service item are available in another shop
The assignment request is transferred into this shop. The request recipient remains the same.
-
If by doing this the request recipient does not remain the same, then a new request recipient is determined.
-
The manager of the business role or organization that has been requested (PersonWantsOrg.ObjectKeyOrgUsedInAssign).
-
A member of the business role or organization that has been requested.
-
A member of the chief approval team.
-
The employee given in the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback configuration parameter.
These rules are applied in the order given. The person who is found must be a customer in the shop.
If no authorized approver can be found or the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU configuration parameter is disabled, then the assignment request is converted into a direct assignment. If direct assignment for the assigned product is not permitted to the requested business role or organization, the request is canceled and the assignment is removed.
NOTE: This option does not influence membership requests in roles or delegation.
Membership assignments are not removed, if the requester is removed from the customer node. They are removed when the recipient of the assignment request is deleted from the customer node.
Delegation ends when the delegate is deleted from the customer node.
Related topics