Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager On Demand Hosted - IT Shop Administration Guide

Table of Contents

Setting up an IT Shop solution

One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products

Multi-request resources

Preparing products for requesting

Entering service items

General main data for service items Pricing for service items Extended main data for service items Default service items Specifying dependencies between products Editing product dependencies for requests Defining hierarchy for service items Assigning hierarchical roles to service items

Assigning organizations to service items Assigning business roles to service items

Assigning functional areas to service items Assigning extended properties to service items Displaying websites for service items Changing products for service items Adding tags and assigning them to service items Assigning object-dependent references to service items Displaying the service item overview Reports about service items

Overview of all assignments

Entering service categories

Main data for service categories Default service categories Assigning service items to service categories Assigning object-dependent references to a service category Displaying the service category overview

Entering product-specific request properties

Request property and request parameter settings Copy request properties Displaying the request properties overview

Products for requests with time restrictions Product request on customer or product relocation Non-requestable products Entering terms of use

Assigning service items to terms of use Displaying the terms of use overview

Assigning service items to tags Displaying the tags overview

Assigning and removing products

Assigning products to shelves Removing products from shelves Moving products to another shelf Replacing products

Preparing the IT Shop for multi-factor authentication

Using multi-factor authentication for requests

Assignment requests

Standard products for assignment requests Requesting memberships in business roles Requesting memberships in application roles Customizing assignment requests Canceling requests Removing customers from a shop Setting up assignment resources

General main data for assignment resources Default assignment resources Displaying assignment resource overviews Adding assignment resources to the IT Shop Removing assignment resources from the IT Shop

Standard products for delegation Preparing single delegations Allowing delegation approvals

Creating IT Shop requests from existing user accounts, assignments, and role memberships

Creating requests for employees Creating user account requests Creating workdesk requests Creating assignment requests

Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners

Approval processes for IT Shop requests

Approval policies for requests

General main data of approval policies Default approval policies Additional tasks for approval policies

The approval policy overview Adding to the IT Shop Validity checking Editing approval workflows

Approval workflows for requests

Working with the workflow editor Setting up approval workflows

Editing approval levels Editing approval steps Properties of an approval step Connecting approval levels

Additional tasks for approval workflows

The approval workflow overview Copying approval workflows

Deleting approval workflows Default approval workflows

Determining the effective approval policies

Approvers for renewals Approvers for unsubscriptions

Selecting responsible approvers

Default approval procedures

Self-service Using IT Shop structures to find approvers Using request recipients to find approvers Using specific roles to find approvers Using requested products to find approvers Using approval roles to find approvers Using cost centers to find approvers Using departments to find approvers Using requested roles to find approvers Waiting for further approval Calculated approval Approvals to be made externally Finding requesters

Setting up approval procedures

General main data of an approval procedure Queries for approver selection

Copying an approval procedure Deleting approval procedures Determining the responsible approvers

Request risk analysis Testing requests for rule compliance

Compliance checking requests Identifying rule violations Finding exception approvers Restricting exception approvers

Setting up exception approver restrictions

Explicit exception approval Rule checking for requests with self-service

Approving requests from an approver

Setting up approver restrictions

Automatically approving requests

Configuring automatic approval

Approval by peer group analysis

Configuring peer group analysis for requests

Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes

Request sequence

The request overview

Displaying request details Displaying the approval sequence Displaying the approval history

Requesting products more than once Requests with limited validity period

Renewing requests Canceling or unsubscribing requests Checking request validity periods

Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process

Demanding an approval decision Reminding approvers Scheduled demand for approval Sequence for limited requests Approving or denying request approval Notifying delegates Canceling requests Escalating requests Delegating approvals Rejecting approvals Notifications with questions Using additional approvers to approve requests Unsubscribing approved requests Renewing approved requests Product change notifications Default mail templates Bulk delegation notifications

Approval by mail

Editing approval emails

Allowing approval decisions using the Starling 2FA app Requests with limited validity period for changed role memberships Requests from permanently inactive employees Deleting requests

Managing an IT Shop

IT Shop base data

Processing status Standard reason for requests

Predefined standard reasons for requests

Role classes for the IT Shop Role types for the IT Shop Business partners Functional areas Chief approval team Product owners Attestors

Setting up IT Shop structures

Adding IT Shop structures General main data of IT Shop structures Custom main data of IT Shop structures Additional tasks for IT Shop structures

The IT Shop structure overview Assigning approval policies Assigning requestable products to shelves

Setting up a customer node

Adding customer nodes General main data of customer nodes Custom main data of customer nodes Additional tasks for customer nodes

The entitled customers overview Assigning employees directly Assigning employees through dynamic roles

Deleting IT Shop structures

Deleting customer nodes Deleting shelves Deleting shops Deleting shopping centers

Templates for automatically filling the IT Shop

Using shelf templates in an IT Shop solution Editing shelf templates General main data of a shelf template Custom main data of shelf templates Additional tasks for shelf templates

Assigning approval policies Assigning requestable products to shelf templates Shelf-filling wizard

Assigning shelf templates to shops and shopping center templates Deleting shelf templates

Custom mail templates for notifications

Creating and modifying IT Shop mail templates General properties of mail templates Creating and editing mail definitions

Using base object properties Use of hyperlinks to the Web Portal Default functions for creating hyperlinks Customize email signatures

Copying IT Shop mail templates Displaying IT Shop mail template previews Deleting IT Shop mail templates Custom notification processes

Request templates

Creating and modifying request templates General main data of a request template Cart items Deleting request templates

Recommendations and tips for transporting IT Shop components with the Database Transporter

Troubleshooting errors in the IT Shop

Timeout on saving requests Bulk delegation errors Process monitoring for requests

Configuration parameters for the IT Shop Request statuses Examples of request results

Requesting memberships in application roles

You have the option to limit assignment requests to single business roles. To do this, an assignment resource is created for a fixed requestable application role. The application role then automatically becomes part of the assignment resource request. If the request is approved, the requester becomes a member of the application role.

Each requestable application role of this kind can have its own approval process defined. The service items connected with the assignment resources are assigned separate approval policies in order to do this.

To limit assignment requests to single application roles

In the Manager, select an application role in the One Identity Manager Administration category.
Select the Create assignment resource task.

This starts a wizard that takes you through the steps for adding an assignment resource.
1. Enter a description and allocate a resource type.
  
  This creates a new assignment resource with the following custom properties:
  - Table: AERole
  - Object: Full name of application role
2. Enter the service item properties to allocate to the assignment resource.
  - Assign a service category so that the assignment resource in the Web Portal can be ordered using the service category.
  A new service item is created and linked to the assignment resource.
Assign the assignment resource to an IT Shop shelf as a product.
Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item main data can be processed later on if required.

The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the employee for whom it was requested becomes a member of the associated application role through internal inheritance processes. For more information about requesting assignment resources, see the One Identity Manager Web Designer Web Portal User Guide.

Related topics

Customizing assignment requests

Assignment requests with standard products are automatically approved through self-service. If assignment requests are going to be approved by an approval supervisor, assign a suitable approval policy to the default assignment resource. This means that assignment requests also go through the defined approval process.

To approve assignment requests through an approver

Assign separate approval policies to the default assignment resources service items.

- OR -
Assign any approval policy to the Identity Lifecycle shelf.

Sometimes assignment requests should be subject to various approval processes depending on the object requested. For example, a department manager should approve department assignment, but department membership should be approved by the employee’s manager. You can define assignment resources to do this. You can assign these assignment resources to any shelf in your IT Shop.

To configure custom assignment requests

Create a new assignment resource.
1. In the Manager, select the Entitlements > Assignment resources for IT Shop category.
2. Click in the result list.
3. Select the Change main data task.
4. Enter the assignment resource name.
5. Assign a new service item.
6. Save the changes.
Assign the assignment resource to an IT Shop shelf as a product.
1. Select the Add to IT Shop task.
2. In the Add assignments pane, assign a shelf.
3. Save the changes.
Assign an approval policy to the shelf or the assignment resource’s service item.
In the Designer, override the VI_GetAccproductAssignmentMember script. Use the new service item in the script code.

For more information about overriding scripts, see the One Identity Manager Configuration Guide.

Detailed information about this topic

Related topics

Approval processes for IT Shop requests

Canceling requests

Assignments, like all other products, can be canceled through Web Portal or requested for a limited time period. These requests are automatically canceled when the validity period expires. For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Detailed information about this topic

Requests with limited validity period

Removing customers from a shop

If a customer has requested assignment through a shop and later they are removed from the shop, then the assignment request is closed and the assignment is revoked. In this case, however, assignments to roles should be retained if required.

To prevent the assignment from being revoked

In the Designer, set the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU configuration parameter.
(Optional) Enable the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback configuration parameter in the Designer.
- In the Value field, enter the UID_Person of the person that should be used as the fallback if no other request recipient can be found.
  
  This person must be a customer in all shops in which assignments can be requested.
Save the changes.
In the Manager, select the Entitlements > Assignment resources for IT Shop category.
In the result list, select an assignment resource and select the Change main data task.
Set the Keeps requested assignment resource option.
Save the changes.

This option is enabled by default for the Role entitlement assignment default assignment resource. These configuration parameters are disabled by default.

If this option is enabled and the request recipient is removed from the customer node, then the request is updated according to the following rules:

If the service item
- Has the Retain service item assignment on relocation option set
- The request recipient and service item are available in another shop
The assignment request is transferred into this shop. The request recipient remains the same.
If by doing this the request recipient does not remain the same, then a new request recipient is determined.
1. The manager of the business role or organization that has been requested (PersonWantsOrg.ObjectKeyOrgUsedInAssign).
2. A member of the business role or organization that has been requested.
3. A member of the chief approval team.
4. The employee given in the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback configuration parameter.

These rules are applied in the order given. The person who is found must be a customer in the shop.

If no authorized approver can be found or the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU configuration parameter is disabled, then the assignment request is converted into a direct assignment. If direct assignment for the assigned product is not permitted to the requested business role or organization, the request is canceled and the assignment is removed.

NOTE: This option does not influence membership requests in roles or delegation.

Membership assignments are not removed, if the requester is removed from the customer node. They are removed when the recipient of the assignment request is deleted from the customer node.

Delegation ends when the delegate is deleted from the customer node.

Related topics

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center