Chat now with support
Chat with Support

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

General main data for adaptive cards

Enter the following main data for an adaptive card.

Table 60: Adaptive card main data

Property

Description

Adaptive card

Name of the adaptive card.

Description

Text field for additional explanation.

Disabled

Specifies whether the adaptive card is actively used.

Adaptive card templates

Name of templates to use with this adaptive card.

Language

The template is provided in this language. The recipient's language preferences are taken into account when an adaptive card is generated and a matching template is applied. If a language cannot be identified or there is no suitable template for the language found, en-US is used as fallback.

Template

JSON template of the adaptive card that contains placeholders for Adaptive Cards Templating.

Related topics

Deploying and evaluating adaptive cards for requests

Once an approver is determined in an approval step, the QER_PWOHelperPWO approve anywhere process runs. The process is generated if the following conditions are fulfilled:

  • The approver is registered as the recipient in Starling Cloud Assistant.

  • A default email address is stored for the approver.

  • The QER | Person | Starling | UseApprovalAnywhere configuration parameter is set.

  • An expiry date is entered in the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter.

  • Approval by multi-factor authentication is not set on the requested service item.

The process runs the QER_CloudAssistant_CreateMessage_PWOHelperPWO script passing to it the name and the UID of the adaptive card to send. The script created the adaptive card from the JSON template for adaptive cards and the data in the request and then sends it to the approver The QER_CloudAssistant_CheckMessage_PWOHelperPWO script checks if the approver has sent a response, evaluates the response and updates the request process according to the approval decision.

NOTE: If you want to use your own adaptive cards template, check the QER_CloudAssistant_CreateMessage_PWOHelperPWO, QER_CloudAssistant_CreateData_PWOHelperPWO, and QER_CloudAssistant_CheckMessage_PWOHelperPWO scripts and adjust them if necessary to reflect content changes in the template. For more information about overriding scripts, see the One Identity Manager Configuration Guide.

Related topics

Disabling adaptive cards

Adaptive cards that are not used can be disabled.

To disable an adaptive card

  1. In the Manager, select the IT Shop > Basic configuration data > Adaptive cards category.

  2. Select the adaptive card in the result list.

  3. Select the Change main data task.

  4. Set Disabled.

  5. Save the changes.
Related topics

Requests with limited validity period for changed role memberships

If an identity changes their primary department (business role, cost center, or location), they lose all company resources and system entitlements inherited through it. However, it may be necessary for the identity to retain these company resources and system entitlements for a certain period. Use temporary requests to retain the state of the identity's current memberships. Inherited assignments are not removed until after the validity period for this request has expired. The identity can renew the request within the validity period.

Prerequisites

  • Identity main data is modified by import.

  • The import sets the session variable FullSync=TRUE.

To configure automatic requests for removal of role memberships

  1. In the Designer, set the QER | ITShop | ChallengeRoleRemoval configuration parameter.

  2. In the Designer, set the QER | ITShop | ChallengeRoleRemoval | DayOfValidity configuration parameter and enter a validity period for the request.

  3. In the Designer, set the configuration parameters under QER | ITShop | ChallengeRoleRemoval for roles whose primary memberships need to remain intact when modified.

  4. Commit the changes to the database.

NOTE: The configuration parameters are set by default. The validity period is set to seven days.

If identity main data is modified by importing, One Identity Manager checks if a primary role (for example Person.UID_Department) was modified or deleted on saving. If this is the case, VI_CreateRequestForLostRoleMembership is run. The script create a temporary assignment request for this role, which is granted approval automatically. Thus, the identity remains a members of the role and retains their company resources and system entitlements. The request is automatically canceled when the validity period expires.

The request can be renewed during the validity period. The request renewal must be approved by the role manager. The request becomes permanent if approval is granted. Role membership stays the same until the assignment is canceled.

TIP: The QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration parameter specifies which product nodes to use for a limited validity period request of modified role memberships. The Challenge loss of role membership product is available by default in the Identity & Access Lifecycle | Identity Lifecycle shelf. You can also add this product to your own IT Shop solution.

To use the "Challenge loss of role membership" product in your own IT Shop

  1. Assign the Challenge loss of role membership assignment resource to one of your own shelves.

  2. In the Designer, edit the value of the QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration parameter.

    • Enter the full name or the UID of the new product node.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating