Chat now with support
Chat with Support

Identity Manager 9.2.1 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Editing approval steps

To edit approval level properties

  1. Select the approval step.

  2. Select the Toolbox > Approval steps > Edit item.

  3. Edit the approval step properties.

  4. Save the changes.
Detailed information about this topic

Properties of an approval step

On the General tab, enter the data described below. On the Mail templates tab, select the mail templates for generating mail notifications. If you add a new approval step, you must fill out the required fields.

Table 28: General properties of an approval step

Property

Meaning

Single step

Approval step name.

Approval procedure

Procedure to use for determining the approvers.

Processing status

Processing status of the success or failure case of the approval step. The processing status for the request is set according to the decision and whether it has been made positively or negatively. Define the processing status in the basic configuration data.

Role

Hierarchical role from which to determine the approvers.

The role is used in the OM and OR default approval procedures. Additionally, you can use the role if you use a custom approval procedure in the approval step.

Fallback approver

Application role whose members are authorized to approve requests if an approver cannot be determined through the approval procedure. Assign an application from the menu.

To create a new application role, click . Enter the application role name and assign a parent application role. For more information, see the One Identity Manager Authorization and Authentication Guide.

NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment as soon as one fallback approver has approved the request.

Condition

Condition for calculating the approval decision. The condition is used in the CD, EX, or WC default approval procedures. Additionally, you can use the role if you use a custom approval procedure in the approval step.

Comparison value for the risk index in the approval procedure RI. Enter a number in the range 0.1 to 1.0. 1.0. You can use , or . as a decimal point.

Number of approvers

Number of approval required to approve a request. Use this number to further restrict the maximum number of approvers of the implemented approval procedure.

If there are several identities allocated as approvers, then this number specifies how many identities from this group have to approve a request. A request can only be passed on to the next level if this has been done.

If you want approval decisions to be made by all the identities found using the applicable approval procedure, for example, all members of a role (default approval procedure OR), enter the value -1. This overrides the maximum number of approvers defined in the approval procedure.

If not enough approvers can be found, the approval step is presented to the fallback approvers. The approval step is considered approved as soon as one fallback approver has approved the request.

If an approval decision is made by the chief approval team, it overrides the approval decision of just one regular approver. This means, if three approvers must approve an approval step and the chief approval team makes a decision, two more are still required.

The number of approvers defined in an approval step is not taken into account in the approval procedures CD, EX, or WC.

Description

Text field for additional explanation.

Approval reason

Reason entered in the request if approval is automatically granted.

This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC. In the CR approval procedure, you can user the wild card {0} in the text. The place holder syntax corresponds to a format place holder in VB.Net ({0} to {9})

Reject reason

Reason entered in the request and the approval history, if approval is automatically denied.

This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC. In the CR approval procedure, you can user the wild card {0} in the text. The place holder syntax corresponds to a format place holder in VB.Net ({0} to {9})

Reminder after (minutes)

Number of minutes to elapse after which the approver is notified by mail that there are still pending requests for approval. The input is converted into working hours and displayed additionally.

NOTE: Ensure that a state, county, or both is entered into the identity's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating identities' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

If more than one approver was found, each approver will be notified. The same applies if an additional approver has been assigned.

If an approver delegated the approval, the time point for reminding the delegation recipient is recalculated. The delegation recipient and all the other approvers are notified. The original approver is not notified.

If an approver has made an inquiry, the time point for reminding the queried identity is recalculated. As long as the inquiry has not been answered, only this identity is notified.

Timeout (minutes)

Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

The working hours of the respective approver are taken into account when the time is calculated.

NOTE: Ensure that a state, county, or both is entered into the identity's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating identities' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

Timeout behavior

Action that is run if the timeout expires.

  • Approved: The request is approved in this approval step. The next approval level is called.

  • Deny: The request is denied in this approval step. The approval level for denying is called.

  • Escalation: The request process is escalated. The escalation approval level is called.

  • Cancel: The approval step, and therefore the entire approval process for the request, is canceled.

Reason type on approval

Specifies which type of reason is required when granting approval to this approval step.

  • Optional: A reason can be provided if required.

  • Reason required (standard or free): A standard reason must be selected or a reason given with any text.

  • Free text required: A reason must be given with freely selected text.

NOTE: In the Web Designer Web Portal this information is not used. No distinction is made between the different types of reasons.

Reason type on denial

Specifies which type of reason is required when denying approval to this approval step.

  • Optional: A reason can be provided if required.

  • Reason required (standard or free): A standard reason must be selected or a reason given with any text.

  • Free text required: A reason must be given with freely selected text.

NOTE: In the Web Designer Web Portal this information is not used. No distinction is made between the different types of reasons.

Additional approver possible

Specifies whether a current approver is allowed to instruct another identity as an approver. This additional approver has parallel authorization to make approvals for the current request. The request is not passed on to the next approval level until both approvers have made a decision.

This option can only be set for approval levels with a single, manual approval step.

Approval can be delegated

Specifies whether a current approver can delegate the approval of the request to another identity. This identity is added to the current approval step as the approver and then makes the approval decision instead of the approver who delegated.

This option can only be set for approval levels with a single, manual approval step.

Approval by affected identity

Specifies whether the identity that is affected by the approval decision can also approve this attestation case. If this option is set, requester, and request recipients can approve the request.

If this option is not set, use the QER | ITShop | PersonInsertedNoDecide, QER | ITShop | PersonOrderedNoDecide, QER | ITShop | PersonInsertedNoDecideCompliance, and QER | ITShop | PersonOrderedNoDecideCompliance configuration parameters to specify for all requests whether requester and request recipient can approve the request.

Do not show in approval history

Specifies whether or not the approval step should be displayed in the approval history. For example, this behavior can be applied to approval steps with the CD - calculated approval procedure, which are used only for branching in the approval workflow. It makes it easier to follow the approval history.

No automatic approval

Specifies whether the approval step is decided manually. The request is presented again to an approver even if they are the requester themselves or the request has been approved in a previous approval step. The setting of the DecisionOnInsert, ReuseDecision and AutoDecision configuration parameters is ignored in this approval step.

Escalate if no approver found

Specifies whether the approval step is escalated if no approver can be found and no fallback approver is assigned. In this case, the request is neither canceled nor passed to the chief approval team.

This option can only be enabled if an approval level is linked to escalation. The option cannot be enables if the approval step uses the approval procedure OC or OH.

Detailed information about this topic
Related topics

Connecting approval levels

When you set up an approval workflow with several approval levels, you have to connect each level with another. You may create the following links.

Table 29: Links to approval levels

Link

Description

Approve

Link to next approval level if the current approval level was granted approval.

Deny

Link to next approval level if the current approval level was not granted approval.

Reroute

Link to another approval level to bypass the current approval.

Approvers can pass the approval decision through another approval level, for example, if approval is required by a manager in an individual case. To do this, create a connection to the approval levels to which the approval can be rerouted. This way, approvals can also be rerouted to a previous approval level, for example, if an approval decision is considered not to be well-founded. Starting from one approval level, more than one reroute can lead to different approval levels. The approvers select, in the Web Portal, which of these approval levels to reroute the approval to.

It is not possible to reroute approval steps with the approval procedures OC, OH, EX, CR, CD, SB, or WC.

Escalation

Link to another approval level when the current approval level is escalated after timing out.

If there are no further approval levels after the current approval level, the request is considered approved if the approval decision was to grant approval. If approval is not granted, the request is considered to be finally denied. The approval process is closed in both cases.

Additional tasks for approval workflows

After you have entered the main data, you can run the following tasks.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating