Chat now with support
Chat with Support

Identity Manager On Demand Hosted - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Setting up an IT Shop solution

The IT Shop allows users to request company resources such as software, system roles, or group membership as well as non-IT resources such as mobile telephones or keys. Furthermore, membership of a hierarchical role (department, location, cost center, or business role) can be requested through the IT Shop. The requests are processed by a flexible policy-based approval process. Introducing the IT Shop avoids time-consuming demands within the company and reduces the administration effort. The request history makes it possible to follow who requested which company resource or hierarchical role and when it was requested, renewed, or canceled.

Shops, shelves, customers, and products all belong to an IT Shop solution. Several shops can be grouped together into shopping centers. The shelves are assigned company resources in the form of products. Products can be grouped into service categories. All the service categories are summarized in a service catalog. Customers can select products from a service catalog in the Web Portal, add them to a cart, and send a purchase request.

The following figure shows an example of a service catalog with service categories.

Figure 1: Example of a service catalog

Requests follow a defined approval process that determines whether a product may be assigned or not. Products can be renewed or canceled. Approval processes can also be specified for renewals and cancellations. Approval policies are defined for approval processes. The approval policies are assigned to approval workflows for product requests, renewals, or cancellations.

Figure 2: Example of a simple approval workflow

The products are requested, renewed, and canceled through the Web Portal. Authorized employees have the option to approve requests and cancellations. For detailed information, see the One Identity Manager Web Designer Web Portal User Guide.

One Identity Manager users in the IT Shop

The following users are involved in the setting up and operating of an IT Shop system.

Table 1: Users

Users

Tasks

Administrators for the IT Shop

Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Create the IT Shop structure with shops, shelves, customers, templates, and service catalog.

  • Create approval policies and approval workflows.

  • Specify which approval procedure to use to find attestors.

  • Create products and service items.

  • Set up request notifications.

  • Monitor request procedures.

  • Administrate application roles for product owners and attestors.

  • Maintain members of the chief approval team.

  • Set up other application roles as required.

  • Create extended properties for company resources of any type.

  • Edit the resources and assign them to IT Shop structures.

  • Assign system entitlements to IT Shop structures.

Product owners

Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.

Users with this application role:

  • Approve through requests.

  • Edit service items and service categories under their management.

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Role approver
  • Request approval in the Web Portal.

Approvers are determined through approval processes.

Attestors for requests

Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

Users with this application role:

  • Attest correct assignment of company resource to IT Shop structures for which they are responsible.

  • Attest objects that have service items assigned to them.

  • Can view main data for these IT Shop structures but not edit them.

NOTE: This application role is available if the Attestation Module is installed.

Chief approval team

Chief approvers must be assigned to the Request & Fulfillment | IT Shop | Chief approval team application role.

Users with this application role:

  • Approve through requests.
  • Assign requests to other approvers.

Implementing the IT Shop

Identity & Access Lifecycle is already included in the default installation of One Identity Manager. This shop contains several shelves that have standard products assigned to them. You can use these products to request role or group memberships, for example, or to delegate duties. All active employees automatically become members of this shop and can therefore make requests.

You can use the Identity & Access Lifecycle shop to request standard products. Default approval policies are implemented for approving these requests. You can request any company resources you like by taking the default shop and extending it with your own shelves or by setting up your own IT Shop solution.

To use the Identity & Access Lifecycle shop

  1. In the Designer, set the QER | ITSHOP configuration parameter.

    In the default installation, the configuration parameter is set and the IT Shop is available. If the configuration parameter is not set, you can set it in the Designer and then compile the database.

    If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  2. Install and configure the Web Portal.

    The products are requested, renewed, and canceled through the Web Portal. Authorized employees have the option to approve requests and cancellations.

    For more information, see the One Identity Manager Installation Guide and the One Identity Manager Web Designer Web Portal User Guide.

To customize the Identity & Access Lifecycle shop

  1. Set up more shelves.

    For more information, see Managing an IT Shop.

  2. Prepare company resources for requesting.

    For more information, see Preparing products for requesting.

  3. Assign requestable products to the shelves.

    For more information, see Assigning and removing products.

  4. Set up the approval process.

    In the default installation, different default approval policies are assigned to the Identity & Access Lifecycle shop. Therefore, requests from this shop are run through predefined approval processes.

    You can also assign your own approval policy to the shop. For more information, see Approval processes for IT Shop requests.

  5. If necessary, edit the dynamic role condition.

    For more information, see Assigning employees through dynamic roles. For more information about creating the condition, see the One Identity Manager Identity Management Base Module Administration Guide.

To set up your own IT Shop solution

  1. In the Designer, set the QER | ITSHOP configuration parameter.

    In the default installation, the configuration parameter is set and the IT Shop is available. If the configuration parameter is not set, you can set it in the Designer and then compile the database.

    If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  2. Set up shops, shelves, and customer node.

    For more information, see Managing an IT Shop.

  3. Prepare company resources for requesting.

    For more information, see Preparing products for requesting.

  4. Assign requestable products to the IT Shop.

    For more information, see Assigning and removing products.

    One Identity Manager makes different standard products available, which can be requested through the Identity & Access Lifecycle shop. You can also add these standard products to your own IT Shop.

  5. Set up the approval process.

    For more information, see Approval processes for IT Shop requests.

  6. Install and configure the Web Portal.

    The products are requested, renewed, and canceled through the Web Portal. Authorized employees have the option to approve requests and cancellations.

    For more information, see the One Identity Manager Installation Guide and the One Identity Manager Web Designer Web Portal User Guide.

Related topics

Using the IT Shop with the Application Governance Module

The Application Governance Module allows you to quickly and simply run the onboarding process for new applications from one place. An application created with the Application Governance Module combines all the permissions application users require for their regular work. This way, you can assign application entitlements to your applications (such as system entitlements or system roles) and plan when they will be available as requestable products (service items) (for example, in the Web Portal).

For more information about the Application Governance Module, see the One Identity Manager Application Governance User Guide. For more information about configuring the Application Governance Module, see the One Identity Manager Web Application Configuration Guide.

Applications can also be set up in the Manager if the Application Governance Module is available. For more information about this, see the One Identity Manager Web Application Configuration Guide.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating