Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Identity Manager On Demand Hosted - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Setting up approval workflows

An approval workflow consists of one or more approval levels. An approval level can contain one approval step or several parallel approval steps. Within the approval process, all of the approval steps for one approval level must be run before the next approval level is called. Use connectors to set up the sequence of approval levels in the approval workflow.

When you add a new approval workflow, the first thing to be created is a new workflow element.

To edit approval level properties

  1. Open the Workflow Editor.

  2. Select the Toolbox > Workflow > Edit item.

  3. Edit the workflow properties.

  4. Click OK.
Table 29: Approval workflow properties

Property

Meaning

Name

Approval workflow name.

System halt (days)

Number of days to elapse after which the approval workflow, and therefore the system, automatically halts the entire approval process.

Description

Text field for additional explanation.
Detailed information about this topic

Editing approval levels

An approval level provides a method of grouping individual approval steps. All the approval steps in one approval level are run in parallel. All the approval steps for different approval levels are run one after the other. You use the connectors to specify the order.

Specify the individual approval steps in the approval levels. At least one approval step is required per level. Enter the approval steps first before you add an approval level.

To add an approval level

  1. Select the Toolbox > Approval levels > Add item.

    This opens the properties dialog for the first approval step.

  2. Enter the approval step properties.

  3. Save the changes.

You can edit the properties of an approval level as soon as you have added an approval level with at least one approval step.

To edit approval level properties

  1. Select the approval level.

  2. Select the Toolbox > Approval levels > Edit item.

  3. Enter a display name for the approval level.

  4. Save the changes.
NOTE: You can define more than one approval step for each approval level. In this case, the approvers of an approval level can make a decision about a request in parallel rather than sequentially. The request cannot be presented to the approvers at the next approval level until all approval steps of an approval level have been completed within the approval process.

To add more approval steps to an approval level

  1. Select the approval level.

  2. Select the Toolbox > Approval steps > Add item.

  3. Enter the approval step properties.

  4. Save the changes.
Detailed information about this topic

Editing approval steps

To edit approval level properties

  1. Select the approval step.

  2. Select the Toolbox > Approval steps > Edit item.

  3. Edit the approval step properties.

  4. Save the changes.
Detailed information about this topic

Properties of an approval step

On the General tab, enter the data described below. On the Mail templates tab, select the mail templates for generating mail notifications. If you add a new approval step, you must fill out the required fields.

Table 30: General properties of an approval step

Property

Meaning

Single step

Approval step name.

Approval procedure

Procedure to use for determining the approvers.

Processing status

Processing status of the success or failure case of the approval step. The processing status for the request is set according to the decision and whether it has been made positively or negatively. Define the processing status in the basic configuration data.

Role

Hierarchical role from which to determine the approvers.

The role is used in the OM and OR default approval procedures. Additionally, you can use the role if you use a custom approval procedure in the approval step.

Fallback approver

Application role whose members are authorized to approve requests if an approver cannot be determined through the approval procedure. Assign an application from the menu.

To create a new application role, click . Enter the application role name and assign a parent application role. For detailed information, see the One Identity Manager Authorization and Authentication Guide.

NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment as soon as one fallback approver has approved the request.

Relevance for compliance

Specifies whether the approver is notified when a request leads to a rule violation. The following values are permitted:

  • Not relevant: Information about rule violations is not relevant for approvers in this approval step. No additional information is displayed for the approver in the approval process.

  • Information: Approvers in this approval step receive information during the approval process if the request causes a compliance rule violation. The approvers decided whether to grant or deny the request.

  • Necessary measures: Approvers in this approval step receive information during the approval process if the request causes a compliance rule violation. The request is automatically denied.

Condition

Condition for calculating the approval decision. The condition is used in the CD, EX, or WC default approval procedures. Additionally, you can use the role if you use a custom approval procedure in the approval step.

Comparison value for the risk index in the approval procedure RI. Enter a number in the range 0.1 to 1.0. 1.0. You can use , or . as a decimal point.

Number of approvers

Number of approval required to approve a request. Use this number to further restrict the maximum number of approvers of the implemented approval procedure.

If there are several people allocated as approvers, then this number specifies how many people from this group have to approve a request. A request can only be passed on to the next level if this has been done.

If you want approval decisions to be made by all the employees found using the applicable approval procedure, for example all members of a role (default approval procedure OR), enter the value -1. This overrides the maximum number of approvers defined in the approval procedure.

If not enough approvers can be found, the approval step is presented to the fallback approvers. The approval step is considered approved as soon as one fallback approver has approved the request.

If an approval decision is made by the chief approval team, it overrides the approval decision of just one regular approver. This means, if three approvers must approve an approval step and the chief approval team makes a decision, two more are still required.

The number of approvers defined in an approval step is not taken into account in the approval procedures CD, EX,or WC.

Description

Text field for additional explanation.

Approval reason

Reason entered in the request if approval is automatically granted.

This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC. In the CR approval procedure, you can user the wild card {0} in the text. The place holder syntax corresponds to a format place holder in VB.Net ({0} to {9})

Reject reason

Reason entered in the request and the approval history, if approval is automatically denied.

This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC. In the CR approval procedure, you can user the wild card {0} in the text. The place holder syntax corresponds to a format place holder in VB.Net ({0} to {9})

Reminder after (minutes)

Number of minutes to elapse after which the approver is notified by mail that there are still pending requests for approval. The input is converted into working hours and displayed additionally.

NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

If more than one approver was found, each approver will be notified. The same applies if an additional approver has been assigned.

If an approver delegated the approval, the time point for reminding the delegation recipient is recalculated. The delegation recipient and all the other approvers are notified. The original approver is not notified.

If an approver has made an inquiry, the time point for reminding the queried employee is recalculated. As long as the inquiry has not been answered, only this employee is notified.

Timeout (minutes)

Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

The working hours of the respective approver are taken into account when the time is calculated.

NOTE: Ensure that a state, county, or both is entered into the employee's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

Timeout behavior

Action that is run if the timeout expires.

  • Approved: The request is approved in this approval step. The next approval level is called.

  • Deny: The request is denied in this approval step. The approval level for denying is called.

  • Escalation: The request process is escalated. The escalation approval level is called.

  • Cancel: The approval step, and therefore the entire approval process for the request, is canceled.

Additional approver possible

Specifies whether a current approver is allowed to instruct another employee as an approver. This additional approver has parallel authorization to make approvals for the current request. The request is not passed on to the next approval level until both approvers have made a decision.

This option can only be set for approval levels with a single, manual approval step.

Approval can be delegated

Specifies whether a current approver can delegate the approval of the request to another employee. This employee is added to the current approval step as the approver. This employee then makes the approval decision instead of the approver who made the delegation.

This option can only be set for approval levels with a single, manual approval step.

Approval by affected employee

Specifies whether the employee who is affected by the approval decision can also approve this request. If this option is set, requester, and request recipients can approve the request.

If this option is not set, use the QER | ITShop | PersonInsertedNoDecide, QER | ITShop | PersonOrderedNoDecide, QER | ITShop | PersonInsertedNoDecideCompliance, and QER | ITShop | PersonOrderedNoDecideCompliance configuration parameters to specify for all requests whether requester and request recipient can approve the request.

Do not show in approval history

Specifies whether or not the approval step should be displayed in the approval history. For example, this behavior can be applied to approval steps with the CD - calculated approval procedure, which are used only for branching in the approval workflow. It makes it easier to follow the approval history.

No automatic approval

Specifies whether the approval step is decided manually. The request is presented again to an approver even if they are the requester themselves or the request has been approved in a previous approval step. The setting of the DecisionOnInsert, ReuseDecision and AutoDecision configuration parameters is ignored in this approval step.

Escalate if no approver found

Specifies whether the approval step is escalated if no approver can be found and no fallback approver is assigned. In this case, the request is neither canceled nor passed to the chief approval team.

This option can only be enabled if an approval level is linked to escalation. The option cannot be enables if the approval step uses the approval procedure OC or OH.

Detailed information about this topic
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating