Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution

The IT Shop allows users to request company resources such as applications, system roles or group memberships, as well as non-IT resources such as mobile telephones or keys. Furthermore, membership of a hierarchical role (department, location, cost center, business role) can be requested through the IT Shop. The requests are processed by a flexible, policy-based approval process. Introducing the IT Shop avoids time-consuming demands within the company and reduces the administration effort. The request history makes it possible to follow who requested which company resource or hierarchical role and when it was requested, renewed or canceled.

Shops, shelves, customers and products all belong to an IT Shop solution. Several shops can be grouped together into shopping centers. The shelves are assigned company resources in the form of products. Products can be grouped into service categories. All the service categories are summarized in a service catalog. Customers can select products from a service catalog in the Web Portal, add them to a cart and send a purchase request.

The following visual shows an example of a service catalog with service categories.

Figure 1: Example of a Service Catalog

Requests follow a defined approval process which decides whether a product may be assigned or not. Products can be renewed or canceled. Approval processes can also be specified for renewals and cancellations. Approval policies are defined for an approval process. The approval policies are assigned to approval workflows for product requests, renewals or cancellations.

Figure 2: Example for a Simple Approval Workflow

The products are requested, renewed and canceled through the Web Portal. Authorized employees have the option to approve requests and cancellations. For more detailed information, see the One Identity Manager Web Portal User Guide.

One Identity Manager Users in the IT Shop

The following users are involved in setting up and operating an IT Shop system.

Table 1: Users
User Task

Administrators for the IT Shop

Administrators must be assigned to the application role Request & Fulfillment | IT Shop | Administrators.

Users with this application role:

  • Create the IT Shop structure with shops, shelves, customers, templates and service catalog.
  • Create approval policies and approval workflows.
  • Specify which approval procedure to use to find attestors.
  • Create products and service items.
  • Set up request notifications.
  • Monitor request procedures.
  • Administrate application roles for product owners and attestors.
  • Set up other application roles as required.
  • Create extended properties for company resources of any type.
  • Edit the resources and assign them to IT Shop structures and employees.
  • Assign system authorizations to IT Shop structures.

Product owners

The product owners must be assigned to the application role Request & Fulfillment | IT Shop | Product owners or an application role below that.

Users with this application role:

  • Approve through requests.
  • Edit service items and service categories under their management.

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configure schedules, as required.
  • Create and configure password policies, as required.

Role approver

  • Request approval in the Web Portal.

Approvers are determined through approval procedures.

Attestors for requests

Attestors must be assigned to the application role Request & Fulfillment | IT Shop | Attestors.

Users with this application role:

  • Attest correct assignment of company resources to IT Shop structures for which they are responsible.
  • Can view master data for these IT Shop structures but not edit them.

Note: This application role is available if the Attestation Module is installed.

Chief approval team

The chief approver must be assigned to the application role Request & Fulfillment | IT Shop | Chief approval team.

Users with this application role:

  • Approve through requests.
  • Assign requests to other approvers.

Putting the IT Shop into Operation

Table 2: Configuration Parameters for the IT Shop

| Configuration parameter | Meaning |
| --- | --- |
| QER\ITShop | Preprocessor relevant configuration parameter to control the component parts for the IT Shop. If the parameter is set, the IT Shop components are available. Changes to the parameter require recompiling the database. |

To utilize the IT Shop

  • Set the configuration parameter "QER\ITShop" in the Designer.

The shop "Identity & Access Lifecycle" is already included in the default installation of One Identity Manager. The shop contains several shelves which have standard products assigned to them. You can use these products to request role or group memberships, for example, or to delegate duties. All active employees automatically become members of this shop and can therefore make requests.

You can use the "Identity & Access Lifecycle" shop to request standard products. Default approval policies are implemented for approving these requests. You can request any company resources you like, by taking the default shop and extending it with your own shelves or by setting up your own IT Shop solution.

To use the shop "Identity & Access Lifecycle"

  1. Set the configuration parameter "QER\ITShop" in the Designer.

    In the default installation, the configuration parameter is enabled and the IT Shop is available. If the configuration parameter is not set, you can set it in the Designer and then compile the database.

  2. Install and configure the Web Portal.

    The products are requested, renewed and canceled through the Web Portal. Authorized employees have the option to approve requests and cancellations.

    For more detailed information, see the One Identity Manager Installation Guide and the One Identity Manager Web Portal User Guide.

IMPORTANT: The shop's customers are determined by a dynamic role. If a shop contains a large number of customers, the calculations in the IT Shop can cause a heavy load on the DBQueue Processor and therefore on the database server as well.

Formulate the condition for the dynamic role so that no more than 30 00 employees are found. If necessary, set up your own IT Shop solution with several shops and customer nodes.

To customize the shop "Identity & Access Lifecycle"

  1. Set up more shelves.

    For more information, see Managing an IT Shop.

  2. Prepare company resources for requesting.

    For more information, see Preparing Products for Requesting.

  3. Assign requestable products to the shelves.

    For more information, see Assigning and Removing Products.

  4. Set up the approval process.

    In the default installation, several approval policies are assigned to the "Identity Lifecycle". Therefore, requests from this shop are run through predefined approval processes.

    You can also assign your own approval policy to the shop. For more information, see Approval Processes for IT Shop Requests.

  5. If necessary, edit the dynamic role condition.

    For more information, see Creating Dynamic Roles. For more detailed information about creating the condition, see the One Identity Manager Identity Management Base Module Administration Guide.

To set up your own IT Shop solution:

  1. Set the configuration parameter "QER\ITShop" in the Designer.

    In the default installation, the configuration parameter is enabled and the IT Shop is available. If the configuration parameter is not set, you can set it in the Designer and then compile the database.

  2. Set up shops, shelves and customer nodes.

    For more information, see Managing an IT Shop.

  3. Prepare company resources for requesting.

    For more information, see Preparing Products for Requesting.

  4. Assign requestable products to the IT Shop.

    For more information, see Assigning and Removing Products.

    One Identity Manager makes different default products available, which can be requested through the shop "Identity & Access Lifecycle". You can also add these products to your own IT Shop.

  5. Set up the approval process.

    For more information, see Approval Processes for IT Shop Requests.

  6. Install and configure the Web Portal.

    The products are requested, renewed and canceled through the Web Portal. Authorized employees have the option to approve requests and cancellations.

    For more detailed information, see the One Identity Manager Installation Guide and the One Identity Manager Web Portal User Guide.

Requestable Products

Requestable products in the IT Shop are company resources, such as target system groups and applications as well as non-IT resources, after they have been assigned to a shelf. The following company resources can be assigned to shelves as requestable products.

Table 3: Requestable Products

| Company Resource | Available in Module | Documentation Guide |
| --- | --- | --- |
| Groups of custom target systems | Target System Base Module | One Identity Manager Target System Base Module Administration Guide |
| Active Directory groups | Active Directory Module | One Identity Manager Administration Guide for Connecting to Active Directory |
| SharePoint groups and SharePoint roles | SharePoint Module | One Identity Manager Administration Guide for Connecting to SharePoint |
| IBM Notes groups | IBM Notes Module | One Identity Manager Administration Guide for Connecting to IBM Notes |
| LDAP groups | LDAP Module | One Identity Manager Administration Guide for Connecting to LDAP |
| SAP groups, SAP roles and SAP profiles | SAP R/3 User Management Module | One Identity Manager Administration Guide for Connecting to SAP R/3 |
| SAP structural profiles | SAP R/3 Structural Profiles Add-on Module | One Identity Manager Administration Guide for SAP R/3 Structural Profiles Add-on |
| SAP BI analysis authorizations | SAP R/3 Analysis Authorizations Add-on Module | One Identity Manager Administration Guide for SAP R/3 Analysis Authorizations Add-on |
| Resources | Identity Management Base Module | One Identity Manager Identity Management Base Module Administration Guide |
| Multi-request resources | Identity Management Base Module | One Identity Manager Identity Management Base Module Administration Guide |
| Account definitions | Target System Base Module | One Identity Manager Target System Base Module Administration Guide |
| System roles | System Roles Module | One Identity Manager System Roles Administration Guide |
| Subscribable reports | Report Subscription Module | One Identity Manager Report Subscriptions Administration Guide |
| Applications | Application Management Module | One Identity Manager Application Management Administration Guide |
| Assign resources | Identity Management Base Module, Business Roles Module | Use assignment resources to request any number of assignments to hierarchical roles or to delegate responsibilities through the IT Shop. For more information, see Assignment Requests and Delegating. |
| Azure Active Directory groups | Azure Active Directory Module | One Identity Manager Administration Guide for Connecting to Azure Active Directory |
| Azure Active Directory Administrator Roles | Azure Active Directory Module | One Identity Manager Administration Guide for Connecting to Azure Active Directory |

Applications and system roles can also be requested for workdesks. The request's UID_Workdesk is given as additional information here (PersonWantsOrg.UID_WorkdeskOrdered).
