
Identity Manager 8.0 - IT Shop Administration Guide


Preparing Starling 2FA Token Requests

One Identity Manager users must be registered with Starling Two-Factor Authentication in order to use multi-factor authentication. To register, a user must request the Starling 2FA Token in the Web Portal. Once the request has been granted approval, the user receives a link to the Starling Two-Factor Authentication app and a Starling 2FA user ID. The app generates one-time passwords, which are required for authentication. The Starling 2FA user ID is saved in the user's employee master data.

NOTE: The user's default email address, mobile phone number, and country must be stored in their master data. This data is required for registration.

To facilitate requesting a Starling 2FA token

  1. Select the category IT Shop | Service catalog | Predefined.
  2. Select New Starling 2FA token in the result list.
  3. Select Change master data in the task view.
  4. Disable Not available.
  5. Save the changes.

The Starling 2FA token request must be granted approval by the request recipient's manager.

Using Multi-Factoring for Requests

Multi-factor authentication can be implemented for requests as well as for request approvals.

Once the "Approval by multi-factor authentication" option is set on a service item, a security code is requested in each approval step of the approval process. This means that every approver who makes approval decisions about this product must have a Starling 2FA token.

So that the requester can also use multi-factor authentication, assign terms of use to the service item as well. The requester must enter the security code when confirming the terms of use. The request recipient must also enter a security code if the approval workflow is configured accordingly. For more information, see Approving Requests with Terms of Use.

Table 20: Variations of Multi-factor Authentication in the IT Shop

Effective approval policy | Terms of use | Security code requested from requester | Security code requested from approver
Self-service              | None         | -                                      | -
Self-service              | Assigned     | x                                      | -
No self-service           | None         | -                                      | x
No self-service           | Assigned     | x                                      | x
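As an added illustration (not One Identity Manager code), the following model combines the registration prerequisites above with Table 20: it lists the points at which a security code is requested for a service item and reports whether each affected person already holds a Starling 2FA user ID, can still request a token, or lacks the master data needed to register. The Person and ServiceItem structures and the field names are assumptions for the example.

```python
# Added example: models who must present a Starling 2FA security code for an
# IT Shop request, and whether they are ready to. Not One Identity Manager code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Person:
    name: str
    starling_user_id: Optional[str] = None  # set once the token request was approved
    email: Optional[str] = None
    mobile: Optional[str] = None
    country: Optional[str] = None

    def can_register(self) -> bool:
        # Master data the Starling 2FA token request requires (assumed field names)
        return all((self.email, self.mobile, self.country))


@dataclass
class ServiceItem:
    name: str
    approval_by_mfa: bool  # "Approval by multi-factor authentication" option
    terms_of_use: bool     # terms of use assigned to the service item
    self_service: bool     # effective approval policy is self-service
    approvers: List[Person] = field(default_factory=list)  # one per approval step


def security_code_checkpoints(item: ServiceItem, requester: Person) -> List[Tuple[str, Person]]:
    """Points at which a security code is requested (Table 20): the requester when
    terms of use are assigned, every approver when the policy is not self-service."""
    if not item.approval_by_mfa:
        return []
    points: List[Tuple[str, Person]] = []
    if item.terms_of_use:
        points.append(("terms_of_use", requester))
    if not item.self_service:
        points.extend(("approval_step", a) for a in item.approvers)
    return points


def readiness_report(item: ServiceItem, requester: Person) -> Dict[str, List[str]]:
    """Group everyone who will be asked for a code by whether they can supply one."""
    report: Dict[str, List[str]] = {"ready": [], "needs_token": [], "missing_master_data": []}
    for _, person in security_code_checkpoints(item, requester):
        if person.starling_user_id:
            bucket = "ready"
        elif person.can_register():
            bucket = "needs_token"  # can request the Starling 2FA token in the Web Portal
        else:
            bucket = "missing_master_data"  # token request would fail: complete master data first
        if person.name not in report[bucket]:
            report[bucket].append(person.name)
    return report
```

Running the report before enabling the option on a service item shows which approvers would block the approval process because they cannot yet produce a security code.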
Requesting a Security Code

Table 21: Configuration Parameter for Requesting Starling 2FA Security Codes

Configuration parameter: QER\Person\Defender\DisableForceParameter

Meaning: This configuration parameter specifies whether Starling 2FA is forced to send the OTP by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameter is set, Starling 2FA can disallow the request and the user must request the OTP through the Starling 2FA app.

If the OTP is requested for a request or request approval, the user decides how the OTP is sent. The following options are available:

  • By Starling 2FA app
  • By SMS
  • By phone call

By default, Starling 2FA is forced to send the OTP by SMS or by phone call if the user has selected one of these options. However, for security reasons, the user should use the Starling 2FA app to generate the OTP. If the app is installed on the user's mobile phone, Starling 2FA can refuse the SMS or phone call request, and the user must generate the OTP using the app.

To use this method

  • Set the configuration parameter "QER\Person\Defender\DisableForceParameter" in the Designer.

    Starling 2FA can refuse to transmit the OTP by SMS or phone call if the Starling 2FA app is installed on the phone. Then the OTP must be generated by the app.

If the configuration parameter is not set (default), Starling 2FA is forced to send the OTP by SMS or phone call.

Assignment Requests and Delegating

Table 22: Configuration Parameters for the IT Shop

Configuration parameter: QER\ITShop\ShowClosedAssignmentOrders

Meaning: This configuration parameter specifies whether the manager of an organization or business role can view completed assignment requests for their organization or business role.

If this parameter is not set, the manager can only view open assignment requests for their organization or business role.

You can also use One Identity Manager to request hierarchical roles, such as departments or business roles, through the IT Shop and assign them to employees, devices, and workdesks. This allows any number of assignments to be made through IT Shop requests. The advantage of this method is that any kind of assignment can be authorized through an approval process. Assignment renewals and assignment recalls are subject to an approval process in the same way. The request history makes it possible to trace who requested, renewed, or canceled which assignments, where, and why.

Managers of hierarchical roles can make assignment requests for their roles.

Delegation is a special type of assignment request. This allows an employee to pass on a role assignment to another person for a limited period of time. Delegations are also subject to a fixed approval process.

Hierarchical role managers can view the assignment requests for the roles they manage in the Web Portal. Use the configuration parameter "QER\ITShop\ShowClosedAssignmentOrders" to specify whether all assignment requests are displayed or only open ones. By default, both open and closed assignment requests are displayed.

To display only a manager's open assignment requests in the Web Portal

  • Disable the configuration parameter "QER\ITShop\ShowClosedAssignmentOrders" in the Designer.