One Identity Manager users must be registered with Starling Two-Factor Authentication in order to use multi-factor authentication. To register, a user must request the Starling 2FA Token in the Web Portal. Once the request has been granted approval, the user receives a link to the Starling Two-Factor Authentication app and a Starling 2FA user ID. The app generates one-time passwords, which are required for authentication. The Starling 2FA user ID is saved in the user's employee master data.
|NOTE: The user's default email address, mobile phone and country must be stored in their master data. This data is required for registering.|
To facilitate requesting a Starling 2FA token
The Starling 2FA token request must be granted approval by the request recipient's manager.
Multi-factor authentication can be implemented for requests as well as for request approvals.
Once the option "Approval by multi-factor authentication" is set on a service item, a security code is requested in each approval step of the approval process. This means that every approver that makes approval decisions about this product, must have a Starling 2FA token.
This configuration parameter specifies whether Starling 2FA is forced to send the OTP by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameter is set, Starling 2FA can disallow the request and the user must request the OPT through Starling 2FA.
If the OTP is requested for a
By default, Starling 2FA is forced to send the OTP by SMS or by phone call if the user has selected one of these options. However, for security reasons, the user should use the Starling 2FA app to generate the OTP. If the app is installed on the user's mobile phone, Starling 2FA can refuse the SMS or phone demand and the user must generate the OTP using the app.
To use this method
Set the configuration parameter ""QER\Person\Defender\DisableForceParameter" in the Designer.
Starling 2FA can refuse to transmit the OTP by SMS or phone call if the Starling 2FA app is installed on the phone. Then the OTP must be generated by the app.
If the configuration parameter is not set (default), Starling 2FA is forced to send the OTP by SMS or phone call.
This configuration parameter specifies whether the Manager of an organization or business role can view completed assignment requests for their organization or business role.
If this parameter is not set, the manager can only view open assignment requests for their organization or business role.
You can also use One Identity Manager to request hierarchical roles, like departments or business roles, through the IT Shop and assign them to employees, devices and workdesks. This allows any number of assignments to be made through IT Shop requests. The advantage of this method is that any kind of assignments can be authorized using an approval process. Assignment renewals and assignment recall are also subject to an approval process in the same way. The request history makes it possible to follow who, where and why requested, renewed or canceled which assignments.
Managers of hierarchical roles can make assignment requests for their roles.
Delegation is a special type of assignment request. This allows an employee to pass on a role assignment to another person for a limited period of time. Delegations are also subject to a fixed approval process.
Hierarchical role managers can view the role assignment requests they manage in the Web Portal. Use the configuration parameter "QER\ITShop\ShowClosedAssignmentOrders" to specify whether all request assignments are displayed or only open ones. By default, open as well as closed request assignments are displayed.
To only display a manager's open request assignments in the Web Portal