You require special resources for assignment requests and delegation, so-called assignment resources. Assignment resources are linked to service items and can thus be made available as products in the IT Shop.
One Identity Manager provides standard products for assignment requests and delegation. These are used to:
|Assignment resource|Service item|Shop \| Shelf|Request|
|---|---|---|---|
|Members in roles|Members in roles|Identity & Access Lifecycle \| Identity Lifecycle|Memberships in business roles and organizations|
|Role entitlement assignments|Role entitlement assignments||Assignment of company resources to business roles and organizations|
In the default installation, all active employees in the One Identity Manager database are customers of the shop "Identity & Access Lifecycle". This allows all enabled employees to request assignments or delegate roles. Assignment requests with default products are automatically approved through self-service and delegation.
You can add default products for assignment requests and delegations to your own IT Shop.
Assignments can only be requested from and for customers of this shop. This means that the managers of the hierarchical roles, as well as the employees who are members of these roles, must be customers of the shop. The same applies to delegation.
|TIP: Assignment requests can also be made for custom assignment tables (many-to-many tables), if they have an XOrigin column. The properties for this column must correspond to the column definition for XOrigin columns in the One Identity Manager data model.|
Clara Harris is the project leader of project X. A business role "Project X" is added in the Manager to ensure that all the project staff obtain the necessary entitlements. Clara Harris is assigned as manager of this business role. All project staff have a user account in the Active Directory domain "domain P".
Clara Harris can request memberships in the business role "Project X" in Web Portal because she is a manager. Clara Harris requests memberships for herself and all project staff.
Furthermore, Clara Harris wants all project staff to obtain their entitlements in Active Directory through the Active Directory group "Project X AD permissions". To do this, she requests the permission "Project X AD permissions" in the Web Portal for the business role "Project X".
The user accounts of all project staff become members in the Active Directory group "Project X AD permissions" through internal inheritance processes.
|Installed Module:||Business Roles Module|
You have the option to limit assignment requests to single business roles. To do this, an assignment resource is created for a fixed requestable business role. The business role is then automatically part of any request for that assignment resource.
Furthermore, you have the option to define an approval process for requestable business roles of this type. The service items connected with the assignment resources are assigned separate approval policies in order to do this.
To limit assignment requests to single business roles
This starts a wizard, which takes you through adding an assignment resource.
This adds a new assignment resource with the user-defined properties Table = "ORG" and Path = "<business role UID>".
Assign a service category so that the assignment resource can be requested in the Web Portal through that service category.
A new service item is added and linked to the assignment resource.
The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the employee, for whom it was requested, becomes a member of the associated business role through internal inheritance processes.
Assignment requests with standard products are automatically approved through self-service. If assignment requests should instead be approved by an approver, assign a suitable approval policy to the default assignment resource. Assignment requests then also go through the defined approval process.
To approve assignment requests through an approver
- OR -
Sometimes, assignment requests should be subject to different approval processes depending on the object requested. For example, a department manager should approve department assignments, but department membership should be approved by the employee's manager. You can define assignment resources to do this. You can assign these assignment resources to any shelf in your IT Shop.
|NOTE: To use these assignment resources you must make more modifications to the Web Designer configuration.|
To configure custom assignment requests
Click in the result list toolbar.
|Configuration parameter|Meaning|
|---|---|
|QER\ITShop\Delegation|Preprocessor-relevant configuration parameter for controlling model components for delegation and role membership. Changes to the parameter require recompiling the database. If the parameter is set, delegation components are available.|
Delegation is a special type of assignment request. It allows an employee to temporarily pass on responsibilities or a role assignment to another person.
To run delegation in One Identity Manager
Delegations are also subject to a fixed approval process. For delegations, you need a separate "delegation" assignment resource. This already exists in the standard installation as a product in the shop "Identity Lifecycle" on the shelf "Identity Lifecycle".
The following objects in the standard installation can be delegated.
|Membership in:||Business roles|
|||IT Shop structures (owners)|
|TIP: Specify the role classes associated to business roles for which memberships can be delegated. This option is available when the Business Roles Module is installed.|
Delegation only takes effect if the delegated membership or responsibility does not yet exist.
Jenny Basset is a member of the business role "Project X". She delegates this membership to Jan Bloggs. Jan Bloggs is also a member of this business role. The delegation is saved but is not yet in effect. After Jan Bloggs loses his membership in the business role, the delegation takes effect. This way Jan Bloggs remains a member of the business role. After the delegation is canceled, Jan Bloggs is removed from the business role.
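The delegation rule above, modeled as an added Python example (constructed for this page, not One Identity Manager's own code or data model): a person's own memberships are tracked per role with an origin label, and a delegation only acts as a fallback membership while the delegate has no membership of their own. The class and method names, and the origin label "direct", are assumptions for the illustration.

```python
class RoleMembershipModel:
    """Simplified model (constructed for this example, not One Identity Manager's
    implementation): each person's own memberships per role, tagged with their
    origin, plus delegations that act as a fallback membership."""

    def __init__(self):
        self._own = {}          # (person, role) -> set of origin labels
        self._delegations = []  # dicts with keys: delegator, delegate, role, active

    def assign(self, person, role, origin):
        self._own.setdefault((person, role), set()).add(origin)

    def unassign(self, person, role, origin):
        # Membership survives while any other origin remains.
        self._own.get((person, role), set()).discard(origin)

    def delegate(self, delegator, delegate, role):
        if not self.is_member(delegator, role):
            raise ValueError(f"{delegator} holds no {role} membership to delegate")
        d = {"delegator": delegator, "delegate": delegate, "role": role, "active": True}
        self._delegations.append(d)
        return d

    def delegation_in_effect(self, d):
        # A delegation only takes effect while the delegate has no membership of their own.
        return d["active"] and not self._own.get((d["delegate"], d["role"]))

    def is_member(self, person, role):
        return bool(self._own.get((person, role))) or any(
            d["delegate"] == person and d["role"] == role and self.delegation_in_effect(d)
            for d in self._delegations)


def project_x_scenario():
    """Walk through the Jenny Basset / Jan Bloggs example; returns the observed states."""
    m = RoleMembershipModel()
    m.assign("Jenny Basset", "Project X", "direct")
    m.assign("Jan Bloggs", "Project X", "direct")
    d = m.delegate("Jenny Basset", "Jan Bloggs", "Project X")
    saved_only = not m.delegation_in_effect(d)        # Jan is already a member: saved, not in effect
    m.unassign("Jan Bloggs", "Project X", "direct")   # Jan loses his own membership
    via_delegation = m.delegation_in_effect(d) and m.is_member("Jan Bloggs", "Project X")
    d["active"] = False                               # the delegation is canceled
    removed = not m.is_member("Jan Bloggs", "Project X")
    return saved_only, via_delegation, removed
```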
To permit delegation of a role class
Use Web Portal to delegate roles or responsibilities.