Chat now with support
Chat with Support

Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop Putting the IT Shop into Operation Requestable Products Preparing Products for Requesting Assigning and Removing Products Preparing the IT Shop for Multi-factor Authentication Assignment Requests and Delegating Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships Adding Groups Automatically to the IT Shop
Approval Processes for IT Shop Requests
Editing Approval Policies Approval Workflows Determining Effective Approval Policies Selecting Responsible Approvers Request Risk Analysis Testing Requests for Rule Compliance Approving Requests from an Approver Automatic Request Approval Obtaining Other Information about Requests by an Approver Appointing Other Approvers Setting up an Approval Step Approvers cannot be Established Automatic Approval on Timeout Abort Request on Timeout Approval through Chief Approval Team Approving Requests with Terms of Use Using Default Approval Processes
Request Sequence Managing an IT Shop
IT Shop Base Data Setting up IT Shop Structures Setting Up a Customer Node Deleting IT Shop Structures Templates for Automatically Filling the IT Shop Creating Custom Mail Templates for Notifications request templates
Default Solution for Requesting System Entitlements Error Handling Appendix: Configuration Parameters for the IT Shop Appendix: Request Statuses Appendix: Example of Request Results

Standard Products for Assignment Requests and Delegation

Standard Products for Assignment Requests and Delegation

You require special resources for assignment requests and delegation, so called assignment resources. Assignment resources are linked to service items and can thus be made available as products in the IT Shop.

One Identity Manager provides standard products for assignment requests and delegation. These are used to:

  • Request membership in business roles or organizations for which the logged in One Identity Manager user is responsible.
  • Order assignments of system entitlements or other company resources to business roles or organizations for which the logged in One Identity Manager user is responsible.
  • Delegate responsibilities or memberships in hierarchical roles.
Table 23: Standard Products for Assignment Requests and Delegation
Assignment resource Service item Shop | Shelf Request
Members in roles Members in roles Identity & Access Lifecycle | Identity Lifecycle Memberships in business roles and organizations
Role entitlement assignments Role entitlement assignments Assignment of company resources to business roles and organizations
Delegation Delegation Delegations

All active One Identity Manager database employees in the default installation are customers of the shop, "Identity & Access Lifecycle". This allows all enabled employees to request assignments or delegate roles. Assignment requests with default products are automatically approved through self-service and delegation.

You can add default products for assignment requests and delegations to your own IT Shop.

Assignments can only be requested from and for customers of this shop. This means, the manager of the hierarchical roles as well as the employees that are also members of these roles, must be customers in the shop. The same applies to delegation.

TIP: Assignment requests can also be made for custom assignment tables (many-to-many tables), if they have an XOrigin column. The properties for this column must correspond to the column definition for XOrigin columns in the One Identity Manager data model.
Example for an Assignment Request

Clara Harris is the project X project leader. A business role "Project X" is added in the Manager to ensure that all the project staff obtain the necessary entitlements. Clara Harris is assigned as manager of this business role. All project staff have a user account in the Active Directory domain "domain P".

Clara Harris can request memberships in the business role "Project X" in Web Portal because she is a manager. Clara Harris requests memberships for herself and all project staff.

Furthermore, Clara Harris wants all project staff to obtain their entitlements in Active Directory through the Active Directory group "Project X AD permissions". To this, she request permission "Project X AD permissions" in the Web Portal for the business role "Project X".

The user accounts of all project staff become members in the Active Directory group "Project X AD permissions" through internal inheritance processes.

Detailed information about this topic
Related Topics

Requesting Single Business Roles

Requesting Single Business Roles

Installed Module: Business Roles Module

You have the option to limit assignment request to single business roles. To do this, an assignment resource is created for a fixed requestable business role. The business role is automatically part of the request in an assignment resource request.

Furthermore, you have the option to define an approval process for requestable business roles of this type. The service items connected with the assignment resources are assigned separate approval policies in order to do this.

To limit assignment requests to single business roles

  1. Select the category Business roles | <Role class>.
  2. Select the business role in the result list.
  3. Select Create assignment resource... in the task view.

    This starts a wizard, which takes you through adding an assignment resource.

    1. Enter a description and allocate a resource type.

      This adds a new assignment resource with the user defined properties

      Table = "ORG" and path = "<business role UID>".

    2. Enter the service item properties to allocate to the assignment resource.

      Assign a service category in order to request the assignment resource Web Portalin the through the service category.

      A new service item is added and linked to the assignment resource.

  4. Assign the assignment resource to an IT Shop shelf as a product.
  5. Assign an approval policy to the shelf or the assignment resource’s service item.
  6. You can post-process the assignment resource master data if required.
  7. You can post-process the service item master data if required.

The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the employee, for whom it was requested, becomes a member of the associated business role through internal inheritance processes.

Related Topics

Customizing Assignment Requests

Customizing Assignment Requests

Assign requests with standard products are automatically approved through self-service. If assignment requests should be approved by an approval supervisor, assign a suitable approval policy to the default assignment resource. This means assignment requests also go through the defined approval process.

To approve assignment requests through an approver

  • Assign separate approval policies to the default assignment resources service positions.

    - OR -

  • Assign any approval policy to the shelf "Identity Lifecycle".

Sometimes, assignment requests should be subject to various approval process depending on the object requested. For example, a department manager should approve department assignment but department membership should be approved by the employee’s manager. You can define assignment resources to do this. You can assign these assignment resources to any shelf in your IT Shop.

NOTE: To use these assignment resources you must make more modifications to the Web Designer configuration.

To configure custom assignment requests

  1. Create a new assignment resource.
    1. Select the category Entitlements | Assignment resource for IT Shop.
    2. Click in the result list toolbar.

    3. Select Change master data in the task view.
    4. Enter the assignment resource name.
    5. Assign a new service item.
    6. Save the changes.
  2. Assign the assignment resource to an IT Shop shelf as a product.
    1. Select Add to IT Shop in the task view.
    2. Assign a shelf in Add assignments.
    3. Save the changes.
  3. Assign an approval policy to the shelf or the assignment resource’s service item.
  4. Configure usage of the assignment resource in Web Designer.
Detailed information about this topic
Related Topics

Preparing for Delegation

Preparing for Delegation

Table 24: Configuration Parameter for Delegation
Configuration parameter Meaning
QER\ITShop\Delegation Preprocessor relevant configuration parameter for controlling model components for delegation and role membership. Changes to the parameter require recompiling the database. If the parameter is set, delegation components are available.

Delegation is a special type of assignment request. It allows an employee to temporarily pass on responsibilities or a role assignment to another person.

To run delegation in One Identity Manager

  • Set the configuration parameter "QER\ITShop\Delegation" in the Designer.

Delegations are also subject to a fixed approval process. For delegations, you need a separate "delegation" assignment resource. This already exists in the standard installation as a product in the shop "Identity Lifecycle" on the shelf "Identity Lifecycle".

The following objects in the standard installation can be delegated.

Membership in: Business roles

Application Roles

Responsibilities for: Departments

Cost centers

Locations

Business roles

Employees

IT Shop structures (owners)

TIP: Specify the role classes associated to business roles for which memberships can be delegated. This option is available when the Business Roles Module is installed.

Delegation only takes effect if the delegated membership or responsibility does not yet exist.

Example:

Jenny Basset is member of the business role "Project X". She delegates this membership to Jan Bloggs. Jan Bloggs is also a member of this business role. The delegation is saved but is not yet in effect. After Jan Bloggs losses his membership in the business role, delegation takes effect. This way Jan Bloggs remains a member in the business role. After delegation is canceled, Jan Bloggs is removed from the business role.

To permit delegation of a role class

  1. Select the category Business roles | Basic configuration data | Role classes.
  2. Select the role class in the result list.
  3. Select Change master data in the task view.
  4. Set Delegable.
  5. Save the changes.

Use Web Portal to delegate roles or responsibilities.

Detailed information about this topic
  • One Identity Manager Business Roles Administration Guide
  • One Identity Manager Web Portal User Guide
Related Documents