
Identity Manager 8.0 - IT Shop Administration Guide


Creating Requests for Workdesks

Requests for workdesks are created with the method CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName). Prepare the IT Shop accordingly before creating the requests; the method only creates a request when the company resource is offered as a product in a shop of which the requester is a customer.

To create requests from assignments to workdesks

  1. Prepare the company resources (application, system role or driver) for use in the IT Shop.
  2. Assign the company resources to a shelf in the IT Shop.
  3. Select an employee as requester for the assignment to workdesks.
    • Pass the employee's UID_Person as the parameter uidPerson to the method.
  4. Add the selected employee as a customer to the shops to which the company resources are assigned as products.
  5. Optional: Create a script that populates other properties of the requests.
    • Pass the script name as a parameter to the method CustomScriptName.
  6. Create a script to run the method CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName) for the affected tables.

How One Identity Manager creates requests for workdesks from existing assignments

  1. Determine workdesks and their assigned company resources.
  2. Determine the requester from the parameter uidPerson.
  3. Determine the shops assigned to the company resources and to the requester.
  4. Create the requests with initial data.
  5. Execute the custom script.
  6. Save the requests (entry in table PersonWantsOrg).
  7. Assign the employee to the product structure (entry in table PersonInITShopOrg).
  8. Transform direct company resource assignments into indirect assignments to workdesks (for example, in the table WorkDeskHasApp).

Creating Assignment Requests

You can create assignment requests for existing company resource assignments to hierarchical roles and for memberships of employees, devices or workdesks in hierarchical roles. The following methods are available.

Table 28: Methods for Transforming Direct Assignments into Assignment Requests

  • CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName)

    Creates an assignment request from an assignment or membership. This method can be applied to all tables from which a UID_Person cannot be determined.

  • CreateITShopOrder (string uidOrgProduct, string uidWorkdeskOrdered, string uidPersonOrdered, string CustomScriptName)

    Creates an assignment request from an assignment or membership and, in addition, saves a UID_WorkdeskOrdered with the request procedure.

Prepare the IT Shop accordingly before creating the requests.

To create assignment requests from direct assignment to hierarchical roles and role memberships

  1. Select an assignment resource from the shelf IT Shop | Identity & Access Lifecycle | Shelf: Identity Lifecycle.
    • Pass the product's UID_ITShopOrg as the parameter uidOrgProduct to the method.
  2. Select an employee from the shop's customer node IT Shop | Identity & Access Lifecycle as requester for the assignment request.
    • Pass the employee's UID_Person as the parameter uidPersonOrdered to the method.
  3. Optional: Create a script that populates other properties of the requests.
    • Pass the script name as a parameter to the method CustomScriptName.
  4. Create a script to run the method CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName) for the affected tables.

TIP: You can also create your own assignment resource and assign it to a shelf in any shop. Select an employee as requester for the assignment request from this shop's customer node. For more information, see Customizing Assignment Requests.

To create One Identity Manager assignment requests from existing assignments to hierarchical roles

  1. Determine the hierarchical roles together with their assigned company resources and their members (employees, devices or workdesks).
  2. Determine the requester from the parameter uidPersonOrdered.
  3. Determine the assignment resource from the parameter uidOrgProduct.
  4. Determine the shops assigned to the assignment resource and to the requester.
  5. Create the requests with initial data.
  6. Execute the custom script.
  7. Save the requests (entry in table PersonWantsOrg).
  8. Transform direct company resource assignments to hierarchical roles into indirect assignments (for example, in the table DepartmentHasQERResource). Transform direct memberships in hierarchical roles into indirect memberships (for example, in the table PersonInDepartment).

If the assignment request is to be created for a workdesk, pass the method the workdesk's UID_WorkDesk as parameter uidWorkdeskOrdered. The method saves this UID as UID_WorkdeskOrdered in the request (table PersonWantsOrg).
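The two procedures above (requests for workdesks, and assignment requests for role memberships) share one precondition that is easy to get wrong in practice: a request is only created when the product lies in a shop of which the requester is a customer. The following added model illustrates that check and the optional uidWorkdeskOrdered parameter for CreateITShopOrder. It is example code written for this page, not One Identity Manager code; the in-memory tables stand in for ITShopOrg, PersonInITShopOrg and PersonInDepartment, and the Request fields and the "Note" property set by the custom script are hypothetical.

```python
"""Model (not product code) of how an assignment request is derived from
existing role memberships, including the shop/customer precondition."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Product:
    uid_itshop_org: str   # UID_ITShopOrg of the product (the assignment resource)
    uid_shop: str         # shop whose shelf holds the product


@dataclass
class Request:
    """Stand-in for one PersonWantsOrg row (field names are hypothetical)."""
    uid_person_ordered: str
    uid_itshop_org: str
    uid_workdesk_ordered: Optional[str]
    membership: tuple                     # (role UID, member UID) the request replaces
    extra: dict = field(default_factory=dict)


# Constructed sample data: one assignment resource in the default shop and one in a custom shop.
PRODUCTS = {
    "ITS-ASSIGN-DEPT": Product("ITS-ASSIGN-DEPT", "SHOP-IAL"),
    "ITS-ASSIGN-CUSTOM": Product("ITS-ASSIGN-CUSTOM", "SHOP-CUSTOM"),
}
# PersonInITShopOrg stand-in: (UID_Person, shop) pairs; PER-REQ is a customer of SHOP-IAL only.
CUSTOMERS = {("PER-REQ", "SHOP-IAL")}
# PersonInDepartment stand-in: direct memberships (UID_Department, UID_Person).
PERSON_IN_DEPARTMENT = [("DEPT-1", "PER-A"), ("DEPT-1", "PER-B"), ("DEPT-2", "PER-A")]


def shops_for(uid_org_product, uid_person_ordered):
    """Step 4: shops that hold the product AND list the requester as a customer."""
    product = PRODUCTS.get(uid_org_product)
    if product is None:
        return []
    if (uid_person_ordered, product.uid_shop) in CUSTOMERS:
        return [product.uid_shop]
    return []


def create_itshop_orders(uid_org_product, uid_person_ordered,
                         custom_script=None, uid_workdesk_ordered=None):
    """Return the PersonWantsOrg stand-ins that would be saved.

    When the requester is not a customer of a shop that offers the assignment
    resource, nothing is created and an empty list is returned, so a caller
    can detect the misconfiguration instead of assuming a partial migration.
    """
    if not shops_for(uid_org_product, uid_person_ordered):
        return []
    requests = []
    for membership in PERSON_IN_DEPARTMENT:      # steps 1 and 5: one request per membership
        req = Request(uid_person_ordered, uid_org_product, uid_workdesk_ordered, membership)
        if custom_script is not None:            # step 6: custom script fills further properties
            custom_script(req)
        requests.append(req)
    return requests


def mark_migrated(req):
    """Example custom script; 'Note' is a hypothetical property name."""
    req.extra["Note"] = f"migrated from {req.membership[0]}"


if __name__ == "__main__":
    for req in create_itshop_orders("ITS-ASSIGN-DEPT", "PER-REQ", mark_migrated):
        print(req)
    print("custom shop, requester not a customer:",
          create_itshop_orders("ITS-ASSIGN-CUSTOM", "PER-REQ"))
```

Calling the model with the product from the custom shop, or with a requester who is not a customer of the shop, yields no requests at all, which is the situation step 2 of the procedure (adding the requester to the customer node) is meant to prevent.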

Adding Groups Automatically to the IT Shop

Table 29: Configuration Parameters for Automatically Adding Groups to the IT Shop

  • QER\ITShop\GroupAutoPublish

    Description: Preprocessor-relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to the parameter require recompiling the database.

    Applies in module: SharePoint Module, Active Directory Module, Active Roles Module

  • QER\ITShop\GroupAutoPublish\ADSGroupExcludeList

    Description: This configuration parameter contains a list of all Active Directory groups for which automatic IT Shop assignment should not take place. Names are given in a pipe (|) delimited list that is handled as a regular search pattern.

    Example:

    .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

    Applies in module: Active Directory Module, Active Roles Module

  • TargetSystem\ADS\ARS_SSM

    Description: Preprocessor-relevant configuration parameter for controlling the database model components for Active Roles Self-Service Management in the One Identity Manager IT Shop. If the parameter is set, Self-Service Management components are available. Changes to the parameter require recompiling the database.

    Applies in module: Active Roles Module
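Because every group not matched by ADSGroupExcludeList becomes requestable in the IT Shop, it is worth checking which groups a given pattern actually keeps out before compiling the database. The following added example (written for this page, not product code) applies the pattern quoted above to constructed group names. The page says the value is handled as a regular search pattern but does not state whether it is anchored to the whole group name or matched anywhere within it, nor whether matching is case-sensitive, so the function exposes both anchoring modes and the sample names include a lowercase variant to make the case-sensitivity question visible.

```python
r"""Evaluate a QER\ITShop\GroupAutoPublish\ADSGroupExcludeList value against group names.

Added example, not One Identity Manager code. The value is one regular
expression in which '|' separates the alternatives; anchoring and case
handling are assumptions, see partition_groups().
"""
import re

# Exclude list value quoted in the documentation.
EXCLUDE_LIST = r".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"

# Constructed sample group names.
GROUPS = [
    "Domain Admins",
    "Exchange Servers",
    "Backup Operators",
    "IIS_IUSRS",
    "Sales",
    "Admins-Reporting",   # contains 'Admins' but does not end with it
    "administrators",     # lowercase: only excluded if matching ignores case
]


def partition_groups(names, exclude_list, full_match=True, ignore_case=False):
    """Split names into (published, excluded).

    full_match=True   pattern must cover the whole group name (assumption)
    full_match=False  pattern may match anywhere in the name (assumption)
    ignore_case       whether letter case is ignored (assumption)
    """
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(exclude_list, flags)
    matcher = pattern.fullmatch if full_match else pattern.search
    excluded = [n for n in names if matcher(n)]
    published = [n for n in names if not matcher(n)]
    return published, excluded


if __name__ == "__main__":
    for full_match in (True, False):
        published, excluded = partition_groups(GROUPS, EXCLUDE_LIST, full_match=full_match)
        print(f"full_match={full_match}")
        print("  published (added to IT Shop):", published)
        print("  excluded:                    ", excluded)
```

Run against the sample names, the anchored reading leaves "Admins-Reporting" and "administrators" requestable, while the search reading additionally excludes "Admins-Reporting"; only an explicit IGNORECASE keeps "administrators" out. If the intended behaviour for such names matters, verify the product's actual matching on a test group before relying on the pattern.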

To add groups automatically to the IT Shop

  1. Set the configuration parameter for automatically adding groups to the IT Shop in the Designer depending on existing modules.
  2. Compile the database.

The groups are added automatically to the IT Shop from now on.

  • Synchronization ensures that the groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor.
  • New groups created in One Identity Manager are added to the IT Shop.

The following steps are run to add a group to the IT Shop.

  1. A service item is determined for the group.

    The service item is tested and modified for each group as required. The service item name corresponds to the name of the group. The service item is assigned to one of the default service categories.

    • The service item is modified for groups with service items.
    • Groups without service items are allocated new service items.
  2. An application role for product owners is determined and the service item is assigned. Product owners can approve requests for membership in these groups. By default, the group's account manager/owner is established as the product owner.

    NOTE: The application role for product owners must be below the application role Request & Fulfillment | IT Shop | Product owners.
    • If the group's account manager/owner is already a member of an application role for product owners, then this application role is assigned to the service item.
    • If the group's account manager/owner is not a member of a product owner application role, a new application role is added. The name of the application role corresponds to the name of the account manager/owner.
      • If the account manager/owner is a user account, the user account's employee is added to the application role.
      • If you are dealing with a group of account managers/owners, the employees of all user accounts in this group are added to the application role.
    • If the group does not have an account manager/owner, the default application role Request & Fulfillment | IT Shop | Product owner | without owner in AD/SharePoint is used.
  3. The group is labeled with the option IT Shop and assigned to the IT Shop shelf "Active Directory groups" or "SharePoint groups" in the shop "Identity & Access Lifecycle" respectively.

Shop customers can then request membership in these groups through the Web Portal, and the product owners approve the requests.

NOTE: When a One Identity Manager group is irrevocably deleted from the database, the associated service item is deleted.

Deleting Unused Application Roles

The list of product owner application roles can quickly become confusing when groups are automatically added to the IT Shop, because an application role is added for each account manager. These application roles are no longer required once the groups are deleted.

Redundant application roles for product owners can be deleted through a scheduled process task. This deletes all application roles from the database for which all of the following apply:

  • The parent application role is Request & Fulfillment | IT Shop | Product owners.
  • The application role is not assigned to a service item.
  • The application role is not assigned to a service category.
  • The application role does not have members.

To delete application roles automatically

  • Configure and enable the schedule "Cleans up application role 'Request & Fulfillment\IT Shop\Product owners'" in the Designer.