Chat now with support
Chat with Support

Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop Putting the IT Shop into Operation Requestable Products Preparing Products for Requesting Assigning and Removing Products Preparing the IT Shop for Multi-factor Authentication Assignment Requests and Delegating Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships Adding Groups Automatically to the IT Shop
Approval Processes for IT Shop Requests
Editing Approval Policies Approval Workflows Determining Effective Approval Policies Selecting Responsible Approvers Request Risk Analysis Testing Requests for Rule Compliance Approving Requests from an Approver Automatic Request Approval Obtaining Other Information about Requests by an Approver Appointing Other Approvers Setting up an Approval Step Approvers cannot be Established Automatic Approval on Timeout Abort Request on Timeout Approval through Chief Approval Team Approving Requests with Terms of Use Using Default Approval Processes
Request Sequence Managing an IT Shop
IT Shop Base Data Setting up IT Shop Structures Setting Up a Customer Node Deleting IT Shop Structures Templates for Automatically Filling the IT Shop Creating Custom Mail Templates for Notifications request templates
Default Solution for Requesting System Entitlements Error Handling Appendix: Configuration Parameters for the IT Shop Appendix: Request Statuses Appendix: Example of Request Results

Using the Request Recipient to find Approvers

Using the Request Recipient to find Approvers

Use the following approval procedure if you want to determine the manager of the request recipient to be approver.

Table 40: Approval Procedures for Determining Approvers for Request Recipients
Approval procedure Approver
The request recipient is assigned a manager.

CM

Request recipient's manager

The request recipient is assigned to a department.

The department is assigned a manager or a deputy manager.

DM

Manager and deputy manager of the request recipient's department.

The request recipient is assigned a cost center.

The cost center is assigned a manager or a deputy manager.

PM

Manager and deputy manager of the request recipient's cost center.

Using a Specific Role to find Approvers

If members of a specific role are to be determined as approvers, use the approval procedure "OR" or "OM". Specify the role in the approval step to be used to find the approver. The approval procedures determine the approvers listed below. If there is an "IT Shop deputy" entered in the master data for these employees, they are also authorized as approver.

Table 41: Approval Procedures for Determining Approvers for a Specific Role
Selectable Roles Approver
OM
Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Manager and deputy manager of the hierarchical role specified in the approval step.
OR
Departments (Department)

Cost centers (ProfitCenter)

Locations (Locality)

Business roles (Org)

Application roles (AERole)

All secondary members of the hierarchical role specified in the approval step.

Using the Requested Product to Find Approvers

If the owner of the requested product is to be determined as an approver, use the following approval procedures:

OA - Product Owner

Assign an application role to the product‘s service item in the Product owner input field to make it possible to find owners of a product as approvers. In this case, all the employees assigned to the application role through secondary assignment are recognized as approvers.

PA - Additional owner of the Active Directory group
Installed Module: Active Roles Module

If an Active Directory group is requested, the approvers can be found through the additional owner of this Active Directory group. All employees are found that are:

  • A member in the assigned Active Directory group through their Active Directory user account
  • Linked to the assigned Active Directory user account

NOTE: Only use the approval procedure if the configuration parameter "TargetSystem\ADS\ARS_SSM" is set.

The column Additional owner is only available in this case.

TO - Target system manager of the requested system entitlement
Installed Module: Target System Base Module

Other target system modules

If a system entitlement is requested, the target system managers can be found as approvers using this approval procedure. Assign the synchronization base object of the target system to the target system manager (for example Active Directory domain, SAP client, target system type in the Unified Namespace). This finds, as approvers, all employees assigned to the application role assigned here and all members of the parent application roles.

This finds all target system managers of the system entitlement that is stored as final product with the request (column PersonWantsOrg.UID_ITShopOrgFinal).

Using an Approval Role to Find Approvers

Using an Approval Role to Find Approvers

Use the following approval procedure if you want to establish the approver of a hierarchical role to be approver.

Table 42: Approval Procedures to Determine Appovers through an Approval Role
Approval Procedure Approver

RD

The request recipient is assigned a primary department. The department is assigned an application role in the Role approver menu.

all secondarily assigned employees of this application role are determined to be approvers,

RL

The request recipient is assigned a primary location. The location is assigned an application role in the Role approver menu.

all secondarily assigned employees of this application role are determined to be approvers,

RO

Installed Modules: Business Roles Module

The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver menu.

all secondarily assigned employees of this application role are determined to be approvers,

RP

The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver menu.

all secondarily assigned employees of this application role are determined to be approvers,

Figure 7: Determining Approvers through a Department's Role Approver

Approval Procedure Approver

ID

The request recipient is assigned a primary department. The department is assigned an application role in the Role approver (IT) menu.

all secondarily assigned employees of this application role are determined to be approvers,

IL

The request recipient is assigned a primary location. The location is assigned an application role in the Approver (IT) menu.

all secondarily assigned employees of this application role are determined to be approvers,

IO

Installed Modules: Business Roles Module

The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver (IT) menu.

all secondarily assigned employees of this application role are determined to be approvers,

IP

The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver (IT) menu.

all secondarily assigned employees of this application role are determined to be approvers,

Determining the approver using the example of an approval role for the request's recipient primary department (approval procedure "RD"):

  1. Determine the requester’s primary department (UID_Department).
  2. The application role (UID_AERole) is determined through the department‘s role approver (UID_RulerContainer).
  3. Determine the secondary employees assigned to this application role. These can issue approval.
  4. If there is no approval role given for the primary department, the approval role is determined for the parent department.
  5. The request cannot be approved if no approval role is found by drilling up to the top department.
  6. If there are no employees assigned to the application role then an approval decision cannot be made for the request.

NOTE: When approvers are found using the approval procedure "RO" or "IO", and inheritance for business roles is defined "Bottom-up", note the following:

If no role approver is given for the primary business role, the role approver is determined from the child business role.

Related Documents