Chat now with support
Chat with Support

Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop Putting the IT Shop into Operation Requestable Products Preparing Products for Requesting Assigning and Removing Products Preparing the IT Shop for Multi-factor Authentication Assignment Requests and Delegating Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships Adding Groups Automatically to the IT Shop
Approval Processes for IT Shop Requests
Editing Approval Policies Approval Workflows Determining Effective Approval Policies Selecting Responsible Approvers Request Risk Analysis Testing Requests for Rule Compliance Approving Requests from an Approver Automatic Request Approval Obtaining Other Information about Requests by an Approver Appointing Other Approvers Setting up an Approval Step Approvers cannot be Established Automatic Approval on Timeout Abort Request on Timeout Approval through Chief Approval Team Approving Requests with Terms of Use Using Default Approval Processes
Request Sequence Managing an IT Shop
IT Shop Base Data Setting up IT Shop Structures Setting Up a Customer Node Deleting IT Shop Structures Templates for Automatically Filling the IT Shop Creating Custom Mail Templates for Notifications request templates
Default Solution for Requesting System Entitlements Error Handling Appendix: Configuration Parameters for the IT Shop Appendix: Request Statuses Appendix: Example of Request Results

Using a Cost Center to Find Approvers

Using a Cost Center to Find Approvers

Use the following procedure to determine the approver through a cost center given in the request.

Table 43: Approval Procedures for Determining Approvers for a Cost Center
Approval procedure Approver

PP

A cost center is entered in the request. The cost center is assigned a manager.

The manager of the given cost center is established as approver.

PR

A cost center is entered in the request. The cost center is assigned an application role in the Role approver menu.

all secondarily assigned employees of this application role are determined to be approvers,

Approvers are determined following the same method as described in Using an Approval Role to Find Approvers.

PI

A cost center is entered in the request. The cost center is assigned an application role in the Role approver (IT) menu.

all secondarily assigned employees of this application role are determined to be approvers,

Approvers are determined following the same method as described in Using an Approval Role to Find Approvers.

Using a Department to Find Approvers

Using a Department to Find Approvers

Use the following procedure to determine the approver through a department given in the request.

Table 44: Approval Procedures for Determining Approvers for a Department
Approval procedure Approver

DP

A department is entered in the request. The department is assigned a manager.

The manager of the given department is established as approver.

DR

A department is entered in the request. The department is assigned an application role in the Role approver menu.

all secondarily assigned employees of this application role are determined to be approvers,

Approvers are determined following the same method as described in Using an Approval Role to Find Approvers.

DI

A department is entered in the request. The department is assigned an application role in the Role approver (IT) menu.

all secondarily assigned employees of this application role are determined to be approvers,

Approvers are determined following the same method as described in Using an Approval Role to Find Approvers.

Using a Requested Role to find Approvers

Using a Requested Role to find Approvers

If membership in or assignment to a hierarchical role is requested and the manager of the requested role should be the approver, use the approval procedure "MS". Then the manager and deputy of the requested department, cost center, business role or location are determined as the approvers. This approval procedure can only be used for assignment requests.

Deferred Request Approval

Deferred Request Approval

NOTE: Only one approval step can be defined with the approval procedure "WC" per approval level.

You can use deferred approval (approval procedure "WC") within an approval process, to ensure that a defined prerequisite is fulfilled before the request is approved. Therefore the approval of a permissions group request should only take place if the corresponding user account exists. Deferred approval is useful when a request should be tested with respect to rule conformity. If the user account does not exist when the requested permissions groups are tested, any rule violations that may occur due to the request will not be logged.

You can specify which prerequisites have to be fulfilled so that a request can be presented for approval by defining an appropriate condition. The condition is evaluated as a function call. The function must accept the request UID as parameter (PersonWantsOrg.UID_PersonWantsOrg). It must define three return values as integer. One of the following actions is carried out depending on the function‘s return value:

Table 45: Return Value for Deferred Approval
Return value Action

Return value > 0

The condition is fulfilled. Deferred approval has completed successfully. The next approval step (in case of success) is carried out.

Return value = 0

The condition is not yet fulfilled. Approval is rolled back and is retested the next time DBQueue Processor runs.

Return value < 0

The condition is not fulfilled. Deferred approval has failed. The next approval step (in case of failure) is carried out.

To use an approval procedure

  1. Create a database function, which tests the condition for the request.
  2. Create an approval step with the approval procedure "CW". Enter the function call in Condition.
    Table 46: Syntax for the function call
    SQL Server:

    dbo.<function name>

    Oracle Database:

    <database schema name>.<function name>

  3. Specify an approval step in the case of success. Use the approval procedure with which One Identity Manager can determine the approvers.
  4. Specify an approval step in the case of failure.
Example

To check whether the necessary user account exists when the permissions group is requested, you can use the function TSB_FGIPWODecisionForGroup which is supplied.

Table 47: Example of an Approval Step with Deferred Approval
Single step: Waiting Condition
Approval procedures: WC - Waiting for further approval
Condition: dbo.TSB_FGIPWODecisionForGroup
Number of approvers: 1
Table 48: Return Value for Deferred Approval Decisions in the Function TSB_FGIPWODecisionForGroup
Return value Action

Return value > 0

The user account exists, thus fulfilling the condition. The delayed approval is decided positively. The request is passed onto the next approval step. Now an approval step must follow which can establish the approvers for the request.

Return value = 0

The condition is not fulfilled. There is an open request for a user account or the employee has an account definition with which a user account could be created. Approval is, therefore, deferred and tested again on the next DBQueue Processor run.

Return value < 0

The condition is not fulfilled. There is no request for a user account and the employee does not have an account definition with which a user account could be created. The delayed approval is decided negatively. The request is passed onto the next approval step.

Related Documents