Chat now with support
Chat with Support

Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop Putting the IT Shop into Operation Requestable Products Preparing Products for Requesting Assigning and Removing Products Preparing the IT Shop for Multi-factor Authentication Assignment Requests and Delegating Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships Adding Groups Automatically to the IT Shop
Approval Processes for IT Shop Requests
Editing Approval Policies Approval Workflows Determining Effective Approval Policies Selecting Responsible Approvers Request Risk Analysis Testing Requests for Rule Compliance Approving Requests from an Approver Automatic Request Approval Obtaining Other Information about Requests by an Approver Appointing Other Approvers Setting up an Approval Step Approvers cannot be Established Automatic Approval on Timeout Abort Request on Timeout Approval through Chief Approval Team Approving Requests with Terms of Use Using Default Approval Processes
Request Sequence Managing an IT Shop
IT Shop Base Data Setting up IT Shop Structures Setting Up a Customer Node Deleting IT Shop Structures Templates for Automatically Filling the IT Shop Creating Custom Mail Templates for Notifications request templates
Default Solution for Requesting System Entitlements Error Handling Appendix: Configuration Parameters for the IT Shop Appendix: Request Statuses Appendix: Example of Request Results

Calculated approval

Calculated approval

NOTE: Only one approval step can be defined with the approval procedure "CD" per approval level.

It is possible to determine who should be presented with the request for approval on the basis of a defined condition. For example, if the price of the request is below a defined limit then the department manager can grant approval. If this limit is exceeded, the request has to be presented to the cost center manager. In another case, requests from members of department "XY" can be granted immediate approval as long as the request does not exceed the defined price limit. If the limit is exceeded or if the employee belongs to another department, the approval has to be granted by the department manager.

Enter a condition when you set up the approval step if approval should be calculated (approval procedure "CD"). If the condition returns a result, the approval step is approved through the One Identity Manager. If the condition does not return a result, the approval step is denied by the One Identity Manager. If there are no subsequent steps to be carried out, the request is finally granted or denied approval. The condition is defined as a valid where clause for database queries. You can enter the SQL query directly or with a wizard. The condition is always checked for the current request and requester.

NOTE: If there is reference to the current request in the condition, use one of the following variables. The variable must be in quotes.

SQL Server syntax: '@UID_PersonWantsOrg'

Oracle Database syntax: 'v_uid_personwantsorg'

Example for calculated approval

Requests with a price of under 1000 euros can be approved by the customer’s department manager. Requests over 1000 euros must be presented to the cost center manager.

Table 49: Approval Step with Calculated Approval
Single step: Calculated approval
Approval procedures: CD - calculated approval

Condition:

isnull(UID_Org, '') in

(Select UID_ITShopOrg From ITShopOrg Where isnull(UID_AccProduct, '') In
(Select UID_AccProduct From AccProduct Where isnull(PurchasePrice, 0) < 1000))
Number of approvers: 1

Then the query is composed as:

select 1 from PersonWantsOrg

where (isnull(UID_Org, '') in

(Select UID_ITShopOrg From ITShopOrg Where isnull(UID_AccProduct, '') In

(Select UID_AccProduct From AccProduct Where isnull(PurchasePrice, 0) < 1000)))

and UID_PersonWantsOrg = '@UID_PersonWantsOrg'

Figure 8: Approval Workflow Showing Calculated Approval

Making External Approvals

Making External Approvals

Use external approvals (approval procedure "EX") if a request needs to be approved once a defined event from outside the One Identity Manager takes place. You can also use this procedure to allow requests from users with no access to the One Identity Manager to be approved.

Specify an event in the approval step that triggers an external approval. A process is started by the event that initiates the external approval for the request and evaluates the result of the approval decision. The approval process waits for the external decision to be passed to One Identity Manager. Define the subsequent approval steps depending on the result of the external approval.

To use an approval procedure

  1. Define your own processes that:
    • Trigger an external approval
    • Analyze the results of the external approval
    • Subsequently grant or deny approval for the external approval step in One Identity Manager
  2. Define an event, which starts the process for external approval. Enter the result in Result in the approval step.

If the external event occurs, the approval step status in One Identity Manager has to be changed. Use the process task CallMethod with the method MakeDecision for this. Pass the following parameters to the process task:

MethodName: Value = "MakeDecision"

ObjectType: Value = "PersonWantsOrg"

Param1: Value = "sa"

Param2: Value = <approval> ("true" = granted; "false" = denied)

Param3: Value = <reason for approval decision>

Param4: Value = <standard reason>

Param5: Value = <number approval steps> (PWODecisionStep.SubLevelNumber)

WhereClause: Value = "UID_PersonWantsOrg ='"& $UID_PersonWantsOrg$ &"'"

Use these parameters to specify which request is approved by external approval (whereClause). Parameter param 1 specifies the approver. Approver is always the system user "sa". Parameter param 2 is passed to the approval. If the request was granted approval the value must be "true". If the request was denied approval the value must be "false". Use parameter Param3 to pass a reason text fro the approval decision; use Param4 to pass a predefined standard reason. If more than one external approval steps have been defined in an approval level, use Param5 to pass the approval step count. This ensures the approval is aligned with the correct approval step.

Use the Process Editor to define and edit processes.

Example

All approved requests should be entered into an external ticketing system and started. If a request is completed in an external ticketing system, it must also be completed in the One Identity Manager. Use this approval procedure to make external approvals and define:

  • A process "P1" that creates a ticket with the information about the requested product in the external system and passes the ticket number to the One Identity Manager in the request instance.
  • An event "E1" that starts the process "P1".
  • A process "P2" which checks whether the ticket status is "closed" and calls the function Call Method with the task MakeDecision in the One Identity Manager.
  • An event "E2" that starts the process "P2".
  • A schedule that starts the events "E2" on a regular basis.

Enter "E1" in the approval step Event box as trigger for the external decision.

Pass the product and customer data that the product is being requested for in the process "P1" to the external ticket system. In another parameter, pass the ticket number from the external ticketing system to the One Identity Manager.

Use the ticket number to check the ticket status in process "P2". If the ticket is closed, call the task MakeDecision and pass the ticket status from the external system to the One Identity Manager in a parameter (Param2). In another parameter, specify the system user that changes the approval step status in the One Identity Manager (Param1). Pass "sa" as value for this parameter. Pass the reason for the approval decision in the parameter Param3.

Detailed information about this topic

For more detailed information about defining processes, see One Identity Manager Configuration Guide.

Finding Requesters

Use the approval procedures "BS" and "BR" to return the approval to the requester or request recipient. The approval procedure "BS" finds the request requester, the approval procedure "BR" finds the request recipient. The requester and the request recipient can therefore, have further influence on the approval. Their approval can be viewed in the approval history. The approval workflow can be continued from any approval level.

The requesters are also found if the configuration parameters "QER\ITShop\PersonInsertedNoDecide" or "QER\ITShop\PersonOrderedNoDecide" are set. For more information, see Approving Requests from an Approver.

Setting up Approval Procedures

Setting up Approval Procedures

You can create your own approval procedures if the default approval procedures for finding approvers do not meet your requirements. The condition through which the approvers are determined, is formulated as a database query. Several queries may be combined into one condition.

To set up an approval procedure

  1. Select the category IT Shop | Basic configuration data | Approval procedures.
  2. Select an approval procedure in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit the approval procedure master data.
  4. Save the changes.

To edit the condition

  1. Select the category IT Shop | Basic configuration data | Approval procedures.
  2. Select an approval procedure from the result list.
  3. Select Change queries for approver selection in the task view.
Detailed information about this topic
Related Documents