Identity Manager 8.0 - IT Shop Administration Guide

General Master Data for an Approval Procedure

Enter the following master data for an approval procedure.

Table 50: General Master Data for an Approval Procedure

| Property | Description |
|---|---|
| Approval Procedure | Descriptor for the approval procedure (maximum two characters). |
| Description | Approval procedure identifier. |
| DBQueue Processor task | Approvals can either be made automatically through a DBQueue Processor calculation task or by specified approvers. Assign a custom DBQueue Processor task if the approval procedure should make an automatic approval decision. You cannot assign a DBQueue Processor task if a query is entered for determining the approvers. |
| Max. number approvers | Maximum number of approvers to be determined by the approval procedure. Specify how many employees must really make approval decisions in the approval steps used by this approval procedure. |
| Sort order | Value for sorting approval procedures in the menu. Specify the value 10 to display this approval procedure at the top of the menu when you set up an approval step. |

Queries for Finding Approvers

The condition through which the approvers are determined is formulated as a database query. Several queries may be combined into one condition. All employees determined by the individual queries are then added to the group of approvers.

To edit the condition

  1. Select the category IT Shop | Basic configuration data | Approval procedures.
  2. Select an approval procedure from the result list.
  3. Select Change queries for approver selection in the task view.

To create single queries

  1. Click Add.

    This inserts a new row in the table.

  2. Mark this row. Enter the query properties.
  3. Add more queries if required.
  4. Save the changes.

To edit a single query

  1. Select the query you want to edit in the table. Edit the query's properties.
  2. Save the changes.

To remove single queries

  1. Select the query you want to remove in the table.
  2. Click Delete.
  3. Save the changes.

Table 51: Query Properties

| Property | Description |
|---|---|
| Approver selection | Query identifier, which determines the approvers. |
| Query | Database query for determining approvers. |

The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. The query returns one or more employees to whom the request is presented for approval. If the query does not return a result, the request is aborted.

NOTE:

  • A query contains exactly one select statement. To combine several select statements, create several queries.
  • You cannot enter a query to determine approvers if a DBQueue Processor task is assigned.

You can, for example, determine predefined approvers with the query (example 1). The approver can also be found dynamically depending on the request to approve. To do this, access the request awaiting approval in the database query through the variable @UID_PersonWantsOrg (SQL) or v_uid_personwantsorg (Oracle) (example 2). Every query must return a value for UID_PWORulerOrigin.

Example 1

The request should be approved by a specified approver.

Query:

select UID_Person, null as UID_PWORulerOrigin from Person where InternalName='Knight, Dr. Rudiger von'

Example 2

Approval for requests should be granted or denied through the requester's parent department. The approver is the cost center manager that is assigned to the requester's primary department. The requester is the employee that started the request (UID_PersonInserted, for example, when placing requests for employees).

Query:

select pc.UID_PersonHead as UID_Person, null as UID_PWORulerOrigin from PersonWantsOrg pwo

join Person p on pwo.UID_PersonInserted = p.UID_Person
join Department d on p.UID_Department = d.UID_Department
join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter

where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg
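
The following added example (not part of the original guide and not One Identity code) runs the example 2 query against a small constructed SQLite stand-in and checks it against the rules stated above: one select statement, the columns UID_Person and UID_PWORulerOrigin, and an empty result aborting the request. The schema, the sample rows, the function names build_sample_db and check_approver_query, and the self-approval check are assumptions made for this illustration.

```python
import sqlite3

# Example 2 from the page, unchanged except for layout.
EXAMPLE_2 = """
select pc.UID_PersonHead as UID_Person, null as UID_PWORulerOrigin
from PersonWantsOrg pwo
join Person p on pwo.UID_PersonInserted = p.UID_Person
join Department d on p.UID_Department = d.UID_Department
join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter
where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg
"""

def build_sample_db():
    """Constructed stand-in: only the tables and columns the query names."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table Person(UID_Person text, UID_Department text);
        create table Department(UID_Department text, UID_ProfitCenter text);
        create table ProfitCenter(UID_ProfitCenter text, UID_PersonHead text);
        create table PersonWantsOrg(UID_PersonWantsOrg text, UID_PersonInserted text);
        insert into Person values ('emp-1','dep-1'), ('mgr-1','dep-1'), ('emp-2','dep-2');
        insert into Department values ('dep-1','pc-1'), ('dep-2',null);
        insert into ProfitCenter values ('pc-1','mgr-1');
        insert into PersonWantsOrg values
            ('req-1','emp-1'), ('req-2','mgr-1'), ('req-3','emp-2');
    """)
    return db

def check_approver_query(db, query, uid_request):
    """Return findings for one query evaluated against one pending request."""
    body = query.strip().rstrip(";")
    # Page rule: exactly one select statement (simple text heuristic).
    if not body.lower().startswith("select") or ";" in body:
        return ["must be exactly one select statement"]
    cur = db.execute(body, {"UID_PersonWantsOrg": uid_request})
    cols = [c[0] for c in cur.description]
    missing = [c for c in ("UID_Person", "UID_PWORulerOrigin") if c not in cols]
    if missing:
        return [f"missing column {c}" for c in missing]
    approvers = [row[cols.index("UID_Person")] for row in cur.fetchall()]
    findings = []
    if not approvers:
        findings.append("no approver found: request would be aborted")
    requester = db.execute("select UID_PersonInserted from PersonWantsOrg"
                           " where UID_PersonWantsOrg = ?", (uid_request,)).fetchone()
    if requester and requester[0] in approvers:  # added check, not a page rule
        findings.append("requester is their own approver")
    return findings
```

In the sample data, req-2 is placed by the cost center manager, so the query names the requester as approver, and req-3 comes from a department without a cost center, so the query returns no rows.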

Notes for Experts

To take delegation into account when determining approvers

  1. Use the table HelperHeadOrg to find the approvers if managers of hierarchical roles are to approve. This table groups all hierarchical role managers, their deputy managers and employees delegated to the manager.
  2. Determine the delegated UID_PWORulerOrigin to make it clear in the Web Portal whether the approver was originally delegated.
    • Determine the delegated UID_PersonWantsOrg and add this value to the query as UID_PWORulerOrigin. Use the table function dbo.QER_FGIPWORulerOrigin to do this.

      select dbo.QER_FGIPWORulerOrigin(hho.XObjectkey) as UID_PWORulerOrigin

      Modified query from example 2:

      select pc.UID_PersonHead as UID_Person, dbo.QER_FGIPWORulerOrigin(hho.XObjectkey) as UID_PWORulerOrigin from PersonWantsOrg pwo

      	join Person p on pwo.UID_PersonInserted = p.UID_Person
      	join Department d on p.UID_Department = d.UID_Department
      	join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter
      	join HelperHeadOrg hho on hho.UID_Org = pc.UID_ProfitCenter

      where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg

Deleting Approval Procedures

To delete an approval procedure

  1. Remove all assignments to approval steps.
    1. Check on the approval procedure overview form which approval steps are assigned to the approval procedure.
    2. Switch to the approval workflow and assign another approval procedure to the approval step.
  2. Select the category IT Shop | Basic configuration data | Custom defined | Approval procedures.
  3. Select an approval procedure from the result list.
  4. Click .
  5. Confirm the security prompt with Yes.

Determining Approvers

Table 52: Configuration Parameters for Recalculating Approvers and

| Configuration parameter | Description |
|---|---|
| QER\ITShop\ReducedApproverCalculation | This configuration parameter specifies which approval steps are recalculated if the IT Shop approver must be recalculated. |

The DBQueue Processor calculates which employee is authorized as approver in which approval level. Once a request is triggered, the approvers are determined for every approval step of the approval workflow to be processed. Changes to responsibilities may lead to an employee no longer being authorized as approver for a request that is not yet finally approved. In this case, approvers must be recalculated. The following changes can trigger recalculation of pending requests:

  • Approval policy, workflow, step or procedure changes.
  • An authorized approver loses their responsibility in One Identity Manager, for example, if a department manager, the product owner or the target system manager is changed.
  • An employee obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example the request recipient's manager.

Once an employee's responsibilities have changed in One Identity Manager, an approver recalculation task is queued in the DBQueue. By default, all approval steps of the pending approval procedures are recalculated at the same time. Approval steps that have already been approved remain approved, even if their approver has changed. Recalculating approvers may take a long time depending on the configuration of the system environment and the amount of data that has changed. To optimize this processing time, you can specify which approval steps the approvers are recalculated for.

To configure recalculation of approvers

  • Set the configuration parameter "QER\ITShop\ReducedApproverCalculation" in the Designer and select one of the following options as a value.
    Table 53: Options for Recalculating Approvers
    Option Description
    No All approval steps are recalculated. This behavior also applies if the configuration parameter is not set.

    Advantage: All valid approvers are displayed in the approval sequence. The rest of the approval sequence is transparent.

    Disadvantage: Recalculating approvers can take a long time.

    CurrentLevel Only approvers for the approval level currently being processed are recalculated. Once an approval level has been approved, the approvers are determined for the next approval level.

    Advantage: The number of approval levels to calculate is lower. Calculating approvers is probably faster.

    TIP: Use this option if performance problems within your system have occurred in connection with recalculating approvers.

    Disadvantage: In the approval sequence, the originally calculated approvers are displayed for the subsequent approval steps although they may no longer be authorized. The rest of the approval sequence is not correctly represented.

    NoRecalc Approvers are not recalculated. The previous approvers remain authorized to approve the current approval levels. Once an approval level has been approved, the approvers are determined for the next approval level.

    Advantage: The number of approval levels to calculate is lower. Calculating approvers is probably faster.

    TIP: Use this option if performance problems within your system have occurred in connection with recalculating approvers, although the "CurrentLevel" option is used.

    Disadvantage: In the approval sequence, the originally calculated approvers are displayed for the subsequent approval steps although they may no longer be authorized. The rest of the approval sequence is not correctly represented. Employees that are no longer authorized can approve the current approval level.

    In the best case, only approvers are found that do not have access to the One Identity Manager, for example because they have left the company. The approval level cannot be approved.

    To see approval steps of this type through

    • Define a timeout and timeout behavior when you set up the approval workflows on the approval steps.

      - OR -

    • Assign members to the chief approval team when you set up the IT Shop. These can always intervene in pending approval processes.