Chat now with support
Chat with Support

Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop Putting the IT Shop into Operation Requestable Products Preparing Products for Requesting Assigning and Removing Products Preparing the IT Shop for Multi-factor Authentication Assignment Requests and Delegating Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships Adding Groups Automatically to the IT Shop
Approval Processes for IT Shop Requests
Editing Approval Policies Approval Workflows Determining Effective Approval Policies Selecting Responsible Approvers Request Risk Analysis Testing Requests for Rule Compliance Approving Requests from an Approver Automatic Request Approval Obtaining Other Information about Requests by an Approver Appointing Other Approvers Setting up an Approval Step Approvers cannot be Established Automatic Approval on Timeout Abort Request on Timeout Approval through Chief Approval Team Approving Requests with Terms of Use Using Default Approval Processes
Request Sequence Managing an IT Shop
IT Shop Base Data Setting up IT Shop Structures Setting Up a Customer Node Deleting IT Shop Structures Templates for Automatically Filling the IT Shop Creating Custom Mail Templates for Notifications request templates
Default Solution for Requesting System Entitlements Error Handling Appendix: Configuration Parameters for the IT Shop Appendix: Request Statuses Appendix: Example of Request Results

Request Risk Analysis

Request Risk Analysis

Everyone with IT system authorization in a company represents a security risk for that company. For example, a employee editing financial data in an SAP system carries a higher risk than a employee who can edit their own personal data. To quantify the risk, you can enter a risk value for every company resource in the One Identity Manager. A risk index is calculated from this value for every employee who is assigned this company resource, directly or indirectly. Company resources include target system entitlements (for example, Active Directory groups or SAP profiles), subscribable reports, applications and resources. In this way, all employees representing a particular risk to the company can be found.

Every time a company resource with a specified risk index is assigned, the employee's risk index might exceed a permitted level. You can check the risk index of company resources if they are requested through the IT Shop. If the risk index is higher than the specified value, the request is denied.

To set up risk assessment for requests

  • Create an approval workflow.
    1. Add an approval step with the approval procedure "RI".
    2. Enter the comparison value for the risk index in the Condition box. Enter a number in the range 0.1 to 1.0.
    3. Add more approval levels as required.

The approval step is granted approval by One Identity Manager if the risk index of the requested company resource is lower than the comparison value. If the risk index is higher or equal to the comparison value, the approval step is not granted approval.

Risk assessment of requests works for both direct company resource request and assignment requests. Only imputed risk indexes are examined for the decision; calculated risk indexes are not taken into account. Therefore, risk assessment of requests only works if the product's original table or one of the member tables of a requested assignment has a RiskIndex column. If the table only has the column RiskIndexCalculated, the request is automatically approved. If both member tables of an assignment request have a RiskIndex column, the highest of the two risk indexes is used as the basis for the approval.

If the company resource request or an assignment has been granted approval, the employee's risk index is recalculated the next time the scheduled calculation task is run.

For more detailed information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Related Topics

Testing Requests for Rule Compliance

Testing Requests for Rule Compliance

Installed Module: Compliance Rules Module

You can integrate rule conformity testing for IT Shop requests within an approval workflow. A separate approval procedure is supplied for this. This approval procedure checks whether the request's recipient will violate compliance rule if the requests are granted approval. The result of the test is logged in the request's approval sequence and approval history.

Table 54: Approval Procedures for Compliance Checking
Approval procedure Description
CR (compliance risk analysis)

Checks the current request for possible rule violations. It takes into account the requested product and all the company resources already assigned to the request recipient.

Prerequisites for Request Validation

Compliance Checking Requests

Compliance Checking Requests

To retain an overview of potential rule violations, you can run a simplified compliance check. Use the approval procedure "CR" to test requests for possible rule violations before finally approving them.

The following data of a recipient's request is taken into account by the compliance check:

  • All pending requests
  • All company resources already assigned to the recipient
  • All the recipient's user accounts
  • All entitlement in the target system (for example Active Directory groups or SAP roles) the recipient has obtained through these user accounts

Auxiliary tables for object assignments are regularly evaluated for the compliance check. Auxiliary tables are calculated on a scheduled basis. Furthermore, the approval procedure only takes into account compliance rules that are created using the simplified definition.

Rule checking does not completely check the requests with this. It is possible that under the following conditions, rule checking does not identify a rule violation.

  • Customer permissions change after the auxiliary table have been calculated.
  • A rule is not violated by the requested product but by an object inherited through the requested product. Inheritance is calculated after request approval and can therefore not be identified until after the auxiliary table is calculated again.
  • The customer does not belong to the rule's employee group effected until the request is made.
  • The rule condition was created in expert node or as an SQL query.

TIP: A complete check of assignments is achieved with cyclical testing of compliance rule using schedules. This finds all the rule violations that result from the request.

It is possible that under the following conditions, rule checking identifies a rule violation where there isn't one.

  • Two products violate one rule when they are assigned at the same time. The product requests are, however, for a limited period. The validity periods does not overlap. Still a potential rule violation is identified.

TIP: These requests can be approved after checking by exception approver in so far as permitted by the definition of the violation rule.

The compliance check is not only useful for specifying which rule is violated by a request, it can also find out, which product in the request caused the rule violation. This makes a detailed analysis possible of the rule violation. The request can still be approved by exception approval, the definition of compliance rules permitting. Additional approval steps are added in approval workflows to deal with exception approval.

Conditions for Compliance Checking Requests

  • You can add only one approval step per approval policy with the "CR" approval procedure.
  • The rule conditions were created in the simple definition.
  • The IT Shop properties that are specified for each rule are taken into account in the rule testing. Identification of a rule violation depends on the setting of the property Rule violation identified.
  • The compliance check should be added as the last approval level in the approval workflow. The subsequent approval levels only get one approval step to determine the exception approver if approval is denied.

Compliance Check Sequence

  1. If an approval step for compliance checking using the "CR" approval procedure is found in the request’s approval procedure, all products in pending requests are assigned to the customer. It is assumed that all pending request will be approved and therefore the customer will obtain all the products. The current request is then analyzed with respect to potential violations against the defined rules.
  2. If no rule violations are found, the approval step is automatically granted approval and the request is passed onto the approver at the next approval level above.
  3. If a rule violation is detected the request is automatically not granted approval. The request can still be approved by exception approval, the definition of rule violations permitting.
Detailed information about this topic

For more detailed information about compliance checking, see the One Identity Manager Compliance Rules Administration Guide.

Identifying a Rule Violation

Table 55: Configuration Parameter for IT Shop Relevant Properties
Configuration Parameter Meaning if Set
QER\ComplianceCheck\EnableITSettingsForRule IT Shop properties for the compliance rule are visible and can be edited.

If the configuration parameter "QER\ComplianceCheck\EnableITSettingsForRule" is set, properties can be added to compliance rules that are taken into account when rule checking requests.

Specify which violation should be logged for the rule by using the IT Shop property Rule violation identified.

Table 56: Permitted Value
Value Description
New rule violation due to a request Only rule violations that are added through approval of the current request are logged.
Unapproved exception Rule violations that are added through approval of the current request are logged. Already known rule violations that have not yet been granted an exception are also logged.
Any compliance violation All rule violations are logged, independent of whether an exception approval has already been granted or not.

This value is automatically set when the option Explicit exception approval is enabled.

If the configuration parameter "QER\ComplianceCheck\EnableITSettingsForRule" is disabled, new rule violations are logged through the current request.

For more detailed information, see the .One Identity Manager Compliance Rules Administration Guide

Related Documents