Chat now with support
Chat with Support

Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop Putting the IT Shop into Operation Requestable Products Preparing Products for Requesting Assigning and Removing Products Preparing the IT Shop for Multi-factor Authentication Assignment Requests and Delegating Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships Adding Groups Automatically to the IT Shop
Approval Processes for IT Shop Requests
Editing Approval Policies Approval Workflows Determining Effective Approval Policies Selecting Responsible Approvers Request Risk Analysis Testing Requests for Rule Compliance Approving Requests from an Approver Automatic Request Approval Obtaining Other Information about Requests by an Approver Appointing Other Approvers Setting up an Approval Step Approvers cannot be Established Automatic Approval on Timeout Abort Request on Timeout Approval through Chief Approval Team Approving Requests with Terms of Use Using Default Approval Processes
Request Sequence Managing an IT Shop
IT Shop Base Data Setting up IT Shop Structures Setting Up a Customer Node Deleting IT Shop Structures Templates for Automatically Filling the IT Shop Creating Custom Mail Templates for Notifications request templates
Default Solution for Requesting System Entitlements Error Handling Appendix: Configuration Parameters for the IT Shop Appendix: Request Statuses Appendix: Example of Request Results

Finding an Exception Approver

Finding an Exception Approver

Requests that would cause a rule violation can still be approved by exception approval.

To allow exception approval for request with rule violations

  1. Set the option Exception approval allowed and assign an exception approver.

    For more information, see the One Identity Manager Compliance Rules Administration Guide.

  2. Enter an approval step in the approval workflow with the procedure "OC" or "OH". Connect this approval level with the compliance checking approval level at the connection point for denying this approval decision.

    NOTE: Only apply this approval procedure after an approval level with the approval procedure "CR".

    NOTE: You can define only one approval step with the approval procedure "OC" or "OH".
  3. If the configuration parameter "QER\ComplianceCheck\EnableITSettingsForRule" is set, you can use the rule properties IT Shop to configure which rule violations are presented to an exception approver. Set or unset the option Explicit exception approval to do this.

    For more information, see Explicit Exception Approval.

Table 57: Approval Procedures for Exception Approval
Approval procedure Description
OC (Exception approvers for violated rules) The approval decision is agreed by the exception approvers of the violated rule. As it may be possible that several rule are broken with one request, the request is presented to all the exception approvers in parallel. If one of the exception approvers rejects the exception, it results in the request being rejected.
OH (exception approver for worst rule violation)

The approval decision is agreed by the rule's exception approver which poses the highest threat. In this way, the exception approval procedure can be shortened for a request that violates several rules.

Ensure the following apply for this approval procedure:

  • The severity level is set in the assessment criteria for all compliance rules.
  • The exception approver for the worst rule violation in all affected rules is one of the exception approvers.

Figure 9: Example of an Approval Workflow with Compliance Checking and Exception Approval

Sequence of compliance checking with exception approval

  1. If a rule violation is detected during compliance checking, the request is automatically not granted approval. The request is passed on to the approver of the next approval level for approval.
  2. Exception approvers are found according to the given approval procedure.
  3. If exception approval is granted, the request is approved and assigned.
  4. If exception approval is not granted, the request is denied.

NOTE:
  • As opposed to the manager/deputy principle normally in place, an exception approver’s deputy is not permitted to grant exception approval alone.
  • You cannot determine fallback approvers for exception approvers, The request is aborted if no exception approver can be established.
  • The chief approval team cannot grant exception approvals.

Limitation for Exception Approvers

Table 58: Configuration Parameter for Approving Requests with Rule Violations
Configuration parameter Meaning
QER\ITShop\
PersonInsertedNoDecideCompliance
This configuration parameter specifies whether the employee that initiated the request can also approve it in cases of compliance violation.
QER\ITShop\
PersonOrderedNoDecideCompliance
This configuration parameter specifies whether the employee for whom a request has been initiated, can also approve it in cases of compliance violation.
QER\ComplianceCheck\
DisableSelfExceptionGranting
Excludes rule violators from becoming exception approvers. If this parameter is set, no one can approve their own rule violations.

You must to decide whether exception approvers are allowed to approve their own requests. Specify the desired behavior with the configuration parameter "QER\ITShop\PersonOrderedNoDecideCompliance" and "QER\ITShop\PersonInsertedNoDecideCompliance". This prevents the requester's main identity (or the request's recipient) and its sub-identities being granted approval exception.

To prevent exception approvers from approving their own requests

  • Set the configuration parameter "QER\ITShop\PersonOrderedNoDecideCompliance" in the Designer.

    This configuration parameter effects requests made by exception approvers for themselves and all requests other employees have made for them. If this configuration parameter is not set, exception approvers are also authorized to approve their own requests. Their requests are presented for approval.

To prevent exception approvers from approving requests they initiated for themselves or for other customers

  • Set the configuration parameter "QER\ITShop\PersonInsertedNoDecideCompliance" in the Designer.

    If the configuration parameter is not set, exception approvers can also approve these requests.

You must also decide whether exception approvers are allowed to approve their own rule violations. By default, an employee who violates a rule is determined to be the exception approver for this rule if they are a member of the application role Exception approvers for the rule. This means they can approve their own rule violations.

To prevent an employee from granting themselves exception approval

  • Set the configuration parameter "QER\ComplianceCheck\DisableSelfExceptionGranting" in the Designer.

    Employees that violate a rule, are not determined to be exception approvers for this rule violation.

Explicit Exception Approval

Table 59: Configuration Parameter for IT Shop Relevant Properties
Configuration Parameter Meaning if Set
QER\ComplianceCheck\EnableITSettingsForRule IT Shop properties for the compliance rule are visible and can be edited.

If the configuration parameter "QER\ComplianceCheck\EnableITSettingsForRule" is set, properties can be added to compliance rules that are taken into account when rule checking requests.

Use the IT Shop property Explicit exception approval to specify whether the reoccurring rule violation should be presented for exception approval or whether an existing exception approval can be reused.

Table 60: Permitted Value
Option is Description
Enabled A known rule violation must always be presented for exception approval, even if there is an exception approval from a previous violation of the rule.
Disabled A known rule violation is not presented again for exception approval, if there is an exception approval from a previous violation of the rule. This exception approval is reused and the known rule violation is automatically granted exception.

If several rules are violated by a request and Explicit exception approval is set for one of the rules, the request is presented for approval to all exception approvers for this rule.

Rules that have the option Explicit exception approval set, result in a renewed exception approval if:

  • A rule check is carried out within the approval process for the current request

    - AND -

    1. the rule is violated by the current request

      - OR -

    2. the IT Shop customer has already violated the rule.

In case a) the request for the IT Shop customer is presented to the exception approver. If the request is approved, case b) applies to the next request. In case b), every request for the IT Shop customer must be decided by the violation approver, even when the request itself does not result in a violation. The result you achieve is that assignments for employees that have been granted an exception, are verified and reapproved for every new request.

For more detailed information about exception approvals, see the One Identity Manager Compliance Rules Administration Guide.

Checking the Request with Self-Service

Checking the Request with Self-Service

Self-service (approval procedure "SB") is always defined as a one-step procedure. That means, you cannot set up more approval steps in addition to a self-service approval step.

To realize compliance checking for requests with self-service

Related Documents