Requests that would cause a rule violation can still be approved by exception approval.
To allow exception approval for request with rule violations
For more information, see the One Identity Manager Compliance Rules Administration Guide.
||NOTE: Only apply this approval procedure after an approval level with the approval procedure "CR".|
||NOTE: You can define only one approval step with the approval procedure "OC" or "OH".|
|OC (Exception approvers for violated rules)||The approval decision is agreed by the exception approvers of the violated rule. As it may be possible that several rule are broken with one request, the request is presented to all the exception approvers in parallel. If one of the exception approvers rejects the exception, it results in the request being rejected.|
|OH (exception approver for worst rule violation)||
The approval decision is agreed by the rule's exception approver which poses the highest threat. In this way, the exception approval procedure can be shortened for a request that violates several rules.
Ensure the following apply for this approval procedure:
Figure 9: Example of an Approval Workflow with Compliance Checking and Exception Approval
Sequence of compliance checking with exception approval
|This configuration parameter specifies whether the employee that initiated the request can also approve it in cases of compliance violation.|
|This configuration parameter specifies whether the employee for whom a request has been initiated, can also approve it in cases of compliance violation.|
|Excludes rule violators from becoming exception approvers. If this parameter is set, no one can approve their own rule violations.|
You must to decide whether exception approvers are allowed to approve their own requests. Specify the desired behavior with the configuration parameter "QER\ITShop\PersonOrderedNoDecideCompliance" and "QER\ITShop\PersonInsertedNoDecideCompliance". This prevents the requester's main identity (or the request's recipient) and its sub-identities being granted approval exception.
To prevent exception approvers from approving their own requests
This configuration parameter effects requests made by exception approvers for themselves and all requests other employees have made for them. If this configuration parameter is not set, exception approvers are also authorized to approve their own requests. Their requests are presented for approval.
To prevent exception approvers from approving requests they initiated for themselves or for other customers
If the configuration parameter is not set, exception approvers can also approve these requests.
You must also decide whether exception approvers are allowed to approve their own rule violations. By default, an employee who violates a rule is determined to be the exception approver for this rule if they are a member of the application role Exception approvers for the rule. This means they can approve their own rule violations.
To prevent an employee from granting themselves exception approval
Employees that violate a rule, are not determined to be exception approvers for this rule violation.
|Configuration Parameter||Meaning if Set|
|QER\ComplianceCheck\EnableITSettingsForRule||IT Shop properties for the compliance rule are visible and can be edited.|
If the configuration parameter "QER\ComplianceCheck\EnableITSettingsForRule" is set, properties can be added to compliance rules that are taken into account when rule checking requests.
Use the IT Shop property Explicit exception approval to specify whether the reoccurring rule violation should be presented for exception approval or whether an existing exception approval can be reused.
|Enabled||A known rule violation must always be presented for exception approval, even if there is an exception approval from a previous violation of the rule.|
|Disabled||A known rule violation is not presented again for exception approval, if there is an exception approval from a previous violation of the rule. This exception approval is reused and the known rule violation is automatically granted exception.|
If several rules are violated by a request and Explicit exception approval is set for one of the rules, the request is presented for approval to all exception approvers for this rule.
Rules that have the option Explicit exception approval set, result in a renewed exception approval if:
- AND -
- OR -
In case a) the request for the IT Shop customer is presented to the exception approver. If the request is approved, case b) applies to the next request. In case b), every request for the IT Shop customer must be decided by the violation approver, even when the request itself does not result in a violation. The result you achieve is that assignments for employees that have been granted an exception, are verified and reapproved for every new request.
For more detailed information about exception approvals, see the One Identity Manager Compliance Rules Administration Guide.
Self-service (approval procedure "SB") is always defined as a one-step procedure. That means, you cannot set up more approval steps in addition to a self-service approval step.
To realize compliance checking for requests with self-service
If the rule check is successful, the request is granted approval and self-service is accomplished implicitly.
To make exception approval possible for rule violations, add an approval level with the approval procedure "OC" or "OH". For more information, see Finding an Exception Approver.