Chat now with support
Chat with Support

Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop Putting the IT Shop into Operation Requestable Products Preparing Products for Requesting Assigning and Removing Products Preparing the IT Shop for Multi-factor Authentication Assignment Requests and Delegating Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships Adding Groups Automatically to the IT Shop
Approval Processes for IT Shop Requests
Editing Approval Policies Approval Workflows Determining Effective Approval Policies Selecting Responsible Approvers Request Risk Analysis Testing Requests for Rule Compliance Approving Requests from an Approver Automatic Request Approval Obtaining Other Information about Requests by an Approver Appointing Other Approvers Setting up an Approval Step Approvers cannot be Established Automatic Approval on Timeout Abort Request on Timeout Approval through Chief Approval Team Approving Requests with Terms of Use Using Default Approval Processes
Request Sequence Managing an IT Shop
IT Shop Base Data Setting up IT Shop Structures Setting Up a Customer Node Deleting IT Shop Structures Templates for Automatically Filling the IT Shop Creating Custom Mail Templates for Notifications request templates
Default Solution for Requesting System Entitlements Error Handling Appendix: Configuration Parameters for the IT Shop Appendix: Request Statuses Appendix: Example of Request Results

Approving Requests from an Approver

Approving Requests from an Approver

Table 61: Configuration Parameter for Approving an Approver’s Requests
Configuration parameter Meaning
QER\ITShop\PersonInsertedNoDecide The configuration parameter specifies whether the employee that trigger the request may approve it.
QER\ITShop\PersonOrderedNoDecide This configuration parameter specifies whether the employee that the request was triggered for, may approve it.
QER\ITShop\PersonInsertedNoDecideCompliance This configuration parameter specifies whether the employee that initiated the request can also approve it in cases of compliance violation.
QER\ITShop\PersonOrderedNoDecideCompliance This configuration parameter specifies whether the employee for whom a request has been initiated, can also approve it in cases of compliance violation.

It is possible that the requester or recipient of a request is also determined as the approver for the request. In such cases, you must establish whether the approver is entitled to approver his or hers own requests. Specify the desired behavior using the configuration parameter.

NOTE:

  • The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.
  • This configuration parameter does not influence the approval procedures "BS" and "BR". These approval procedures also find the requester and the request recipient if the configuration parameter is not set. For more information, see Finding Requesters.

To prevent approvers from approving their own requests

  • Set the configuration parameter "QER\ITShop\PersonOrderedNoDecide" in the Designer.

This configuration parameter affects all requests in which the recipient is also determined to be the approver through the assigned approval procedures. Whilst determining which approvers are responsible, the following employees are removed from the group of approvers:

  • Request recipient
  • Recipient's main identity
  • All sub-identities of these main identities

If the configuration parameter is not set, approvers of requests they received themselves, can also grant approval.

To prevent exception approvers from approving requests they initiated for themselves or for other customers

  • Set the configuration parameter "QER\ITShop\PersonInsertedNoDecide" in the Designer.

This configuration parameter affects all requests in which the requester is also determined to be the approver through the assigned approval procedures. Whilst determining which approvers are responsible, the following employees are removed from the group of approvers:

  • The requester (employee that started, renewed or canceled the request)
  • Requester's main identity
  • All sub-identities of these main identities

If the configuration parameter is not set, approvers of requests they requested themselves, can also grant approval.

Example

A department manager places a request for his or her deputy. Both employees are found as approvers by the approval procedure. To prevent the department manager from approving the request, set the parameter "QER\ITShop\PersonInsertedNoDecide". To prevent the deputy from approving the request, set the parameter "QER\ITShop\PersonOrderedNoDecide".

Approving requests from an exception approver

Similarly, you specify whether exception approvers are allowed to approve their own requests if compliance rules are violated by a request. This prevents the requester's main identity (or the request's recipient) and its sub-identities being granted approval exception.

To prevent exception approvers from approving their own requests

  • Set the configuration parameter "QER\ITShop\PersonOrderedNoDecideCompliance" in the Designer.

This configuration parameter affects all requests in which the recipient is also determined to be the exception approver. If the configuration parameter is not set, exception approvers of requests they received themselves, can also grant approval.

To prevent exception approvers from approving requests they initiated for themselves or for other customers

  • Set the configuration parameter "QER\ITShop\PersonInsertedNoDecideCompliance" in the Designer.

    If the configuration parameter is not set, exception approvers can also approve these requests.

This configuration parameter affects all requests in which the requester is also determined to be the exception approver. If the configuration parameter is not set, exception approvers of requests they requested themselves, can also grant approval.

Related Topics

Automatic Request Approval

Automatic Request Approval

Table 62: Configuration Parameters for Automatic Request Approval
Configuration parameter Meaning
QER\ITShop\AutoDecision This configuration parameter controls automatic approval of IT Shop request over several approval levels.
QER\ITShop\DecisionOnInsert This configuration parameter controls approval of a request the moment is it added.
QER\ITShop\ReuseDecision This configuration parameter specifies whether the approval decision of an approver should be applied to all approval steps in the procedure which are made by him or her.

Approvers may be involved in an approval procedure more than once, for example, if they are also requesters or determined as approvers in various approval steps. In such cases, the approval process can be speeded up with automatic approval.

NOTE: Automatic approvals apply to all fallback approvers but not for the chief approval team.

Use configuration parameters to specify when automatic approvals are used. You can specify exceptions from default behavior for individual approval steps.

To prevent automatic approvals for particular approval steps

  • Set the option No automatic approval in the approval step.

    The configuration parameter "QER\ITShop\DecisionOnInsert", "QER\ITShop\ReuseDecision" and "QER\ITShop\AutoDecision" are not taken into account in this approval step. Requests are be presented to the approver of this approval step. For more information, see Setting up an Approval Step.

Case 1: Requester is approver

Approvers can start requests for themselves and for other customers. If a requester is determined to be approver for the request, their approval steps are immediated granted approval.

To prevent automatic approval for an approver's requests

  • Disable the configuration parameter "QER\ITShop\DecisionOnInsert" in the Designer.

    If a requester is determined to be the approver of an approval step, the request is presented to the requester to be approved.

To prevent approvers from making decisions about request they have placed themselves, use the configuration parameters "QER\ITShop\PersonInsertedNoDecide". For more information, see Approving Requests from an Approver.

The configuration parameter "QER\ITShop\DecisionOnInsert" is set by default.

Case 2: An approver can grant or deny approval in several approval steps.

It may be the case that an approver is authorized to approve several levels of an approval workflows. By default, the request is presented to the approver in each approval step. You can allow automatic approval so that the approver is not presented with a request more than once.

To allow an approver's approval decisions to be met automatically in several sequential approval levels

  • Set the configuration parameter "QER\ITShop\AutoDecision" in the Designer.

    The approval decision of the first approval levels is applied to subsequent approval levels for which the approver is authorized.

To attain automatic acceptance for an approver's approval decisions for non-sequential approval levels

  • Set the configuration parameter "QER\ITShop\ReuseDecision" in the Designer.

    Approval is taken from a previous approval step for which the approver was also authorized.

    IMPORTANT: If approvers can also grant exceptions for rule violations, requests that violate compliance rules will also be automatically approved without being presented for exception approval.
Related Topics

Obtaining Other Information about Requests by an Approver

Obtaining Other Information about Requests by an Approver

An approver has the possibility to gather further information about a request. This ability does not, however, replace granting or denying approval for a request. There is no addition approval step required in the approval workflow to obtain the information.

Approvers can request information in form of a question from anybody. The request is placed on hold for the period of the inquiry. Once the person in question has supplied the necessary information and the approver has made an approval decision, the request is taken off hold. The approver can recall a pending inquiry at any time. The request is taken off hold. The approver’s request and the person’s answer are recorded in the approval flow and are therefore available to the approver.

NOTE: If the approver who made the enquiry, is dropped, hold status is revoked. The queried person must not answer. The request procedure continues.
Detailed information about this topic

Appointing Other Approvers

Once an approval level in the approval workflow has been reached, approvers at this level can appoint another employee to deal with the approval. To do this, you have the options described below. The required behavior is configured in the approval workflow.

  • reroute approval

    The approverappoints another approval level for approving. To do this, create a connection to the approval level to which the approval can be rerouted.

  • Appoint additional approvers

    .The approver appoints another employee with the approval. This adds another approval step to the current approval level. The new approver must make an approval decision in addition to the known approvers.

    The additional approver can reject the approval and return the request to the original approver. The original approver is informed about this by email. The original approvers can appoint another additional approver.

  • delegate approval

    The approver appoints another employee with approval. This employee is added to the current approval step as approver. The employee makes the approval decision instead of the approver who made the delegation.

    The current approver can reject the approval and return the request to the original approver. The original approvers can accept the refusal and delegate a different employee, for example, if another approver is not available.

Email notification can be sent to the original approver and the others.

Detailed information about this topic
Related Topics
Related Documents