
Identity Manager 8.0 - IT Shop Administration Guide

Approval through Chief Approval Team

Sometimes, approval decisions cannot be made for requests because the approver is not available or does not have access to One Identity Manager tools. To complete the request, however, you can define a chief approval team whose members are authorized to intervene in the approval process at any time.

The chief approval team is authorized to approve, deny or abort requests in special cases, or to authorize other approvers.

IMPORTANT:

  • The four-eye principle can be broken like this because chief approval team members can make approval decisions for requests at any time! Specify, on a custom basis, in which special cases the chief approval team may intervene in the approval process.
  • The chief approval team members may always approve their own requests. The configuration parameter settings "QER\ITShop\PersonInsertedNoDecide" and "QER\ITShop\PersonOrderedNoDecide" do not apply to the chief approval team.
  • Specify in the approval step how many approvers must approve this approval step. This limit is not valid for the chief approval team. The approval step is considered approved once one member of the chief approval team has granted or denied approval for the request.

The chief approval team can approve requests for all manual approval steps. The chief approvals are not permitted for approval steps with the approval procedures CR, SB, CD, EX and WC as well as OC and OH. If a member of the chief approval team is identified as a regular approver for an approval step, he or she can only make an approval decision for this step as a regular approver.
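The rules above lend themselves to a periodic audit of decisions made through the chief approval team. The following Python check is an added example, not One Identity code; the CSV export, its column names and the procedure code "P1" are hypothetical, and the sample rows are constructed.

```python
import csv
import io

# Approval procedures for which the guide says chief approvals are not permitted.
NO_CHIEF_PROCEDURES = {"CR", "SB", "CD", "EX", "WC", "OC", "OH"}

# Constructed sample export. Column names and the procedure code "P1"
# (standing in for any manual procedure) are hypothetical.
SAMPLE_EXPORT = """\
request_id,inserted_by,ordered_for,approver,procedure,chief_decision
R1,alice,alice,bob,P1,no
R2,carol,carol,carol,P1,yes
R3,dave,erin,carol,P1,yes
R4,frank,frank,carol,CR,yes
R5,gina,gina,mallory,P1,yes
R6,carol,carol,carol,BR,no
"""


def audit_chief_decisions(export_text, chief_team):
    """Return (request_id, finding) pairs for decisions made via the chief approval team."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["chief_decision"] != "yes":
            continue  # decisions made as a regular approver are out of scope
        rid, approver = row["request_id"], row["approver"]
        if approver not in chief_team:
            findings.append((rid, "chief decision by non-member"))
        if row["procedure"] in NO_CHIEF_PROCEDURES:
            findings.append((rid, "chief decision on excluded procedure"))
        if approver in (row["inserted_by"], row["ordered_for"]):
            # PersonInsertedNoDecide / PersonOrderedNoDecide do not block this case.
            findings.append((rid, "self-approval, four-eye principle bypassed"))
        else:
            findings.append((rid, "single-approver override, check documented special case"))
    return findings


if __name__ == "__main__":
    for rid, finding in audit_chief_decisions(SAMPLE_EXPORT, {"carol"}):
        print(rid, finding)
```

Every chief decision yields at least one finding by design, because each one replaces the approver count configured in the approval step with a single decision.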

To add members to the chief approval team

  1. Select the category IT Shop | Basic configuration data | Chief approval team.
  2. Select Assign employees in the task view.
  3. Assign the employees authorized to approve requests in Add assignments.

    - OR -

    Remove the assignments of employees to the chief approval team in Remove assignments.

  4. Save the changes.

Related Topics

Approving Requests with Terms of Use

Approving Requests with Terms of Use

Terms of use that explain conditions of use for a product can be stored for individual service items (for example, application license conditions). When someone requests this product, the requester and request recipient must accept the terms of use before the request can be finalized.

In order for the request recipient to accept the terms of use, the request must be assigned to the request recipient in the approval process. Set up a workflow for requests like this with an approval step "BR" and set the option No automatic approval. One Identity Manager provides a default approval procedure and a default approval policy "Terms of Use acknowledgment for third-party orders (sample)" that you can use for this. Using the default approval workflow as a basis, create your own approval workflow, which returns the request to the request recipient and determines the approver after the terms of use have been accepted. Use the approval procedure "BR" to do this.

To create an approval workflow for requests with terms of use

  1. Select the category IT Shop | Basic configuration data | Approval workflows | Predefined.
  2. Select the approval workflow "Terms of Use acknowledgement for third-party orders (sample)" in the result list. Select Change master data in the task view.
  3. Select Copy workflow... in the task view.
  4. Enter the name of the copy. Click OK.
  5. Edit the copy. Modify the approval workflow to suit your requirements.
  6. Create an approval policy and assign it to the approval workflow.
  7. Assign the service items that have terms of use assigned to them to the approval policy.

Using Default Approval Processes

By default, the One Identity Manager supplies approval policies and approval workflows. These are used in the approval processes of the shop "Identity & Access Lifecycle".

Table 70: Default Approval Policies and Workflows in the Shop "Identity & Access Lifecycle"

| Approval policy/workflow | Description | Shelf/product |
|---|---|---|
| Compliance checking simplified | Compliance checking and exception approval for all products on the shelf that do not have their own approval policy assigned to them. For more information, see Testing Requests for Rule Compliance. | Identity Lifecycle |
| Self-Service | Assignment requests and delegations are automatically approved by default. For more information, see Standard Products for Assignment Requests and Delegation. | Identity Lifecycle\Delegation; Identity Lifecycle\Business role entitlement assignment; Identity Lifecycle\Business role membership |
| Self-Service | Automatic approval for all products on the shelf that do not have their own approval policy assigned to them. For more information, see Self-Service. | Group Lifecycle |
| Terms of Use acknowledgment for third-party orders (sample) | Copy template for requests with terms of use. For more information, see Approving Requests with Terms of Use. | |
| Challenge loss of role membership | Limited period assignment requests for role memberships are automatically granted approval. For more information, see Requests with Limited Validity Period for Challenged Role Memberships. | Identity Lifecycle\Challenge loss of role membership |
| New manager assignment | Requesting a change of manager must be approved by the new manager. For more information, see Request Change of Manager for an Employee. | Identity Lifecycle\New manager assignment |
| Approval of Active Directory group create requests | Requests for new Active Directory groups must be approved by the target system manager. The groups are added in One Identity Manager and published in the target system. For more information, see Adding an Active Directory group. | Group Lifecycle\New Active Directory security group; Group Lifecycle\New Active Directory distribution group |
| Approval of Active Directory group change requests | Changes to group type and range of Active Directory groups must be approved by the target system manager. For more information, see Modifying an Active Directory group. | Group Lifecycle\Modify Active Directory group |
| Approval of Active Directory group deletion requests | Deleting an Active Directory group must be approved by the target system manager. For more information, see Deleting an Active Directory group. | Group Lifecycle\Delete Active Directory group |
| Approval of SharePoint group create requests | Requests for new SharePoint groups must be approved by the target system manager. The groups are added in One Identity Manager and published in the target system. For more information, see Adding an SharePoint group. | Group Lifecycle\New SharePoint group |
| Approval of Active Directory group membership requests | Product owners and target system managers can request members for groups in these shelves. For more information, see Requesting Groups Memberships. | Active Directory groups |
| Approval of Active Directory group membership requests II | | Active Directory groups |
| Approval of group membership requests | | SharePoint groups |

Request Sequence

Shop customers can request, renew and unsubscribe products as soon as an IT Shop solution is set up. Use the Web Portal to do this. Requests and cancellations are also approved in the Web Portal, where you can view an overview of your own pending and closed requests. You can also find an overview of pending and closed requests in the Manager.

Requests can have a limited time period, which means the requested product assignment is only valid within the validity period.

General Request Sequence

  1. A customer requests in the Web Portal:
    1. A product.

      - OR -

    2. Membership in a hierarchical role.

      - OR -

    3. Assignment of a company resource to a hierarchical role.
  2. The request goes through the assigned approval process.
  3. If the request has been granted approval and the Valid from date has been reached:
    1. The product is assigned to the customer. The company resource connected with the product is indirectly assigned to the customer.

      - OR -

    2. The customer becomes secondary member in the hierarchical role.

      - OR -

    3. The company resource is assigned to the hierarchical role.

    The request contains the status "Assigned" (PersonWantsOrg.OrderState = 'Assigned').

    The product/membership/assignment remains until it is canceled.

Requests and the resulting assignments are displayed in the following table:

  • Requests: PersonWantsOrg
  • Product assignments: PersonInITShopOrg
  • Company resource assignments: for example, PersonHasQERResource, ADSAccountInADSGroup
  • Hierarchical role assignments: for example, PersonInDepartment
  • Hierarchical role assignments: for example, DepartmentHasADSGroup

General Cancellation Sequence

  1. A customer cancels a product/membership/assignment in the Web Portal.

    - OR -

    A requested product/requested membership/requested assignment is automatically unsubscribed.

  2. The cancellation goes through the assigned approval process.
  3. If cancellation was granted approval and the expiry date has been reached:
    1. The product's assignment is removed. The assignment of the company resource associated with the product is also removed.

      - OR -

    2. The customer's membership in the hierarchical role is removed.

      - OR -

    3. The company resource's assignment to the hierarchical role is removed.

    The request contains the status "Unsubscribed" (PersonWantsOrg.OrderState = 'Unsubscribed').

If a customer is removed from a shop, existing requests for this are closed. The products are unsubscribed and assignments are removed. If the customer changes to another shop, the product requests can be retained under certain circumstances. If the request is an assignment request, it can also be retained under certain circumstances.

Related Topics

For more detailed information about requesting products, see the One Identity Manager Web Portal User Guide.
