Chat now with support
Chat with Support

Identity Manager 8.0 - IT Shop Administration Guide

Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop Putting the IT Shop into Operation Requestable Products Preparing Products for Requesting Assigning and Removing Products Preparing the IT Shop for Multi-factor Authentication Assignment Requests and Delegating Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships Adding Groups Automatically to the IT Shop
Approval Processes for IT Shop Requests
Editing Approval Policies Approval Workflows Determining Effective Approval Policies Selecting Responsible Approvers Request Risk Analysis Testing Requests for Rule Compliance Approving Requests from an Approver Automatic Request Approval Obtaining Other Information about Requests by an Approver Appointing Other Approvers Setting up an Approval Step Approvers cannot be Established Automatic Approval on Timeout Abort Request on Timeout Approval through Chief Approval Team Approving Requests with Terms of Use Using Default Approval Processes
Request Sequence Managing an IT Shop
IT Shop Base Data Setting up IT Shop Structures Setting Up a Customer Node Deleting IT Shop Structures Templates for Automatically Filling the IT Shop Creating Custom Mail Templates for Notifications request templates
Default Solution for Requesting System Entitlements Error Handling Appendix: Configuration Parameters for the IT Shop Appendix: Request Statuses Appendix: Example of Request Results

Product Change Notification

Product Change Notification

Employees can be notified when a product is replaced by another product on a fixed date. Email notification is automatically sent to the request recipient if notification procedures are in place and the task Change product... is run.

TIP:

To use different mail template that the default for this notification

  1. Open the process VI_ESS_PersonWantsOrg Send Mail Product Expires Soon in the Designer.
  2. Change the process properties in the pre-script for generating the UID_RichMail.
  3. Save the changes to the database using Database | Commit to database....

  4. Save the changes.
Detailed information about this topic

Default Mail Templates

Default Mail Templates

One Identity Manager supplies mail templates by default. These mail templates are available in English and German. If you require the mail body in other languages, you can add mail definitions for these languages to the default mail template.

To edit a default mail template

  • Select the category IT Shop | Basic configuration data | Mail templates | Predefined.
Related Topics

Bulk Delegation Notifications

Bulk Delegation Notifications

Table 94: Configuration Parameters for Notifying Delegates
Configuration parameter Meaning
QER\ITShop\MailTemplateIdents\InformRequestorAboutMassDelegationErrors This mail template is used to send a notification to a delegate if bulk delegation fails.

You have the option to delegate all your responsibilities to one person in the Web Portal. If you have a lot of responsibilities, it is possible that not all the delegations are carried out. A delegators can send a notification to themselves if an error occurs.

To send a notification if bulk delegation fails

  • Set the configuration parameter "QER\ITShop\MailTemplateIdents\InformRequestorAboutMassDelegationErrors" in the Designer.

    Notification with the mail template "Delegation - bulk delegation failed" is sent by default.

TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter.
Related Topics

Approval by Mail

Approval by Mail

Table 95: Configuration Parameters for Approval by Mail
Configuration Parameter Meaning
QER\ITShop\MailApproval\Inbox This Microsoft Exchange mailbox is used for "Approval by mail" processes.
QER\ITShop\MailApproval\Account Name of user account for authentication of "Approval by mail" mailbox.
QER\ITShop\MailApproval\Domain Domain of user account for authentication of "Approval by mail" mailbox.
QER\ITShop\MailApproval\Password Password of user account for authentication of "Approval by mail" mailbox.
QER\ITShop\MailTemplateIdents\ITShopApproval Mail template used for requests made through "Approval by mail".
QER\ITShop\MailApproval\DeleteMode Specifies the way emails are deleted from the inbox.

You can set up approval by mail to provide an option for approvers, who are temporarily unable to access One Identity Manager tools, to make request decisions. In this way, approvers are notified by email when a request is pending approval. Approvers can use the links in the email to make approval decisions without having to connect to the Web Portal. This generates an email that contains the approval decision and in which approvers can state the reasons for their approval decision. This email is sent to a central Microsoft Exchange mailbox. The One Identity Manager checks this mailbox regularly, evaluates the incoming emails and updates the status of the request procedure correspondingly.

IMPORTANT: An approval is not possible by email, if multi-factor authorization is configured for the requested product. Approval emails for such requests produce an error message.

Prerequisites

  1. The Microsoft Exchange system is configured with
    • Microsoft Exchange Client Access Server version 2007, Service Pack 1 or later
    • Microsoft Exchange Web Service .NET API Version 1.2.1, 32 Bit
  2. The user account used by One Identity Manager to register with Microsoft Exchange requires full access to the mailbox given in the configuration parameter "QER\ITShop\MailApprovalInbox".
  3. The configuration parameter "QER\ITShop\MailTemplateIdents\RequestApproverByCollection" is not set.

To set up approval by email

  1. Set the configuration parameter "QER\ITShop\MailApprovalInbox" in the Designer and enter the mailbox to which to send the approval mails.
  2. Set up mailbox access.
    1. By default, One Identity Manager uses the One Identity Manager Service user account to register with Microsoft Exchange and to access the mailbox.

      – OR –

    2. You enter a separate user account for registering on the Microsoft Exchange Server for mailbox access. Enabled the following configuration parameters to do this.
      Table 96: Configuration Parameters for Logging onto a Microsoft Exchange Server
      Configuration Parameter Meaning
      QER\ITShop\MailApproval\Account User account name.
      QER\ITShop\MailApproval\Domain User account's user account.
      QER\ITShop\MailApproval\Password User account password.
  3. Set the configuration parameter "QER\ITShop\MailTemplateIdents\ITShopApproval" in the Designer.

    The mail template used to send the approval mail is stored with this configuration parameter. You can use the default mail template or add a custom mail template.

    TIP: Change the value of the configuration parameter in order to use custom mail templates for approval mails. Customize the script VI_MailApproval_ProcessMail in this case, as well.
  4. Assign the following mail templates to the approval steps:
    Table 97: Mail Template for Approval by Mail
    Property Mail template
    Mail template for demand IT Shop request- approval required (by mail)
    Mail template reminder IT Shop request- remind approver (by mail)
    Mail template for delegation IT Shop request- delegated/additional approval (by mail)
    Mail template for rejection IT Shop request- reject approval (by mail)
  5. Enable the schedule "Processes IT Shop mail approvals" in the Designer.

    Based on this schedule, the One Identity Manager regularly checks the mailbox after each for new approval mail. Based on this schedule, the regularly checks the mailbox every 15 minutes. You can change how frequently it checks, by altering the interval in the schedule as required.

To clean up a mail box

  • Set the configuration parameter "QER\ITShop\MailApproval\DeleteMode in the Designer and select the following values.
    Table 98: Cleaning up a Mailbox
    Value Method
    HardDelete Processed emails are deleted immediately
    MoveToDeletedItems Processed emails are moved to the "Deleted objects" folder in the mailbox.
    SoftDelete Processed emails are moved to the Active Directory trash but can be restored if necessary.

    NOTE: If you apply the method MoveToDeletedItems or SoftDelete you should empty the folder "Deleted objects" or the Active Directory trash at regular intervals.
Related Topics
Related Documents