Identity Manager 8.0 - IT Shop Administration Guide


Modifying an Approval Mail

Table 99: Configuration Parameters for Approval by Mail
Configuration parameter | Meaning
QER\ITShop\MailApproval\ExchangeURI | Specifies the Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given.

The schedule "Processes IT Shop mail approvals" starts the process VI_ITShop_Process Approval Inbox. This process runs the script VI_MailApproval_ProcessInBox, which searches the mailbox for new approval mails and updates the request procedures in the One Identity Manager database. The contents of the approval mails are then processed.

NOTE: The validity of the email certificate is checked with the script VID_ValidateCertificate. You can customize this script to suit your security requirements. Take into account that this script is also used for attestations by mail.

If a self-signed root certification authority is used, the user account under which the One Identity Manager Service runs must trust the root certificate.

TIP: By default, the script VI_MailApproval_ProcessInBox finds the Exchange Web Service URL through AutoDiscover for the given mailbox. This assumes that the AutoDiscover service is running.

If this is not possible, enter the URL in the configuration parameter "QER\ITShop\MailApproval\ExchangeURI".

Approval mails are processed with the script VI_MailApproval_ProcessMail. The script finds the matching approval, sets the Approved option, and stores the reason for the approval decision with the request procedure. The approver is identified through the sender address. The approval mail is then removed from the mailbox according to the selected cleanup method.

NOTE: If you use a custom mail template for an approval mail, check the script and modify it as required. Take into account that this script is also used for IT Shop request approvals by mail.
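The processing sequence above, as an added Python model rather than the product's own VB.NET scripts: the certificate check comes before the sender lookup because the sender address is what selects the approver. The class and function names, the choice to leave failed mails in the inbox, and the sample mails are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
# Constructed model of the approval-by-mail processing described above; the names are
# assumptions, not the product's VI_MailApproval_* or VID_ValidateCertificate scripts.

@dataclass
class ApprovalMail:
    sender: str           # the approver is identified by this address
    request_uid: str      # request procedure the mail refers to
    approved: bool        # decision carried by the mail
    reason: str
    signer_cert_ok: bool  # stand-in for the outcome of the certificate check

@dataclass
class RequestProcedure:
    approvers: List[str]  # addresses allowed to decide the current step
    approved: Optional[bool] = None
    reason: str = ""

def process_inbox(inbox: List[ApprovalMail], requests: Dict[str, RequestProcedure],
                  validate_cert: Callable[[ApprovalMail], bool]) -> Dict[str, List[str]]:
    """Apply trustworthy decisions; accepted mails are removed, mails failing a check
    stay in the inbox for review (an assumption; the page leaves cleanup configurable)."""
    outcome = {"applied": [], "bad_certificate": [], "unknown_request": [], "not_an_approver": []}
    for mail in list(inbox):
        # The sender address identifies the approver, so the certificate must be valid first.
        if not validate_cert(mail):
            outcome["bad_certificate"].append(mail.request_uid)
            continue
        req = requests.get(mail.request_uid)
        if req is None:
            outcome["unknown_request"].append(mail.request_uid)
            continue
        if mail.sender.lower() not in [a.lower() for a in req.approvers]:
            outcome["not_an_approver"].append(mail.request_uid)
            continue
        req.approved = mail.approved  # set the Approved option ...
        req.reason = mail.reason      # ... and store the reason with the request procedure
        inbox.remove(mail)            # clean the processed mail out of the mailbox
        outcome["applied"].append(mail.request_uid)
    return outcome

def sample_run():
    """Constructed sample: a valid mail, one with a bad certificate, one from a non-approver."""
    requests = {u: RequestProcedure([a]) for u, a in [("REQ-1", "manager@example.com"),
                ("REQ-2", "manager@example.com"), ("REQ-3", "owner@example.com")]}
    inbox = [ApprovalMail("Manager@example.com", "REQ-1", True, "Project need", True),
             ApprovalMail("manager@example.com", "REQ-2", True, "Looks fine", False),
             ApprovalMail("someone@example.com", "REQ-3", True, "Please approve", True)]
    return process_inbox(inbox, requests, lambda m: m.signer_cert_ok), requests, inbox
```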

Requests with Limited Validity Period for Challenged Role Memberships

Table 100: Configuration Parameter for Temporary Requests of Challenged Role Memberships
Configuration parameter | Meaning
QER\ITShop\ChallengeRoleRemoval | General configuration parameter for dealing with role assignments that are modified by data import. Removal of role memberships can be challenged with the help of temporary requests.
QER\ITShop\ChallengeRoleRemoval\DaysOfValidity | Validity period (in days) of temporary requests for challenged role memberships.
QER\ITShop\ChallengeRoleRemoval\ITShopOrg | Product node to which the assignment resource to be requested is assigned.
QER\ITShop\ChallengeRoleRemoval\Department | Temporary requests of department memberships are supported.
QER\ITShop\ChallengeRoleRemoval\Department\Primary | Temporary membership of the previous department is requested if changes are made to the primary membership in departments.
QER\ITShop\ChallengeRoleRemoval\Locality | Temporary requests of location memberships are supported.
QER\ITShop\ChallengeRoleRemoval\Locality\Primary | Temporary membership of the previous location is requested if changes are made to the primary membership in locations.
QER\ITShop\ChallengeRoleRemoval\Org | Temporary requests of business role memberships are supported.
QER\ITShop\ChallengeRoleRemoval\Org\Primary | Temporary membership of the previous business role is requested if changes are made to the primary membership in business roles.
QER\ITShop\ChallengeRoleRemoval\ProfitCenter | Temporary requests of cost center memberships are supported.
QER\ITShop\ChallengeRoleRemoval\ProfitCenter\Primary | Temporary membership of the previous cost center is requested if changes are made to the primary membership in cost centers.

If an employee changes their primary department (business role, cost center, or location), they lose all company resources and system entitlements inherited through it. However, it may be necessary for the employee to retain these company resources and system entitlements for a certain period. Use temporary requests to retain the employee's current memberships. Inherited assignments are not removed until the validity period of this request has expired. The employee can renew the request within the validity period.

Prerequisites

  • Employee master data is modified by import.
  • The import sets the session variable FullSync=TRUE.

To configure automatic requests for removal of role memberships

  1. Set the configuration parameter "QER\ITShop\ChallengeRoleRemoval" in the Designer.
  2. Set the configuration parameter "QER\ITShop\ChallengeRoleRemoval\DaysOfValidity" in the Designer and enter the validity period of the request.
  3. Set the configuration parameters under "QER\ITShop\ChallengeRoleRemoval" in the Designer for roles whose primary memberships need to remain intact when modified.
  4. Commit the changes to the database.

NOTE: The configuration parameters are set by default. The validity period is set to 7 days.

If employee master data is modified by import, One Identity Manager checks on saving whether a primary role (for example Person.UID_Department) was modified or deleted. If so, the script VI_CreateRequestForLostRoleMembership is executed. The script creates a temporary assignment request for this role, which is approved automatically. The employee thus remains a member of the role and retains their company resources and system entitlements. The request is canceled automatically when the validity period expires.

The request can be renewed during the validity period. The request renewal must be approved by the role manager. The request becomes permanent if approval is granted. Role membership stays the same until the assignment is canceled.
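The same flow as an added Python model, not the product's script VI_CreateRequestForLostRoleMembership: an import with FullSync set that changes or deletes Person.UID_Department creates an auto-approved temporary request, which is canceled on expiry unless the role manager approves a renewal within the validity period. The class and function names and the sample configuration values are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Constructed model of the flow described above. The names here are assumptions for
# this example; the product implements it in VI_CreateRequestForLostRoleMembership.
CHALLENGE = "QER\\ITShop\\ChallengeRoleRemoval"

@dataclass
class TemporaryRequest:
    uid_person: str
    uid_department: str          # the department the employee would otherwise lose
    valid_until: Optional[date]  # None once an approved renewal made the request permanent
    approved: bool = True        # granted automatically when created
    canceled: bool = False

def on_person_saved(old: Dict[str, str], new: Dict[str, str], session: Dict[str, bool],
                    config: Dict[str, object], today: date) -> Optional[TemporaryRequest]:
    """Run when employee master data is saved; returns the temporary request created for
    a lost primary department, or None when nothing needs to be challenged."""
    if not session.get("FullSync"):            # only data changed by import is handled
        return None
    if not (config.get(CHALLENGE) and config.get(CHALLENGE + "\\Department\\Primary")):
        return None
    old_dept, new_dept = old.get("UID_Department"), new.get("UID_Department")
    if not old_dept or old_dept == new_dept:   # no previous department, or unchanged
        return None
    days = int(config[CHALLENGE + "\\DaysOfValidity"])
    # Modified or deleted primary department: request the old membership temporarily.
    return TemporaryRequest(new["UID_Person"], old_dept, today + timedelta(days=days))

def renew(req: TemporaryRequest, today: date, role_manager_approved: bool) -> bool:
    """Renewal is only possible within the validity period and needs the role manager's
    approval; once approved, the request (and the membership) becomes permanent."""
    if req.canceled or req.valid_until is None or today > req.valid_until:
        return False
    if role_manager_approved:
        req.valid_until = None
    return role_manager_approved

def expire(req: TemporaryRequest, today: date) -> bool:
    """Daily check: cancel the request once its validity period has run out."""
    if req.valid_until is not None and today > req.valid_until:
        req.canceled = True
    return req.canceled
```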

TIP: The configuration parameter "QER\ITShop\ChallengeRoleRemoval\ITShopOrg" specifies which product nodes to use for a limited validity period request of modified role memberships. The product "Challenge loss of role membership" is provided by default on the "Identity & Access Lifecycle\Identity Lifecycle" shelf. You can also add this product to your own IT Shop solution.

To use the product "Challenge loss of role membership" in your own IT Shop solution

  1. Assign the assignment resource "Challenge loss of role membership" to your own shelf.
  2. Edit the configuration parameter "QER\ITShop\ChallengeRoleRemoval\ITShopOrg" in the Designer.
    • Enter the full name or the UID of the new product node.

Requests from Permanently Disabled Employees

Table 101: Configuration Parameter for Requests from Permanently Disabled Employees
Configuration parameter | Effect
QER\ITShop\AutoCloseInactivePerson | Specifies whether employees are removed from all customer nodes when they are permanently disabled.

By default, permanently disabled employees remain members of all customer nodes. This ensures that all pending requests and resulting assignments are retained. One Identity Manager can be configured so that employees are automatically removed from all customer nodes once they are permanently disabled. All pending requests are then aborted and remaining assignments are removed.

To remove employees from all customer nodes if they are permanently disabled

  • Set the configuration parameter "QER\ITShop\AutoCloseInactivePerson" in the Designer.

Deleting Requests

Table 102: Configuration Parameter for Deleting Closed Requests
Configuration parameter | Effect
Common\ProcessState\PropertyLog | When this configuration parameter is set, changes to individual values are logged and shown in the process view.
QER\ITShop\DeleteClosed | Specifies whether closed requests are deleted.
QER\ITShop\DeleteClosed\Aborted | Specifies the maximum retention time (in days) of aborted requests.
QER\ITShop\DeleteClosed\Dismissed | Specifies the maximum retention time (in days) of denied requests.
QER\ITShop\DeleteClosed\Unsubscribed | Specifies the maximum retention time (in days) of canceled requests.

To limit the number of request procedures in the One Identity Manager database, you can remove closed request procedures from the database. Their properties are logged in the approval history first, and the requests are then deleted. Only closed requests whose retention period has not yet expired are kept in the database.

To delete closed requests automatically

  1. Set the configuration parameter "QER\ITShop\DeleteClosed" in the Designer.
    1. To delete aborted requests, set the configuration parameter "QER\ITShop\DeleteClosed\Aborted" and enter the retention period in days.
    2. To delete denied requests, set the configuration parameter "QER\ITShop\DeleteClosed\Dismissed" and enter the retention period in days.
    3. To delete canceled (unsubscribed) requests, set the configuration parameter "QER\ITShop\DeleteClosed\Unsubscribed" and enter the retention period in days.
  2. Set the configuration parameter "Common\ProcessState\PropertyLog" in the Designer.

    This activates logging for deleted request procedures and their approval history. For more detailed information about logging data changes, see the One Identity Manager Configuration Guide.

    NOTE: Ensure that the logged request procedures are archived for audit reasons. For more detailed information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.

Closed requests are deleted by the DBQueue Processor once the request's retention period has expired. The time at which the request was last changed is used as the basis for calculating the retention period. The DBQueue Processor determines the requests to be deleted as part of the daily maintenance tasks. All request procedure properties are logged in the approval history.
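One maintenance run of the cleanup described above, as an added Python model that is not the DBQueue Processor's own task: the master switch, the per-state retention parameters and the last-changed time decide what is kept, and the properties of a request are logged to the approval history before it is deleted. The function name and the record layout are assumptions made for this example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed model of the closed-request cleanup described above; the names are
# assumptions for this example, not the DBQueue Processor's maintenance task.
DELETE_CLOSED = "QER\\ITShop\\DeleteClosed"
RETENTION_PARAM = {  # request state -> parameter holding its retention period in days
    "Aborted": DELETE_CLOSED + "\\Aborted",
    "Dismissed": DELETE_CLOSED + "\\Dismissed",
    "Unsubscribed": DELETE_CLOSED + "\\Unsubscribed",
}

def daily_cleanup(config: Dict[str, object], requests: List[Dict[str, object]],
                  now: datetime) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Return (kept requests, approval-history entries) after one maintenance run.
    A request is a dict with 'uid', 'state' and 'last_changed'; a config value of
    None (or a missing key) means the parameter is not set."""
    if not config.get(DELETE_CLOSED):
        return list(requests), []           # master switch off: delete nothing
    kept, history = [], []
    for req in requests:
        param = RETENTION_PARAM.get(req["state"])
        days = config.get(param) if param else None
        # Open requests, and closed states whose retention parameter is not set, are kept.
        if days is None:
            kept.append(req)
            continue
        # The retention period counts from the last change, not from the request date.
        if req["last_changed"] + timedelta(days=int(days)) > now:
            kept.append(req)
            continue
        history.append(dict(req))           # log the properties to the approval history ...
    return kept, history                    # ... the request itself is then deleted
```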
