|Specifies the Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given.|
The schedule "
NOTE: The validity of the email certificate is checked with the script VID_ValidateCertificate. You can customize this script to suit your security requirements. Take into account that this script is also used for
If an self-signed root certification authority is used, the user account under which the One Identity Manager Service is running, must trust the root certificate.
TIP: The script VI_MailApproval_ProcessInBox finds the Exchange Web Service URL which uses AutoDiscover through the given mailbox as default. This assumes that the AutoDiscover service is running.
If this is not possible, enter the URL in the configuration parameter "
|NOTE: If you use a custom mail template for an |
|QER\ITShop\ChallengeRoleRemoval||General configuration parameter for dealing with role assignments that are modified by data import. Removal of role memberships can be challenged with the help of temporary requests.|
|QER\ITShop\ChallengeRoleRemoval\DaysOfValidity||This configuration parameter contains the validity period (in days) of temporary requests for challenged role memberships.|
|QER\ITShop\ChallengeRoleRemoval\ITShopOrg||This configuration contains product node, which is assigned to assignment resource to be requested.|
|QER\ITShop\ChallengeRoleRemoval\Department||Temporary requests of department memberships are supported.|
|QER\ITShop\ChallengeRoleRemoval\Department\Primary||Temporary membership of the previous department is requested if changes are made to the primary membership in departments.|
|QER\ITShop\ChallengeRoleRemoval\Locality||Temporary requests of location memberships are supported.|
|Temporary membership of the previous location is requested if changes are made to the primary membership in locations.|
|QER\ITShop\ChallengeRoleRemoval\Org||Temporary requests of business role memberships are supported.|
|QER\ITShop\ChallengeRoleRemoval\Org\Primary||Temporary membership of the previous business role is requested if changes are made to the primary membership in business roles.|
|QER\ITShop\ChallengeRoleRemoval\ProfitCenter||Temporary requests of cost center memberships are supported.|
|QER\ITShop\ChallengeRoleRemoval\ProfitCenter\Primary||Temporary membership of the previous cost center is requested if changes are made to the primary membership in cost centers.|
If an employee changes their primary department (business role, cost center or location), they loose all company resources and system entitlements inherited through it. However, it may be necessary for the employee to retain these company resources and system entitlements for a certain period. Use temporary requests to retain the state of the employee's current memberships. Inherited assignments are not removed until after the validity period for this request has expired. The employee can renew the request with the validity period.
To configure automatic requests for removal of role memberships
|NOTE: The configuration parameters are set by default. The validity period is set to 7 days.|
If employee master data is modified by importing, One Identity Manager checks whether a primary role (for example Person.UID_Department) was modified or deleted on saving. If this is the case, the script VI_CreateRequestForLostRoleMembership is executed. The script create a temporary assignment request for this role, which is granted approval automatically. Thus, the employee remains a members of the role and retains their company resources and system entitlements. The request is automatically canceled when the validity period expires.
The request can be renewed during the validity period. The request renewal must be approved by the role manager. The request becomes permanent if approval is granted. Role membership stays the same until the assignment is canceled.
TIP: The configuration parameter "QER\ITShop\ChallengeRoleRemoval\ITShopOrg" specifies which product nodes to use for a limited validity period request of modified role memberships. The product "Challenge loss of role membership" is provided by default on the "Identity & Access Lifecycle\Identity Lifecycle" shelf. You can also add this product to your own IT Shop solution.
To use the product "Challenge loss of role membership" in your own IT Shop solution
|QER\ITShop\AutoCloseInactivePerson||The configuration parameter defines, whether employees are removed from all customer nodes, when they are permanently disabled.|
By default permanently disabled employees remain members in all the customer nodes. This ensures that all pending request and resulting assignments are retained. One Identity Manager can be configured such that employees are automatically removed from all custom nodes once they are permanently disabled. This means that all pending requests are aborted and remaining assignments are removed.
To remove employees from all customer nodes if they are permanently disabled
Set the configuration parameter "QER\ITShop\AutoCloseInactivePerson" in the Designer.
|Common\ProcessState\PropertyLog||When this configuration parameter is set, changes to individual values are logged and shown in the process view.|
|QER\ITShop\DeleteClosed||This configuration parameter specifies whether closed requests are deleted.|
|QER\ITShop\DeleteClosed\Aborted||This configuration parameter specifies the maximum retention time (in days) of aborted requests.|
|QER\ITShop\DeleteClosed\Dismissed||This configuration parameter specifies the maximum retention time (in days) of denied requests.|
|QER\ITShop\DeleteClosed\Unsubscribed||This configuration parameter specifies the maximum retention time (in days) of canceled requests.|
To limit request procedures in the One Identity Manager database, you can remove closed request procedures from the database. The request procedure properties are logged in the approval history at the same time. The requests are subsequently deleted. Only closed request with unexpired retention periods are kept in the database.
To delete attestation cases automatically
This activates logging for deleted request procedures and their approval history. For more detailed information about logging data changes tags, see the One Identity Manager Configuration Guide.
||NOTE: Ensure that the logged request procedures are archived for audit reasons. For more detailed information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.|
Closed requests are deleted by the DBQueue Processor once the request's retention period has expired. The time at which the request was last changed, is used as the basis for calculating the retention period. The DBQueue Processor determines the requests to be deleted in the context of daily maintenance tasks. All request procedure properties are logged in the approval history.