Identity Manager 8.0 - IT Shop Administration Guide

Bulk Delegation Failure

You have the option to delegate all your responsibilities to one person in the Web Portal. If you have a lot of responsibilities, it is possible that not all the delegations are carried out. Delegators can send a notification to themselves if an error occurs.

Probable reason

An error occurred while processing delegations. The process VI_ITShop_Person Mass Delegate was aborted, although only a proportion of the delegations had been applied.

Solution
  1. Configure the notification procedure.

    For more information, see Bulk Delegation Notifications.

  2. Run all remaining delegations again in the Web Portal.

Appendix: Configuration Parameters for the IT Shop

Additional configuration parameters for the IT Shop are available in One Identity Manager. Some general configuration parameters are also relevant for the IT Shop. The following table contains a summary of all applicable configuration parameters for the IT Shop.

Table 138: Overview of Configuration Parameters
Configuration parameter Description
QER\ITShop Preprocessor relevant configuration parameter to control the component parts for the IT Shop. If the parameter is set, the IT Shop components are available. Changes to the parameter require recompiling the database.
QER\ITShop\AutoDecision This configuration parameter controls automatic approval of IT Shop requests over several approval levels.
QER\ITShop\ChallengeRoleRemoval General configuration parameter for dealing with role assignments that are modified by data import. Removal of role memberships can be challenged with the help of temporary requests.
QER\ITShop\ChallengeRoleRemoval\DaysOfValidity This configuration parameter contains the validity period (in days) of temporary requests for challenged role memberships.
QER\ITShop\ChallengeRoleRemoval\Department Temporary requests of department memberships are supported.
QER\ITShop\ChallengeRoleRemoval\Department\Primary Temporary membership of the previous department is requested if changes are made to the primary membership in departments.
QER\ITShop\ChallengeRoleRemoval\ITShopOrg This configuration parameter contains the product node that is assigned to the assignment resource to be requested.
QER\ITShop\ChallengeRoleRemoval\Locality Temporary requests of location memberships are supported.
QER\ITShop\ChallengeRoleRemoval\Locality\Primary Temporary membership of the previous location is requested if changes are made to the primary membership in locations.
QER\ITShop\ChallengeRoleRemoval\Org Temporary requests of business role memberships are supported.
QER\ITShop\ChallengeRoleRemoval\Org\Primary Temporary membership of the previous business role is requested if changes are made to the primary membership in business roles.
QER\ITShop\ChallengeRoleRemoval\ProfitCenter Temporary requests of cost center memberships are supported.
QER\ITShop\ChallengeRoleRemoval\ProfitCenter\Primary Temporary membership of the previous cost center is requested if changes are made to the primary membership in cost centers.
QER\ITShop\DecisionOnInsert This configuration parameter controls approval of a request the moment it is added.
QER\ITShop\DefaultSenderAddress This configuration parameter contains the sender email address for automatically generated messages within the IT Shop.
QER\ITShop\Delegation Preprocessor relevant configuration parameter for controlling model components for delegation and role membership. Changes to the parameter require recompiling the database. If the parameter is set, delegation components are available.
QER\ITShop\DeleteClosed This configuration parameter specifies whether closed requests are deleted.
QER\ITShop\DeleteClosed\Aborted This configuration parameter specifies the maximum retention time (in days) of aborted requests.
QER\ITShop\DeleteClosed\Dismissed This configuration parameter specifies the maximum retention time (in days) of denied requests.
QER\ITShop\DeleteClosed\Unsubscribed This configuration parameter specifies the maximum retention time (in days) of canceled requests.
QER\ITShop\GapBehavior Defines behavior when checking the validity period of new requests.
QER\ITShop\GapBehavior\GapDefinition This configuration parameter specifies which requests are checked.
QER\ITShop\GapBehavior\GapFitting This configuration parameter specifies whether validity periods of two or more pending requests can overlap.
QER\ITShop\GroupAutoPublish Preprocessor relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to the parameter require recompiling the database.
QER\ITShop\LimitOfNodeCheck Maximum number of product nodes that can be generated by a DBQueue Processor run. Once this number has been exceeded, a task for generating the rest of the nodes is queued in the DBQueue.
QER\ITShop\MailApproval\Inbox Microsoft Exchange mailbox used for "Approval by mail" processes.
QER\ITShop\MailApproval\Account Name of user account for authentication of "Approval by mail" mailbox.
QER\ITShop\MailApproval\DeleteMode Specifies the way emails are deleted from the inbox.
QER\ITShop\MailApproval\Domain Domain of user account for authentication of "Approval by mail" mailbox.
QER\ITShop\MailApproval\ExchangeURI Specifies the Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given.
QER\ITShop\MailApproval\Password Password of user account for authentication of "Approval by mail" mailbox.
QER\ITShop\MailTemplateIdents\AnswerToApprover This mail template is used to send a notification with an answer to a question from an approver.
QER\ITShop\MailTemplateIdents\InformAddingPerson This mail template is used to notify approvers that an approval decision has been made for the step they added.
QER\ITShop\MailTemplateIdents\InformDelegatingPerson This mail template is used to notify approvers that an approval decision has been made for the step they delegated.
QER\ITShop\MailTemplateIdents\InformRecipientAboutUnsubscribe Mail template, which is used to notify a request recipient that a request was unsubscribed by another person.
QER\ITShop\MailTemplateIdents\ITShopApproval Mail template used for requests made through "Approval by mail".
QER\ITShop\MailTemplateIdents\QueryFromApprover This mail template is used to send a notification with a question from an approver to an employee.
QER\ITShop\MailTemplateIdents\RequestApproverByCollection This mail template is used for generating an email when there are pending requests for an approver. If this configuration parameter is not set, a "Mail template demand" or "Mail template reminder" for single approval steps can be entered to send an email for each request. If this configuration parameter is set, single mails are not sent.
QER\ITShop\PersonInsertedNoDecide This configuration parameter specifies whether the employee that triggered the request may approve it.
QER\ITShop\PersonOrderedNoDecide This configuration parameter specifies whether the employee that the request was triggered for may approve it.
QER\ITShop\PersonInsertedNoDecideCompliance This configuration parameter specifies whether the employee that initiated the request can also approve it in cases of compliance violation.
QER\ITShop\PersonOrderedNoDecideCompliance This configuration parameter specifies whether the employee for whom a request has been initiated can also approve it in cases of compliance violation.
QER\ITShop\ReducedApproverCalculation This configuration parameter specifies which approval steps are recalculated if the IT Shop approver must be recalculated.
QER\ITShop\ReuseDecision This configuration parameter specifies whether the approval decision of an approver should be applied to all approval steps in the procedure which are made by him or her.
QER\ITShop\ShoppingCartPattern This configuration parameter specifies whether request templates can be used in IT Shop.
QER\ITShop\ShoppingCartPattern\AutoQualified This configuration parameter specifies whether public request templates are automatically labeled as "shared" or whether they have to be manually shared by a manager.
QER\ITShop\ShowClosedAssignmentOrders This configuration parameter specifies whether the manager of an organization or business role can view completed assignment requests for their organization or business role. If this parameter is not set, the manager can only view open assignment requests for their organization or business role.
QER\ITShop\Templates Preprocessor relevant configuration parameter for controlling the database model components for the Shelf Filling Wizard. Shelf templates can be used. Changes to the parameter require recompiling the database.
QER\ITShop\Templates\DeleteRecursive This configuration parameter specifies whether recursive deletion is allowed from shelf templates. The configuration parameter is disabled by default.
Common\MailNotification\Signature Data for the signature in email automatically generated from mail templates.
Common\MailNotification\Signature\Caption Signature under the salutation.
Common\MailNotification\Signature\Company Company name.
Common\MailNotification\Signature\Link Link to company website.
QER\ComplianceCheck\DisableSelfExceptionGranting Excludes rule violators from becoming exception approvers. If this parameter is set, no one can approve their own rule violations.
QER\ComplianceCheck\EnableITSettingsForRule IT Shop properties for the compliance rule are visible and can be edited.
QER\Person\Defender This configuration parameter specifies whether Starling Two-Factor Authentication is supported.
QER\Person\Defender\ApiEndpoint This configuration parameter contains the URL of the Starling 2FA API end point used to register new users.
QER\Person\Defender\ApiKey This configuration parameter contains your company's subscription key for accessing the Starling Two-Factor Authentication interface.
QER\Person\Defender\DisableForceParameter This configuration parameter specifies whether Starling 2FA is forced to send the OTP by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameter is set, Starling 2FA can disallow the request and the user must request the OTP through Starling 2FA.
QER\WebPortal General configuration parameter for Web Portal settings.
QER\WebPortal\BaseURL Web Portal URL. This address is used in mail templates to add hyperlinks to the Web Portal.
QER\WebPortal\DisplayName This configuration parameter contains the Web Portal display name. This name is used in mail templates.
QER\WebPortal\PersonChangeWorkdesk This configuration parameter specifies whether Web Portal users can change their default workdesk. If the configuration parameter is set, users can relocate their workdesk through the Web Portal.
QER\WebPortal\ShowProductImages This configuration parameter specifies whether pictures of products are displayed in the Web Portal.

Appendix: Request Statuses

The following table gives an overview of all statuses a request can have.

Table 139: Request Statuses
Status Description
New A product was requested. The request was added in the database.
Request The request is currently in the approval process. An approval decision has not yet been reached.
Approved The approval process is complete. The request is granted approval.
Pending The request is granted approval. A valid from date was given in the request. This date has not been reached yet.
Assigned The request was granted approval and assigned.
Renewal The request with limited validity was assigned. A renewal has been applied for and is in the approval process. An approval decision has not yet been reached.
Canceled This product was canceled. The cancellation is currently in the approval process. An approval decision has not yet been reached.
Unsubscribed The approval process is complete. The cancellation was granted approval.
Denied The approval process is complete. The request was denied approval.
Aborted The request was aborted by a user or for technical reasons.
Pending requests: Requests with the status new, request, approved, pending, assigned, renewal, canceled.
Approved requests: Requests with the status approved, pending, assigned, renewal, canceled.
Assigned requests: Requests with the status assigned, renewal, canceled.
Closed requests: Requests with the status unsubscribed, denied, aborted.

Appendix: Example of Request Results

Request results differ depending on whether a simple or multiple request resource, or an assignment is requested. The following graphics clarify the differences:

Figure 14: Request for a single request resource

Figure 15: Request for a multi request resource

Figure 16: Request for a requestable/unsubscribable resource

Figure 17: Request for a department membership

Figure 18: Request for assignment of an Active Directory group to a department
