Setting up an IT Shop Solution
One Identity Manager Users in the IT Shop
Putting the IT Shop into Operation
Requestable Products
Preparing Products for Requesting
Approval Processes for IT Shop Requests
Entering Service Items
Assigning and Removing Products
Preparing the IT Shop for Multi-factor Authentication
General Master Data for a Service Item
Pricing Information
Extended Master Data for a Service Item
Default Service Items
Additional Tasks for Managing Service Items
Entering Service Categories
Service Item Overview
Editing Product Dependencies for Requests
Assign Hierarchical Roles
Assign Function Areas
assign extended properties
Displaying Websites
Changing Products
Assign Tag
Assign Object Dependent References
Specifying Products Dependencies
Reports about Service Items
Service Category Master Data
Default Service Categories
Additional Tasks for Managing Service Categories
Entering Product Specific Request Properties
Products with a Limited Request Period
Product Request on Customer or Product Relocation
Non-Requestable Products
Entering Terms of Use
Entering Tags
Editing Table Properties
Preparing Starling 2FA Token Requests
Using Multi-Factoring for Requests
Requesting a Security Code
Assignment Requests and Delegating
Standard Products for Assignment Requests and Delegation
Requesting Single Business Roles
Customizing Assignment Requests
Preparing for Delegation
Notifying Delegates
Canceling Assignments and Delegations
Removing a Customer from a Shop
Setting up Assignment Resources
Creating IT Shop Requests from Existing User Accounts, Assignments and Role Memberships
Creating Requests for Employees
Creating User Account Requests
Creating Requests for Workdesks
Creating Assignment Requests
Adding Groups Automatically to the IT Shop
Editing Approval Policies
Request Sequence
General Master Data for Approval Policies
Default Approval Policies
Additional Tasks for Approval Policies
Approval Workflows
Working with the Workflow Editor
Setting Up Approval Workflows
Additional Tasks for Approval Workflows
Deleting Approval Workflows
Default Approval Workflows
Determining Effective Approval Policies
Selecting Responsible Approvers
Default Approval Procedures
Request Risk Analysis
Testing Requests for Rule Compliance
Approving Requests from an Approver
Automatic Request Approval
Obtaining Other Information about Requests by an Approver
Appointing Other Approvers
Setting up an Approval Step
Approvers cannot be Established
Automatic Approval on Timeout
Abort Request on Timeout
Approval through Chief Approval Team
Approving Requests with Terms of Use
Using Default Approval Processes
Self-Service
Using IT Shop Structures to Find Approvers
Using the Request Recipient to find Approvers
Using a Specific Role to find Approvers
Using the Requested Product to Find Approvers
Using an Approval Role to Find Approvers
Using a Cost Center to Find Approvers
Using a Department to Find Approvers
Using a Requested Role to find Approvers
Deferred Request Approval
Calculated approval
Making External Approvals
Finding Requesters
Setting up Approval Procedures
Deleting Approval Procedures
Determining Approvers
Requests Overview
Multiple Requests for one Product
Requests with Limited Validity Period
Relocating a Customer or Product to another Shop
Requests for Employees
Request Change of Manager for an Employee
Canceling a Request
Notifications in the Request Process
Managing an IT Shop
Demands for Approval
Remind Approver
Scheduled Approval Demands
Limited Period Request Sequence
Request Granting or Denying Approval
Request Abort
Escalating a Request
Self-Service
Approval Rejection
Notifications with Questions
Request Approval through Additional Approvers
Unsubscribing an Approved Request
Product Change Notification
Default Mail Templates
Bulk Delegation Notifications
Approval by Mail
Requests with Limited Validity Period for Challenged Role Memberships
Requests from Permanently Disabled Employees
Deleting Requests
IT Shop Base Data
Default Solution for Requesting System Entitlements
Role Types
Processing status
Role Classes
Attestors
Product owners
Chief approval team
Business Partners
Functional areas
Standard Reasons
Setting up IT Shop Structures
General Master Data for a IT Shop Structure
User Defined Data for a IT Shop Structure
Additional Tasks for IT Shop Structures
Setting Up a Customer Node
General Master Data for a Customer Node
General Master Data for a Customer Node
Additional Tasks for Customer Nodes
Deleting IT Shop Structures
Templates for Automatically Filling the IT Shop
Implementing Shelf Templates in a IT Shop Solution
Editing Shelf Templates
Creating Custom Mail Templates for Notifications
General Master Data for a Shelf Template
User Defined Master Data for a Shelf Template
Additional Tasks for Shelf Templates
Assigning Shelf Templates to Shops and Shopping Center Templates
Deleting Shelf Templates
General Properties of a Mail Template
Creating and Editing an Email Definition
Custom Notification Processes
request templates
Adding an SharePoint Group
Adding an Active Directory Group
Modifying an Active Directory Group
Deleting an Active Directory Group
Requesting Groups Memberships
Error Handling
Appendix: Configuration Parameters for the IT Shop
Appendix: Request Statuses
Appendix: Example of Request Results
Bulk Delegation Failure
You have the option to delegate all your responsibilities to one person in the Web Portal. If you have a lot of responsibilities, it is possible that not all the delegations are carried out. A delegators can send a notification to themselves if an error occurs.
Probable reason
An error occurred processing delegations. The process VI_ITShop_Person Mass Delegate was aborted, although only a proportion of the delegations has been applied.
Solution
- Configure the notification procedure.
- Run all remaining delegations again in the Web Portal.
Appendix: Configuration Parameters for the IT Shop
Appendix: Configuration Parameters for the IT Shop
Appendix: Configuration Parameters for the IT Shop
Additional configuration parameters for the IT Shop are available in the One Identity Manager. Some general configuration parameters are also relevant for the IT Shop. The following table contains a summary of all applicable configuration parameters for IT Shop.
| Configuration parameter | Description |
|---|---|
| QER\ITShop | Preprocessor relevant configuration parameter to control the component parts for the IT Shop. If the parameter is set, the IT Shop components are available. Changes to the parameter require recompiling the database. |
| QER\ITShop\AutoDecision | This configuration parameter controls automatic approval of IT Shop request over several approval levels. |
| QER\ITShop\ChallengeRoleRemoval | General configuration parameter for dealing with role assignments that are modified by data import. Removal of role memberships can be challenged with the help of temporary requests. |
| QER\ITShop\ChallengeRoleRemoval\DaysOfValidity | This configuration parameter contains the validity period (in days) of temporary requests for challenged role memberships. |
| QER\ITShop\ChallengeRoleRemoval\Department | Temporary requests of department memberships are supported. |
| QER\ITShop\ChallengeRoleRemoval\Department\Primary | Temporary membership of the previous department is requested if changes are made to the primary membership in departments. |
| QER\ITShop\ChallengeRoleRemoval\ITShopOrg | This configuration contains product node, which is assigned to assignment resource to be requested. |
| QER\ITShop\ChallengeRoleRemoval\Locality | Temporary requests of location memberships are supported. |
| QER\ITShop\ChallengeRoleRemoval\ Locality\ Primary |
Temporary membership of the previous location is requested if changes are made to the primary membership in locations. |
| QER\ITShop\ChallengeRoleRemoval\Org | Temporary requests of business role memberships are supported. |
| QER\ITShop\ChallengeRoleRemoval\Org\Primary | Temporary membership of the previous business role is requested if changes are made to the primary membership in business roles. |
| QER\ITShop\ChallengeRoleRemoval\ProfitCenter | Temporary requests of cost center memberships are supported. |
| QER\ITShop\ChallengeRoleRemoval\ProfitCenter\Primary | Temporary membership of the previous cost center is requested if changes are made to the primary membership in cost centers. |
| QER\ITShop\DecisionOnInsert | This configuration parameter controls approval of a request the moment is it added. |
| QER\ITShop\DefaultSenderAddress | This configuration parameter contains the sender email address for automatically generated messages within the IT Shop. |
| QER\ITShop\Delegation | Preprocessor relevant configuration parameter for controlling model components for delegation and role membership. Changes to the parameter require recompiling the database. If the parameter is set, delegation components are available. |
| QER\ITShop\DeleteClosed | This configuration parameter specifies whether closed requests are deleted. |
| QER\ITShop\DeleteClosed\Aborted | This configuration parameter specifies the maximum retention time (in days) of aborted requests. |
| QER\ITShop\DeleteClosed\Dismissed | This configuration parameter specifies the maximum retention time (in days) of denied requests. |
| QER\ITShop\DeleteClosed\Unsubscribed | This configuration parameter specifies the maximum retention time (in days) of canceled requests. |
| QER\ITShop\GapBehavior | Defines behavior when checking the validity period of new requests. |
| QER\ITShop\GapBehavior\GapDefinition | This configuration parameter specifies which requests are checked. |
| QER\ITShop\GapBehavior\GapFitting | This configuration parameter specifies whether validity periods of two or more pending requests can overlap. |
|
QER\ITShop\GroupAutoPublish |
Preprocessor relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to the parameter require recompiling the database. |
| QER\ITShop\LimitOfNodeCheck | Maximum number of product nodes that can be generated by a DBQueue Processor run. Once this number has been exceeded, a task for generating the rest of the nodes is queued in the DBQueue. |
| QER\ITShop\MailApproval\Inbox | Microsoft Exchange mailbox used for "Approval by mail" processes. |
| QER\ITShop\MailApproval\Account | Name of user account for authentication of "Approval by mail" mailbox. |
| QER\ITShop\MailApproval\DeleteMode | Specifies the way emails are deleted from the inbox. |
| QER\ITShop\MailApproval\Domain | Domain of user account for authentication of "Approval by mail" mailbox. |
| QER\ITShop\MailApproval\ExchangeURI | Specifies the Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given. |
| QER\ITShop\MailApproval\Password | Password of user account for authentication of "Approval by mail" mailbox. |
| QER\ITShop\MailTemplateIdents\AnswerToApprover | This mail template is used to send a notification with an answer to a question from an approver. |
| QER\ITShop\MailTemplateIdents\InformAddingPerson | This mail template is used to notify approvers that an approval decision has been made for the step they added. |
| QER\ITShop\MailTemplateIdents\InformDelegatingPerson | This mail template is used to notify approvers that an approval decision has been made for the step they delegated. |
| QER\ITShop\MailTemplateIdents\InformRecipientAboutUnsubscribe | Mail template, which is used to notify a request recipient that a request was unsubscribed by another person. |
| QER\ITShop\MailTemplateIdents\ITShopApproval | Mail template used for requests made through "Approval by mail". |
| QER\ITShop\MailTemplateIdents\QueryFromApprover | This mail template is used to send a notification with a question from an approver to an employee. |
| QER\ITShop\MailTemplateIdents\RequestApproverByCollection |
This mail template is used for generating an email when there are pending requests for an approver. If this configuration parameter is not set, a "Mail template demand" or "Mail template reminder" for single approval steps can be entered to send an email for each request. If this configuration parameter is set, single mails are not sent. |
| QER\ITShop\PersonInsertedNoDecide | The configuration parameter specifies whether the employee that trigger the request may approve it. |
| QER\ITShop\PersonOrderedNoDecide | This configuration parameter specifies whether the employee that the request was triggered for, may approve it. |
| QER\ITShop\PersonInsertedNoDecideCompliance | This configuration parameter specifies whether the employee that initiated the request can also approve it in cases of compliance violation. |
| QER\ITShop\PersonOrderedNoDecideCompliance | This configuration parameter specifies whether the employee for whom a request has been initiated, can also approve it in cases of compliance violation. |
| QER\ITShop\ReducedApproverCalculation | This configuration parameter specifies, which approval steps are recalculated if the IT Shop approver must be recalculated. |
| QER\ITShop\ReuseDecision | This configuration parameter specifies whether the approval decision of an approver should be applied to all approval steps in the procedure which are made by him or her. |
| QER\ITShop\ShoppingCartPattern | This configuration parameter specifies whether request templates can be used in IT Shop. |
| QER\ITShop\ShoppingCartPattern\AutoQualified | This configuration parameter specifies whether public request templates are automatically labeled as "shared" or whether they have to be manually shared by a manager. |
| QER\ITShop\ShowClosedAssignmentOrders |
This configuration parameter specifies whether the Manager of an organization or business role can view completed assignment requests for their organization or business role. If this parameter is not set, the manager can only view open assignment requests for their organization or business role. |
| QER\ITShop\Templates | Preprocessor relevant configuration parameter for controlling the database model components for the Shelf Filling Wizard. Changes to the parameter require recompiling the database. Shelf templates can be used. Changes to the parameter require recompiling the database. |
| QER\ITShop\Templates\DeleteRecursive | This configuration parameter specifies whether the recursive deletion is allowed from shelf templates. The configuration parameters is disabled by default. |
| Common\MailNotification\Signature | Data for the signature in email automatically generated from mail templates. |
| Common\MailNotification\Signature\Caption | Signature under the salutation. |
| Common\MailNotification\Signature\Company | Company name. |
| Common\MailNotification\Signature\Link | Link to company website. |
| QER\ComplianceCheck\DisableSelfExceptionGranting | Excludes rule violators from becoming exception approvers. If this parameter is set, no one can approve their own rule violations. |
| QER\ComplianceCheck\EnableITSettingsForRule | IT Shop properties for the compliance rule are visible and can be edited. |
| QER\Person\Defender | This configuration parameter specifies whether Starling Two-Factor Authentication is supported. |
|
QER\Person\Defender\ApiEndpoint |
This configuration parameter contains the URL of the Starling 2FA API end point used to register new users. |
| QER\Person\Defender\ApiKey | This configuration parameter contains your company's subscription key for accessing the Starling Two-Factor Authentication interface. |
|
QER\Person\Defender\DisableForceParameter |
This configuration parameter specifies whether Starling 2FA is forced to send the OTP by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameter is set, Starling 2FA can disallow the request and the user must request the OPT through Starling 2FA. |
| QER\WebPortal | General configuration parameter for Web Portal settings. |
| QER\WebPortal\BaseURL | Web Portal URL This address is used in mail templates to add hyperlinks to the Web Portal. |
| QER\WebPortal\DisplayName | This configuration parameter contains the Web Portal display name. This name is used in mail templates. |
| QER\WebPortal\PersonChangeWorkdesk | This configuration parameter specifies whether Web Portal users can change their default workdesk. If the configuration parameter is set, users can relocate their workdesk through the Web Portal. |
| QER\WebPortal\ShowProductImages | This configuration parameter specifies whether picture of products are displayed in the Web Portal. |
Appendix: Request Statuses
Appendix: Request Statuses
Appendix: Request Statuses
The following table gives an overview of all statuses a request can have.
| Status | Description |
|---|---|
| New | A product was requested. The request was added in the database. |
| Request | The request is currently in the approval process. An approval decision has not yet been reached. |
| Approved | The approval process is complete. The request is grated approval. |
| Pending | The request is grated approval. A valid from date was given in the request. This date has not been reached yet. |
| Assigned | The request was granted approval and assigned. |
| Renewal | The request with limited validity was assigned. A renewal has been applied for and is in the approval process. An approval decision has not yet been reached. |
| Canceled | This product was canceled. The cancellation is currently in the approval process. An approval decision has not yet been reached. |
| Unsubscribed | The approval process is complete. The cancellation was granted approval. |
| Denied | The approval process is complete. The request was denied approval. |
| Aborted | The request was aborted by a user or for technical reasons. |
| Pending requests: | Requests with the status new, request, approved, pending, assigned, renewal, canceled. |
| Approved requests: | Requests with the status approved, pending, assigned, renewal, canceled. |
| Assigned requests: | Requests with the status assigned, renewal, canceled. |
| Closed requests: | Requested with the status unsubscribed, denied, aborted. |
Appendix: Example of Request Results
Appendix: Example of Request Results
Request results differ depending on whether a simple or multiple request resource, or an assignment is requested. The following graphics clarify the differences:
Figure 14: Request for a single request resource
Figure 15: Request for a multi request resource
Figure 16: Request for a requestable/unsubscribable resource
Figure 17: Request for a department membership
Figure 18: Request for assignment of an Active Directory group to a department
