
Identity Manager 8.1.4 - Web Application Configuration Guide


Approval decisions about URL links

Table 9: Configuration parameter for approval decisions about URL links

Configuration parameter: VI_ITShop_Approvals_InteractiveApproval

Description: Requires consultation with the user before approval. This key is a SQL filter condition on the "AccProduct" table.

Meaning:
  • Product fulfills filter condition: Approval is not done directly. Displays form for confirming the approval decision.
  • Product does not fulfill filter condition: Approval decision is made when the page is called. Approvers receive a message that the approval decision has been entered into the system.

An approval decision about a request can be made by opening a URL that is sent in an email, for example.

Cases that use this type of messaging for request approvals are special service items, which are required for informing the user about the approval decision. Approvals through these service items are not permitted without prior consultation.

To prevent an approval by URL link

  1. Open the Web Designer.
  2. Open a module and search for "VI_ITShop_Approvals_InteractiveApproval".
  3. Select the configuration parameter "VI_ITShop_Approvals_InteractiveApproval".
  4. In the Node editor, set the value to true.

Displaying user-specific processes in the Web Portal

A user-specific process is a process that is specifically configured for tracing by the user. It enables status tracking and confirmation of a processing result to the Web Portal.

A user who is logged on to the Web Portal can see all processes that they have initiated. The value in the XUserInserted column corresponds to the user who is currently logged on. A process can only be identified as a user-specific process if it is generated from within a session of the currently logged-on user.

The user-specific processes are displayed in the Web Portal in the My Processes view. For more detailed information, see the One Identity Manager Web Portal User Guide.

This section only covers the configuration for displaying the process information in the Web Portal. For more detailed information about process monitoring, recording process information, and the configuration of processes and process steps, see the One Identity Manager Configuration Guide.

Configuration recommendations for the recording of user-specific processes
  • In the Designer, check the Common | ProcessState configuration parameter. The configuration parameter must be set.
  • In the Designer, check the Common | ProcessState | JobHistory configuration parameter. The configuration parameter must be set. As a value for the configuration parameter, select ERRORorSELECTED or SELECTED.

    NOTE: The value ALL also takes into account the notifications from the process history. However, this setting can lead to an extremely large data volume.

  • In the Designer, check the Common | ProcessState | ProgressView configuration parameter. The configuration parameter must be set and should have the value 2.
  • In the Designer, check the Common | ProcessState | ProgressView | LifeTime and Common | ProcessState | JobHistory | LifeTime configuration parameters. These configuration parameters define the retention time of the process information and notifications in the process history. The configuration parameters must be set. Adjust the retention times if necessary. By default, the information is stored for 30 days before it is removed from the One Identity Manager database.
  • In the Designer, configure the processes and process steps for recording process information.
    • In the Process information property for a process, select the value Web Portal tracking.
    • In the Process information property for the process steps, select the value Web Portal tracking. Enable the Process history option.
    • Use user-friendly informative display values for the processes and process steps. To do this, enter the formatting rules for the process information of processes and process steps.

Configuring self-registration of new users

Users who are not yet registered have the option to register themselves to use the Web Portal. Users who self-register receive a verification email with a link to a verification page. On this page, users can complete registration themselves and then set their initial login password.

NOTE: To use this functionality, new users must supply an email address, otherwise the verification email cannot be sent.

NOTE: For detailed information about self-registration of new users in the Web Portal and associated attestation process, see the One Identity Manager Attestation Administration Guide.

To configure self-registration

  1. Start the Designer.

  2. Configure the following configuration parameters:

    NOTE: To find out how to edit configuration parameters in the Designer, see the One Identity Manager Configuration Guide.

    • QER | WebPortal | PasswordResetURL: Specify the Password Reset Portal's web address. This URL is used, for example, in the email notification to new users.

    • QER | Attestation | MailTemplateIdents | NewExternalUserVerification:

      By default, the verification message and link are sent with the Attestation - new external user verification link mail template.

      To use another template for this notification, change the value in the configuration parameter.

      TIP: In the Designer, you can configure the current mail template in the Mail templates | Person category. For more information about mail templates, see the One Identity Manager Operational Guide.

    • QER | Attestation | ApproveNewExternalUsers: Specify whether self-registered users must be attested before they are activated. A manager then decides whether to approve the new user's registration.

    • QER | Attestation | NewExternalUserTimeoutInHours: For new self-registered users, specify the duration of the verification link in hours.

    • QER | Attestation | NewExternalUserFinalTimeoutInHours: Specify the duration in hours, within which self-registration must be successfully completed.

  3. Assign at least one employee to the Identity & Access Governance | Attestation | Attestor for external users application role.

Configuring the four eyes principle for issuing a passcode

You can control whether passcodes generated by the help desk are divided into two parts. One half of the passcode is issued to the help desk staff and the other half is sent to the employee's manager. The employee must ask the manager for the second half of the passcode. This procedure increases the security for issuing passcodes.
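The splitting described above, sketched as an added example (not One Identity Manager's own code); the alphabet, the 12-character length and the function names are assumptions. It shows that neither half is accepted on its own and how much guessing remains for someone who holds only one half.

```python
import hmac
import math
import secrets
import string

# Assumptions for this sketch, not One Identity Manager values.
ALPHABET = string.ascii_uppercase + string.digits
PASSCODE_LENGTH = 12


def generate_passcode(length=PASSCODE_LENGTH):
    """Create a passcode from a CSPRNG; an even length gives equal halves."""
    if length < 2 or length % 2:
        raise ValueError("length must be an even number of at least 2")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def split_passcode(passcode):
    """Return (help_desk_half, manager_half)."""
    middle = len(passcode) // 2
    return passcode[:middle], passcode[middle:]


def verify_passcode(expected, first_half, second_half):
    """Accept only when both halves together match, compared in constant time."""
    candidate = (first_half + second_half).encode()
    return hmac.compare_digest(candidate, expected.encode())


def remaining_entropy_bits(known_chars, length=PASSCODE_LENGTH):
    """Bits still to be guessed by someone who holds known_chars characters."""
    return (length - known_chars) * math.log2(len(ALPHABET))


if __name__ == "__main__":
    code = generate_passcode()
    help_desk_half, manager_half = split_passcode(code)
    print("help desk receives:", help_desk_half)
    print("manager receives:  ", manager_half)
    print("both halves accepted:", verify_passcode(code, help_desk_half, manager_half))
    print("one half accepted:   ", verify_passcode(code, help_desk_half, ""))
    print("bits left with one half:", round(remaining_entropy_bits(6), 1))
```

With these assumed values, a holder of one half still faces about 31 bits of guessing, so attempt limits on passcode entry matter as much as the split itself.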

To configure the four eyes principle for issuing passcodes

  1. Start the Designer.

  2. Set the QER | Person | PasswordResetAuthenticator | PasscodeSplit configuration parameter.

    NOTE: To find out how to edit configuration parameters in the Designer, see the One Identity Manager Configuration Guide.

  3. Set the QER | WebPortal | MailTemplateIdents | InformManagerAboutSecondHalfOfPasscode configuration parameter.

    By default, the second half of the passcode is sent with the Employee - manager half of passcode for password reset mail template.

    To use another template for this notification, change the value in the configuration parameter.

    TIP: In the Designer, you can configure the current mail template in the Mail templates | Person category. For more information about mail templates, see the One Identity Manager Operational Guide.
