Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 8.1.5 - IT Shop Administration Guide

Table of Contents

Setting up an IT Shop solution

One Identity Manager users in the IT Shop Implementing the IT Shop Requestable products

Multi-request resources

Preparing products for requesting

Entering service items

General master data for a service item Pricing information Extended master data for a service item Default service items Additional tasks for managing service items

The service item overview Editing product dependencies for requests Defining hierarchy for service items Assigning hierarchical roles

Assigning organizations Assigning business roles

Assigning functional areas Assigning extended properties Displaying websites Changing products Adding and assigning tags Assigning object-dependent references

Specifying product dependencies Reports about service items

Overview of all assignments

Entering service categories

Service category master data Default service categories Additional tasks for managing service categories

The service category overview Assigning service items Assigning object-dependent references

Entering product-specific properties

Request property master data Additional tasks for managing request properties

The request properties overview Copy request properties

Products for requests with time restrictions Product request on customer or product relocation Non-requestable products Entering terms of use

Additional tasks for terms of use

The terms of use overview Assigning service items

Additional tasks for tags

The tags overview Assigning service items

Assigning and removing products

Assigning products to shelves Removing products from shelves Moving products to another shelf Replacing products

Preparing the IT Shop for multi-factor authentication

Using multi-factor authentication for requests

Assignment requests and delegating

Standard products for assignment requests and delegation Requesting memberships in business roles Requesting memberships in application roles Customizing assignment requests Preparing for delegation Canceling assignments and delegations Removing customers from a shop Setting up assignment resources

General master data for an assignment resource Default assignment resources Additional tasks for managing assignment resources

The assignment resource overview Adding assignment resources to the IT Shop Removing assignment resources from the IT Shop

Creating IT Shop requests from existing user accounts, assignments, and role memberships

Creating requests for employees Creating user account requests Creating workdesk requests Creating assignment requests

Adding Active Directory and SharePoint groups to the IT Shop automatically

Deleting unused application roles for product owners

Adding Privileged Account Management user groups to the IT Shop automatically

Approval processes for IT Shop requests

Approval policies for requests

General master data for approval policies Default approval policies Additional tasks for approval policies

The approval policy overview Adding to the IT Shop Validity checking Editing approval workflows

Approval workflows for requests

Working with the workflow editor Setting up approval workflows

Editing approval levels Editing approval steps Properties of an approval step Connecting approval levels

Additional tasks for approval workflows

The approval workflow overview Copying approval workflows

Deleting approval workflows Default approval workflows

Determining the effective approval policies Selecting responsible approvers

Default approval procedures

Self-service Using IT Shop structures to find approvers Using request recipients to find approvers Using specific roles to find approvers Using requested products to find approvers Using approval roles to find approvers Using cost centers to find approvers Using departments to find approvers Using requested roles to find approvers Waiting for further approval Calculated approval Approvals to be made externally Finding requesters

Setting up approval procedures

General master data for an approval procedure Queries for approver selection

Copying an approval procedure Deleting approval procedures Determining the responsible approvers

Request risk analysis Testing requests for rule compliance

Compliance checking requests Identifying rule violations Finding exception approvers Restricting exception approvers

Setting up exception approver restrictions

Explicit exception approval Rule checking for requests with self-service

Approving requests from an approver

Setting up approver restrictions

Automatically approving requests

Configuring automatic approval

Approval by peer group analysis

Configuring peer group analysis

Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Cancel request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes

Request sequence

The request overview

Displaying request details Displaying the approval sequence Displaying the approval history

Requesting products more than once Requests with limited validity period

Checking request validity periods

Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Notifications in the request process

Demanding an approval decision Reminding approvers Scheduled demand for approval Sequence for limited requests Approving or denying request approval Notifying delegates Canceling requests Escalating requests Delegating approvals Rejecting approvals Notifications with questions Using additional approvers to approve requests Unsubscribing approved requests Renewing approved requests Product change notifications Default mail templates Bulk delegation notifications

Approval by mail

Editing approval emails

Approval by Starling 2FA app Requests with limited validity period for changed role memberships Requests from permanently inactive employees Deleting requests

Managing an IT Shop

IT Shop base data

Processing status Standard reason for requests

Predefined standard reasons for requests

Role classes for the IT Shop Role types for the IT Shop Business partners Functional areas Chief approval team Product owners Attestors

Setting up IT Shop structures

Adding IT Shop structures General master data for IT Shop structures Custom master data for IT Shop structures Additional tasks for IT Shop structures

The IT Shop structure overview Assigning approval policies Assigning requestable products to shelves

Setting up a customer node

Adding customer nodes General master data for customer nodes Custom master data for customer nodes Additional tasks for customer nodes

The entitled customers overview Assigning employees directly Assigning employees through dynamic roles

Deleting IT Shop structures

Deleting customer nodes Deleting shelves Deleting shops Deleting shopping centers

Templates for automatically filling the IT Shop

Using shelf templates in an IT Shop solution Editing shelf templates General master data for a shelf template Custom master data for shelf templates Additional tasks for shelf templates

Assigning approval policies Assigning requestable products to shelf templates Shelf-filling wizard

Assigning shelf templates to shops and shopping center templates Deleting shelf templates

Custom mail templates for notifications

Creating and modifying IT Shop mail templates General properties of mail templates Creating and editing mail definitions

Using base object properties Use of hyperlinks to the Web Portal Default functions for creating hyperlinks Customize email signatures

Copying IT Shop mail templates Displaying IT Shop mail template previews Deleting IT Shop mail templates Custom notification processes

Request templates

Creating and modifying request templates General master data for a request template Cart items Deleting request templates

Resolving errors in the IT Shop

Timeout on saving requests Bulk delegation errors Process monitoring for requests

Configuration parameters for the IT Shop Request statuses Examples of request results

Editing approval levels

An approval level provides a method of grouping individual approval steps. All the approval steps in one approval level are executed in parallel. All the approval steps for different approval levels are executed one after the other. You use the connectors to specify the order of execution.

Specify the individual approval steps in the approval levels. At least one approval step is required per level. Enter the approval steps first before you add an approval level.

To add an approval level

Select the Toolbox | Approval levels | Add item.

This opens the properties dialog for the first approval step.
Enter the approval step properties.
Save the changes.

You can edit the properties of an approval level as soon as you have added an approval level with at least one approval step.

To edit approval level properties

Select the approval level.
Select the Toolbox | Approval levels | Edit item.
Enter a display name for the approval level.
Save the changes.

NOTE: You can define more than one approval step for each approval level. In this case, the approvers of an approval level can make a decision about a request in parallel rather than sequentially. The request cannot be presented to the approvers at the next approval level until all approval steps of an approval level have been completed within the approval procedure.

To add more approval steps to an approval level

Select the approval level.
Select the Toolbox | Approval levels | Add item.
Enter the approval step properties.
Save the changes.

Detailed information about this topic

Editing approval steps

To edit approval level properties

Select the approval step.
Select the Toolbox | Approval steps | Edit item.
Edit the approval step properties.
Save the changes.

Detailed information about this topic

Properties of an approval step

Properties of an approval step

On the General tab, enter the data described below. On the Mail templates tab, select the mail templates for generating mail notifications. If you add a new approval step, you must fill out the required fields.

Table 27: General properties of an approval step
Property	Meaning
Single step	Approval step name.
Approval procedure	Procedure to use for determining the approvers.
Processing status	Processing status of the success or failure case of the approval step. The processing status for the request is set according to the decision and whether it has been made positively or negatively. Define the processing status in the basic configuration data.
Role	Hierarchical role from which the approvers are to be determined using the default approval procedures OM and OR.
Fallback approver	Application role whose members are authorized to approve requests if an approver cannot be determined through the approval procedure. Assign an application from the menu. To create a new application role, click . Enter the application role name and assign a parent application role. For detailed information, see the One Identity Manager Authorization and Authentication Guide. NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment as soon as one fallback approver has approved the request.
Relevance for compliance	Specifies whether the approver is notified when a request leads to a rule violation. The following values are permitted: Not relevant: Information about rule violations is not relevant for approvers in this approval step. No additional information is displayed for the approver in the approval process. Information: Approvers in this approval step receive information during the approval process if the request causes a compliance rule violation. The approvers decided whether to grant or deny the request. Necessary measures: Approvers in this approval step receive information during the approval process if the request causes a compliance rule violation. The request is automatically denied.
Condition	Condition for calculating approval with approval procedures CD, EX, or WC. Comparison value for the risk index in the approval procedure RI. Enter a number in the range 0.1 to 1.0. 1.0. You can use , or . as a decimal point.
Number of approvers	Number of approval required to approve a request. Use this number to further restrict the maximum number of approvers of the implemented approval procedure. If there are several people allocated as approvers, then this number specifies how many people from this group have to approve a request. A request can only be passed on to the next level if this has been done. If not enough approvers can be found, the approval step is presented to the fallback approvers. The approval step is considered approved as soon as one fallback approver has approved the request. If you want approval decisions to be made by all the employees found using the applicable approval procedure, for example all members of a role (default approval procedure OR), enter the value -1. This overrides the maximum number of approvers defined in the approval procedure. The number of approvers defined in an approval step is not taken into account in the approval procedures CD, EX,or WC.
Description	Text field for additional explanation.
Approval reason	Reason entered in the request if approval is automatically granted. This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC.
Reject reason	Reason entered in the request and the approval history, if approval is automatically denied. This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC.
Reminder interval (hours)	Number of working hours to elapse after which the approver is notified by mail that there are still pending requests for approval. NOTE: Ensure that a state, county, or both is entered into the employee's master data for determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more detailed information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide. If more than one approver was found, each approver will be notified. The same applies if an additional approver has been assigned. If an approver delegated the approval, the time point for reminding the delegation recipient is recalculated. The delegation recipient and all the other approvers are notified. The original approver is not notified. If an approver has made an inquiry, the time point for reminding the queried employee is recalculated. As long as the inquiry has not been answered, only this employee is notified.
TimeOut (working hours)	Number of working hours to elapse after which the approval step is automatically granted or denied approval. The working hours of the respective approver are taken into account when the time is calculated. NOTE: Ensure that a state, county, or both is entered into the employee's master data for determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more detailed information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide. If more than one approver was found, the an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned. If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver. If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.
Timeout behavior	Action that is executed if the timeout expires. Approved: The request is approved in this approval step. The next approval level is called. Deny: The request is denied in this approval step. The approval level for denying is called. Escalation: The request process is escalated. The escalation approval level is called. Abort: The approval step, and therefore the entire approval process for the request, is aborted.
Additional approver possible	Specifies whether a current approver is allowed to instruct another employee as an approver. This additional approver has parallel authorization to make approvals for the current request. The request is not passed on to the next approval level until both approvers have made a decision. This option can only be set for approval levels with a single, manual approval step.
Approval can be delegated	Specifies whether a current approver can delegate the approval of the request to another employee. This employee is added to the current approval step as the approver. This employee then makes the approval decision instead of the approver who made the delegation. This option can only be set for approval levels with a single, manual approval step.
Approval by affected employee	Specifies whether the employee who is affected by the approval decision can also approve this request. If this option is set, requester, and request recipients can approve the request. If this option is not set, use the QER \| ITShop \| PersonInsertedNoDecide, QER \| ITShop \| PersonOrderedNoDecide, QER \| ITShop \| PersonInsertedNoDecideCompliance, and QER \| ITShop \| PersonOrderedNoDecideCompliance configuration parameters to specify for all requests whether requester and request recipient can approve the request.
Do not show in approval history	Specifies whether or not the approval step should be displayed in the approval history. For example, this behavior can be applied to approval steps with the CD - calculated approval procedure, which are used only for branching in the approval workflow. It makes it easier to follow the approval history.
No automatic approval	Specifies whether the approval step is decided manually. The request is presented again to an approver even if they are the requester themselves or the request has been approved in a previous approval step. The setting of the DecisionOnInsert, ReuseDecision and AutoDecision configuration parameters is ignored in this approval step.

Detailed information about this topic

Related topics

Connecting approval levels

When you set up an approval workflow with several approval levels, you have to connect each level with another. You may create the following links.

Table 28: Links to approval levels
Link	Description
Approve	Link to next approval level if the current approval level was granted approval.
Deny	Link to next approval level if the current approval level was not granted approval.
Reroute	Link to another approval level to bypass the current approval. Approvers can let other approval levels make the approval decision, for example, if approval is required by a manager in an individual case. To do this, create a connection to the approval level to which the approval can be rerouted. This way, approvals can also be rerouted to a previous approval level, for example, if an approval decision is considered not to be well-founded. It is not possible to reroute approval steps with the approval procedures OC, OH, EX, CR, CD, SB, or WC.
Escalation	Link to another approval level when the current approval level is escalated after timing out.

If there are no further approval levels after the current approval level, the request is considered approved if the approval decision was to grant approval. If approval is not granted, the request is considered to be finally denied. The approval method is closed in both cases.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center