A request raised on ServiceNow is routed to the manager for approval or follows self-service approval depending on how the configuration parameters are configured. If manager approval is configured, each requested item will be available for separate approval/rejection, provided that SOD check is not enabled. If SOD check is enabled, all requested items need to be approved/rejected in a single operation.
If manager approval is enabled, the request is routed to user’s ServiceNow/One Identity Manager’s manager for approval depending on the configuration parameter. Configure the following configuration parameters described below
||SNOW / ONEIM|
||“Fallback approver name” |
If manager_approval_authoritative_source has been configured to SNOW, the request will be routed to user’s ServiceNow manager and if one does not exist, it is routed to the configured fallback approver.
If manager_approval_authoritative_source has been configured to ONE IDENTITY MANAGER, the request will be routed to user’s One Identity Manager’s manager and if one does not exist, it is routed to the configured fallback approver.
NOTE: If the authoritative source is ServiceNow then system admin should make sure that the appropriate manager has approver role.
Self-Service approval in ServiceNow
To enable self-service approval in ServiceNow, configure the following configuration parameters with the value specified
Now the user requests will be automatically approved.
SOD rules configured in One Identity Manager can be checked and validated against at ServiceNow end by enabling the configuration parameter perform_sod_check (set the configuration parameter to true). SOD use cases are summarized below:
No SOD conflict for any of the requested item: The request is routed to the configured manager/fallback approver/self-service approval is performed.
SOD Conflict for some of the requested items and exception approver has been configured in the One Identity Manager SOD Rule: The request is routed to the compliance officer configured in ServiceNow (Configuration parameter: compliance_officer). If the compliance officer approves the request, the request is then routed to the configured manager/fallback approver/self-service approval is performed. If compliance officer rejects, the request is rejected
SOD Conflict for some of the requested items and exception approver has not been configured in the One Identity Manager SOD Rule: The request is automatically canceled.
Once the IT Shop Item is approved in the One Identity ServiceNow application, the request is then processed by the defined approval process in One Identity manager. Optionally ITShop approval policy could be configured in such a way that self-service approval takes place when the request has been raised and approved in ServiceNow while request raised from One Identity Manager goes over the regular approval process. This way approvals do not need to take place multiple times for request raised from ServiceNow.
For more information on IT Shop Request approval process please refer to the Identity Manager 8.1 - IT Shop Administration Guide.