Identity Manager 9.2 - IT Shop Administration Guide

Standard products for assignment requests

You require special resources, so-called assignment resources, for assignment requests. Assignment resources are linked to service items and can thus be made available as products in the IT Shop.

One Identity Manager provides standard products for assignment requests. These are used to:

  • Request membership in business roles or organizations for which the logged-in One Identity Manager user is responsible.

  • Request system entitlement assignments or other company resources to system roles, business roles, or organizations for which the logged-in One Identity Manager user is responsible.

Table 18: Standard products for assignment requests

| Assignment resource | Service item | Shop | Shelf | Request |
|---|---|---|---|---|
| Members in roles | Members in roles | Identity & Access Lifecycle | Identity Lifecycle | Memberships in business roles, application roles, and organizations |
| Role entitlement assignments | Role entitlement assignments | Identity & Access Lifecycle | Identity Lifecycle | Assignment of company resources to business roles and organizations |
| System role assignments | System role assignments | Identity & Access Lifecycle | Identity Lifecycle | Assignment of company resources to system roles |

In the default installation, all active One Identity Manager database identities are customers of the Identity & Access Lifecycle shop. This allows all active identities to request memberships and assignments. The assignment requests are automatically approved by self-service.

You can add standard products for assignment requests to your own IT Shop.

Assignments can only be requested from and for customers of this shop. This means that the manager of the hierarchical roles, as well as the identities that are also members of these roles, must be customers in the shop.

TIP: Assignment requests can also be made for custom assignment tables (many-to-many tables), if they have an XOrigin column. The properties for this column must correspond to the column definition for XOrigin columns in the One Identity Manager data model.

Example for an assignment request

Jo User1 is the project X project leader. A business role (Project X) is added in the Manager to ensure that all the project staff obtain the necessary entitlements. Jo User1 is assigned as manager of this business role. All project staff have a user account in the Active Directory domain P.

Jo User1 can request memberships in the Project X business role in the Web Portal because they are a manager. Jo User1 requests memberships for themselves and all project staff.

Furthermore, Jo User1 wants all project staff to obtain their entitlements in Active Directory through the Project X AD permissions Active Directory group. To do this, they request Project X AD permissions in the Web Portal for the Project X business role.

The user accounts of all project staff become members in the Project X AD permissions Active Directory group through internal inheritance processes.

For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Requesting memberships in business roles

NOTE: This function is only available if the Business Roles Module is installed.

You have the option to limit assignment requests to single business roles. To do this, an assignment resource is created for a fixed requestable business role. The business role then automatically becomes part of the assignment resource request. If the request is approved, the requester becomes a member of the business role.

Each requestable business role of this kind can have its own approval process defined. The service items connected with the assignment resources are assigned separate approval policies in order to do this.

To limit assignment requests to single business roles

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the business role in the result list.

  3. Select the Create assignment resource task.

    This starts a wizard that takes you through the steps for adding an assignment resource.

    1. Enter a description and allocate a resource type.

      This creates a new assignment resource with the following custom properties:

      • Table: Org

      • Object: Full name of business role

    2. Enter the service item properties to allocate to the assignment resource.

      • Assign a service category so that the assignment resource in the Web Portal can be ordered using the service category.

      A new service item is created and linked to the assignment resource.

  4. Assign the assignment resource to an IT Shop shelf as a product.

  5. Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item main data can be processed later on if required.

The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the identity for whom it was requested becomes a member of the associated business role through internal inheritance processes. For more information about requesting assignment resources, see the One Identity Manager Web Designer Web Portal User Guide.

The assignment resource cannot be used to request the assignment of company resources to this business role. Instead, use the Role entitlement assignment default assignment resource.

Requesting memberships in application roles

You have the option to limit assignment requests to single application roles. To do this, an assignment resource is created for a fixed requestable application role. The application role then automatically becomes part of the assignment resource request. If the request is approved, the requester becomes a member of the application role.

Each requestable application role of this kind can have its own approval process defined. The service items connected with the assignment resources are assigned separate approval policies in order to do this.

To limit assignment requests to single application roles

  1. In the Manager, select an application role in the One Identity Manager Administration category.

  2. Select the Create assignment resource task.

    This starts a wizard that takes you through the steps for adding an assignment resource.

    1. Enter a description and allocate a resource type.

      This creates a new assignment resource with the following custom properties:

      • Table: AERole

      • Object: Full name of application role

    2. Enter the service item properties to allocate to the assignment resource.

      • Assign a service category so that the assignment resource in the Web Portal can be ordered using the service category.

      A new service item is created and linked to the assignment resource.

  3. Assign the assignment resource to an IT Shop shelf as a product.

  4. Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item main data can be processed later on if required.

The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the identity for whom it was requested becomes a member of the associated application role through internal inheritance processes. For more information about requesting assignment resources, see the One Identity Manager Web Designer Web Portal User Guide.

Customizing assignment requests

Assignment requests with standard products are automatically approved through self-service. If assignment requests are going to be approved by an approval supervisor, assign a suitable approval policy to the default assignment resource. This means that assignment requests also go through the defined approval process.

To approve assignment requests through an approver

  • Assign separate approval policies to the default assignment resources' service items.

    - OR -

  • Assign any approval policy to the Identity Lifecycle shelf.

Sometimes assignment requests should be subject to various approval processes depending on the object requested. For example, a department manager should approve department assignment, but department membership should be approved by the identity’s manager. You can define assignment resources to do this. You can assign these assignment resources to any shelf in your IT Shop.

NOTE: To use these assignment resources, you must make more modifications to the Web Designer configuration.

To configure custom assignment requests

  1. Create a new assignment resource.

    1. In the Manager, select the Entitlements > Assignment resources for IT Shop category.

    2. Click in the result list.

    3. Select the Change main data task.

    4. Enter the assignment resource name.

    5. Assign a new service item.

    6. Save the changes.

  2. Assign the assignment resource to an IT Shop shelf as a product.

    1. Select the Add to IT Shop task.

    2. In the Add assignments pane, assign a shelf.

    3. Save the changes.

  3. Assign an approval policy to the shelf or the assignment resource’s service item.

  4. In the Web Designer, configure usage of the assignment resource.

    For more information, see the One Identity Manager Web Designer Reference Guide.
