Chat now with support
Chat with Support

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Queries for approver selection

The condition through which the approvers are determined is formulated as a database query. Several queries may be combined into one condition. This adds all identities determined by single queries to the group of approvers.

To edit the condition

  1. In the Manager, select the IT Shop > Basic configuration data > Approval procedures category.

  2. Select an approval procedure from the result list.

  3. Select Change queries for approver selection.

To create single queries

  1. Click Add.

    This inserts a new row in the table.

  2. Mark this row. Enter the query properties.
  3. Add more queries if required.
  4. Save the changes.

To edit a single query

  1. Select the query you want to edit in the table. Edit the query's properties.
  2. Save the changes.

To remove single queries

  1. Select the query you want to remove in the table.
  2. Click Delete.
  3. Save the changes.
Table 42: Query properties

Property

Description

Approver selection

Query identifier that determines the approvers.

Query

Database query for determining the approvers.

The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. Every query must return a value for UID_PWORulerOrigin. The query returns one or more identities to whom the request is presented for approval. If the query fails to a result, the request is canceled.

A query contains exactly one select statement. To combine several select statements, create several queries.

If a DBQueue Processor task is assigned, you cannot enter a query to determine approvers.

Query for recalculating

Database query for finding request procedures that require recalculation of their approvers.

You can, for example, determine predefined approvers with the query (example 1). The approver can also be found dynamically depending on the request to approve. To do this, access the request to be approved within the database query using the @UID_PersonWantsOrg variable (example 2).

Example 1

Requests should be approved by a specific approver.

Query:

select UID_Person, null as UID_PWORulerOrigin from Person where InternalName='User, JB'

Example 2

Approval for requests should be granted or denied through the requester’s parent department. The approver is the cost center manager that is assigned to the requester‘s primary department. The requester is the identity that triggers a request (UID_PersonInserted when requesting for an employee, for example).

Query:
select pc.UID_PersonHead as UID_Person, null as UID_PWORulerOrigin from PersonWantsOrg pwo
   join Person p on pwo.UID_PersonInserted = p.UID_Person
   join Department d on p.UID_Department = d.UID_Department
   join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter
   where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg
Taking delegation into account

To include delegation when determining approvers, use the query to also determine the identities to whom a responsibility has been delegated. If the managers of hierarchical roles are to make the approval decision, determine the approvers from the HelperHeadOrg table. This table groups all hierarchical role managers, their deputy managers, and identities to whom a responsibility has been delegated. If the members of business or application roles are to make the approval decision, determine the approvers from the PersonInBaseTree table. This table groups all hierarchical role members and identities to whom a responsibility has been delegated.

Determine the UID_PWORulerOrigin in order to notify delegators when the recipient of the delegation has made a decision on a request and thus allow the Web Portal to show if the approver was originally delegated.

To determine the UID_PWORulerOrigin of the delegation

  • Determine the UID_PersonWantsOrg of the delegation and copy this value as UID_PWORulerOrigin to the query. Use the dbo.QER_FGIPWORulerOrigin table function to do this.

    select dbo.QER_FGIPWORulerOrigin(XObjectKey) as UID_PWORulerOrigin

Modified query from example 2:

select hho.UID_PersonHead as UID_Person, dbo.QER_FGIPWORulerOrigin(hho.XObjectkey) as UID_PWORulerOrigin from PersonWantsOrg pwo join Person p on pwo.UID_PersonInserted = p.UID_Person join Department d on p.UID_Department = d.UID_Department join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter join HelperHeadOrg hho on hho.UID_Org = pc.UID_ProfitCenter where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg

Copying an approval procedure

You can copy default approval procedures in order to customize them.

To copy an approval procedure

  1. In the Manager, select the IT Shop > Basic configuration data > Approval procedures category.

  2. Select an approval procedure in the result list. Select the Change main data task.

  3. Select the Create copy task.

  4. Confirm the security prompt with Yes.
  5. Enter the short name for the copy.

    The short name for an approval procedure consists of a maximum of two characters.

  6. Click OK to start copying.

    - OR -

    Click Cancel to cancel copying.

Deleting approval procedures

To delete an approval procedure

  1. Remove all assignments to approval steps.

    1. On the approval procedure overview form, check which approval steps are assigned to the approval procedure.

    2. Switch to the approval workflow and assign another approval procedure to the approval step.

  2. In the Manager, select the IT Shop > Basic configuration data > Custom defined > Approval procedures category.

  3. Select an approval procedure from the result list.

  4. Click .

  5. Confirm the security prompt with Yes.

Determining the responsible approvers

The DBQueue Processor calculates which identity is authorized as an approver and in which approval level. Once a request is triggered, the approvers are determined for every approval step of the approval workflow to be processed. Changes to responsibilities may lead to an identity no longer being authorized as an approver for a request that is not yet finally approved. In this case, approvers must be recalculated. The following changes can trigger a recalculation for as yet unapproved requests:

  • Approval policy, workflow, step, or procedure changes.

  • An authorized approver loses their responsibility in One Identity Manager, for example, if a change is made to the department manager, product owner, or target system manager.

  • An identity obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example as the manager of the request recipient.

  • An identity authorized as an approver is deactivated.

Once an identity's responsibilities have changed in One Identity Manager, an approver recalculation task is queued in the DBQueue. By default, all approval steps of the pending approval processes are recalculated at the same time. Approval steps that have already been approved remain approved, even if their approver has changed. Recalculating approvers may take a long time depending on the configuration of the system environment and the amount of data to be processed. To optimize this processing time, you can specify the approval steps for which the approvers are to be recalculated.

NOTE: The approver recalculation task is set for approval steps that implement default approval procedures. Approval steps with customized approval procedures are not recalculated automatically.

To configure recalculation of approvers

  • In the Designer, set the QER | ITShop | ReducedApproverCalculation configuration parameter and select one of the following options as the value.

    Table 43: Options for recalculating approvers
    Option Description

    No

    All approval steps are recalculated. This behavior also applies if the configuration parameter is not set.

    Advantage: All valid approvers are displayed in the approval process. The rest of the approval sequence is transparent.

    Disadvantage: Recalculating approvers may take a long time.

    CurrentLevel

    Only approvers for the approval level that is currently to be edited are recalculated. Once an approval level has been approved, the approvers are determined for the next approval level.

    Advantage: The number of approval levels to calculate is lower. Calculating the approvers may be faster.

    TIP: Use this option if performance problems occur in your environment in connection with the recalculation of approvers.

    Disadvantage: The originally calculated approvers are still displayed in the approval sequence for each subsequent approval step, even though they may no longer have approval authorization. The rest of the approval sequence is not correctly represented.

    NoRecalc

    No recalculation of approvers The previous approvers remain authorized to approve the current approval levels. Once an approval level has been approved, the approvers are determined for the next approval level.

    Advantage: The number of approval levels to calculate is lower. Calculating the approvers may be faster.

    TIP: Use this option if performance problems occur in your environment in connection with the recalculation of approvers, even though the CurrentLevel option is used.

    Disadvantage: The originally calculated approvers are still displayed in the approval sequence for each subsequent approval step, even though they may no longer have approval authorization. The rest of the approval sequence is not correctly represented. Identities that are no longer authorized can approve the current approval level.

    In the worst-case scenario, the only attestors originally calculated here now have no access to One Identity Manager, for example, because they have left the company. The approval level cannot be approved.

    To see approval steps of this type through

    • Define a timeout and timeout behavior when you set up the approval workflows on the approval steps.

      - OR -

    • When setting up the IT Shop, assign members to the chief approval team. These can access open approval processes at any time.

Detailed information about this topic
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating