Chat now with support
Chat with Support

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Finding exception approvers

Requests that may cause a rule violation can still be approved by exception approval.

To allow exception approval for request with rule violations

  1. Enable the Exception approval allowed option for the compliance rule and assign an exception approver.

    For more information, see theOne Identity Manager Compliance Rules Administration Guide.

  2. Enter an approval step in the approval workflow with the OC or OH procedure. Connect this approval level with the compliance checking approval level at the connection point for denying this approval decision.

    NOTE:

    • Only apply this approval procedure immediately after an approval level with the CR approval procedure.

    • For each approval workflow, only one approval step can be defined using the OC or OH approval procedure.

  3. If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is set, you can use the rule's IT Shop properties to configure which rule violations are presented to an exception approver. Set or unset Explicit exception approval to do this.

    For more information, see Explicit exception approval.

Table 46: Approval procedures for exception approval
Approval procedure Description

OC (Exception approvers for violated rules)

The approval decision is agreed on by the exception approvers of the violated rule. As it may be possible that several rule are broken with one request, the request is presented to all the exception approvers in parallel. If one of the exception approvers rejects the exception, the request is rejected.

OH (exception approver for worst rule violation)

The approval decision is agreed on by the rule's exception approver which poses the highest threat. In this way, you can accelerate the exception approval procedure for a request that violates several rules.

Ensure the following apply for this approval procedure:

  • The severity level is set in the assessment criteria for all compliance rules.

  • The exception approver for the worst rule violation in all affected rules is one of the exception approvers.

Example

Four different compliance rules are violated by a request for Active Directory group membership. The target system manager of the Active Directory domain is entered as exception approver for all the compliance rules.

Using the OC approval procedure, the target system manger must grant approval exceptions for all four compliance rules.

Using the OH approval procedure, the target system manager is presented with the request only for the compliance rule with the highest severity code. The manager's decision is automatically passed on to the other violated rules.

Figure 8: Example of an approval workflow with compliance checking and exception approval

Sequence of compliance checking with exception approval

  1. If a rule violation is detected during compliance checking, the request is automatically not granted approval. The request is passed on to the approver of the next approval level for approval.

  2. Exception approvers are found according to the given approval procedure.

  3. If exception approval is granted, the request is approved and assigned.

  4. If exception approval is not granted, the request is denied.

Important: If the QER | ITShop | ReuseDecision configuration parameter is set and the exception approver has already approved as the request an approver in a previous approval step, exception approval is automatically granted. For more information, see Automatically approving requests.
NOTE:
  • As opposed to the manager/deputy principle normally in place, an exception approver’s deputy is NOT permitted to grant exception approval alone.

  • You cannot determine fallback approvers for exception approvers. The request is canceled if no exception approver can be established.

  • The chief approval team cannot grant exception approvals.

Restricting exception approvers

By default, exception approvers can also make approval decisions about requests in which they are themselves requester (UID_PersonInserted) or recipient (UID_PersonOrdered). To prevent this, you can specify the desired behavior in the following configuration parameter and in the approval step:

  • QER | ComplianceCheck | DisableSelfExceptionGranting configuration parameter

  • QER | ITShop | PersonOrderedNoDecideCompliance configuration parameter

  • QER | ITShop | PersonInsertedNoDecideCompliance configuration parameter

  • Approval by affected identity option in the approval step for finding exception approvers

If the requester or approver is not allowed to grant approval exceptions, their main identity and all sub identities are removed from the circle of exception approvers.

Summary of configuration options

Requesters can grant exception approval for their own requests, if:

  • PersonInsertedNoDecideCompliance configuration parameter is not set.

- OR -

  • Approval by affected identity option is set.

Recipients can grant exception approval for their own requests, if:

  • DisableSelfExceptionGranting configuration parameter is not set.

    PersonOrderedNoDecideCompliance configuration parameter is not set.

- OR -

  • DisableSelfExceptionGranting configuration parameter is not set.

    Approval by affected identity option is set.

Requesters cannot grant exception approval, if:

  • PersonInsertedNoDecideCompliance configuration parameter is set.

    Approval by affected identity option is not set.

Recipients cannot grant exception approval, if:

  • DisableSelfExceptionGranting configuration parameter is set.

- OR -

  • PersonOrderedNoDecideCompliance configuration parameter is set.

    Approval by affected identity option is not set.

Related topics

Setting up exception approver restrictions

To prevent recipients of request becoming exception approvers

  • In the Designer, disable the QER | ComplianceCheck | DisableSelfExceptionGranting configuration parameter.

    This configuration parameter takes effect:

    • When requests are granted approval exception.

    • During cyclical rule checking. For more information about cyclical rule checking, see the One Identity Manager Compliance Rules Administration Guide.

    - OR -

  • In the Designer, enable the QER | ITShop | PersonOrderedNoDecideCompliance configuration parameter.

    This configuration parameter takes effect:

    • When requests are granted approval exception.

    • If the Approval by affected identity option is disabled in the approval step.

To prevent requesters becoming exception approvers

  • In the Designer, set the QER | ITShop | PersonInsertedNoDecideCompliance configuration parameter.

    This configuration parameter takes effect:

    • When requests are granted approval exception.

    • If the Approval by affected identity option is disabled in the approval step.

For individual approval workflows, you can allow exceptions to the general rule in the PersonInsertedNoDecide and PersonOrderedNoDecide configuration parameters. Use these options if the requester or recipient of requests is allowed to grant themselves exception approval only for certain requests.

To allow request recipients or requesters to become exception approvers in certain cases

  • In the approval step for determining exception approvers, enable the Approval by affected identity option.

Related topics

Explicit exception approval

If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is set, properties can be added to compliance rules that are taken into account when rule checking requests.

Use the Explicit exception approval IT Shop property to specify whether the reoccurring rule violation should be presented for exception approval or whether an existing exception approval can be reused.

Table 47: Permitted values

Option is

Description

Enabled

A known rule violation must always be presented for exception approval, even if there is an exception approval from a previous violation of the rule.

Not set

A known rule violation is not presented again for exception approval if there is an exception approval from a previous violation of the rule. This exception approval is reused and the known rule violation is automatically granted exception.

If several rules are violated by a request and Explicit exception approval is set for one of the rules, the request is presented for approval to all exception approvers for this rule.

Rules that have Explicit exception approval set result in a renewed exception approval if:

  • A rule check is carried out within the approval process for the current request.

    - AND -

    1. The rule is violated by the current request.

      - OR -

    2. The IT Shop customer has already violated the rule.

In case (a), the request for the IT Shop customer is presented to the exception approver. If the request is approved, case (b) applies to the next request. In case (b), every request for the IT Shop customer must be decided by the violation approver, even when the request itself does not result in a rule violation. The result you achieve is that assignments for identities that have been granted an exception, are verified and reapproved for every new request.

For more information about exception approvals, see the One Identity Manager Compliance Rules Administration Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating