Identity Manager 9.2 - IT Shop Administration Guide

Rule checking for requests with self-service

Self-service (SB approval procedure) is always defined as a one-step procedure. That means you cannot set up more approval steps in addition to a self-service approval step.

To realize compliance checking for requests with self-service

Approving requests from an approver

By default, approvers can make approval decisions about requests in which they are themselves the requester (UID_PersonInserted) or the recipient (UID_PersonOrdered). To prevent this, specify the desired behavior in the following configuration parameters and in the approval step.

  • QER | ITShop | PersonOrderedNoDecide configuration parameter

  • QER | ITShop | PersonInsertedNoDecide configuration parameter

  • Approval by affected identity option in the approval step.

If the requester or approver is not allowed to make approval decisions, their main identity and all subidentities are removed from the group of approvers.

NOTE:

  • The configuration parameter setting also applies for fallback approvers; it does not apply to the chief approval team.

  • This configuration parameter does not affect the BS and BR approval procedures. These approval procedures also find the requester and the request recipient if the configuration parameter is not set. For more information, see Finding requesters.

Summary of configuration options

Requesters can approve their own requests if:

  • The PersonInsertedNoDecide configuration parameter is not set.

- OR -

  • The Approval by affected identity option is set.

Recipients can approve their own requests if:

  • The PersonOrderedNoDecide configuration parameter is not set.

- OR -

  • The Approval by affected identity option is set.

Requesters cannot approve if:

  • The PersonInsertedNoDecide configuration parameter is set.

    - AND -

    The Approval by affected identity option is not set.

Recipients cannot approve if:

  • The PersonOrderedNoDecide configuration parameter is set.

    - AND -

    The Approval by affected identity option is not set.

Example

A department manager places a request for an employee. Both of them are found to be approvers by the approval procedure. To prevent the department manager from approving the request, set the QER | ITShop | PersonInsertedNoDecide parameter. To prevent the employee from approving the request, set the QER | ITShop | PersonOrderedNoDecide parameter.
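The summary and example above, modeled as an added example for reasoning about separation of duties; it is not One Identity Manager code. The `Settings` class, the function names, and the sample identities are assumptions made for illustration, and the BS and BR approval procedures are out of scope.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    person_inserted_no_decide: bool      # QER | ITShop | PersonInsertedNoDecide is set
    person_ordered_no_decide: bool       # QER | ITShop | PersonOrderedNoDecide is set
    approval_by_affected_identity: bool  # option enabled on the approval step


def identity_group(person, main_of):
    """Return the main identity of `person` plus all of its subidentities."""
    main = main_of.get(person, person)
    return {main} | {sub for sub, m in main_of.items() if m == main}


def effective_approvers(found, chief_team, requester, recipient, main_of, cfg):
    """Apply the approver restrictions to one approval step.

    `found` holds regular and fallback approvers; both are filtered.
    The chief approval team is returned unchanged because the
    configuration parameters do not apply to it.
    """
    excluded = set()
    # The step option overrides both parameters for this step.
    if not cfg.approval_by_affected_identity:
        if cfg.person_inserted_no_decide:
            excluded |= identity_group(requester, main_of)
        if cfg.person_ordered_no_decide:
            excluded |= identity_group(recipient, main_of)
    return set(found) - excluded, set(chief_team)


# Constructed sample data: a manager who also has an administrative
# subidentity places a request for an employee.
MAIN_OF = {"manager-adm": "manager"}  # subidentity -> main identity
FOUND = {"manager", "manager-adm", "employee", "it-owner"}
CHIEF = {"manager"}

if __name__ == "__main__":
    cfg = Settings(True, True, False)
    approvers, chief = effective_approvers(
        FOUND, CHIEF, "manager", "employee", MAIN_OF, cfg)
    print("approvers:", sorted(approvers))
    print("chief approval team (unfiltered):", sorted(chief))
```

With both parameters set, the sample leaves only `it-owner` as approver, while the manager can still decide as a member of the chief approval team; review that team's membership separately when auditing self-approval paths.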

Approving requests from an exception approver

Similarly, you specify whether exception approvers are allowed to approve their own requests if compliance rules are violated by a request. For more information, see Restricting exception approvers.

Setting up approver restrictions

To prevent recipients of requests becoming approvers

  • In the Designer, set the QER | ITShop | PersonOrderedNoDecide configuration parameter.

    This configuration parameter takes effect if the Approval by affected identity option is not set on the approval step.

To prevent requesters becoming approvers

  • In the Designer, set the QER | ITShop | PersonInsertedNoDecide configuration parameter.

    This configuration parameter takes effect if the Approval by affected identity option is not set on the approval step.

For individual approval workflows, you can allow exceptions to the general rule in the PersonInsertedNoDecide and PersonOrderedNoDecide configuration parameters. Use these options to allow the requester or recipient of requests to make approval decisions themselves in single approval steps.

To allow request recipients or requesters to become approvers in certain cases

  • On the approval step, enable the Approval by affected identity option.

Automatically approving requests

Approvers may be involved in an approval process more than once, for example, if they are also requesters or are determined as approvers in several approval steps. In such cases, the approval process can be sped up with automatic approval.

NOTE: Automatic approvals apply to all fallback approvers but not to the chief approval team.

Use configuration parameters to specify when automatic approvals are used. You can specify exceptions from default behavior for individual approval steps. Specify the behavior you expect in the following configuration parameters and approval steps.

  • QER | ITShop | DecisionOnInsert configuration parameter

  • QER | ITShop | AutoDecision configuration parameter

  • QER | ITShop | ReuseDecision configuration parameter

  • No automatic approval option in the approval step

Summary of configuration options

Approval steps are automatically approved or denied if:

  • The QER | ITShop | DecisionOnInsert configuration parameter is set.

    - AND -

    The No automatic approval option is not set.

    - OR -

  • The QER | ITShop | AutoDecision configuration parameter is set.

    - AND -

    The No automatic approval option is not set.

    - OR -

  • The QER | ITShop | ReuseDecision configuration parameter is set.

    - AND -

    The No automatic approval option is not set.

Requests are manually approved or denied if:

  • The QER | ITShop | DecisionOnInsert configuration parameter is not set.

    - OR -

  • The QER | ITShop | AutoDecision configuration parameter is not set.

    - OR -

  • The QER | ITShop | ReuseDecision configuration parameter is not set.

    - OR -

  • The No automatic approval option is set.
