Chat now with support
Chat with Support

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Recommendations and tips for transporting IT Shop components with the Database Transporter

For detailed about working with change labels and about transporting changes with the Database Transporter, see the One Identity Manager Operational Guide.

To transport IT Shop components with the Database Transporter, take the following into account:

  • In one transport package, only include a maximum of one shop with shelves and customer nodes including the dynamic roles and, if necessary, associated approval policies.

  • You should not transport products that reference target system entitlements. Target system entitlements are loaded into the database by synchronization and obtain different UIDs in different databases. This means that references to these entitlements do not match up in the products.

  • Approval policies, approval workflows, approval steps, and approval procedures should be transported together. If necessary, mail templates and mail definitions must be transported as well.

  • If IT Shop components reference application or business roles, they must also be transported along with their child roles.

  • Transport translations if required.

  • If you want to group several objects and dependencies and other changes into a transport package, work with change labels where possible. In the Database Transporter, you can export change labels to a transport package. You can import the transport package with the Database Transporter.

  • Alternatively, you can transport a single object with its dependencies by creating an export in transport format. Then you can import the export with the Database Transporter.

Troubleshooting errors in the IT Shop

Timeout on saving requests

If new requests are saved in bulk in the database a timeout may occur, after importing data, for example.

Probable reason

By default, the approvers responsible are determined during saving. This delays the saving process. No more actions can take place in One Identity Manager until all requests are saved and, therefore, all approvers have been found. Depending on the system configuration, this may cause a timeout to occur when large amounts of data are being processed.

Solution
  • In the Designer, disable the QER | ITShop | DecisionOnInsert configuration parameter.

Effect
  • The requests are saved and a calculation task for determining approvers is queued in the DBQueue. Approvers responsible are determined outside the save process.

  • If the requester is also the approver, the approval step is not automatically granted approval. Approvers must explicitly approve their own requests. For more information, see Automatically approving requests.

  • Automatic approval decisions are also met if necessary, but are delayed. This affects requests with self-service, for example.

Bulk delegation errors

You have the option to delegate all your responsibilities to an identity in the Web Portal. If you have a lot of responsibilities, it is possible that not all the delegations are carried out. A delegator can send a notification to themselves if an error occurs.

Probable reason

An error occurred processing delegations. VI_ITShop_Person Mass Delegate was stopped, although only a fraction of the delegations has been applied.

Solution
  1. Configure the notification procedure.

  2. Run all remaining delegations again in the Web Portal.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating