Chat now with support
Chat with Support

Identity Manager 9.3 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results Example of defining request properties

Replacing products

A product can be replaced by another product at a specified time. All identities who have requested this product are notified by an email telling them to request a replacement product.

To replace a product with another one

  1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service categories > <service category> category.

    - OR -

    In the Manager, select the IT Shop > Service catalog > Hierarchical by service categories > Singles category.

  2. Select the product's service item to replace in the result list.

  3. Select the Change product task.

  4. Enter the following data:

    • Expiry date: Date on which the product is replaced by a different product.

    • Alternative product: Service item that can be requested instead.

  5. Click OK.
Related topics

Preparing the IT Shop for multi-factor authentication

You can use multi-factor authentication for specific security-critical resource requests, which requires every approver for the request approval to authenticate themselves again. Define which products require this authentication in your service items.

One Identity Manager uses OneLogin for multi-factor authentication. Usable authentication modes are determined through the OneLogin user accounts linked to the identities.

Prerequisites

In OneLogin:

  • At least one authentication method is configured on all user accounts that are going to use multi-factor authentication.

In One Identity Manager:

  • The OneLogin Module is installed.

  • Synchronization with a OneLogin domain is set up and has been run at least once.

  • Identities linked to OneLogin user accounts.

  • The API Server and the web application are configured as required.

For more information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide.

To use multi-factor authentication in the IT Shop

  • In the Manager, create service items for the product that can only be requested with multi-factor authentication.

    • Enable the Approval by multi-factor authentication option.

Once the Approval by multi-factor authentication option is enabled on a service item, additional authentication is requested in each approval step of the approval process. Approvers can select any one of the authentication methods assigned to their OneLogin user accounts.

IMPORTANT: An approval cannot be sent by email if multi-factor authentication is configured for the requested product. Approval mails for such requests produce an error message.

For more information about requesting products requiring multi-factor authentication and about canceling products, see the One Identity Manager Web Portal User Guide.

Related topics

Assignment requests

You can also use One Identity Manager to request hierarchical roles, like departments, or business roles, through the IT Shop and assign them to identities, devices, and workdesks. This allows any number of assignments to be made through IT Shop requests. The advantage of this method is that any assignments can be authorized using an approval process. Assignment renewals and assignment recall are also subject to an approval process in the same way. The request history makes it possible to follow which assignments were requested, renewed, or canceled, why, when, and by whom.

The managers of business roles, organizations, and system roles can make assignments requests for their roles.

In the Web Portal, managers of business roles, organizations, and system roles can see assignments requests for roles under their supervision. Use the QER | ITShop | ShowClosedAssignmentOrders configuration parameter to specify whether all assignment requests are displayed or only open ones. By default, pending as well as closed assignment requests are displayed.

To only display a manager's pending assignment requests in the Web Portal

  • Disable the QER | ITShop| ShowClosedAssignmentOrders configuration parameter in the Designer.

Standard products for assignment requests

You require special resources, so-called assignment resources, for assignment requests. Assignment resources are linked to service items and can thus be made available as products in the IT Shop.

One Identity Manager provides standard products for assignment requests. These are used to:

  • Request membership in business roles or organizations for which the logged-in One Identity Manager user is responsible.

  • Request system entitlement assignments or other company resources to system roles, business roles, or organizations for which the logged in One Identity Manager user is responsible.

Table 18: Standard products for assignment requests

Assignment resource

Service item

Shop | Shelf

Request

Members in roles

Members in roles

Identity & Access Lifecycle | Identity Lifecycle

Memberships in business roles, application roles, and organizations

Role entitlement assignments

Role entitlement assignments

Assignment of company resources to business roles and organizations

System role assignments

System role assignments

Assignment of company resources to system roles

In the default installation, all active One Identity Manager database identities are customers of the Identity & Access Lifecycle shop. This allows all active identities to request memberships and assignments. The assignment requests are automatically approved by self-service.

You can add standard products for assignment requests to your own IT Shop.

Assignments can only be requested from and for customers of this shop. This means, the manager of the hierarchical roles as well as the identities that are also members of these roles, must be customers in the shop.

TIP: Assignment requests can also be made for custom assignment tables (many-to-many tables), if they have an XOrigin column. The properties for this column must correspond to the column definition for XOrigin columns in the One Identity Manager data model.
Example for an assignment request

Jo User1 is the project X project leader. A business role (Project X) is added in the Manager to ensure that all the project staff obtain the necessary entitlements. Jo User1 is assigned as manager of this business role. All project staff have a user account in the Active Directory domain P.

Jo User1 can request memberships in the Project X business role in the Web Portal because they are a manager. Jo User1 requests memberships for themselves and all project staff.

Furthermore, Jo User1 wants all project staff to obtain their entitlements in Active Directory through the Project X AD permissions Active Directory group. To this, they request Project X AD permissions in the Web Portal for the Project X business role.

The user accounts of all project staff become members in the Project X AD permissions Active Directory group through internal inheritance processes.

For more information, see the One Identity Manager Web Portal User Guide.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating