Chat now with support
Chat with Support

Identity Manager 9.3 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results Example of defining request properties

Standard products for delegation

One Identity Manager provides standard products for delegations.

Table 20: Standard products for delegation

Service item

Shop | Shelf

Type of delegation

Deputy (temporary)

Identity & Access Lifecycle | Identity Lifecycle

Deputize

Delegation

Single delegations

In the default installation, all active One Identity Manager database identities are customers of the Identity & Access Lifecycle shop. This allows all enabled identities to delegate responsibilities.

Related topics

Preparing single delegations

Single delegations temporarily assign responsibilities for a specific role or memberships in a specific business or application role to any identity. This identity may further delegate responsibility or membership as needed.

To run single delegation in One Identity Manager

  • In the Designer, set the QER | ITShop | Delegation configuration parameter.

    If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

The following objects in the default installation can be delegated.

  • Responsibilities for:

    • Departments

    • Cost centers

    • Locations

    • Business roles

    • Identities

    • IT Shop Structures (owner)

  • Membership in:

    • Business roles

    • Application roles

TIP: Specify the role classes associated to business roles for which memberships can be delegated. This option is available when the Business Roles Module is installed.

To permit single delegation of a role class

  1. In the Manager, select the Business roles > Basic configuration data > Role classes category.

  2. Select the role class in the result list.

  3. Select the Change main data task.

  4. Set Delegable.

  5. Save the changes.

Use the Web Portal to delegate roles or responsibilities. For more information, see the One Identity Manager Web Portal User Guide and the One Identity Manager Business Roles Administration Guide.

Related topics

Allowing delegation approvals

Delegations are automatically approved after a compliance check. If delegations are going to be approved by an approver, assign a suitable approval policy to the default service item. This means that delegation also go through the defined approval process.

To approve deputization by an approver

  1. In the Manager, select the IT Shop > Service catalog > Predefined category.

  2. In the result list, select the Deputy (temporary) service item then select the Change main data task.

  3. In the Approval policy field, select an approval policy.

  4. Save the changes.

To approve single delegation by an approver

  1. In the Manager, select the IT Shop > Service catalog > Predefined category.

  2. In the result list, select the Delegation service item and select the Change main data task.

  3. In the Approval policy field, select an approval policy.

  4. Save the changes.
Related topics

Creating IT Shop requests from existing user accounts, assignments, and role memberships

You can create One Identity Manager requests for existing user accounts, membership in system entitlements, assignments to identities, and hierarchical roles when IT Shop goes into operation. One Identity Manager provides several methods to implement this. Using these methods, requests are created that are completed and approved. These requests can therefore be canceled at a later date. In addition to the initial request data, you can run a custom script from each method that sets other custom properties for a request.

Table 21: Methods for transforming direct assignments into requests

Method

Description

CreateITShopOrder (string CustomScriptName)

Creates a request from a direct assignment. This method can be applied to all tables used to find a UID_Person.

CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName)

Creates an assignment request from an assignment or membership. This method can be applied to all tables that cannot be used to find a UID_Person.

CreateITShopOrder (string uidOrgProduct, string uidWorkdeskOrdered, string uidPersonOrdered, string CustomScriptName)

Creates an assignment request from an assignment or membership and, in addition, saves a UID_WorkdeskOrdered with the request procedure.

CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName)

Creates a request for a workdesk from a direct assignment. This method can be applied to the WorkDeskHasApp, WorkDeskHasESet and WorkDeskHasDriver tables.

To run the methods

  1. Create a script in the Designer with the Script Editor to call the desired method.

    You can find an example script for calling a Customizer method in VB syntax on the One Identity Manager installation medium in the Modules\QBM\AddOn\SDK\ScriptSamples\03 Using database objects\11 Call database object methods.vb directory. You can use this example script as a template to create a script for call the methods described here.

  2. Run the script.

    You can use the script test from the Script Editor to do this.

For more information about creating scripts, see the One Identity Manager Configuration Guide.

If a custom script is included in the method call, then this script will be run immediately before the request is saved in the database.

An example of a custom script
Public Sub CCC_AddCustomPropToRequest(ByRef dbSource As IEntity, ByRef dbPWO As IEntity)
'Populate values in PWO:
dbPWO.PutValue("OrderReason", "Group membership assignment converted to IT Shop request automatically.")
End Sub
  • dbSource: Refers to the source object. For example, ADSAccountInADSGroup, if memberships in Active Directory groups are to be converted in requests.
  • dbPWO: Refers to the request to be generated.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating