Chat now with support
Chat with Support

Identity Manager 9.3 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results Example of defining request properties

Adding system entitlements automatically to the IT Shop

The following steps can be used to automatically add system entitlements to the IT Shop. Synchronization ensures that the system entitlements are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor. New system entitlements created in One Identity Manager also are added automatically to the IT Shop.

To add system entitlements automatically to the IT Shop

  1. In the Designer, set the configuration parameter for automatically adding system entitlements to the IT Shop depending on existing modules.

    Example: QER | ITShop | AutoPublish | ADSGroup and QER | ITShop | AutoPublish | ADSGroup | ExcludeList

    ClosedList of relevant configuration parameters

  2. Compile the database.

The system entitlements are added automatically to the IT Shop from now on.

The following steps are run to add a system entitlement to the IT Shop.

  1. A service item is determined for the system entitlement.

    The service item is tested for each system entitlement and modified if necessary. The name of the service item corresponds to the name of the system entitlement.

    • The service item is modified if the system entitlement has a service item.

    • System entitlements without a service item are allocated a new service item.

  2. The service item is assigned to one of the default service categories.

  3. An application role for product owners is determined and the service item is assigned. For more information, see the administration manuals for the respective target system connection.

    Product owners can approve requests for membership in these system entitlements.

  4. The system entitlement is labeled with the IT Shop option and assigned to the corresponding IT Shop shelf in the Identity & Access Lifecycle shop.

Subsequently, the shop's customers can request memberships in system entitlement through the Web Portal.

NOTE: When a system entitlement is irrevocably deleted from the One Identity Manager database, the associated service item is also deleted.

Related topics

Deleting unused application roles for product owners

The list of product owner application roles can quickly become confusing when groups are automatically added to the IT Shop. This is because an application role is added for each account manager. These application roles are no longer required when a groups are deleted.

Redundant application roles for product owners can be deleted through a scheduled process task. This deletes all the application role from the database for which the following applies:

  • The parent application role is Request & Fulfillment | IT Shop | Product owner.

  • The application role is not assigned to a service item.

  • The application role is not assigned to a service category.

  • The application role does not have members.

To display no longer required application roles with members

  • In the Manager, select the IT Shop > Troubleshooting > Orphaned product owners category.

To delete application roles automatically

  • In the Designer, configure and enable the Cleans up application role "Request & Fulfillment | IT Shop | Product owners” schedule.

NOTE: If you have set up your own application roles under the Request & Fulfillment | IT Shop | Product Owner application role that you use for custom use cases (tables), then check whether these can be deleted automatically. Otherwise, disable the Clean up application role "Request & Fulfillment\IT Shop\Product owners" schedule.

Related topics

Approval processes for IT Shop requests

All IT Shop requests are subject to a defined approval process. During this approval process, authorized identities grant or deny approval for the product assignments. You can configure this approval process in various ways and therefore customize it to meet your company policies.

You define approval policies and approval workflows for approval processes. Specify which approval workflows are going to be used for the request in the approval policies. Use approval workflows to specify which identity is authorized to grant or deny approval for the request at the time it was placed. An approval workflow can contain a number of approval levels, and this can, in turn, contain several approval steps, for example, when several management hierarchy layers need to give approval for a request. A special approval procedure is used to determine the approvers in each approval procedure.

In the default installation, different default approval policies are assigned to the Identity & Access Lifecycle shop. Therefore, requests from this shop are run through predefined approval processes. Assign an approval policy to the shop, the shelf or the service item of the Identity & Access Lifecycle shelf if requests from this shop should go through customized approval process.

Detailed information about this topic

Approval policies for requests

One Identity Manager uses approval policies to determine the approver for each request process.

To edit an approval policy

  1. In the Manager, select the IT Shop > Basic configuration data > Approval policies category.

  2. Select an approval policy in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the approval policy main data.

  4. Save the changes.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating