Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 9.3 - IT Shop Administration Guide

Table of Contents

Setting up an IT Shop solution

One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products

Multi-request resources

Preparing products for requesting

Entering service items

General main data for service items Pricing for service items Extended main data for service items Default service items Specifying dependencies between products Editing product dependencies for requests Defining hierarchy for service items Assigning hierarchical roles to service items

Assigning organizations to service items Assigning business roles to service items

Assigning functional areas to service items Assigning extended properties to service items Displaying websites for service items Changing products for service items Adding tags and assigning them to service items Displaying the service item overview Reports about service items

Overview of all assignments

Entering service categories

Main data for service categories Default service categories Assigning service items to service categories Displaying the service category overview

Entering product-specific request properties

Request property and request parameter settings Copy request properties Displaying the request properties overview

Products for requests with time restrictions Product request on customer or product relocation Non-requestable products Entering terms of use for service items

Assigning files to terms of use Displaying the terms of use overview

Assigning service items to tags Displaying the tags overview

Assigning and removing products

Assigning products to shelves Removing products from shelves Moving products to another shelf Replacing products

Preparing the IT Shop for multi-factor authentication Assignment requests

Standard products for assignment requests Requesting memberships in business roles Requesting memberships in application roles Customizing assignment requests Canceling requests Removing customers from a shop Setting up assignment resources

General main data for assignment resources Default assignment resources Displaying assignment resource overviews Adding assignment resources to the IT Shop Removing assignment resources from the IT Shop

Standard products for delegation Preparing single delegations Allowing delegation approvals

Creating IT Shop requests from existing user accounts, assignments, and role memberships

Creating requests for identities Creating user account requests Creating workdesk requests Creating assignment requests

Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners

Approval processes for IT Shop requests

Approval policies for requests

General main data of approval policies Default approval policies Adding to the IT Shop Validity checking Editing approval workflows Copying approval policies The approval policy overview

Approval workflows for requests

Working with the Workflow Editor Setting up approval workflows

Editing approval levels Editing approval steps Properties of an approval step Connecting approval levels

Copying approval workflows Deleting approval workflows The approval workflow overview Default approval workflows

Determining effective approval policies

Approvers for renewals Approvers for unsubscriptions

Selecting responsible approvers

Default approval procedures

Determining request recipients as approvers Determining managers or members of a role as approvers Determining owners as approvers

Determining approvers via products requested by request parameter

Determining special approvers

Determining approvers via approval roles

Determining target system managers as approvers Determining requester or recipients Determining special identities as approvers Automatic approvals

Waiting for further approval Calculated approval Approvals to be made externally

Setting up approval procedures

General main data of an approval procedure Queries for determining approver

Copying an approval procedure Deleting approval procedures Determining the responsible approvers

Request risk analysis Testing requests for rule compliance

Compliance checking requests Identifying rule violations Determining exception approvers Restricting exception approvers

Setting up exception approver restrictions

Explicit exception approval Rule checking for requests with self-service

Approving requests from an approver

Setting up approver restrictions

Automatically approving requests

Configuring automatic approval

Approval by peer group analysis

Configuring peer group analysis for requests

Approval recommendations for requests

Criteria for approval recommendations for requests Configuring approval recommendations for requests

Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes

Request sequence

The request overview

Displaying request details Displaying the approval sequence Displaying the approval history

Requesting products more than once Requests with limited validity period

Renewing requests Canceling or unsubscribing requests Checking request validity periods

Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process

Requesting approval Reminding approvers Scheduled request for approval Sequence for limited requests Approving or denying request approval Notifying delegates Canceling requests Escalating requests Delegating approvals Rejecting approvals Notifications with questions Using additional approvers to approve requests Unsubscribing approved requests Renewing approved requests Product change notifications Default mail templates Bulk delegation notifications

Approval by mail

Editing approval emails

Adaptive cards approval

Using adaptive cards for approvals Adding and deleting recipients and channels Creating, editing, and deleting adaptive cards for requests Creating, editing, and deleting adaptive cards templates for requests General main data for adaptive cards Deploying and evaluating adaptive cards for requests Disabling adaptive cards

Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations

Managing an IT Shop

IT Shop base data

Processing status Standard reason for requests

Predefined standard reasons for requests

Role classes for the IT Shop Role types for the IT Shop Business partners Functional areas Chief approval team Product owners Attestors

Setting up IT Shop structures

Adding IT Shop structures General main data of IT Shop structures Custom main data of IT Shop structures Assigning approval policies Assigning requestable products to shelves The IT Shop structure overview

Setting up a customer node

Adding customer nodes General main data of customer nodes Custom main data of customer nodes Assigning identities directly Assigning identities through dynamic roles The entitled customers overview

Deleting IT Shop structures

Deleting customer nodes Deleting shelves Deleting shops Deleting shopping centers

Restructuring the IT Shop

Moving shops to other shopping centers Moving shelves to other shops Moving products to another shelf

Templates for automatically filling the IT Shop

Using shelf templates in an IT Shop solution Editing shelf templates General main data of a shelf template Custom main data of shelf templates Assigning approval policies Assigning requestable products to shelf templates Shelf-filling wizard Assigning shelf templates to shops and shopping center templates Deleting shelf templates

Custom mail templates for notifications

Creating and modifying IT Shop mail templates General properties of mail templates Creating and editing mail definitions

Using base object properties Use of hyperlinks to the Web Portal Default functions for creating hyperlinks Customize email signatures

Copying IT Shop mail templates Displaying IT Shop mail template previews Deleting IT Shop mail templates Custom notification processes

Product bundles

Creating and modifying product bundles General main data of a product bundle Cart items Deleting product bundles

Recommendations and tips for transporting IT Shop components with the Database Transporter

Troubleshooting errors in the IT Shop

Timeout on saving requests Bulk delegation errors Process monitoring for requests

Configuration parameters for the IT Shop Request statuses Examples of request results Example of defining request properties

Determining managers or members of a role as approvers

Managers can be assigned to identities and hierarchical roles If these managers can approve requests, you can use the following approval procedures. In addition, members with a specified hierarchical role can be determined as approvers.

Closed

D0 - Manager of shelf's department

Closed

D1 - Manager of shop's department

Closed

D1 - Manager of shopping center's department

Closed

DP - Manager of department given in the request

Closed

P0 - Manager of shelf's cost center

Closed

P1 - Manager of shop's cost center

Closed

P2 - Manager of shopping center's cost center

Closed

PP - Manager of cost center given in the request

Closed

MS - Manager of the role to request

Closed

OM - Manager of a specific role

Closed

OR - Members of a certain role

Related topics

Determining owners as approvers

Special owners are assigned to various objects in One Identity Manager. Different approval procedures can be used to determine these owners as approvers.

Closed

H0 - Shelf owner

Closed

H1 - Shop owner

Closed

H2 - Shopping center owner

Closed

OA - Product owner

Closed

KA - Product owner and additional owner of the Active Directory Group

Closed

PA - Additional owner of the Active Directory group

Closed

PG - owners of the requested privileged access request

Closed

BA - Owner of the application

Closed

OX - Owner of the object in any request parameter of the request properties

Related topics

Default approval procedures

Determining approvers via products requested by request parameter

If the object to request is given as a request parameter in the request and the owners of the object are going to be determined as approvers, use the OX approval procedure.

The approval procedure determines the owner (application role) of an object specified in a request parameter to be the approver. The application role is assigned to the object through a foreign key column. The name of the request parameter is given on the approval step and the name of the table column that references the application role. The approval procedure can be used for all products that are assigned a request property that uses this request parameter.

To use the OX approval procedure

Create a multi requestable/unsubscribable resource for use in the IT Shop.
Create a service item for this resource and assign a request property to it.
Define the request parameters for this request property. At least one parameter must have the following settings:
- Parameter name: Name of the parameter
- Data source: Table
- Table column (value query): Object key (XObjectKey) of the table containing the requested objects.
Create an approval workflow with an approval step that uses the OX approval procedure.
- Parameter name: Parameter name of the previously defined request parameter.
- Column name: Name of the column that refers to the application role from the table selected in the request parameter.
Create an approval policy and assign it to the approval workflow.
Assign this approval policy to the service item.

Example: Requesting Microsoft Entra ID role eligibilities

Managers can request Microsoft Entra ID role eligibilities for their employees. When making a request, the specific Microsoft Entra ID role is given as request parameter. Members of the application role assigned to this role as owners are determined as approvers.

One Identity Manager provides the following objects for such requests as default:

A multi requestable/unsubscribable resource: Microsoft Entra ID role eligibility
A service item for this resource to which the Microsoft Entra ID role eligibility request property is assigned
The AADRole request parameter (Microsoft Entra ID role) with the AADRole - XObjectKey column.
The Approval of Microsoft Entra ID role eligibility requests approval policy
The Approval of Microsoft Entra ID role eligibilities approval workflow with the Owner of Microsoft Entra ID role approval step
Approval step properties
- Approval procedure: OX
- Parameter name: AADRole
- Column name: UID_AERoleOwner

The OX approval procedure determines all members of the application role entered in the UID_AERoleOwner column for the Microsoft Entra ID role given in the request.

Related topics

Default approval procedures

Determining special approvers

Special approvers are assigned to various objects in One Identity Manager. Different approval procedures can be used to determine these special approvers as approvers.

Closed

DR - Role approvers of the department given in the request

Closed

DI - Role approvers (IT) of the department given in the request

Closed

PR - Role approvers of the cost center given in the request

Closed

PI - Role approvers (IT) of the cost center given in the request

Closed

RD - Role approvers of the recipient's primary department

Closed

RL - Role approvers of the recipient's primary location

Closed

RO - Role approvers of the recipient's primary business role

Closed

RP - Role approvers of the recipient's primary cost center

Closed

ID - Role approvers (IT) of recipient's department

Closed

IL - Role approvers (IT) of recipient's location

Closed

IO - Role approvers (IT) of the recipient's primary business role

Closed

IP - Role approvers (IT) of recipient's cost center

Closed

BE - Approver of the application entitlement

Closed

OT - Attestor of the service item to assign

Closed

OC - Exception approvers for violated rules

Closed

OH - Exception approver for worst rule violation

Related topics

Default approval procedures

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center