立即与支持人员聊天
与支持团队交流

Identity Manager 8.2.1 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Creating user account requests

To assign user accounts to employees, use One Identity Manager account definitions. You can request matching account definitions for existing user accounts linked to the employees through the IT Shop. To create these requests, you can use CreateITShopOrder (string CustomScriptName). This method can be used for all user account tables (for example, ADSAccount or SAPUser) and for the ADSContact, EX0MailBox, EX0MailContact, and EX0MailUser.

Prepare the IT Shop accordingly in order to create the requests.

To create requests for user accounts

  1. Create an account definition for the target system. Assign the account definition to the target system.

    This account definition is used for all user accounts where no account definition is entered. You can miss out this step if all the user accounts are already assigned an account definition.

  2. Prepare the account definition for use in the IT Shop.

  3. Assign the account definition to a shelf in the IT Shop.

  4. Link the user accounts to an employee, if there is no employee already linked.

  5. Add employee as customers to shops to which the account definition is assigned as product.

  6. (Optional): Create a script that populates other properties of the requests.

    • Pass the script name as a CustomScriptName parameter to the task.

  7. Create a script that runs the method for the tables affected.

One Identity Manager creates requests for user accounts in the following way:

  1. Determine the valid account definition.

    If an account definition is already assigned to the user account, it will be used. Otherwise, the account definition of the target system is used.

  2. Determine the affected employees.

  3. Determine the shops to which employees and the account definition are assigned.

  1. Create the requests with initial data.
  2. Run custom scripts.
  3. Save the requests (entry in the PersonWantsOrg table).
  1. Assign employees to the product structure (entry in PersonInITShopOrg table).

  2. Transform any possible direct account definition assignments to indirect assignments (entry in PersonHasTSBAccountDef table).

Related topics

Creating workdesk requests

Requests for workdesks are created with CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName). Prepare the IT Shop such that requests can be created.

To create requests from assignments to workdesks

  1. Prepare the company resources (software, system role, or driver) for use in the IT Shop.

  2. Assign the company resources to a shelf in the IT Shop.

  3. Select an employee as requester for the assignment to workdesks.

    • Pass this employee's UID_Person as a uidPerson parameter to the task.

  4. Add the selected employee as a customer to the shops to which the company resources are assigned as products.

  5. (Optional): Create a script that populates other properties of the requests.

    • Pass the script name as a CustomScriptName parameter to the task.

  6. Create a script to run CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName) for the affected tables.

One Identity Manager creates requests for workdesk requests in the following way:

  1. Determine workdesks and their assigned company resources.

  2. Determine requester from the uidPerson parameter.

  3. Determine shops assigned to company resources and requester.

  1. Create the requests with initial data.
  2. Run custom scripts.
  3. Save the requests (entry in the PersonWantsOrg table).
  1. Assign employees to the product structure (entry in PersonInITShopOrg table).

  2. Transform direct company resource assignments into indirect assignments to workdesks (for example, in the WorkDeskHasApp table).

TIP: To create an employee who can be used as a requester when creating a workstation, set the Hardware | Workdesk | WorkdeskAutoPerson configuration parameter in the Designer. The following properties are used for the employee object:

  • Last name: Name of the workdesk (Ident_Workdesk)

  • First name: Machine

  • Identity type: Machine identity (Machine)

When the workstation is deleted, the associated employee object is also deleted.

Related topics

Creating assignment requests

You can create assignment requests for existing company resource assignments to hierarchical roles and for memberships of employees, devices, or workdesks in hierarchical roles. The following methods are available.

Table 24: Methods for transforming direct assignments into assignment requests

Method

Description

CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName)

Creates an assignment request from an assignment or membership. This method can be applied to all tables which cannot be used to find a UID_Person.

CreateITShopOrder (string uidOrgProduct, string uidWorkdeskOrdered, string uidPersonOrdered, string CustomScriptName)

Creates an assignment request from an assignment or membership and, in addition, saves a UID_WorkdeskOrdered with the request procedure.

Prepare the IT Shop accordingly in order to create the requests.

To create assignment requests from direct assignment to hierarchical roles and role memberships

  1. From the IT Shop > Identity & Access Lifecycle > Shelf: Identity Lifecycle shelf, select an assignment resource.

    • Pass the product's UID_ITShopOrg as the uidOrgProduct parameter to the method.

  2. From the customer node of the IT Shop | Identity & Access Lifecycle shop, select an employee as a requester for the assignment request.

    • Pass this employee's UID_Person as a uidPersonOrdered parameter to the method.

  3. (Optional): Create a script that populates other properties of the requests.

    • Pass the script name as a CustomScriptName parameter to the method.

  4. Create a script to run the CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName) method for the affected tables.

TIP: You can also create your own assignment resource and assign it to a shelf in any shop. Select an employee as requester for the assignment request from this shop's customer node. For more information, see Customizing assignment requests.

One Identity Manager creates assignment requests from existing assignments to hierarchical roles as follows:

  1. Determine the hierarchical roles and their assigned company resources and employees (employees, devices, or workdesks).

  2. Determine the requester from the uidPersonOrdered parameter.

  3. Determine the assignment resource from the uidOrgProduct parameter.

  4. Determine shops assigned to the assignment resource and requester.

  1. Create the requests with initial data.
  2. Run custom scripts.
  3. Save the requests (entry in the PersonWantsOrg table).
  1. Transform direct company resource assignments to hierarchical roles into indirect assignments to workdesks (for example, in the DepartmentHasQERResource) table. Transform direct company memberships to hierarchical roles into indirect memberships (for example, in the PersonInDepartment) table.

If the assignment request is to be created for a workdesk, pass the method the workdesk's UID_WorkDesk as uidWorkdeskOrdered parameter. The method saves this UID as UID_WorkdeskOrdered in the request (PersonWantsOrg table).

Detailed information about this topic
Related topics

Adding system entitlements automatically to the IT Shop

The following steps can be used to automatically add system entitlements to the IT Shop. Synchronization ensures that the system entitlements are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor. New system entitlements created in One Identity Manager also are added automatically to the IT Shop.

To add system entitlements automatically to the IT Shop

  1. In the Designer, set the configuration parameter for automatically adding system entitlements to the IT Shop depending on existing modules.

    Example: QER | ITShop | AutoPublish | ADSGroup and QER | ITShop | AutoPublish | ADSGroup | ExcludeList

  2. Compile the database.

The system entitlements are added automatically to the IT Shop from now on.

The following steps are run to add a system entitlement to the IT Shop.

  1. A service item is determined for the system entitlement.

    The service item is tested for each system entitlement and modified if necessary. The name of the service item corresponds to the name of the system entitlement.

    • The service item is modified if the system entitlement has a service item.

    • System entitlements without a service item are allocated a new service item.

  2. The service item is assigned to one of the default service categories.

  3. An application role for product owners is determined and the service item is assigned. For more information, see the administration manuals for the respective target system connection.

    Product owners can approve requests for membership in these system entitlements.

  4. The system entitlement is labeled with the IT Shop option and assigned to the corresponding IT Shop shelf in the Identity & Access Lifecycle shop.

Subsequently, the shop's customers can request memberships in system entitlement through the Web Portal.

NOTE: When a system entitlement is irrevocably deleted from the One Identity Manager database, the associated service item is also deleted.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级