立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Canceling requests

Assignments, like all other products, can be canceled through Web Portal or requested for a limited time period. These requests are automatically canceled when the validity period expires. For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Detailed information about this topic

Removing customers from a shop

If a customer has requested assignment through a shop and later they are removed from the shop, then the assignment request is closed and the assignment is revoked. In this case, however, assignments to roles should be retained if required.

To prevent the assignment from being revoked

  1. In the Designer, set the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU configuration parameter.

  2. (Optional) Enable the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback configuration parameter in the Designer.

    • In the Value field, enter the UID_Person of the identity that should be used as the fallback if no other request recipient can be found.

      This identity must be a customer in all shops in which which assignments can be requested.

  3. Save the changes.
  4. In the Manager, select the Entitlements > Assignment resources for IT Shop category.

  5. In the result list, select an assignment resource and select the Change main data task.

  6. Set the Keeps requested assignment resource option.

  7. Save the changes.

This option is enabled by default for the Role entitlement assignment default assignment resource. These configuration parameters are disabled by default.

If this option is enabled and the request recipient is removed from the customer node, then the request is updated according to the following rules:

  1. If the service item

    • Has the Retain service item assignment on relocation option set
    • The request recipient and service item are available in another shop

    The assignment request is transferred into this shop. The request recipient remains the same.

  2. If by doing this the request recipient does not remain the same, then a new request recipient is determined.

    1. The manager of the business role or organization that has been requested (PersonWantsOrg.ObjectKeyOrgUsedInAssign).

    2. A member of the business role or organization that has been requested.

    3. A member of the chief approval team.

    4. The identity given in the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback configuration parameter.

These rules are applied in the order given. The identity that is found must be a customer in the shop.

If no authorized approver can be found or the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU configuration parameter is disabled, then the assignment request is converted into a direct assignment. If direct assignment for the assigned product is not permitted to the requested business role or organization, the request is canceled and the assignment is removed.

NOTE: This option does not influence membership requests in roles or delegation.

Membership assignments are not removed, if the requester is removed from the customer node. They are removed when the recipient of the assignment request is deleted from the customer node.

Delegation ends when the delegate is deleted from the customer node.

Related topics

Setting up assignment resources

To edit an assignment resource

  1. In the Manager, select the Entitlements > Assignment resources for IT Shop category.

  2. In the result list, select an assignment resource and run the Change main data task.

  3. Edit the assignment resource's main data.

  4. Save the changes.

To create an assignment resource

  1. In the Manager, select the Entitlements > Assignment resources for IT Shop category.

  2. Click in the result list.

  3. Edit the assignment resource's main data.

  4. Save the changes.
Detailed information about this topic

General main data for assignment resources

Enter the following main data of an assignment resource.

Table 19: Main data for an assignment resource
Property Description

Assignment resource

Name for the assignment resource.

Resource type

Resource type for grouping assignment resources.

For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

IT Shop

Specifies whether the assignment resource can be requested through the IT Shop. The assignment resource can be requested through the Web Portal and allocated by defined approval processes.

This option cannot be disabled.

Only for use in IT Shop

Specifies whether the assignment resource can be requested through the IT Shop. The assignment resource can be requested through the Web Portal and allocated by defined approval processes. The assignment resource cannot be directly assigned to roles outside the IT Shop.

This option cannot be disabled.

Service item

Service item through which you can request the assignment resource in the IT Shop. Assign an existing service item or add a new one.

Table

Table where the assignment should be made.

Assignment requests can be limited to a specific hierarchical role. Choose the table from which the role should be selected.

Object

Specific hierarchical role that identities can request. Only one assignment resource can be created per role.

Description

Text field for additional explanation.

Risk index

Value for evaluating the risk of assigning the assignment resource to identities. Set a value in the range 0 to 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

For more information, see the One Identity Manager Risk Assessment Administration Guide.

Requested assignments remain intact.

If this option is set, requested role assignments are converted into direct assignments if the request recipient is removed from the customer node of the associate shops.

The option can only be edited as long as there is a request has not been assigned with this assignment resource.

Spare field no. 01 ... Spare field no. 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Detailed information about this topic
Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级