Identity Manager On Demand - Starling Edition Hosted - IT Shop Administration Guide

Default approval procedures

The following approval procedures are defined to select the responsible approvers by default.

Table 30: Approval procedures for IT Shop requests

| Approval procedure name | Responsible approvers | For more information, see |
|---|---|---|
| BA - Owner of the application | All members of the application role assigned for owners | Using requested products to find approvers |
| BE - Approver of application entitlement | All members of the application roles assigned for approvers and additional approvals | Using requested products to find approvers |
| BR - Back to recipient | Identity that receives the request | Finding requesters |
| BS - Back to requester | Identity that triggers the request | Finding requesters |
| CD - Calculated approval | - | Calculated approval |
| CM - Recipient's manager | Manager | Using request recipients to find approvers |
| CR - Compliance check (simplified) | - | Compliance checking requests |
| D0 - Manager of shelf's department | Manager and deputy manager | Using IT Shop structures to find approvers |
| D1 - Manager of shop's department | Manager and deputy manager | Using IT Shop structures to find approvers |
| D2 - Manager of shopping center's department | Manager and deputy manager | Using IT Shop structures to find approvers |
| DI - Named (IT) approvers of department provided in request | All members of the assigned application role | Using departments to find approvers |
| DM - Manager of recipient's department | Manager and deputy manager | Using request recipients to find approvers |
| DP - Manager of department provided in request | Manager and deputy manager | Using departments to find approvers |
| DR - Named approvers of department provided in request | All members of the assigned application role | Using departments to find approvers |
| EX - Approvals to be made externally | - | Approvals to be made externally |
| H0 - Shelf owner | Owner and deputy | Using IT Shop structures to find approvers |
| H1 - Shop owner | Owner and deputy | Using IT Shop structures to find approvers |
| H2 - Shopping center owner | Owner and deputy | Using IT Shop structures to find approvers |
| ID - Named (IT) approvers of recipient's department | All members of the assigned application role | Using approval roles to find approvers |
| IL - Named (IT) approvers of recipient's location | All members of the assigned application role | Using approval roles to find approvers |
| IO - Named (IT) approvers of recipient's primary role | All members of the assigned application role | Using approval roles to find approvers |
| IP - Named (IT) approvers of recipient's cost center | All members of the assigned application role | Using approval roles to find approvers |
| KA - Product owner and additional owner of the Active Directory Group | Product owner and additional owner of the Active Directory group, if Active Directory groups or group memberships are attested. | Using requested products to find approvers |
| MS - Manager of the requested business role or organization | Manager and deputy of the business role, department, cost center or location requested by assignment request. | Using requested roles to find approvers |
| OA - product owner | All members of the assigned application role | Using requested products to find approvers |
| OC - Exception approver for violated rules | All members of the assigned application role | Finding exception approvers |
| OH - Exception approver for worst rule violation | All members of the assigned application role | Finding exception approvers |
| OM - Manager of a specific role | Manager of the role selected in the approval workflow. | Using specific roles to find approvers |
| OR - Members of a certain role | All identities assigned to a secondary business role. | Using specific roles to find approvers |
| OT - Attestor of assigned service item | All members of the assigned application role | Using requested products to find approvers |
| OX - Owner of the object in any request parameter of the request properties | All members of the application role that is assigned as the owner to the object given in the request parameter. | Using products requested by request parameter to find approvers |
| P0 - Manager of shelf's cost center | Manager and deputy manager | Using IT Shop structures to find approvers |
| P1 - Manager of shop's cost center | Manager and deputy manager | Using IT Shop structures to find approvers |
| P2 - Manager of shopping center's cost center | Manager and deputy manager | Using IT Shop structures to find approvers |
| PA - Additional owner of the Active Directory group | All identities to be found through the additional owner of the requested Active Directory group. | Using requested products to find approvers |
| PG - owners of the requested privileged access request | All identities that can be determined as an owner of the requested privileged access request. | Using requested products to find approvers |
| PI - Named (IT) approvers of cost center provided in request | All members of the assigned application role | Using cost centers to find approvers |
| PM - Manager of recipient's cost center | Manager and deputy manager | Using request recipients to find approvers |
| PP - Manager of cost center provided in request | Manager and deputy manager | Using cost centers to find approvers |
| PR - Named approvers of cost center provided in request | All members of the assigned application role | Using cost centers to find approvers |
| RD - Named approvers of cost center provided in request | All members of the assigned application role | Using approval roles to find approvers |
| RI - Identity's risk index | - | Request risk analysis |
| RL - Named approvers of recipient's location | All members of the assigned application role | Using approval roles to find approvers |
| RO - Named approvers of recipient's primary role | All members of the assigned application role | Using approval roles to find approvers |
| RP - Named approvers of recipient's cost center | All members of the assigned application role | Using approval roles to find approvers |
| SB - Self-service | - | Self-service |
| TO - Target system manager of the requested system entitlement | All members of the assigned application role | Using requested products to find approvers |
| WC - Waiting for further approval | - | Waiting for further approval |

Self-service

Use the SB (self-service) approval procedure to approve requests automatically. You do not have to specify approvers for this approval procedure. A self-service request is always granted immediate approval. Always define an approval workflow with the approval procedure SB as a one-step workflow. That means you cannot set up more approval steps in addition to a self-service approval step.

The approval workflow and the Self-service approval policy are available by default and assigned to the Identity & Access Lifecycle shop.

Using IT Shop structures to find approvers

Use the following approval procedures to establish an IT Shop structure owner, an IT Shop structure department manager or an IT Shop structure cost center manager as approver.

Table 31: Approval procedures for determining approvers for IT Shop structures

| | Approval procedure | Approver |
|---|---|---|
| The IT Shop structure from which the request comes is assigned an owner or a deputy. | H0 | Owner and deputy of the shelf |
| | H1 | Owner and deputy of the shop |
| | H2 | Owner and deputy of the shopping center |
| A department is assigned to the IT Shop structure from which the request is made. The department is assigned a manager or a deputy manager. | D0 | Manager and deputy manager of the department's shelf |
| | D1 | Manager and deputy manager of the department's shop |
| | D2 | Manager and deputy manager of the department's shopping center |
| A cost center is assigned to the IT Shop structure from which the request is made. The cost center is assigned a manager or a deputy manager. | P0 | Manager and deputy manager of the cost center's shelf |
| | P1 | Manager and deputy manager of the cost center's shop |
| | P2 | Manager and deputy manager of the cost center's shopping center |

Using request recipients to find approvers

Use the following approval procedure if you want the manager of the request recipient to be the approver.

Table 32: Approval procedures for determining approvers for request recipients

| | Approval procedure | Approver |
|---|---|---|
| The request recipient is assigned a manager. | CM | Request recipient's manager |
| The request recipient is assigned to a department. The department is assigned a manager or a deputy manager. | DM | Manager and deputy manager of the request recipient's department. |
| The request recipient is assigned a cost center. The cost center is assigned a manager or a deputy manager. | PM | Manager and deputy manager of the request recipient's cost center. |
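
An added example, not part of the One Identity documentation or product code: a small Python model of the prerequisites in Tables 31 and 32 and of the one-step rule for SB, which reports workflow steps for which no approver can be resolved. The classes, field names and sample identities are assumptions made for illustration; what the product does when no approver is found is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed model for illustration; not One Identity Manager's schema or API.
@dataclass
class Unit:                      # a department or a cost center
    manager: str | None = None
    deputy: str | None = None

@dataclass
class Node:                      # a shelf, shop or shopping center
    owner: str | None = None
    deputy: str | None = None
    department: Unit | None = None
    cost_center: Unit | None = None

@dataclass
class Recipient:
    manager: str | None = None
    department: Unit | None = None
    cost_center: Unit | None = None

LEVEL = {"0": "shelf", "1": "shop", "2": "shopping center"}
SUPPORTED = {k + n for k in "HDP" for n in "012"} | {"CM", "DM", "PM"}

def _people(*names):
    return {n for n in names if n}

def approvers(code, structures, recipient):
    """Resolve one procedure code from Tables 31 and 32 to a set of approvers."""
    if code not in SUPPORTED:
        raise ValueError(f"procedure {code} is not modelled here")
    if code == "CM":
        return _people(recipient.manager)
    node = recipient if code[1] == "M" else structures[LEVEL[code[1]]]
    if code[0] == "H":
        return _people(node.owner, node.deputy)
    unit = node.department if code[0] == "D" else node.cost_center
    return _people(unit.manager, unit.deputy) if unit else set()

def audit(steps, structures, recipient):  # steps: ordered list of procedure codes
    findings = ["SB must be a one-step workflow"] if "SB" in steps and len(steps) > 1 else []
    return findings + [f"{c}: no approver can be resolved" for c in steps
                       if c != "SB" and not approvers(c, structures, recipient)]

# Constructed sample: the shop has no owner, the recipient's department has no manager.
STRUCTURES = {"shelf": Node(owner="alice", deputy="bob"),
              "shop": Node(department=Unit(manager="carol")),
              "shopping center": Node(cost_center=Unit(manager="dave", deputy="erin"))}
RECIPIENT = Recipient(manager="frank", department=Unit())
```

Calling `audit(["H0", "H1", "DM", "SB"], STRUCTURES, RECIPIENT)` reports the SB rule violation and the two steps (H1, DM) whose prerequisites from the tables are not met.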
