立即与支持人员聊天
与支持团队交流

Identity Manager 8.1.4 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests and delegating Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding Active Directory and SharePoint groups to the IT Shop automatically Adding Privileged Account Management user groups to the IT Shop automatically
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Cancel request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates
Resolving errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Using multi-factor authentication for requests

Multi-factor authentication can be implemented for requests as well as for request approvals.

Once the Approval by multi-factor authentication option is enabled for a service item, a security code is requested in every decision step of the approval process. This means that every approver who makes approval decisions about this product must have a Starling 2FA token.

To enable the requester to use multi-factor authentication, you can assign terms of use to the service item, as well. The requester must enter the security code when they confirm the terms of use. The request recipient must also enter a security code if the approval workflow is accordingly configured. For more information, see Approving requests with terms of use.

Table 16: Variations of multi-factor authentication for making requests in the IT Shop

Active approval policy

Terms of use

Security code is requested from

Requester

Approver

Self-service

None

 

 

Self-service

Assigned

x

 

No self-service

None

 

x

No self-service

Assigned

x

x

Related topics

Assignment requests and delegating

You can also use One Identity Manager to request hierarchical roles, like departments, or business roles, through the IT Shop and assign them to employees, devices, and workdesks. This allows any number of assignments to be made through IT Shop requests. The advantage of this method is that any assignments can be authorized using an approval process. Assignment renewals and assignment recall are also subject to an approval process in the same way. The request history makes it possible to follow which assignments were requested, renewed, or canceled, why, when, and by whom.

Managers of hierarchical roles can make assignment requests for their roles.

Delegation is a special type of assignment request. This allows an employee to pass on a role assignment to another person for a limited period of time. Delegations are also subject to a fixed approval process.

Hierarchical role managers can view the role assignment requests they manage in the Web Portal. Use the QER | ITShop | ShowClosedAssignmentOrders configuration parameter to specify whether all assignment requests are displayed or only open ones. By default, pending as well as closed assignment requests are displayed.

To only display a manager's pending assignment requests in the Web Portal

  • Disable the QER | ITShop| ShowClosedAssignmentOrders configuration parameter in the Designer.

Standard products for assignment requests and delegation

You require special resources for assignment requests and delegation, also called assignment resources. Assignment resources are linked to service items and can thus be made available as products in the IT Shop.

One Identity Manager provides standard products for assignment requests and delegation. These are used to:

  • Request membership in business roles or organizations for which the logged-in One Identity Manager user is responsible.

  • Order assignments of system entitlements or other company resources to business roles or organizations for which the logged in One Identity Manager user is responsible.

  • Delegate responsibilities or memberships in hierarchical roles.

Table 17: Standard products for assignment requests and delegation

Assignment resource

Service item

Shop | Shelf

Request

Members in roles

Members in roles

Identity & Access Lifecycle | Identity Lifecycle

Memberships in business roles, application roles and organizations

Role entitlement assignments

Role entitlement assignments

Assignment of company resources to business roles and organizations

Delegation

Delegation

Delegations

In the default installation, all active One Identity Manager database employees are customers of the Identity & Access Lifecycle shop. This allows all active employees to request memberships and assignments or delegate roles. Assignment requests with default products are automatically approved through self-service and delegation.

You can add default products for assignment requests and delegations to your own IT Shop.

Assignments can only be requested from and for customers of this shop. This means, the manager of the hierarchical roles as well as the employees that are also members of these roles, must be customers in the shop. The same applies to delegation.

TIP: Assignment requests can also be made for custom assignment tables (many-to-many tables), if they have an XOrigin column. The properties for this column must correspond to the column definition for XOrigin columns in the One Identity Manager data model.
Example for an assignment request

Clara Harris is the project X project leader. A business role (Project X) is added in the Manager to ensure that all the project staff obtain the necessary entitlements. Clara Harris is assigned as manager of this business role. All project staff have a user account in the Active Directory domain P.

Clara Harris can request memberships in the Project X business role in the Web Portal because she is a manager. Clara Harris requests memberships for herself and all project staff.

Furthermore, Clara Harris wants all project staff to obtain their entitlements in Active Directory through the Project X AD permissions Active Directory group. To this, she requests Project X AD permissions in the Web Portal for the Project X business role.

The user accounts of all project staff become members in the Project X AD permissions Active Directory group through internal inheritance processes.

For more detailed information, see the One Identity Manager Web Portal User Guide.

Detailed information about this topic
Related topics

Requesting memberships in business roles

Installed modules: Business Roles Module

You have the option to limit assignment requests to single business roles. To do this, an assignment resource is created for a fixed requestable business role. The business role is automatically part of the request in an assignment resource request. If the request has been approved, the requester becomes a member of the application role.

Each requestable business role of this kind can have its own approval process defined. The service items connected with the assignment resources are assigned separate approval policies in order to do this.

To limit assignment requests to single business roles

  1. In the Manager, select Business roles | <role class> category.

  2. Select the business role in the result list.

  3. Select the Create assignment resource task.

    This starts a wizard that takes you through the steps for adding an assignment resource.

    1. Enter a description and allocate a resource type.

      This creates a new assignment resource with the following custom properties:

      • Table: Org

      • Object: Full name of business role

    2. Enter the service item properties to allocate to the assignment resource.

      • Assign a service category so that the assignment resource in the Web Portal can be ordered using the service category.

      A new service item is created and linked to the assignment resource.

  4. Assign the assignment resource to an IT Shop shelf as a product.

  5. Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item master data can be processed later on if required.

The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the employee for whom it was requested becomes a member of the associated business role through internal inheritance processes. For more detailed information about requesting assignment resources, see the One Identity Manager Web Portal User Guide.

The assignment resource cannot be used to request the assignment of company resources to this business role. Instead, use the Role entitlement assignment default assignment resource.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级