Identity Manager 8.1.4 - IT Shop Administration Guide

Requesting memberships in application roles

You have the option to limit assignment requests to single application roles. To do this, an assignment resource is created for a fixed requestable application role. The application role then automatically becomes part of the assignment resource request. If the request is approved, the requester becomes a member of the application role.

Each requestable application role of this kind can have its own approval process defined. To do this, separate approval policies are assigned to the service items connected with the assignment resources.

To limit assignment requests to single application roles

  1. In the Manager, select an application role in the One Identity Manager Administration category.

  2. Select the Create assignment resource task.

    This starts a wizard, which takes you through adding an assignment resource.

    1. Enter a description and allocate a resource type.

      This creates a new assignment resource with the following custom properties:

      • Table: AERole

      • Object: Full name of application role

    2. Enter the service item properties to allocate to the assignment resource.

      • Assign a service category so that the assignment resource can be ordered in the Web Portal using the service category.

      A new service item is created and linked to the assignment resource.

  3. Assign the assignment resource to an IT Shop shelf as a product.

  4. Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item master data can be processed later on if required.

The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the employee for whom it was requested becomes a member of the associated application role through internal inheritance processes. For more detailed information about requesting assignment resources, see the One Identity Manager Web Portal User Guide.

Customizing assignment requests

Assignment requests with standard products are automatically approved through self-service. If assignment requests are going to be approved by an approval supervisor, assign a suitable approval policy to the default assignment resource. This means that assignment requests also go through the defined approval process.

To approve assignment requests through an approver

  • Assign separate approval policies to the default assignment resources' service items.

    - OR -

  • Assign any approval policy to the Identity Lifecycle shelf.

Sometimes assignment requests should be subject to various approval processes depending on the object requested. For example, a department manager should approve department assignment, but department membership should be approved by the employee’s manager. You can define assignment resources to do this. You can assign these assignment resources to any shelf in your IT Shop.

NOTE: To use these assignment resources, you must make more modifications to the Web Designer configuration.

To configure custom assignment requests

  1. Create a new assignment resource.

    1. In the Manager, select the Entitlements | Assignment resource for IT Shop category.

    2. Click in the result list.

    3. Select the Change master data task.

    4. Enter the assignment resource name.

    5. Assign a new service item.

    6. Save the changes.

  2. Assign the assignment resource to an IT Shop shelf as a product.

    1. Select the Add to IT Shop task.

    2. In the Add assignments pane, assign a shelf.

    3. Save the changes.

  3. Assign an approval policy to the shelf or the assignment resource’s service item.

  4. In the Web Designer, configure usage of the assignment resource.

    For more detailed information, see the One Identity Manager Web Designer Reference Guide.

Preparing for delegation

Delegation is a special type of assignment request. It allows an employee to temporarily pass on responsibilities or a role assignment to another person.

To run delegation in One Identity Manager

  • In the Designer, set the QER | ITShop | Delegation configuration parameter.

Delegations are also subject to a fixed approval process. For delegations, you need a separate Delegation assignment resource. In the standard installation, this already exists as a product in the Identity Lifecycle shop on the Identity Lifecycle shelf.

The following objects in the standard installation can be delegated.

Membership in:

  • Business roles

  • Application roles

Responsibilities for:

  • Departments

  • Cost centers

  • Locations

  • Business roles

  • Employees

  • IT Shop Structures (owner)

TIP: Specify the role classes associated with business roles for which memberships can be delegated. This option is available when the Business Roles Module is installed.

Delegation only takes effect if the delegated membership or responsibility does not yet exist.

Example

Jenny Basset is a member of the Project X business role. She delegates this membership to Jan Bloggs. Jan Bloggs is also a member of this business role. The delegation is saved but is not yet in effect. After Jan Bloggs loses his membership in the business role, the delegation takes effect. This way Jan Bloggs remains a member of the business role. After the delegation is canceled, Jan Bloggs is removed from the business role.

To permit delegation of a role class

  1. Select the Business roles | Basic configuration data | Role classes category.

  2. Select the role class in the result list.

  3. Select the Change master data task.

  4. Set Delegable.

  5. Save the changes.

Use the Web Portal to delegate roles or responsibilities. For detailed information, see the One Identity Manager Web Portal User Guide and the One Identity Manager Business Roles Administration Guide.

Canceling assignments and delegations

Assignments and delegations can, like all other products, be canceled through the Web Portal. You should limit the delegation time period when you make the request. These requests are automatically canceled when the validity period expires. For more detailed information, see the One Identity Manager Web Portal User Guide.
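The delegation behavior described in the example under Preparing for delegation, together with cancellation and validity-period expiry, modeled as an added Python example (not One Identity Manager code). It shows why an access review should look at saved delegations as well as direct memberships: removing a direct membership does not remove access while a dormant delegation exists. The record layout, function names and dates are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Delegation:            # hypothetical record, not a product table
    delegator: str
    delegate: str
    role: str
    valid_until: Optional[date] = None   # None: no time limit was set
    canceled: bool = False

def state(d, direct, today):
    """Classify a delegation as 'closed', 'dormant' or 'in effect'."""
    expired = d.valid_until is not None and today > d.valid_until
    if d.canceled or expired:
        return "closed"
    # Saved but not in effect while the delegate holds the membership directly.
    return "dormant" if (d.delegate, d.role) in direct else "in effect"

def effective_members(role, direct, delegations, today):
    """Direct members plus delegates whose delegation is in effect."""
    members = {p for p, r in direct if r == role}
    members |= {d.delegate for d in delegations
                if d.role == role and state(d, direct, today) == "in effect"}
    return members

def review_findings(direct, delegations, today):
    """Access-review flags: dormant delegations and open ones with no end date."""
    findings = []
    for d in delegations:
        s = state(d, direct, today)
        if s == "dormant":
            findings.append((d.delegate, d.role, "would keep membership after direct removal"))
        if s != "closed" and d.valid_until is None:
            findings.append((d.delegate, d.role, "no validity period"))
    return findings

# Constructed sample data following the example above.
TODAY = date(2024, 5, 1)
DIRECT = {("Jenny Basset", "Project X"), ("Jan Bloggs", "Project X")}
DELEGATION = Delegation("Jenny Basset", "Jan Bloggs", "Project X", date(2024, 6, 30))

if __name__ == "__main__":
    print(state(DELEGATION, DIRECT, TODAY))                      # saved, not in effect
    after_removal = DIRECT - {("Jan Bloggs", "Project X")}
    print(state(DELEGATION, after_removal, TODAY),
          effective_members("Project X", after_removal, [DELEGATION], TODAY))
    canceled = replace(DELEGATION, canceled=True)
    print(effective_members("Project X", after_removal, [canceled], TODAY))
```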
