
Identity Manager 8.1.4 - IT Shop Administration Guide


Creating assignment requests

You can create assignment requests for existing company resource assignments to hierarchical roles and for memberships of employees, devices, or workdesks in hierarchical roles. The following methods are available.

Table 20: Methods for transforming direct assignments into assignment requests

Method: CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName)
Description: Creates an assignment request from an assignment or membership. This method can be applied to all tables which cannot be used to find a UID_Person.

Method: CreateITShopOrder (string uidOrgProduct, string uidWorkdeskOrdered, string uidPersonOrdered, string CustomScriptName)
Description: Creates an assignment request from an assignment or membership and, in addition, saves a UID_WorkdeskOrdered with the request procedure.

Prepare the IT Shop accordingly in order to create the requests.

To create assignment requests from direct assignment to hierarchical roles and role memberships

  1. Select an assignment resource from the IT Shop | Identity & Access Lifecycle | Shelf: Identity Lifecycle shelf.

    • Pass the product's UID_ITShopOrg as the uidOrgProduct parameter to the method.

  2. Select an employee from the customer node of the IT Shop | Identity & Access Lifecycle shop as a requester for the assignment request.

    • Pass this employee's UID_Person as a uidPersonOrdered parameter to the method.

  3. (Optional): Create a script that populates other properties of the requests.

    • Pass the script name as a CustomScriptName parameter to the method.

  4. Create a script to run the CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName) method for the affected tables.

TIP: You can also create your own assignment resource and assign it to a shelf in any shop. Select an employee as requester for the assignment request from this shop's customer node. For more information, see Customizing assignment requests.

One Identity Manager creates assignment requests from existing assignments to hierarchical roles as follows:

  1. Determine the hierarchical roles and their assigned company resources and employees (employees, devices, or workdesks).

  2. Determine the requester from the uidPersonOrdered parameter.

  3. Determine the assignment resource from the uidOrgProduct parameter.

  4. Determine shops assigned to the assignment resource and requester.

  5. Create the requests with initial data.

  6. Execute custom scripts.

  7. Save the requests (entry in the PersonWantsOrg table).

  8. Transform direct company resource assignments to hierarchical roles into indirect assignments to workdesks (for example, in the DepartmentHasQERResource table). Transform direct company memberships to hierarchical roles into indirect memberships (for example, in the PersonInDepartment table).

If the assignment request is to be created for a workdesk, pass the method the workdesk's UID_WorkDesk as uidWorkdeskOrdered parameter. The method saves this UID as UID_WorkdeskOrdered in the request (PersonWantsOrg table).


Adding Active Directory and SharePoint groups to the IT Shop automatically

Table 21: Configuration parameters for automatically adding groups to the IT Shop

Configuration parameter / Description

QER | ITShop | GroupAutoPublish

Preprocessor-relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to this parameter require the database to be recompiled.

In effect in modules: SharePoint Module, Active Directory Module, Active Roles Module

QER | ITShop | GroupAutoPublish | ADSGroupExcludeList

This configuration parameter contains a list of all Active Directory groups for which automatic IT Shop assignment should not take place. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

In effect in modules: Active Directory Module, Active Roles Module
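The ADSGroupExcludeList value above is a pipe-delimited list of regular expressions, and a pattern that is too narrow leaves privileged groups requestable in the IT Shop. The following added example (not part of the guide or of One Identity Manager) splits the list the way the parameter is written, applies it to a constructed set of group names, and reports the names whose result depends on whether each pattern is anchored to the whole name or searched anywhere in it, since the page does not state which anchoring applies.

```python
import re

# Value of QER | ITShop | GroupAutoPublish | ADSGroupExcludeList, taken from the guide.
ADS_GROUP_EXCLUDE_LIST = ".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"

# Constructed sample of Active Directory group names (not from the guide).
SAMPLE_GROUPS = [
    "Domain Admins",
    "Administrators",
    "Exchange Organization Management",
    "Backup Operators",
    "IIS_IUSRS",
    "Sales",
    "Legacy Exchange Users",
    "SQLAdminsOld",
]


def split_exclude_list(value):
    """Split the pipe-delimited parameter into individual patterns.
    Empty entries (for example from a trailing '|') are dropped."""
    return [p.strip() for p in value.split("|") if p.strip()]


def classify(group_names, exclude_list, full_match=True):
    """Return (excluded, published) for the given group names.

    full_match=True anchors each pattern to the whole name (re.fullmatch);
    full_match=False matches anywhere in the name (re.search). Which one the
    product applies is an assumption; both are offered so the difference is visible.
    """
    patterns = [re.compile(p) for p in split_exclude_list(exclude_list)]
    excluded, published = [], []
    for name in group_names:
        hit = any((pat.fullmatch(name) if full_match else pat.search(name))
                  for pat in patterns)
        (excluded if hit else published).append(name)
    return excluded, published


def anchoring_sensitive(group_names, exclude_list):
    """Names excluded only under search semantics: these are the entries to
    verify against the real group list before enabling GroupAutoPublish."""
    strict, _ = classify(group_names, exclude_list, full_match=True)
    loose, _ = classify(group_names, exclude_list, full_match=False)
    return sorted(set(loose) - set(strict))
```

Run against an export of the real group names, any name reported by anchoring_sensitive is one that the pattern covers only if the product uses unanchored matching, so it is safer to tighten the pattern than to rely on that.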

TargetSystem | ADS | ARS_SSM

Preprocessor-relevant configuration parameter for controlling the database model components for Active Roles Self-Service Management in the One Identity Manager IT Shop. If the parameter is set, Self-Service Management components are available. Changes to this parameter require recompilation of the database.

In effect in module: Active Roles Module

To add groups automatically to the IT Shop

  1. In the Designer, set the configuration parameter for automatically adding groups to the IT Shop depending on existing modules.

  2. Compile the database.

The groups are added automatically to the IT Shop from now on.

  • Synchronization ensures that the groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor.

  • New groups created in One Identity Manager are added to the IT Shop.

The following steps are run to add a group to the IT Shop.

  1. A service item is determined for the group.

    The service item is tested and modified for each group as required. The service item name corresponds to the name of the group. The service item is assigned to one of the default service categories.

    • The service item is modified for groups with service items.

    • Groups without service items are allocated new service items.

  2. An application role for product owners is determined and the service item is assigned. Product owners can approve requests for membership in these groups. By default, the group's account manager or owner is established as the product owner.

    NOTE: The application role for the product owner must be added under the Request & Fulfillment | IT Shop | Product owner application role.

    • If the account manager or owner of the group is already a member of an application role for product owners, this application role is assigned to the service item. Therefore, all members of this application role become product owners of the group.

    • If the account manager or owner of the group is not yet a member of an application role for product owners, a new application role is created. The name of the application corresponds to the name of the account manager or owner.

      • If the account manager or owner is a user account, the user account's employee is added to the application role.

      • If it is a group of account managers or owners, the employees of all this group's user accounts are added to the application role.

    • If the group does not have an account manager or owner, the Request & Fulfillment | IT Shop | Product owner | Without owner in AD/SharePoint default application role is used.

  3. The group is labeled with the IT Shop option and assigned to the Active Directory Groups or SharePoint Groups IT Shop shelf in the Identity & Access Lifecycle shop.

Then the shop customers can request group memberships through the Web Portal.

NOTE: When a One Identity Manager group is irrevocably deleted from the database, the associated service item is also deleted.

Deleting unused application roles for product owners

The list of product owner application roles can quickly become confusing when groups are automatically added to the IT Shop. This is because an application role is added for each account manager. These application roles are no longer required when groups are deleted.

Redundant application roles for product owners can be deleted through a scheduled process task. This deletes from the database all application roles for which the following applies:

  • The parent application role is Request & Fulfillment | IT Shop | Product owner.

  • The application role is not assigned to a service item.

  • The application role is not assigned to a service category.

  • The application role does not have members.

To delete application roles automatically

  • In the Designer, configure and enable the Cleans up application role "Request & Fulfillment | IT Shop | Product owners" schedule.


Adding Privileged Account Management user groups to the IT Shop automatically

Using the following steps, you can add local PAM user groups to the IT Shop automatically. Synchronization ensures that the user groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor.

NOTE: Directory groups are not added to the IT Shop automatically.

To add local PAM user groups to the IT Shop automatically

  1. In the Designer, set the QER | ITShop | PAGUsrGroupAutoPublish configuration parameter.

    From this time on, local PAM user groups are added to the IT Shop automatically.

  2. In order not to add local PAM user groups to the IT Shop automatically, in the Designer, set the QER | ITShop | PAGUsrGroupAutoPublish | PAGUsrGroupExcludeList configuration parameter.

    This configuration parameter contains a listing of all PAM user groups that should not be allocated to the IT Shop automatically.

    You can extend this list if required. To do this, enter the name of the user groups in the configuration parameter using a pipe (|) delimited list.

  3. Assign the employees that are allowed to make approval decisions about local user group requests to the Request & Fulfillment | IT Shop | Product owners | PAM user groups application role.

    The Approval of PAM user group membership requests approval policy establishes product owners of the user groups as approvers. If no product owners are found, the requests are presented to the target system managers for approval.

The following steps are executed to add a local PAM user group to the IT Shop automatically.

  1. A service item is determined for the user group.

    The service item is tested for each user group and modified as required. The service item name corresponds to the name of the group.

    • The service item is modified for groups with service items.

    • Groups without service items are allocated new service items.

  2. The service item is assigned to the PAM user groups service category by default.

  3. The Request & Fulfillment | IT Shop | Product owners | PAM user groups application role is assigned to the service item as the product owner.

  4. The user group is labeled with the IT Shop option and assigned to the PAM user groups IT Shop shelf in the Identity & Access Lifecycle shop.

Then the shop customers can request group memberships through the Web Portal.
