立即与支持人员聊天
与支持团队交流

Identity Manager 8.1.4 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests and delegating Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding Active Directory and SharePoint groups to the IT Shop automatically Adding Privileged Account Management user groups to the IT Shop automatically
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining the effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Cancel request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Templates for automatically filling the IT Shop Custom mail templates for notifications Request templates
Resolving errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Default approval workflows

One Identity Manager provides approval workflows by default. These approval workflows are used in the Identity & Access Lifecycle shop approval processes. Each default approval workflow is linked to a default approval policy. You can edit different properties of the approval step, for example, to configure notifications in the request process.

To edit default approval workflows

  • In the Manager, select the IT Shop | Basic configuration data | Approval workflows | Predefined category.

Determining the effective approval policies

You can apply approval policies to different IT Shop structures and service items. If you have several approval policies within your IT Shop, which policy is to be used is based on the rules that are specified.

Effective approval policies are defined in the following way:

  1. The effective approval policy is the one assigned to the requested service item.

  2. If there is no approval policy assigned to the service item, the approval policy from the service category is used.

  3. If there is no approval policy assigned to the service item, the approval policy assigned to the requested product’s shelf is used.

  4. If there is no approval policy assigned to the shelf, one of the approval policies assigned to the shop is used.

  5. If there is no approval policy assigned to the shop, one of the approval policies assigned to the shopping center is used.

An approval policy found by one of these methods is applied under the following conditions:

  • The approval policy is not assigned a role type.

    - OR -

  • The assigned role type corresponds to the shelf role type.

If more several effective approval policies are identified by the rules, the effective approval policy is determined by the following criteria (in the given order).

  1. The approval policy has the highest priority (alphanumeric sequence).

  2. The approval policy has the lowest number of approval steps.

  3. The first approval policy found is taken.

If no approval policy can be found, a request cannot be started. If no approver can be determined for one level of an approval policy, the request can be neither approved nor denied. Pending requests are rejected and closed. Canceled products remain assigned. Products for renewal remain assigned until the valid until date is reached.

NOTE: If an approval workflow for pending requests changes, you must decide how to proceed with these requests. Configuration parameters are used to define the desired procedure.

For more information, see Changing approval workflows of pending requests.

Selecting responsible approvers

One Identity Manager can make approvals automatically in an approval process or through approvers. An approver is an employee or a group of employees who can grant or deny approval for a request (renewal or cancelation) within an approval process. It takes several approval procedures to grant or deny approval. You specify in the approval step which approval procedure should be used.

If several people are determined to be approvers by an approval procedure, the number given in the approval step specifies how many people must approve the step. Only then is the request presented to the approvers in the next approval level. The request is aborted if an approver cannot be found for an approval step.

One Identity Manager provides approval procedures by default. You can also define your own approval procedures.

The DBQueue Processor calculates which employee is authorized as an approver and in which approval level. Take into account the special cases for each approval procedure when setting up the approval workflows to determine those authorized to grant approval.

Default approval procedures

The following approval procedures are defined to select the responsible approvers by default.

Table 29: Approval procedures for IT Shop requests

Approval procedure name

Responsible approvers

BR - Back to recipient

Employee who receives the request

For more information, see Finding requesters.

BS - Back to requester

Employee who trigger the request

For more information, see Finding requesters.

CD - Calculated approval

-

For more information, see Calculated approval.

CM - Recipient's manager

Manager

For more information, see Using request recipients to find approvers.

CR - Compliance check (simplified)

-

For more information, see Compliance checking requests.

D0 - Manager of shelf's department

Manager and deputy manager

For more information, see Using IT Shop structures to find approvers.

D1 - Manager of shop's department

Manager and deputy manager

For more information, see Using IT Shop structures to find approvers.

D2 - Manager of shopping center's department

Manager and deputy manager

For more information, see Using IT Shop structures to find approvers.

DI - Named (IT) approvers of department provided in request

All members of the assigned application role

For more information, see Using departments to find approvers.

DM - Manager of recipient's department

Manager and deputy manager

For more information, see Using request recipients to find approvers.

DP - Manager of department provided in request

Manager and deputy manager

For more information, see Using departments to find approvers.

DR - Named approvers of department provided in request

All members of the assigned application role

For more information, see Using departments to find approvers.

EX - Approvals to be made externally

-

For more information, see Approvals to be made externally.

H0 - Shelf owner

Owner and deputy

For more information, see Using IT Shop structures to find approvers.

H1 - Shop owner

Owner and deputy

For more information, see Using IT Shop structures to find approvers.

H2 - Shopping center owner

Owner and deputy

For more information, see Using IT Shop structures to find approvers.

ID - Named (IT) approvers of recipient's department

All members of the assigned application role

For more information, see Using approval roles to find approvers.

IL - Named (IT) approvers of recipient's location

All members of the assigned application role

For more information, see Using approval roles to find approvers.

IO - Named (IT) approvers of recipient's primary role

All members of the assigned application role

For more information, see Using approval roles to find approvers.

IP - Named (IT) approvers of recipient's cost center

All members of the assigned application role

For more information, see Using approval roles to find approvers.

MS - Manager of the requested business role or organization

Manager and deputy of the business role, department, cost center or location requested by assignment request.

For more information, see Using requested roles to find approvers.

OA - product owner

All members of the assigned application role

For more information, see Using requested products to find approvers.

OC - Exception approver for violated rules

All members of the assigned application role

For more information, see Finding exception approvers .

OH - Exception approver for worst rule violation

All members of the assigned application role

For more information, see Finding exception approvers .

OM - Manager of a specific role

Manager of the role selected in the approval workflow.

For more information, see Using specific roles to find approvers.

OR - Members of a certain role

All employees assigned to a secondary business role.

For more information, see Using specific roles to find approvers.

P0 - Manager of shelf's cost center

Manager and deputy manager

For more information, see Using IT Shop structures to find approvers.

P1 - Manager of shop's cost center

Manager and deputy manager

For more information, see Using IT Shop structures to find approvers.

P2 - Manager of shopping center's cost center

Manager and deputy manager

For more information, see Using IT Shop structures to find approvers.

PA - Additional owner of the Active Directory group

All employees to be found through the additional owner of the requested Active Directory group.

For more information, see Using requested products to find approvers.

PG - owners of the requested privileged access request

All employees who can be determined as an owner of the requested privileged access request.

For more information, see Using requested products to find approvers.

PI - Named (IT) approvers of cost center provided in request

All members of the assigned application role

For more information, see Using cost centers to find approvers.

PM - Manager of recipient's cost center

Manager and deputy manager

For more information, see Using request recipients to find approvers.

PP - Manager of cost center provided in request

Manager and deputy manager

For more information, see Using cost centers to find approvers.

PR - Named approvers of cost center provided in request

All members of the assigned application role

For more information, see Using cost centers to find approvers.

RD - Named approvers of cost center provided in request

All members of the assigned application role

For more information, see Using approval roles to find approvers.

RI - Employee's risk index

-

For more information, see Request risk analysis.

RL - Named approvers of recipient's location

All members of the assigned application role

For more information, see Using approval roles to find approvers.

RO - Named approvers of recipient's primary role

All members of the assigned application role

For more information, see Using approval roles to find approvers.

RP - Named approvers of recipient's cost center

All members of the assigned application role

For more information, see Using approval roles to find approvers.

SB - Self-service

-

For more information, see Self-service.

TO - Target system manager of the requested system entitlement

All members of the assigned application role

For more information, see Using requested products to find approvers.

WC - Waiting for further approval

-

For more information, see Waiting for further approval.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级