
Identity Manager 8.1.4 - IT Shop Administration Guide


Process monitoring for requests

For more detailed information about process monitoring in One Identity Manager, see the One Identity Manager Configuration Guide.

To configure process monitoring for requests

  1. In the Designer, check whether the Common | ProcessState configuration parameter is set. If not, set the configuration parameter.

    If this configuration parameter is set, a process monitoring entry (DialogProcess table) is created when the request is created.

  2. In the Designer, check the Common | ProcessState | UseGenProcIDFromPWO configuration parameter.

    If this configuration parameter is set, the GenProcID of an IT Shop request is retained for the entirety of the approval process.

    If the configuration parameter is not set, a new GenProcID is used for each approval decision.

Configuration parameters for the IT Shop

Additional configuration parameters for the IT Shop are available in One Identity Manager. The following table contains a summary of all applicable configuration parameters for the IT Shop.

Table 84: Overview of configuration parameters

Configuration parameter

Description

QER | ITShop

Preprocessor relevant configuration parameter to control the component parts for the IT Shop. If the parameter is set, the IT Shop components are available. Changes to this parameter require the database to be recompiled.

QER | ITShop | AutoCloseInactivePerson

This configuration parameter defines whether employees are removed from all customer nodes when they are permanently disabled.

QER | ITShop | AutoDecision

This configuration parameter controls automatic approval of IT Shop requests over several approval levels.

QER | ITShop | ChallengeRoleRemoval

General configuration parameter for dealing with role assignments that are modified by data import. Removal of role memberships can be challenged with the help of temporary requests.

QER | ITShop | ChallengeRoleRemoval | DaysOfValidity

This configuration parameter contains the validity period (in days) of temporary requests for challenged role memberships.

QER | ITShop | ChallengeRoleRemoval | Department

Temporary requests of department memberships are supported.

QER | ITShop | ChallengeRoleRemoval | Department | Primary

Temporary membership of the previous department is requested if changes are made to the primary membership in departments.

QER | ITShop | ChallengeRoleRemoval | ITShopOrg

This configuration parameter contains the product node that is assigned to the requested assignment resource.

QER | ITShop | ChallengeRoleRemoval | Locality

Temporary requests of location memberships are supported.

QER | ITShop | ChallengeRoleRemoval | Locality | Primary

Temporary membership of the previous location is requested if changes are made to the primary membership in locations.

QER | ITShop | ChallengeRoleRemoval | Org

Temporary requests of business role memberships are supported.

QER | ITShop | ChallengeRoleRemoval | Org | Primary

Temporary membership of the previous business role is requested if changes are made to the primary membership in business roles.

QER | ITShop | ChallengeRoleRemoval | ProfitCenter

Temporary requests of cost center memberships are supported.

QER | ITShop | ChallengeRoleRemoval | ProfitCenter | Primary

Temporary membership of the previous cost center is requested if changes are made to the primary membership in cost centers.

QER | ITShop | DecisionOnInsert

This configuration parameter controls approval of a request the moment it is added.

QER | ITShop | DefaultSenderAddress

This configuration parameter contains the sender email address for automatically generated messages within the IT Shop.

QER | ITShop | Delegation

Preprocessor relevant configuration parameter for controlling model components for delegation and role membership. Changes to the parameter require recompiling the database. If the parameter is set, delegation components are available.

QER | ITShop | DeleteClosed

This configuration parameter specifies whether closed requests are deleted.

QER | ITShop | DeleteClosed | Aborted

This configuration parameter specifies the maximum retention time (in days) of aborted requests.

QER | ITShop | DeleteClosed | Dismissed

This configuration parameter specifies the maximum retention time (in days) of denied requests.

QER | ITShop | DeleteClosed | Unsubscribed

This configuration parameter specifies the maximum retention time (in days) of canceled requests.

QER | ITShop | GapBehavior

Defines behavior when checking the validity period of new requests.

QER | ITShop | GapBehavior | GapDefinition

This configuration parameter specifies which requests are checked.

QER | ITShop | GapBehavior | GapFitting

This configuration parameter specifies whether validity periods of two or more pending requests can overlap.

QER | ITShop | GroupAutoPublish

Preprocessor relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to this parameter require the database to be recompiled.

QER | ITShop | LimitOfNodeCheck

Maximum number of product nodes that can be generated or deleted by a DBQueue Processor run. Once this number is exceeded, a task for generating the rest of the nodes is queued in the DBQueue.

QER | ITShop | MailApproval | Inbox

Microsoft Exchange mailbox used for "Approval by mail" processes.

QER | ITShop | MailApproval | Account

Name of user account for authentication of "Approval by mail" mailbox.

QER | ITShop | MailApproval | DeleteMode

Specifies the way emails are deleted from the inbox.

QER | ITShop | MailApproval | Domain

Domain of user account for authentication of "Approval by mail" mailbox.

QER | ITShop | MailApproval | ExchangeURI

Specifies the Exchange Web Service URL. AutoDiscover mode is used to find the URL if it is not given.

QER | ITShop | MailApproval | Password

Password of user account for authentication of "Approval by mail" mailbox.

QER | ITShop | MailTemplateIdents | AnswerToApprover

This mail template is used to send a notification with an answer to a question from an approver.

QER | ITShop | MailTemplateIdents | InformAddingPerson

This mail template is used to notify approvers that an approval decision has been made for the step they added.

QER | ITShop | MailTemplateIdents | InformDelegatingPerson

This mail template is used to notify approvers that an approval decision has been made for the step they delegated.

QER | ITShop | MailTemplateIdents | ITShopApproval

Mail template used for requests made through "Approval by mail".

QER | ITShop | MailTemplateIdents | QueryFromApprover

This mail template is used to send a notification with a question from an approver to an employee.

QER | ITShop | MailTemplateIdents | RequestApproverByCollection

This mail template is used for generating an email when there are pending requests for an approver. If this configuration parameter is not set, a "Mail template demand" or "Mail template reminder" for single approval steps can be entered to send an email for each request. If this configuration parameter is set, single mails are not sent.

QER | ITShop | OnWorkflowAssign

This configuration parameter specifies how pending requests are handled when an approval, change, or cancellation workflow is reassigned to the approval policy.

QER | ITShop | OnWorkflowUpdate

This configuration parameter specifies how pending requests are handled when the approval workflow is changed.

QER | ITShop | PeerGroupAnalysis

This configuration parameter allows automatic approval of requests by peer group analysis.

QER | ITShop | PeerGroupAnalysis | ApprovalThreshold

This configuration parameter defines a threshold for peer group analysis between 0 and 1. The default value is 0.9.

QER | ITShop | PeerGroupAnalysis | CheckCrossfunctionalAssignment

This configuration parameter specifies whether functional areas should be taken into account in peer group analysis. If the parameter is set, the request is only approved if the request's recipient and the requested product belong to the same functional area.

QER | ITShop | PeerGroupAnalysis | IncludeManager

This configuration parameter specifies whether employees can be added to the peer group who have the same manager as the request's recipient.

QER | ITShop | PeerGroupAnalysis | IncludePrimaryDepartment

This configuration parameter determines whether employees who are primary members of the primary department of the request's recipient are included in the peer group.

QER | ITShop | PeerGroupAnalysis | IncludeSecondaryDepartment

This configuration parameter determines whether employees who are secondary members of the primary or secondary department of the request's recipient are included in the peer group.

QER | ITShop | PersonInsertedNoDecide

This configuration parameter specifies whether the employee that triggered the request may approve it.

QER | ITShop | PersonOrderedNoDecide

This configuration parameter specifies whether the employee for whom the request was triggered may approve it.

QER | ITShop | PersonInsertedNoDecideCompliance

This configuration parameter specifies whether the employee who initiated the request can grant an exception if compliance rules are violated by the request.

QER | ITShop | PersonOrderedNoDecideCompliance

This configuration parameter specifies whether the employee for whom the request was initiated can grant an exception if compliance rules are violated by the request.

QER | ITShop | ReducedApproverCalculation

This configuration parameter specifies which approval steps are recalculated if the IT Shop approver must be recalculated.

QER | ITShop | ReplaceAssignmentRequestOnLeaveCU

If an employee leaves a customer node, all assigned requests are canceled and assignment requests are converted to direct assignments. If this parameter is set, then assignment requests can be transferred to the manager or central approver group, and to the UID_PersonFallback if necessary. (Note: These employees must have approval authorization for this assignment).

QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback

UID_Person is an employee who is set as the fallback if no other request recipient can be found for an assignment request. This employee must be a customer in all shops in which assignments can be requested.

QER | ITShop | ReuseDecision

This configuration parameter specifies if approval granted by one approver to all approval steps of an approval process is transferred. If the parameter is set, the current step is approved if an approval step is reached in the approval process for which an employee with approval authorization has already granted approval. If the parameter is not set, the approver must separately approve each step for which they have approval authorization. If approval has not been granted, it is not transferred.

QER | ITShop | ShoppingCartPattern

This configuration parameter specifies whether request templates can be used in the IT Shop.

QER | ITShop | ShoppingCartPattern | AutoQualified

This configuration parameter specifies whether public request templates are automatically labeled as "shared" or whether they have to be manually shared by a manager.

QER | ITShop | ShowClosedAssignmentOrders

This configuration parameter specifies whether the manager of an organization or business role can view completed assignment requests for their organization or business role.

If this parameter is not set, the manager can only view open assignment requests for their organization or business role.

QER | ITShop | Templates

Preprocessor relevant configuration parameter for controlling the database model components for the Shelf Filling Wizard. If the parameter is set, shelf templates can be used. Changes to this parameter require the database to be recompiled.

QER | ITShop | Templates | DeleteRecursive

This configuration parameter specifies whether recursive deletion from shelf templates is allowed. This configuration parameter is disabled by default.

QER | ComplianceCheck | DisableSelfExceptionGranting

Excludes rule violators from becoming exception approvers. If this parameter is set, no one can approve their own rule violations.

QER | ComplianceCheck | EnableITSettingsForRule

IT Shop properties for the compliance rule are visible and can be edited.

QER | Person | Defender

This configuration parameter specifies whether classic Starling Two-Factor Authentication integration is supported.

QER | Person | Starling

This configuration parameter specifies whether One Identity Starling Cloud is supported.

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling Cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices that expand the capabilities of your One Identity on-prem solutions. We will continuously make new products and features available on our Starling Cloud platform. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.

QER | Person | Starling | UseApprovalAnywhere

This configuration parameter defines whether requests can be approved with the Starling 2FA app.

QER | WebPortal

General configuration parameter for Web Portal settings.

QER | WebPortal | BaseURL

Web Portal URL. This address is used in mail templates to add hyperlinks to the Web Portal.

QER | WebPortal | DisplayName

This configuration parameter contains the display name of the Web Portal. This name is used in mail templates.

QER | WebPortal | PasswordResetURL

Password Reset Portal URL. This address is used to navigate within the Web Portal.

QER | WebPortal | PersonChangeWorkdesk

This configuration parameter specifies whether Web Portal users can change their default workdesk. If the configuration parameter is set, users can relocate their workdesk through the Web Portal.

QER | WebPortal | ShowProductImages

This configuration parameter specifies whether pictures of products are displayed in the Web Portal.
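The following Python sketch is an added example, not code from the guide or from One Identity Manager itself; it models how the QER | ITShop | PeerGroupAnalysis parameters listed above shape an automatic approval decision: the Include* switches select the peer group, CheckCrossfunctionalAssignment compares functional areas, and ApprovalThreshold is compared with the share of peers who already hold the requested product. The Employee and PeerGroupConfig types and the sample data are constructed for illustration, and treating the threshold as a share of peers compared with >= is an assumption, since the table only states that it lies between 0 and 1.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Employee:
    """Constructed model of the attributes the peer group switches look at."""
    uid: str
    manager: Optional[str]
    primary_department: str
    secondary_departments: Set[str] = field(default_factory=set)
    products: Set[str] = field(default_factory=set)
    functional_area: Optional[str] = None


@dataclass
class PeerGroupConfig:
    """Mirrors QER | ITShop | PeerGroupAnalysis | ... (defaults are assumptions except the threshold)."""
    approval_threshold: float = 0.9             # ApprovalThreshold: 0..1, default 0.9 per the guide
    include_manager: bool = True                # IncludeManager
    include_primary_department: bool = True     # IncludePrimaryDepartment
    include_secondary_department: bool = False  # IncludeSecondaryDepartment
    check_crossfunctional: bool = False         # CheckCrossfunctionalAssignment


def build_peer_group(recipient: Employee, employees: List[Employee], cfg: PeerGroupConfig) -> List[Employee]:
    """Collect the recipient's peers according to the Include* switches (the recipient is excluded)."""
    recipient_depts = {recipient.primary_department} | recipient.secondary_departments
    peers = []
    for e in employees:
        if e.uid == recipient.uid:
            continue
        same_manager = cfg.include_manager and recipient.manager is not None and e.manager == recipient.manager
        same_primary = cfg.include_primary_department and e.primary_department == recipient.primary_department
        # IncludeSecondaryDepartment: secondary member of the recipient's primary or secondary department
        secondary = cfg.include_secondary_department and bool(e.secondary_departments & recipient_depts)
        if same_manager or same_primary or secondary:
            peers.append(e)
    return peers


def peer_group_decision(recipient: Employee, product: str, product_area: Optional[str],
                        employees: List[Employee], cfg: PeerGroupConfig) -> Tuple[bool, float]:
    """Return (auto_approved, share of peers already holding the product)."""
    if cfg.check_crossfunctional and recipient.functional_area != product_area:
        return False, 0.0  # recipient and product are in different functional areas
    peers = build_peer_group(recipient, employees, cfg)
    if not peers:
        return False, 0.0  # no peers to compare against, so no automatic approval
    share = sum(1 for p in peers if product in p.products) / len(peers)
    return share >= cfg.approval_threshold, share  # ">=" is an assumption


# Constructed sample data, not taken from the guide.
EMPLOYEES = [
    Employee("alice", "mgr1", "Sales", products={"crm"}, functional_area="Sales"),
    Employee("bob", "mgr1", "Sales", products={"crm", "crm_reporting"}),
    Employee("carol", "mgr1", "Sales", products={"crm", "crm_reporting"}),
    Employee("dave", "mgr2", "Sales", products={"crm_reporting"}),
    Employee("erin", "mgr2", "Finance", secondary_departments={"Sales"}),
    Employee("frank", "mgr1", "Marketing"),
]
ALICE = EMPLOYEES[0]

if __name__ == "__main__":
    approved, share = peer_group_decision(ALICE, "crm_reporting", "Sales", EMPLOYEES, PeerGroupConfig())
    print(f"auto-approved={approved}, share={share:.2f}")  # 3 of 4 peers hold it: 0.75 < 0.9
```

Toggling include_manager off drops frank from the group and the share rises to 1.0, which is the kind of sensitivity to the Include* switches worth checking before enabling PeerGroupAnalysis in production.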

Some general configuration parameters are also relevant for the IT Shop.

Table 85: Additional configuration parameters

Configuration parameter

Description

Common | MailNotification | Signature

Data for the signature in emails automatically generated from mail templates.

Common | MailNotification | Signature | Caption

Signature under the salutation.

Common | MailNotification | Signature | Company

Company name.

Common | MailNotification | Signature | Link

Link to company website.

Common | MailNotification | Signature | LinkDisplay

Display text for the link to the company's website.

Common | ProcessState

If this configuration parameter is set, a process monitoring entry (DialogProcess table) is created when the request is created.

Common | ProcessState | PropertyLog

When this configuration parameter is set, changes to individual values are logged and shown in the process view.

Common | ProcessState | UseGenProcIDFromPWO

If this configuration parameter is set, the GenProcID of an IT Shop request is retained for the entirety of the approval process. If the configuration parameter is not set, a new GenProcID is used for each approval decision.

Request statuses

The following table gives an overview of all statuses a request can have.

Table 86: Request statuses

Status

Description

New

A product was requested. The request was added to the database.

Request

The request is currently in the approval process. An approval decision has not yet been reached.

Approved

The approval process is complete. The request is granted approval.

Pending

The request is granted approval. A valid from date was given in the request. This date has not been reached yet.

Assigned

The request was granted approval and assigned.

Renewal

A request with limited validity was assigned. A renewal has been applied for and is in the approval process. An approval decision has not yet been reached.

Canceled

This product was canceled. The cancellation is currently in the approval process. An approval decision has not yet been reached.

Unsubscribed

The approval process is complete. The cancellation was granted approval.

Denied

The approval process is complete. The request was denied.

Aborted

The request was aborted by a user or for technical reasons.

Pending requests

Requests with the status request, renewal, canceled.

Approved requests

Requests with the status approved, pending, assigned, renewal, canceled.

Assigned requests

Requests with the status assigned, renewal, canceled.

Closed requests

Requests with the status canceled, denied, aborted.

Examples of request results

Request results differ depending on whether a simple or multiple request resource or an assignment is requested. The following figures illustrate the differences.

Figure 13: Request for a single request resource

Figure 14: Request for a multi-request resource

Figure 15: Request for a requestable/unsubscribable resource

Figure 16: Request for a department membership

Figure 17: Request for assignment of an Active Directory group to a department
