立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Creating IT Shop requests from existing user accounts, assignments, and role memberships

You can create One Identity Manager requests for existing user accounts, membership in system entitlements, assignments to identities, and hierarchical roles when IT Shop goes into operation. One Identity Manager provides several methods to implement this. Using these methods, requests are created that are completed and approved. These requests can therefore be canceled at a later date. In addition to the initial request data, you can run a custom script from each method that sets other custom properties for a request.

Table 21: Methods for transforming direct assignments into requests

Method

Description

CreateITShopOrder (string CustomScriptName)

Creates a request from a direct assignment. This method can be applied to all tables used to find a UID_Person.

CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string CustomScriptName)

Creates an assignment request from an assignment or membership. This method can be applied to all tables that cannot be used to find a UID_Person.

CreateITShopOrder (string uidOrgProduct, string uidWorkdeskOrdered, string uidPersonOrdered, string CustomScriptName)

Creates an assignment request from an assignment or membership and, in addition, saves a UID_WorkdeskOrdered with the request procedure.

CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName)

Creates a request for a workdesk from a direct assignment. This method can be applied to the WorkDeskHasApp, WorkDeskHasESet and WorkDeskHasDriver tables.

To run the methods

  1. Create a script in the Designer with the Script Editor to call the desired method.

    You can find an example script for calling a Customizer method in VB syntax on the One Identity Manager installation medium in the Modules\QBM\AddOn\SDK\ScriptSamples\03 Using database objects\11 Call database object methods.vb directory. You can use this example script as a template to create a script for call the methods described here.

  2. Run the script.

    You can use the script test from the Script Editor to do this.

For more information about creating scripts, see the One Identity Manager Configuration Guide.

If a custom script is included in the method call, then this script will be run immediately before the request is saved in the database.

An example of a custom script
Public Sub CCC_AddCustomPropToRequest(ByRef dbSource As IEntity, ByRef dbPWO As IEntity)
'Populate values in PWO:
dbPWO.PutValue("OrderReason", "Group membership assignment converted to IT Shop request automatically.")
End Sub
  • dbSource: Refers to the source object. For example, ADSAccountInADSGroup, if memberships in Active Directory groups are to be converted in requests.
  • dbPWO: Refers to the request to be generated.

Creating requests for identities

You can create requests for identities or memberships in system entitlements with CreateITShopOrder (string CustomScriptName). Prepare the IT Shop accordingly in order to create the requests.

To create requests from direct assignments to identities or memberships in system entitlements

  1. Prepare the company resources or system entitlements for use in the IT Shop.

  2. Assign the company resources or system entitlements to a shelf in the IT Shop.

  3. Link each user account for whose memberships requests are to be created with an identity.

  4. Add identities as customers to shops to which the company resources or system entitlements are assigned as products.

  5. (Optional): Create a script that populates other properties of the requests.

    • Pass the script name as a CustomScriptName parameter to the task.

  6. Create a script to run CreateITShopOrder (CustomScriptName string) for the affected tables.

One Identity Manager creates requests from direct assignments for user accounts in the following way:

  1. Determine identities and their assigned company resources.

  2. Determine shops assigned to company resources and identities.

  1. Create the requests with initial data.
  2. Run custom scripts.
  3. Save the requests (entry in the PersonWantsOrg table).
  1. Assign identities to the product structure (entry in PersonInITShopOrg table).

  2. Transform direct company resource assignments into indirect assignments to identities (for example, in the PersonHasQERResource table).

One Identity Manager creates requests for memberships in system entitlements in the following way:

  1. Establish the user accounts and their memberships.

  2. Determine the affected identities.

  3. Determine the shops to which identities and the system entitlements are assigned.

  1. Create the requests with initial data.
  2. Run custom scripts.
  3. Save the requests (entry in the PersonWantsOrg table).
  1. Assign identities to the product structure (entry in PersonInITShopOrg table).

  2. Transform direct company memberships into indirect memberships for affected user accounts (for example, in the ADSAccountInADSGroup table).

Related topics

Creating user account requests

To assign user accounts to identities, use One Identity Manager account definitions. You can request matching account definitions for existing user accounts linked to the identities through the IT Shop. To create these requests, you can use CreateITShopOrder (string CustomScriptName). This method can be used for all user account tables (for example, ADSAccount or SAPUser) and for the ADSContact, EX0MailBox, EX0MailContact, and EX0MailUser.

Prepare the IT Shop accordingly in order to create the requests.

To create requests for user accounts

  1. Create an account definition for the target system. Assign the account definition to the target system.

    This account definition is used for all user accounts where no account definition is entered. You can miss out this step if all the user accounts are already assigned an account definition.

  2. Prepare the account definition for use in the IT Shop.

  3. Assign the account definition to a shelf in the IT Shop.

  4. Link the user accounts to an identity, if there is no identity already linked.

  5. Add identity as customers to shops to which the account definition is assigned as product.

  6. (Optional): Create a script that populates other properties of the requests.

    • Pass the script name as a CustomScriptName parameter to the task.

  7. Create a script that runs the method for the tables affected.

One Identity Manager creates requests for user accounts in the following way:

  1. Determine the valid account definition.

    If an account definition is already assigned to the user account, it will be used. Otherwise, the account definition of the target system is used.

  2. Determine the affected identities.

  3. Determine the shops to which identities and the account definition are assigned.

  1. Create the requests with initial data.
  2. Run custom scripts.
  3. Save the requests (entry in the PersonWantsOrg table).
  1. Assign identities to the product structure (entry in PersonInITShopOrg table).

  2. Transform any possible direct account definition assignments to indirect assignments (entry in PersonHasTSBAccountDef table).

Related topics

Creating workdesk requests

Requests for workdesks are created with CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName). Prepare the IT Shop accordingly in order to create the requests.

To create requests from assignments to workdesks

  1. Prepare the company resources (software, system role, or driver) for use in the IT Shop.

  2. Assign the company resources to a shelf in the IT Shop.

  3. Select an identity as requester for the assignment to workdesks.

    • Pass this identity's UID_Person as a uidPerson parameter to the task.

  4. Add the selected identity as a customer to the shops to which the company resources are assigned as products.

  5. (Optional): Create a script that populates other properties of the requests.

    • Pass the script name as a CustomScriptName parameter to the task.

  6. Create a script to run CreateITShopWorkdeskOrder (string uidPerson, string CustomScriptName) for the affected tables.

One Identity Manager creates requests for workdesk requests in the following way:

  1. Determine workdesks and their assigned company resources.

  2. Determine requester from the uidPerson parameter.

  3. Determine shops assigned to company resources and requester.

  1. Create the requests with initial data.
  2. Run custom scripts.
  3. Save the requests (entry in the PersonWantsOrg table).
  1. Assign identities to the product structure (entry in PersonInITShopOrg table).

  2. Transform direct company resource assignments into indirect assignments to workdesks (for example, in the WorkDeskHasApp table).

TIP: To create an identity that can be used as a requester when creating a workstation, set the Hardware | Workdesk | WorkdeskAutoPerson configuration parameter in the Designer. The following properties are used for the identity:

  • Last name: Name of the workdesk (Ident_Workdesk)

  • First name: Machine

  • Identity type: Machine identity (Machine)

When the workstation is deleted, the associated identity is also deleted.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级