立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Escalating an approval step

Approval steps can be automatically escalated once the specified timeout is exceeded. The request is presented to another approval body. The request is then further processed in the normal approval workflow.

To configure escalation of an approval step

  1. Open the approval workflow in the Workflow Editor.

  2. Add an additional approval level with one approval step for escalation.

  3. Connect the approval step that is going to be escalated when the time period is exceeded with the new approval step. Use the connection point for escalation to do this.

    Figure 9: Example of an approval workflow with escalation

  4. Configure the behavior for the approval step to be escalated when it times out.

    Table 48: Properties for escalation on timeout
    Property Meaning
    Timeout (minutes)

    Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

    The working hours of the respective approver are taken into account when the time is calculated.

    NOTE: Ensure that a state, county, or both is entered into the identity's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating identities' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

    TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

    If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

    If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

    If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

    If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    Timeout behavior

    Action that is run if the timeout expires.

    • Escalation: The request process is escalated. The escalation approval level is called.

  5. (Optional) If the approval step still needs to be escalated but no approver be found and no fallback approver is assigned, set the Escalate if no approver found option.

    In this case, the request is escalated instead of being canceled or passed to the chief approval team.

In the event of an escalation, email notifications can be sent to the new approvers and requesters.

Related topics

Approvers cannot be established

You can specify a fallback approver if requests cannot be approved because no approvers are available. A request is then always assigned to the fallback approver for approval no approver can be found in an approval step in the specified approval procedure.

To specify fallback approvers, define application roles and assign these to an approval step. Different approval groups in the approval steps may also require different fallback approvers. Specify different application role for this, to which you can assign identities who can be determined as fallback approvers in the approval process. For more information, see the One Identity Manager Authorization and Authentication Guide.

To specify fallback approvers for an approval step

  • Enter the following data for the approval step.

    Table 49: Approval step properties for fallback approvers
    Property Meaning

    Fallback approver

    Application role whose members are authorized to approve requests if an approver cannot be determined through the approval procedure. Assign an application from the menu.

    To create a new application role, click . Enter the application role name and assign a parent application role. For more information, see the One Identity Manager Authorization and Authentication Guide.

    NOTE: The number of approvers is not applied to the fallback approvers. The approval step is considered approved the moment as soon as one fallback approver has approved the request.

Request sequence with fallback approvers

  1. No approver can be found for an approval step in an approval process. The request is assigned to all members of the fallback approver application role.

  2. Once a fallback approver has approved a request, it is presented to the approvers at the next approval level.

    NOTE: In the approval step, you can specify how many approvers must make a decision on this approval step. This limit is NOT valid for the chief approval team. The approval step is considered to be approved as soon as ONE fallback approver has approved the request.
  3. The request is canceled if no fallback approver can be found.

Fallback approvers can make approval decisions on requests for all manual approval steps. Fallback approvals are not permitted for approval steps using the CR, SB, CD, EX, and WC approval procedures or OC and OH approval procedures.

Related topics

Automatic approval on timeout

Requests can be automatically granted or denied approval once a specified time period has expired.

To configure automatic approval if the timeout expires

  • Enter the following data for the approval step.

    • Timeout (minutes):

      Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

      The working hours of the respective approver are taken into account when the time is calculated.

      NOTE: Ensure that a state, county, or both is entered into the identity's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating identities' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

      TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

      If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

      If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

      If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

      If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    • Timeout behavior:

      Action, which is run if the timeout expires.

      • Approved: The request is approved in this approval step. The next approval level is called.

      • Deny: The request is denied in this approval step. The approval level for denying is called.

If a request is decided automatically, the requester can be notified by email.

Related topics

Halting a request on timeout

Requests can be automatically halted once a specified time period has been exceeded. The action halts when either a single approval step or the entire approval process has exceeded the timeout.

To configure halting after the timeout of a single approval step has been exceeded

  • Enter the following data for the approval step.

    • Timeout (minutes):

      Number of minutes to elapse after which the approval step is automatically granted or denied approval. The input is converted into working hours and displayed additionally.

      The working hours of the respective approver are taken into account when the time is calculated.

      NOTE: Ensure that a state, county, or both is entered into the identity's main data of determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating identities' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.

      TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be dealt with in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information about this, see the One Identity Manager Configuration Guide.

      If more than one approver was found, then an approval decision for the approval step is not automatically made until the timeout for all approvers has been exceeded. The same applies if an additional approver has been assigned.

      If an approver delegated approval, the time point for automatic approval is recalculated for the new approver. If this approval is rejected, the time point for automatic approval is recalculated for the original approver.

      If an approver is queried, the approval decision must be made within the defined timeout anyway. The time point for automatic approval is not recalculated.

      If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. The additional approvers must approve within the time frame that applies to the current approver.

    • Timeout behavior:

      Action that runs if the timeout expires.

      • Cancel: The approval step, and therefore the entire approval process for the request, is canceled.

To configure halting on timeout for the entire approval process

  • Enter the following data for the approval workflow.

    • System halt (days):

      Number of days to elapse after which the approval workflow, and therefore the system, automatically halts the entire approval process.

If a request is halted, the requester can be notified by email.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级