立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Approval by the chief approval team

Sometimes, approval decisions cannot be made for requests because the approver is not available or does not have access to One Identity Manager tools. To complete these requests, you can define a chief approval team whose members are authorized to intervene in the approval process at any time.

The chief approval team is authorized to approve, deny, or cancel requests in special cases or to authorize other approvers.

IMPORTANT:

  • The four-eye principle can be broken like this because chief approval team members can make approval decisions for requests at any time. Specify, on a custom basis, in which special cases the chief approval team may intervene in the approval process.

  • The chief approval team members may always approval their own requests. The settings for the QER | ITShop | PersonInsertedNoDecide and QER | ITShop | PersonOrderedNoDecide configuration parameters do not apply for the chief approval team.

  • Approvals made by the chief approval team are not automatically transferred to other approval levels. Settings for the QER | ITShop | DecisionOnInsert, QER | ITShop | AutoDecision and QER | ITShop | ReuseDecision configuration parameters do not apply to the chief approval team.

  • In the approval step, you can specify how many approvers must make a decision on this approval step.

    • If an approval decision is made by the chief approval team, it overrides the approval decision of just one regular approver. This means, if three approvers must approve an approval step and the chief approval team makes a decision, two more are still required.

    • The number of approvers is not taken into account if the request is assigned to fallback approvers. The chief approval team can also approve in this case. The approval decision is considered to be made as soon as one member of the chief approval team has made an approval decision about the request.

  • If a regular approver has added an additional approver, the chief approval team can approve for both the regular and the additional approvers. If both approvals are pending, a chief approver first replaces the regular approver's approval only. Only a second approval of the chief approval team can replace the approval of the additional approver.

The chief approval team can approve requests for all manual approval steps. The following applies:

  • Chief approval team decisions are not permitted for approval steps using the CR, SB, CD, EX, and WC approval procedures or the OC and OH procedures.

  • If a member of the chief approval team is identified as a regular approver for an approval step, they can only make an approval decision for this step as a regular approver.

  • The chief approval team can also make an approval decision if a regular approver has submitted a query and the request is in hold status.

To add members to the chief approval team

  1. In the Manager, select the IT Shop > Basic configuration data > Chief approval team category.

  2. Select the Assign identities task.

    In the Add assignments pane, assign the identities who are authorized to approve all requests.

    TIP: In the Remove assignments pane, you can remove assigned identities.

    To remove an assignment

    • Select the identity and double-click .

  3. Save the changes.
Related topics

Approving requests with terms of use

Terms of use that explain conditions of use for a product can be stored for individual service items (for example, software license conditions). When someone requests this product, the requester, and request recipient must accept the terms of use before the request can be finalized.

In order for the request recipient to accept the terms of use, the request must be assigned to the request recipient in the approval process. Set an approval workflow for such requests that contain a BR approval step and enable the No automatic approval option for this approval step. One Identity Manager provides a default approval workflow and a Terms of Use acknowledgment for third-party orders (sample) default approval policy that you can use for this. Using the default approval workflow as a basis, create your own approval workflow that returns the request to the request recipient and determines the approver after the terms of use have been accepted. Use the BR approval procedure to do this.

To create an approval workflow for requests with terms of use

  1. In the Manager, select the IT Shop > Basic configuration data > Approval workflows > Predefined category.

  2. In the result list, select the Terms of Use acknowledgment for third-party orders (sample) approval workflow and run the Change main data task.

  3. Select the Copy workflow task.

  4. Enter a name for the copy and click OK.

  5. Edit the copy. Modify the approval workflow to suit your requirements.

  6. Create an approval policy and assign it to the approval workflow.

  7. Assign service items to the approval policy, which are assigned terms of use.

Detailed information about this topic

Using default approval processes

By default, One Identity Manager supplies approval policies and approval workflows. These are used in the approval processes of the Identity & Access Lifecycle shop.

Table 50: Default approval policies and workflows in the shop identity & access lifecycle

Approval policies/workflow

Description

Shelf | Product

Compliance checking simplified

Compliance checking and exception approval for all products on the shelf that do not have their own approval policy assigned to them. For more information, see Testing requests for rule compliance.

Identity Lifecycle

Self-service

Assignment requests and delegations are automatically approved by default. For more information, see Standard products for assignment requests.

Identity Lifecycle | Delegation

Identity Lifecycle | Business role entitlement assignment

Identity Lifecycle | Business role membership

Self-service

Automatic approval for all products on the shelf that do not have their own approval policy assigned to them. For more information, see Self-service.

Group Lifecycle

Azure Active Directory groups

Azure Active Directory subscriptions

Disabled Azure Active Directory service plans

Exchange Online distribution groups

Office 365 groups

Microsoft Teams teams

Terms of Use acknowledgment for third-party orders (sample)

Copy template for requests with terms of use. For more information, see Approving requests with terms of use.

 

Challenge loss of role membership

Limited period assignment requests for role memberships are automatically granted approval. For more information, see Requests with limited validity period for changed role memberships.

Identity Lifecycle | Challenge loss of role membership

New manager assignment

Requesting a change of manager must be approved by the new manager. For more information, see Requesting change of manager for an employee.

Identity Lifecycle | New manager assignment

Approval of Active Directory group create requests

New Active Directory group requests must be approved by the target system manager. The groups are added in One Identity Manager and published in the target system. For more information about this, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Group Lifecycle | New Active Directory security group

Group Lifecycle | New Active Directory distribution group

Approval of Active Directory group change requests

Changes to group type and range of Active Directory groups must be approved by the target system manager. For more information about this, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Group Lifecycle | Modify Active Directory group

Approval of Active Directory group deletion requests

Deleting an Active Directory group, must be approved by the target system manager. For more information about this, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Group Lifecycle | Delete Active Directory group

Approval of Active Directory group membership requests

Product owners and target system managers can request members for groups in these shelves. For more information about this, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Active Directory groups

Approval of SharePoint group create requests

New SharePoint group requests must be approved by the target system manager. The groups are added in One Identity Manager and published in the target system. For more information about this, see the One Identity Manager Administration Guide for Connecting to SharePoint.

Group Lifecycle | New SharePoint group

Approval of group membership requests

Product owners and target system managers can request members for groups in these shelves. For more information about this, see the One Identity Manager Administration Guide for Connecting to SharePoint.

SharePoint groups

Approval of system entitlement removal requests

This approval policy can be used to configure automatic deletion of memberships in Active Directory groups.

Approval of system entitlement removal requests

Approval of privileged access requests

Requests for access must be approved by the owner of the privileged object. To make an access request, additional system prerequisites must be met by the Privileged Account Management system. For more information about PAM access requests, see the One Identity Manager Administration Guide for Privileged Account Governance.

Privileged access | API key request

Privileged access | Password request

Privileged access | Remote desktop session request

Privileged access | Remote desktop session request

Privileged access | SSH key request

Privileged access | SSH session request

Privileged access | Telnet session request

Request sequence

Shop customers can request, renew, and unsubscribe products as soon as an IT Shop solution is set up. Use the Web Portal to do this. Furthermore, requests, and cancellations are approved in the Web Portal. You can make an overview of pending and closed requests for yourself. You can also find an overview of pending and closed requests in the Manager The status of pending requests is checked regularly by the DBQueue Processor. The review is started by the IT Shop check schedule.

Requests can have a limited time period, which means the requested product assignment is only valid with the validity period.

General request sequence
  1. A customer places a request in the Web Portal for:

    1. A product.

      - OR -

    2. Membership of a hierarchical role.

      - OR -

    3. The assignment of a company resource to a hierarchical role.

  2. The request goes through the assigned approval process.

  3. If the request has been granted approval and the Valid from date has been reached:

    1. The product is assigned to the customer. The company resource associated with the product is assigned indirectly to the customer.

      - OR -

    2. The customer becomes a secondary member of the hierarchical role.

      - OR -

    3. The company resource is assigned to the hierarchical role.

    The request contains the Assigned status (PersonWantsOrg.OrderState = 'Assigned').

    The product/membership/assignment remains until it is canceled.

Requests and the resulting assignments are displayed in the following table:

Requests

PersonWantsOrg

Product assignments

PersonInITShopOrg

Company resource assignments

For example,

PersonHasQERResource

ADSAccountInADSGroup

Hierarchical role assignments

For example, PersonInDepartment

Hierarchical role assignments

For example, DepartmentHasADSGroup

General cancellation sequence
  1. A customer cancels a product/membership/assignment in the Web Portal.

    - OR -

    A requested product/requested membership/requested assignment is automatically unsubscribed.

  2. The cancellation goes through the assigned approval process.

  3. If cancellation was granted approval and the expiry date has been reached:

    1. The product's assignment is removed. The product's assigned to the associated company resource is also removed.

      - OR -

    2. The customer’s membership of the hierarchical role is removed.

      - OR -

    3. The company resource's assignment to the hierarchical role is removed.

    The request contains the Unsubscribed status (PersonWantsOrg.OrderSTate = 'Unsubscribed').

If a customer is removed from a shop, existing requests for this are closed. The products are unsubscribed and assignments are removed. If the customer changes to another shop, the product requests can be retained under certain circumstances. If the request is an assignment request, it can also be retained under certain circumstances, even if the requester is no longer a customer in the shop.

For more information about requesting products, see the One Identity Manager Web Designer Web Portal User Guide.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级