立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - IT Shop Administration Guide

Setting up an IT Shop solution
One Identity Manager users in the IT Shop Implementing the IT Shop Using the IT Shop with the Application Governance Module Requestable products Preparing products for requesting Assigning and removing products Preparing the IT Shop for multi-factor authentication Assignment requests Delegations Creating IT Shop requests from existing user accounts, assignments, and role memberships Adding system entitlements automatically to the IT Shop Deleting unused application roles for product owners
Approval processes for IT Shop requests
Approval policies for requests Approval workflows for requests Determining effective approval policies Selecting responsible approvers Request risk analysis Testing requests for rule compliance Approving requests from an approver Automatically approving requests Approval by peer group analysis Approval recommendations for requests Gathering further information about a request Appointing other approvers Escalating an approval step Approvers cannot be established Automatic approval on timeout Halting a request on timeout Approval by the chief approval team Approving requests with terms of use Using default approval processes
Request sequence
The request overview Requesting products more than once Requests with limited validity period Relocating a customer or product to another shop Changing approval workflows of pending requests Requests for employees Requesting change of manager for an employee Canceling requests Unsubscribe products Notifications in the request process Approval by mail Adaptive cards approval Requests with limited validity period for changed role memberships Requests from permanently deactivated identities Deleting request procedures and deputizations
Managing an IT Shop
IT Shop base data Setting up IT Shop structures Setting up a customer node Deleting IT Shop structures Restructuring the IT Shop Templates for automatically filling the IT Shop Custom mail templates for notifications Product bundles Recommendations and tips for transporting IT Shop components with the Database Transporter
Troubleshooting errors in the IT Shop Configuration parameters for the IT Shop Request statuses Examples of request results

Approvals to be made externally

Use external approvals (EX approval procedure) if a request needs to be approved once a defined event from outside One Identity Manager takes place. You can also use this procedure to allow users with no access to One Identity Manager to approve requests.

Specify an event in the approval step that triggers an external approval. The event triggers a process that initiates the external approval for the request and evaluates the result of the approval decision. The approval process waits for the external decision to be passed to One Identity Manager. Define the subsequent approval steps depending on the result of the external approval.

To use an approval procedure

  1. In the Designer, define your own processes that:

    • Triggers an external approval.

    • Analyzes the results of the external approval.

    • Grants or denies approval in the subsequent external approval step in One Identity Manager.

  2. Defines an event that starts the process for external approval. Enter the result in Result in the approval step.

If the external event occurs, the approval step status in One Identity Manager must be changed. Use the CallMethod process task with the MakeDecision method for this. Pass the following parameters to the process task:

MethodName: Value = "MakeDecision"

ObjectType: Value = "PersonWantsOrg"

Param1: Value = "sa"

Param2: Value = <approval> ("true" = granted; "false" = denied)

Param3: Value = <reason for approval decision>

Param4: Value = <standard reason>

Param5: Value = <number approval steps> (PWODecisionStep.SubLevelNumber)

WhereClause: Value = "UID_PersonWantsOrg ='"& $UID_PersonWantsOrg$ &"'"

Use these parameters to specify which request is to be approved by external approval (WhereClause). Param1 specifies the approver. The approver is always the sa system user. Param2 passes down the approval decision. If the request was granted, a value of True must be returned. If the request was denied, a value of False must be returned. Use Param3 to pass a reason text for the approval decision; use Param4 to pass a predefined standard reason. If more than one external approval steps have been defined in an approval level, use Param5 to pass the approval step count. This ensures the approval is aligned with the correct approval step.

Example

All approved requests should be entered into an external ticketing system and started. If a request is completed in an external ticketing system, it must also be completed in One Identity Manager. Use this approval procedure to make external approvals and define:

  • A P1 process that creates a ticket with the information about the requested product in the external system and passes the ticket number to One Identity Manager in the request instance.
  • An E1 event that starts the P1 event.
  • A P2 process that checks whether the ticket status is "closed" and calls the CallMethod process task with the MakeDecision method in One Identity Manager.
  • An E2 event that starts the P2 process.
  • A schedule that starts the E2 event on a regular basis.

Enter E1 in the Event box as the trigger for the external decision.

Pass the product and customer data that the product is being requested for in the P1 process to the external ticket system. In another parameter, pass the ticket number from the external ticketing system to One Identity Manager.

Use the ticket number to check the ticket status in P2 process. If the ticket is closed, call the MakeDecision method and pass the ticket status from the external system to One Identity Manager in a parameter (Param2). In another parameter, specify the system user that changes the approval step status in One Identity Manager (Param1). Pass sa as the value for this parameter. Pass the reason for the approval decision in Param3.

For more information about defining processes, see One Identity Manager Configuration Guide.

Detailed information about this topic

Finding requesters

Use the BS and BR approval procedures to return the approval to the requester or request recipient. The BS approval procedure finds the request requester and the BR approval procedure finds the request recipient. As a result, the requester and the request recipient can also influence the approval. Their approval can be viewed in the approval history. The approval workflow can be continued from any approval level.

The requesters are also found if the QER | ITShop | PersonInsertedNoDecide and QER | ITShop | PersonOrderedNoDecide configuration parameters are set. For more information, see Approving requests from an approver.

Setting up approval procedures

You can create your own approval procedures if the default approval procedures for finding the responsible approvers do not meet your requirements. The condition through which the approvers are determined is formulated as a database query. Several queries may be combined into one condition.

To set up an approval procedure

  1. In the Manager, select the IT Shop > Basic configuration data > Approval procedures category.

  2. Select an approval procedure in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the approval procedure main data.

  4. Save the changes.

To edit the condition

  1. In the Manager, select the IT Shop > Basic configuration data > Approval procedures category.

  2. Select an approval procedure from the result list.

  3. Select Change queries for approver selection.

Detailed information about this topic

General main data of an approval procedure

Enter the following main data of an approval procedure.

Table 41: General main data of an approval procedure

Property

Description

Approval procedure

Descriptor for the approval procedure (maximum two characters).

Description

Approval procedure identifier.

DBQueue Processor task

Approvals can either be made automatically through a DBQueue Processor calculation task or by specified approvers. Assign a custom DBQueue Processor task if the approval procedure should make an automatic approval decision.

You cannot assign a DBQueue Processor task if a query is entered for determining the approvers.

Max. number approvers

Maximum number of approvers to be determined by the approval procedure. Specify how many identities must really make approval decisions in the approval steps used by this approval procedure.

Sort order

Value for sorting approval procedures in the menu.

Specify the value 10 to display this approval procedure at the top of the menu when you set up an approval step.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级