
One Identity Manager 8.2.

IT Shop Administration Guide


Copyright 2022 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this
guide is furnished under a software license or nondisclosure agreement. This software may be used
or copied only in accordance with the terms of the applicable agreement. No part of this guide may
be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser’s personal use without the
written permission of One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes
no representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office
information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property damage, for which industry-standard safety precautions are advised. This icon is often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

One Identity Manager IT Shop Administration Guide


Updated - 30 May 2022, 09:15
Version - 8.2.1
Contents

Setting up an IT Shop solution 11


One Identity Manager users in the IT Shop 12
Implementing the IT Shop 14
Using the IT Shop with the Application Governance Module 16
Requestable products 16
Multi-request resources 19
Preparing products for requesting 21
Entering service items 22
General main data for service items 22
Pricing for service items 25
Extended main data for service items 26
Default service items 26
Specifying dependencies between products 26
Editing product dependencies for requests 27
Defining hierarchy for service items 27
Assigning hierarchical roles to service items 28
Assigning functional areas to service items 29
Assigning extended properties to service items 30
Displaying websites for service items 30
Changing products for service items 31
Adding tags and assigning them to service items 31
Assigning object-dependent references to service items 32
Displaying the service item overview 33
Reports about service items 33
Entering service categories 35
Main data for service categories 35
Default service categories 37
Assigning service items to service categories 37
Assigning object-dependent references to a service category 38
Displaying the service category overview 38
Entering product-specific request properties 39

One Identity Manager 8.2.1 IT Shop Administration Guide


3
Request property and request parameter settings 40
Copy request properties 45
Displaying the request properties overview 45
Products for requests with time restrictions 46
Product request on customer or product relocation 46
Non-requestable products 47
Entering terms of use 48
Assigning service items to terms of use 49
Displaying the terms of use overview 49
Entering tags 49
Assigning service items to tags 50
Displaying the tags overview 51
Assigning and removing products 51
Assigning products to shelves 53
Removing products from shelves 53
Moving products to another shelf 54
Replacing products 55
Preparing the IT Shop for multi-factor authentication 55
Using multi-factor authentication for requests 56
Assignment requests 57
Standard products for assignment requests 57
Requesting memberships in business roles 59
Requesting memberships in application roles 60
Customizing assignment requests 61
Canceling requests 62
Removing customers from a shop 62
Setting up assignment resources 64
General main data for assignment resources 64
Default assignment resources 66
Displaying assignment resource overviews 66
Adding assignment resources to the IT Shop 66
Removing assignment resources from the IT Shop 67
Delegations 67
Standard products for delegation 69
Preparing single delegations 69

Allowing delegation approvals 70
Creating IT Shop requests from existing user accounts, assignments, and role memberships 71
Creating requests for employees 72
Creating user account requests 74
Creating workdesk requests 75
Creating assignment requests 76
Adding system entitlements automatically to the IT Shop 77
Deleting unused application roles for product owners 79

Approval processes for IT Shop requests 81


Approval policies for requests 81
General main data of approval policies 82
Default approval policies 83
Additional tasks for approval policies 83
The approval policy overview 83
Adding to the IT Shop 84
Validity checking 84
Editing approval workflows 84
Approval workflows for requests 85
Working with the workflow editor 85
Setting up approval workflows 88
Editing approval levels 89
Editing approval steps 90
Properties of an approval step 90
Connecting approval levels 95
Additional tasks for approval workflows 96
The approval workflow overview 96
Copying approval workflows 97
Deleting approval workflows 97
Default approval workflows 98
Determining the effective approval policies 98
Approvers for renewals 99
Approvers for unsubscriptions 100
Selecting responsible approvers 100
Default approval procedures 100

Self-service 105
Using IT Shop structures to find approvers 105
Using request recipients to find approvers 106
Using specific roles to find approvers 106
Using requested products to find approvers 107
Using approval roles to find approvers 109
Using cost centers to find approvers 111
Using departments to find approvers 112
Using requested roles to find approvers 112
Waiting for further approval 112
Calculated approval 114
Approvals to be made externally 115
Finding requesters 117
Setting up approval procedures 117
General main data of an approval procedure 118
Queries for approver selection 119
Copying an approval procedure 121
Deleting approval procedures 122
Determining the responsible approvers 122
Request risk analysis 124
Testing requests for rule compliance 125
Compliance checking requests 126
Identifying rule violations 127
Finding exception approvers 128
Restricting exception approvers 131
Setting up exception approver restrictions 132
Explicit exception approval 133
Rule checking for requests with self-service 134
Approving requests from an approver 134
Setting up approver restrictions 136
Automatically approving requests 136
Configuring automatic approval 138
Approval by peer group analysis 139
Configuring peer group analysis for requests 140
Gathering further information about a request 141

Appointing other approvers 142
Escalating an approval step 143
Approvers cannot be established 145
Automatic approval on timeout 146
Halting a request on timeout 147
Approval by the chief approval team 149
Approving requests with terms of use 150
Using default approval processes 151

Request sequence 155


The request overview 157
Displaying request details 157
Displaying the approval sequence 157
Displaying the approval history 158
Requesting products more than once 159
Requests with limited validity period 160
Renewing requests 161
Canceling or unsubscribing requests 162
Checking request validity periods 162
Relocating a customer or product to another shop 164
Changing approval workflows of pending requests 164
Requests for employees 166
Requesting change of manager for an employee 166
Canceling requests 168
Unsubscribe products 169
Notifications in the request process 169
Requesting approval 170
Reminding approvers 170
Scheduled request for approval 172
Sequence for limited requests 172
Approving or denying request approval 173
Notifying delegates 173
Canceling requests 175
Escalating requests 175
Delegating approvals 175
Rejecting approvals 176

Notifications with questions 176
Using additional approvers to approve requests 177
Unsubscribing approved requests 177
Renewing approved requests 178
Product change notifications 178
Default mail templates 178
Bulk delegation notifications 179
Approval by mail 179
Editing approval emails 182
Adaptive cards approval 183
Using adaptive cards for approvals 184
Adding and deleting recipients and channels 185
Creating, editing, and deleting adaptive cards for requests 186
Creating, editing, and deleting adaptive cards templates for requests 188
Deploying and evaluating adaptive cards for requests 189
Requests with limited validity period for changed role memberships 190
Requests from permanently inactive employees 191
Deleting requests 191

Managing an IT Shop 193


IT Shop base data 193
Processing status 195
Standard reason for requests 196
Predefined standard reasons for requests 197
Role classes for the IT Shop 198
Role types for the IT Shop 199
Business partners 199
Functional areas 201
Chief approval team 202
Product owners 203
Attestors 204
Setting up IT Shop structures 205
Adding IT Shop structures 206
General main data of IT Shop structures 206
Custom main data of IT Shop structures 208
Additional tasks for IT Shop structures 208

The IT Shop structure overview 209
Assigning approval policies 209
Assigning requestable products to shelves 210
Setting up a customer node 210
Adding customer nodes 211
General main data of customer nodes 211
Custom main data of customer nodes 212
Additional tasks for customer nodes 212
The entitled customers overview 212
Assigning employees directly 212
Assigning employees through dynamic roles 213
Deleting IT Shop structures 215
Deleting customer nodes 215
Deleting shelves 215
Deleting shops 216
Deleting shopping centers 216
Templates for automatically filling the IT Shop 217
Using shelf templates in an IT Shop solution 220
Editing shelf templates 221
General main data of a shelf template 221
Custom main data of shelf templates 222
Additional tasks for shelf templates 222
Assigning approval policies 223
Assigning requestable products to shelf templates 223
Shelf-filling wizard 224
Assigning shelf templates to shops and shopping center templates 224
Deleting shelf templates 225
Custom mail templates for notifications 227
Creating and modifying IT Shop mail templates 227
General properties of mail templates 228
Creating and editing mail definitions 229
Using base object properties 230
Use of hyperlinks to the Web Portal 231
Default functions for creating hyperlinks 232
Customize email signatures 233

Copying IT Shop mail templates 234
Displaying IT Shop mail template previews 234
Deleting IT Shop mail templates 234
Custom notification processes 235
Request templates 235
Creating and modifying request templates 235
General main data of a request template 236
Cart items 237
Deleting request templates 237
Recommendations and tips for transporting IT Shop components with the Database Transporter 238

Troubleshooting errors in the IT Shop 239


Timeout on saving requests 239
Bulk delegation errors 240
Process monitoring for requests 240

Appendix: Configuration parameters for the IT Shop 242

Appendix: Request statuses 256

Appendix: Examples of request results 258

About us 261
Contacting us 261
Technical support resources 261

Index 262

1 Setting up an IT Shop solution

The IT Shop allows users to request company resources such as software, system roles, or
group membership as well as non-IT resources such as mobile telephones or keys.
Furthermore, membership of a hierarchical role (department, location, cost center, or
business role) can be requested through the IT Shop. The requests are processed by a
flexible policy-based approval process. Introducing the IT Shop avoids time-consuming
demands within the company and reduces the administration effort. The request history
makes it possible to follow who requested which company resource or hierarchical role and
when it was requested, renewed, or canceled.
Shops, shelves, customers, and products all belong to an IT Shop solution. Several shops
can be grouped together into shopping centers. The shelves are assigned company
resources in the form of products. Products can be grouped into service categories. All the
service categories are summarized in a service catalog. Customers can select products
from a service catalog in the Web Portal, add them to a cart, and send a purchase request.
The following figure shows an example of a service catalog with service categories.

Figure 1: Example of a service catalog

Requests follow a defined approval process that determines whether a product may be
assigned or not. Products can be renewed or canceled. Approval processes can also be
specified for renewals and cancellations. Approval policies are defined for approval
processes. The approval policies are assigned to approval workflows for product requests,
renewals, or cancellations.

Figure 2: Example of a simple approval workflow

The products are requested, renewed, and canceled through the Web Portal. Authorized
employees have the option to approve requests and cancellations. For detailed information,
see the One Identity Manager Web Designer Web Portal User Guide.

One Identity Manager users in the IT Shop
The following users are involved in the setting up and operating of an IT Shop system.

Table 1: Users

Administrators for the IT Shop
Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.
Users with this application role:
• Create the IT Shop structure with shops, shelves, customers, templates, and service catalog.
• Create approval policies and approval workflows.
• Specify which approval procedure to use to find attestors.
• Create products and service items.
• Set up request notifications.
• Monitor request procedures.
• Administrate application roles for product owners and attestors.
• Maintain members of the chief approval team.
• Set up other application roles as required.
• Create extended properties for company resources of any type.
• Edit the resources and assign them to IT Shop structures.
• Assign system entitlements to IT Shop structures.

Product owners
Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.
Users with this application role:
• Approve through requests.
• Edit service items and service categories under their management.

One Identity Manager administrators
One Identity Manager administrators and administrative system users. Administrative system users are not added to application roles.
One Identity Manager administrators:
• Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
• Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
• Enable or disable additional configuration parameters in the Designer as required.
• Create custom processes in the Designer as required.
• Create and configure schedules as required.

Role approver
Approvers are determined through approval processes.
• Request approval in the Web Portal.

Attestors for requests
Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.
Users with this application role:
• Attest correct assignment of company resources to IT Shop structures for which they are responsible.
• Attest objects that have service items assigned to them.
• Can view main data for these IT Shop structures but not edit them.
NOTE: This application role is available if the Attestation Module is installed.

Chief approval team
Chief approvers must be assigned to the Request & Fulfillment | IT Shop | Chief approval team application role.
Users with this application role:
• Approve through requests.
• Assign requests to other approvers.

Implementing the IT Shop


Identity & Access Lifecycle is already included in the default installation of One Identity
Manager. This shop contains several shelves that have standard products assigned to
them. You can use these products to request role or group memberships, for example, or to
delegate duties. All active employees automatically become members of this shop and can
therefore make requests.
You can use the Identity & Access Lifecycle shop to request standard products. Default
approval policies are implemented for approving these requests. You can request any
company resources you like by taking the default shop and extending it with your own
shelves or by setting up your own IT Shop solution.

To use the Identity & Access Lifecycle shop

1. In the Designer, set the QER | ITSHOP configuration parameter.
In the default installation, the configuration parameter is set and the IT Shop is available. If the configuration parameter is not set, you can set it in the Designer and then compile the database.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
2. Install and configure the Web Portal.
The products are requested, renewed, and canceled through the Web Portal.
Authorized employees have the option to approve requests and cancellations.
For more information, see the One Identity Manager Installation Guide and the One
Identity Manager Web Designer Web Portal User Guide.

To customize the Identity & Access Lifecycle shop

1. Set up more shelves.
For more information, see Managing an IT Shop on page 193.
2. Prepare company resources for requesting.
For more information, see Preparing products for requesting on page 21.
3. Assign requestable products to the shelves.
For more information, see Assigning and removing products on page 51.
4. Set up the approval process.
In the default installation, different default approval policies are assigned to the
Identity & Access Lifecycle shop. Therefore, requests from this shop are run
through predefined approval processes.
You can also assign your own approval policy to the shop. For more information, see
Approval processes for IT Shop requests on page 81.
5. If necessary, edit the dynamic role condition.
For more information, see Assigning employees through dynamic roles on page 213.
For more information about creating the condition, see the One Identity Manager
Identity Management Base Module Administration Guide.

To set up your own IT Shop solution

1. In the Designer, set the QER | ITSHOP configuration parameter.
In the default installation, the configuration parameter is set and the IT Shop is available. If the configuration parameter is not set, you can set it in the Designer and then compile the database.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
2. Set up shops, shelves, and customer node.
For more information, see Managing an IT Shop on page 193.
3. Prepare company resources for requesting.
For more information, see Preparing products for requesting on page 21.
4. Assign requestable products to the IT Shop.
For more information, see Assigning and removing products on page 51.
One Identity Manager makes different standard products available, which can be
requested through the Identity & Access Lifecycle shop. You can also add these
standard products to your own IT Shop.
5. Set up the approval process.
For more information, see Approval processes for IT Shop requests on page 81.
6. Install and configure the Web Portal.

The products are requested, renewed, and canceled through the Web Portal.
Authorized employees have the option to approve requests and cancellations.
For more information, see the One Identity Manager Installation Guide and the One
Identity Manager Web Designer Web Portal User Guide.

Related topics
l Using the IT Shop with the Application Governance Module on page 16

Using the IT Shop with the Application Governance Module
The Application Governance Module allows you to quickly and simply run the onboarding
process for new applications from one place. An application created with the Application
Governance Module combines all the permissions application users require for their regular
work. This way, you can assign application entitlements to your applications (such as
system entitlements or system roles) and plan when they will be available as requestable
products (service items) (for example, in the Web Portal).
For more information about the Application Governance Module, see the One Identity
Manager Application Governance User Guide. For more information about configuring the
Application Governance Module, see the One Identity Manager Web Application
Configuration Guide.
Applications can also be set up in the Manager if the Application Governance Module is
available. For more information about this, see the One Identity Manager Web Application
Configuration Guide.

Requestable products
Requestable products in the IT Shop are company resources such as target system groups,
software, and non-IT resources after they have been assigned to a shelf. The following
company resources can be assigned to shelves as requestable products.

Table 2: Requestable products

Company resource | Available in module | Documentation guide
Groups and system entitlements of custom target systems | Target System Base Module | One Identity Manager Target System Base Module Administration Guide
Active Directory groups | Active Directory Module | One Identity Manager Administration Guide for Connecting to Active Directory
SharePoint groups and SharePoint roles | SharePoint Module | One Identity Manager Administration Guide for Connecting to SharePoint
HCL Domino groups | Domino Module | One Identity Manager Administration Guide for Connecting to HCL Domino
LDAP groups | LDAP Module | One Identity Manager Administration Guide for Connecting to LDAP
SAP groups, SAP roles, and SAP profiles | SAP R/3 User Management Module | One Identity Manager Administration Guide for Connecting to SAP R/3
SAP structural profiles | SAP R/3 Structural Profiles Add-on Module | One Identity Manager Administration Guide for SAP R/3 Structural Profiles Add-on
SAP BI analysis authorizations | SAP R/3 Analysis Authorizations Add-on Module | One Identity Manager Administration Guide for SAP R/3 Analysis Authorizations Add-on
E-Business Suite permissions | Oracle E-Business Suite Module | One Identity Manager Administration Guide for Connecting to Oracle E-Business Suite
Azure Active Directory groups | Azure Active Directory Module | One Identity Manager Administration Guide for Connecting to Azure Active Directory
Azure Active Directory administrator roles | Azure Active Directory Module | One Identity Manager Administration Guide for Connecting to Azure Active Directory
Google Workspace groups, Google Workspace products and SKUs, Google Workspace Admin role assignments | Google Workspace Module | One Identity Manager Administration Guide for Connecting to Google Workspace
Cloud groups and system entitlements | Cloud Systems Management Module | One Identity Manager Administration Guide for Connecting to the Universal Cloud Interface
Resources | Identity Management Base Module | One Identity Manager Identity Management Base Module Administration Guide
Multi-request resources | Identity Management Base Module | One Identity Manager Identity Management Base Module Administration Guide
Account definitions | Target System Base Module | One Identity Manager Target System Base Module Administration Guide
System roles | System Roles Module | One Identity Manager System Roles Administration Guide
Subscribable reports | Report Subscription Module | One Identity Manager Report Subscriptions Administration Guide
Software | Software Management Module | One Identity Manager Software Management Administration Guide
Assignment resources | Identity Management Base Module, Business Roles Module | Use assignment resources to request any number of assignments to hierarchical roles or to delegate responsibilities through the IT Shop. For more information, see Assignment requests on page 57.
Azure Active Directory groups | Azure Active Directory Module | One Identity Manager Administration Guide for Connecting to Azure Active Directory
Azure Active Directory administrator roles | Azure Active Directory Module | One Identity Manager Administration Guide for Connecting to Azure Active Directory
PAM user groups | Privileged Account Governance Module | One Identity Manager Administration Guide for Privileged Account Governance
Password requests | Privileged Account Governance Module | One Identity Manager Administration Guide for Privileged Account Governance
Remote desktop session requests | Privileged Account Governance Module | One Identity Manager Administration Guide for Privileged Account Governance
SSH session requests | Privileged Account Governance Module | One Identity Manager Administration Guide for Privileged Account Governance
Telnet session requests | Privileged Account Governance Module | One Identity Manager Administration Guide for Privileged Account Governance
SSH key requests | Privileged Account Governance Module | One Identity Manager Administration Guide for Privileged Account Governance

Software and system roles can also be requested for workdesks. The request's UID_Workdesk is given as additional information here (PersonWantsOrg.UID_WorkdeskOrdered).

Multi-request resources
The IT Shop distinguishes between single and multiple requestable products. Single request products are, for example, software, system roles, or Active Directory groups. These products cannot be requested if they have already been requested for the same time period.
Furthermore, an employee may need several of one type of company resource, for example, consumables. Company resources such as these are mapped in One Identity Manager as Multi-request resources or Multi requestable/unsubscribable resources.

Table 3: Resource types

Resources (table QERResource)
Resources that an employee (workdesk, device) may own just once. The resources can be requested in the IT Shop just once. The resources are assigned to the employees after approval has been granted. They remain assigned until the request is unsubscribed. You can request them again at a later point.
Example: phone, company car.

Multi-request resources (table QERReuse)
Resources that can be requested more than once in the IT Shop. Requests are automatically canceled once approved. The resources are not explicitly assigned to employees.
Example: resource for requesting remote desktop sessions for assets in a PAM system; consumables, such as pens, printing paper.

Multi requestable/unsubscribable resources (table QERReuseUS)
Resources that an employee can request more than once in the IT Shop but must return explicitly once they are no longer needed. The resources are assigned to the employees after approval has been granted. They remain assigned until the request is canceled.
Example: printer, monitor.
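The three resource types in Table 3 differ in how a request behaves once it is approved. The following Python model is an added illustration, not part of this guide and not One Identity Manager code; it puts the three rules side by side: a single-request resource (QERResource) is refused while an open request by the same employee already covers an overlapping validity period, a multi-request resource (QERReuse) closes its request on approval and leaves nothing assigned, and a multi requestable/unsubscribable resource (QERReuseUS) stays assigned until it is explicitly returned. The class and state names, the day-level overlap rule and the sample products are assumptions of the example; only the three table names come from the guide.

```python
"""Constructed model of the resource types in Table 3 (illustration only)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Kind(Enum):
    RESOURCE = "QERResource"   # requestable once; assigned until unsubscribed
    REUSE = "QERReuse"         # multi-request; request is closed on approval
    REUSE_US = "QERReuseUS"    # multi-request; must be returned explicitly


class State(Enum):             # assumed request states for this model
    PENDING = "pending"
    ASSIGNED = "assigned"
    CLOSED = "closed"          # canceled or unsubscribed


@dataclass
class Request:
    employee: str
    product: str
    valid_from: date
    valid_until: Optional[date]  # None = open-ended
    state: State = State.PENDING


def _overlaps(a: Request, b: Request) -> bool:
    """Assumed rule: two periods overlap if they share at least one day."""
    a_end = a.valid_until or date.max
    b_end = b.valid_until or date.max
    return a.valid_from <= b_end and b.valid_from <= a_end


class Shop:
    def __init__(self) -> None:
        self.kinds: dict[str, Kind] = {}
        self.requests: list[Request] = []

    def add_product(self, product: str, kind: Kind) -> None:
        self.kinds[product] = kind

    def request(self, employee: str, product: str, valid_from: date,
                valid_until: Optional[date] = None) -> Request:
        new = Request(employee, product, valid_from, valid_until)
        if self.kinds[product] is Kind.RESOURCE:
            # Single-request product: refuse a second open request that
            # covers the same period for the same employee.
            for r in self.requests:
                if (r.employee, r.product) == (employee, product) \
                        and r.state is not State.CLOSED and _overlaps(r, new):
                    raise ValueError(f"{product} already requested for this period")
        self.requests.append(new)
        return new

    def approve(self, req: Request) -> None:
        if req.state is not State.PENDING:
            raise ValueError("only pending requests can be approved")
        if self.kinds[req.product] is Kind.REUSE:
            req.state = State.CLOSED      # consumed; nothing stays assigned
        else:
            req.state = State.ASSIGNED

    def unsubscribe(self, req: Request) -> None:
        if req.state is not State.ASSIGNED:
            raise ValueError("nothing assigned to return")
        req.state = State.CLOSED

    def assigned(self, employee: str) -> list[str]:
        return sorted(r.product for r in self.requests
                      if r.employee == employee and r.state is State.ASSIGNED)


def demo() -> dict:
    """Walk one employee through all three resource kinds (constructed data)."""
    shop = Shop()
    shop.add_product("company car", Kind.RESOURCE)
    shop.add_product("printing paper", Kind.REUSE)
    shop.add_product("monitor", Kind.REUSE_US)

    car = shop.request("alice", "company car", date(2022, 6, 1), date(2022, 12, 31))
    try:
        shop.request("alice", "company car", date(2022, 9, 1))  # overlaps: refused
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    shop.request("alice", "company car", date(2023, 1, 1))      # later period: allowed

    paper1 = shop.request("alice", "printing paper", date(2022, 6, 1))
    paper2 = shop.request("alice", "printing paper", date(2022, 6, 1))  # allowed twice
    mon1 = shop.request("alice", "monitor", date(2022, 6, 1))
    mon2 = shop.request("alice", "monitor", date(2022, 6, 1))           # allowed twice

    for r in (car, paper1, paper2, mon1, mon2):
        shop.approve(r)
    shop.unsubscribe(mon1)            # QERReuseUS must be returned explicitly
    try:
        shop.unsubscribe(paper1)      # QERReuse was already closed on approval
        paper_return_rejected = False
    except ValueError:
        paper_return_rejected = True

    return {"duplicate_rejected": duplicate_rejected,
            "paper_return_rejected": paper_return_rejected,
            "paper_states": [paper1.state.value, paper2.state.value],
            "assigned": shop.assigned("alice")}


if __name__ == "__main__":
    print(demo())
```

The overlap check is deliberately limited to requests that are still open; a closed request for the same resource does not block a new one, which matches the note in Table 3 that a resource can be requested again at a later point.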

To set up multi-request resources and add them as products in the IT Shop

1. In the Manager, select the Entitlements > Multi-request resources for IT Shop category.
2. Click in the result list.
3. Edit the resource's main data.
4. Save the changes.
5. Select the Add to IT Shop task.
In the Add assignments pane, assign a shelf.
TIP: In the Remove assignments pane, you can remove shelf assignments.
To remove an assignment
• Select the shelf and double-click .
6. Save the changes.

To set up multi requestable/unsubscribable resources and to add them as products to
the IT Shop

1. In the Manager, select the Entitlements > Multi requestable/unsubscribable
resources for IT Shop category.
2. Click in the result list.
3. Edit the resource's main data.
4. Save the changes.
5. Select the Add to IT Shop task.
In the Add assignments pane, assign a shelf.

TIP: In the Remove assignments pane, you can remove shelf assignments.

To remove an assignment
l Select the shelf and double-click .
6. Save the changes.

For more information about multi requestable products, see the One Identity Manager
Identity Management Base Module Administration Guide.

Preparing products for requesting


Company resources have to fulfill at least the following prerequisites before you can
request them in the Web Portal:
l The company resource must be labeled with the IT Shop option.
l A service item must be assigned to the company resource.
l The company resource must be assigned to a shelf as a product.
l If the company resource is only assigned to employees using IT Shop requests,
the company resource must also be labeled with the Only use in IT Shop option.
This means that the company resource cannot be directly assigned to roles outside
the IT Shop.

The Entitlements category displays all company resources that can be requested using
the IT Shop. This includes software, system entitlements, system roles, account
definitions, resources, multi-request resources, and assignment resources if the
corresponding modules are installed.
You can prepare the company resources for requesting in the IT Shop if you are an IT
Shop administrator and have logged in as role-based. You can assign service items, edit
the IT Shop and Only use in IT Shop options and assign the company resources to IT
Shop shelves.

To prepare company resources for requesting

1. In the Manager, select the Permissions category.
2. Navigate to the results list and select the company resource you want.
3. Select the Change main data task.
4. Enable the IT Shop option.
5. Assign a new service item in the Service item field.
To add a new service item, click . Copy the name of the company resource as
identifier for the service item. Enter the other properties on the service item
main data form.
6. Save the changes.
7. Select the Add to IT Shop task.

8. In the Add assignments pane, assign the company resource to shelves.
9. Save the changes.

Customers keep their requested products on the shelf until they unsubscribe them.
Sometimes, however, products are only required for a certain length of time and can be
canceled automatically after this time. Additional settings are required to provide such
limited-period products.
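The following Python snippet is an added example for this guide, not code from One Identity Manager. It checks a list of company resources against the prerequisites listed above and reports which ones are unmet, so that a product that is missing a service item or shelf, or that is meant to be handed out only through the request and approval workflow but is still assigned directly to roles, is caught before it appears in the Web Portal. The record fields mirror the options named in the text; their names and the count of direct role assignments used in the last check are assumptions for illustration, and the sample resources are constructed.

```python
"""Check company resources against the IT Shop prerequisites.

Added example; not One Identity Manager code. Field names are assumptions
that mirror the options described in the guide, not product column names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CompanyResource:
    name: str
    it_shop: bool = False                 # "IT Shop" option
    service_item: Optional[str] = None    # assigned service item, if any
    shelves: List[str] = field(default_factory=list)  # shelves holding it as a product
    only_use_in_it_shop: bool = False     # "Only use in IT Shop" option
    it_shop_only_policy: bool = True      # assignments are meant to come only from requests
    direct_role_assignments: int = 0      # assumed: direct assignments to roles outside the IT Shop


def missing_prerequisites(res: CompanyResource) -> List[str]:
    """Return the prerequisites the resource does not meet (empty list = requestable)."""
    problems: List[str] = []
    if not res.it_shop:
        problems.append("IT Shop option not set")
    if res.service_item is None:
        problems.append("no service item assigned")
    if not res.shelves:
        problems.append("not assigned to any shelf")
    if res.it_shop_only_policy and not res.only_use_in_it_shop:
        problems.append("Only use in IT Shop option not set")
    # With "Only use in IT Shop" set, direct role assignments should not exist;
    # any that do would hand out the product without a request and approval.
    if res.only_use_in_it_shop and res.direct_role_assignments > 0:
        problems.append("direct role assignments exist despite Only use in IT Shop")
    return problems


def audit(resources: List[CompanyResource]) -> Dict[str, List[str]]:
    """Map each resource name to its list of unmet prerequisites."""
    return {r.name: missing_prerequisites(r) for r in resources}


# Constructed sample data: one ready product, one without a service item,
# one with direct role assignments that bypass the IT Shop.
SAMPLE = [
    CompanyResource("VPN access", it_shop=True, service_item="VPN access",
                    shelves=["Shelf 1"], only_use_in_it_shop=True),
    CompanyResource("Company car", it_shop=True, shelves=["Shelf 1"],
                    only_use_in_it_shop=True),
    CompanyResource("Admin toolkit", it_shop=True, service_item="Admin toolkit",
                    shelves=["Shelf 2"], only_use_in_it_shop=True,
                    direct_role_assignments=2),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "->", problems or "ready to request")
```

Running the check over the constructed sample flags the company car (no service item) and the admin toolkit (direct assignments although it is marked for IT Shop use only), while the VPN access product passes.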

Detailed information about this topic


l Entering service items on page 22
l Products for requests with time restrictions on page 46

Entering service items


In order to request company resources in the Web Portal, a service item must be assigned
to them. Service items contain additional information about the company resources. For
example, you can specify article numbers, request properties, product supervisors, or
approvers for requests. A service catalog can be put together in the Web Portal from the
service items. It contains all the requestable products. You can use service categories,
tags, and service item names to find the product in the service catalog.

To create or edit service items

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. In the result list, select the product's service item and select the Change
main data task.
- OR -
Click in the result list.
3. Enter the service item's main data.
4. Save the changes.

General main data for service items


Enter the following data on the General tab. If you add a new service item, you must fill
out the required fields.

Table 4: General main data of a service item

Service item: Service item name.

Special service item: If a product is used for a specific purpose, for example, for
product collection, then mark it as a special service item.

Service category: Group individual products into a collection of products. Select an
existing service category from the list or add a new one.
To create a new service category, click . Enter at least one name for the service item.

Product owners: Assign a Request & Fulfillment | IT Shop | Product owner application
role.
Product owners can be used as approvers in a defined approval process within the IT
Shop. They can decide on approval of the service item request.
To create a new application role, click . Enter the application role name and assign a
parent application role.
If no product owner is assigned, the product owner of the assigned service category is
determined by template.

Attestors: Assign a Request & Fulfillment | IT Shop | Attestor application role.
The members of this application role can be chosen as attestor in an attestation
procedure.
To create a new application role, click . Enter the application role name and assign a
parent application role.

Cost center: Cost center for booking the service item in the accounts.

Manufacturer: Manufacturer data.

Terms of use: Terms of use for the product. The product can only be requested if the
requester has accepted the terms of use.

Request number, product code, product code (foreign): Company-specific service item
properties.

Functional area: Company-specific service item property.

Approval policies: Approval policy used to determine the approver when the service item
is requested in the IT Shop.

Request property: Select a request property using the additional request parameters
that are defined for a request.
Requests can be given additional information through product-specific request
properties such as the specific details of a product, its size, or color. A request
property gathers all additional features together that can be given when requesting a
product.
To create a new request property, click and enter the request property's name. Then
define the request parameters.

Calculation info: Enter the calculation mode as accounting information.

Availability: Company-specific information about the service item's availability.

Sort order: Customer-specific criteria for sorting service items.

Website: Web page with more information about the service item.
This field allows you to link product descriptions on the internet or intranet to the
service item. To open the website in the default web browser, select Visit website.

Max. days valid: Time period for limited assignments through the IT Shop.
The service item is automatically canceled when the time expires.
When multi-request resources are requested (QERReuse), this value has no effect.
Changing the deadline will not affect requests that have already been approved. The new
deadline applies to new requests. It is taken into account when calculating the
expiration date of pending requests if no deadline was previously set (value change from
0 to greater than 0).

Description: Text field for additional explanation.

Retain service item assignment on relocation: Specifies whether requests belonging to
this service item remain intact when a customer or a product relocates.

Not available: Specifies whether the service item can still be requested in the IT Shop.
If this option is enabled, no new requests can be placed for this item. Existing
requests remain intact.

Request properties must be defined separately per recipient: Specifies whether
additional request properties must be entered separately for each recipient of this
product, if the product is requested for different recipients in one request procedure.
If this option is not set, the selected request properties apply uniformly to all
recipients of the product.

Approval by multi-factor authentication: The approval of requests with this service item
requires multi-factor authentication.
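The Max. days valid rules in the table above have several edge cases (approved requests keep their deadline, pending requests are only recalculated on a change from 0 to a value greater than 0, multi-request resources ignore the value). The following Python model is an added example for this guide, not product code; it encodes exactly those rules so they can be checked against sample requests. The request record, its field names, and the assumption that the deadline is counted from the request date are illustrative choices, not One Identity Manager schema.

```python
"""Model how a change of "Max. days valid" affects request expiration.

Added example; not One Identity Manager code. Rules follow the guide:
- approved requests are unchanged;
- new requests receive the current value;
- a pending request is recalculated only when the value changes from 0
  (no deadline) to a value greater than 0;
- for multi-request resources (QERReuse) the value has no effect.
Assumption: the deadline is counted from the request date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Request:
    product: str
    resource_table: str                  # "QERResource", "QERReuseUS" or "QERReuse"
    requested_on: date
    status: str                          # "pending" or "approved"
    valid_until: Optional[date] = None   # None = no deadline

    def valid_until_iso(self) -> Optional[str]:
        return self.valid_until.isoformat() if self.valid_until else None


def expiration_for(table: str, requested_on: date, max_valid_days: int) -> Optional[date]:
    """Expiration date for a request, or None when no deadline applies."""
    if table == "QERReuse" or max_valid_days <= 0:
        return None
    return requested_on + timedelta(days=max_valid_days)


def new_request(product: str, table: str, requested_on: str, max_valid_days: int) -> Request:
    """Create a pending request; the current Max. days valid value applies."""
    start = date.fromisoformat(requested_on)
    return Request(product, table, start, "pending",
                   expiration_for(table, start, max_valid_days))


def approve(req: Request) -> Request:
    req.status = "approved"
    return req


def apply_deadline_change(req: Request, old_days: int, new_days: int) -> Request:
    """Return the request as it looks after Max. days valid changed from
    old_days to new_days on the service item."""
    if req.resource_table == "QERReuse":
        return req                         # value has no effect on multi-request resources
    if req.status == "approved":
        return req                         # approved requests keep their deadline
    if old_days == 0 and new_days > 0:     # pending, and no deadline was set before
        req.valid_until = expiration_for(req.resource_table, req.requested_on, new_days)
    return req


if __name__ == "__main__":
    r = new_request("Printer", "QERResource", "2022-01-10", 0)
    print(apply_deadline_change(r, 0, 30).valid_until_iso())
```

A pending request without a deadline picks up the new value; a pending request that already had a deadline, an approved request, and a QERReuse request are left alone.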

For more information about attestation, see the One Identity Manager Attestation
Administration Guide. For more information about cost centers, see the One Identity
Manager Identity Management Base Module Administration Guide.

Detailed information about this topic


l Entering service categories on page 35
l Selecting responsible approvers on page 100
l Product owners on page 203
l Attestors on page 204
l Business partners on page 199
l Functional areas on page 201
l Determining the effective approval policies on page 98
l Entering product-specific request properties on page 39
l Products for requests with time restrictions on page 46
l Product request on customer or product relocation on page 46
l Moving products to another shelf on page 54
l Entering terms of use on page 48
l Preparing the IT Shop for multi-factor authentication on page 55

Pricing for service items


Enter the required pricing information for booking the service item to the accounts on the
Calculation tab.

Table 5: Pricing for a service item

Purchase price: Purchase price.
Sales price: Sales price.
Internal price: Internal transfer price.
Rental rate (purchasing): Purchase price on product rental.
Rental rate (selling): Sales price on product rental.
Rental rate (internal): Internal transfer price on product rental.
Currency: Currency unit.
Sales tax: Sales tax to apply in percent (%).

Extended main data for service items
On the Picture tab, you can import an image of the product into the database. Select the
path where the picture is stored.
On the User-defined tab, enter additional company-specific information in the spare
fields. Use the Designer to customize display names, formats, and templates for the fields.

Default service items


One Identity Manager provides service items by default. These service items are assigned
to the Identity & Access Lifecycle shop. You can request them as standard products
through the Web Portal.

To edit default service items


l In the Manager, select the IT Shop > Service catalog > Predefined category.

Specifying dependencies between products


You can define dependencies for products. For example, when a printer is requested, a flat-
rate installation charge has to be requested at the same time, and toner may be requested
optionally. You can also specify if two products should never be requested simultaneously.
Dependencies between requestable products are created using service items.
When a product is requested, it is checked for dependencies and, if any exist, the
dependent products are added to the request.

To specify dependencies between products

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the product's service item in the result list.
3. Select the Edit product dependencies for requests task.
l In the Dependent products tab, specify the dependent products.
In the Add assignments pane, assign the service items.
l In the Depends on products tab, specify which selected service item is
dependent on which products.
In the Add assignments pane, assign the service items.
4. Save the changes.

5. Select the Service item overview task.
6. Define the properties of the product dependency.
a. On the Dependent products or Depends on products form element, select
the dependent product.
This opens the product dependency details form.
b. Specify the dependency conditions. Select one of the following options:
l Cannot request products together
This option prevents the dependent product from being acquired by the
same request. The product can be assigned at any time with a separate,
direct request.
l Product must be requested at the same time
l Product can optionally be requested with another
7. Save the changes.
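To show how the three dependency conditions above play together when a request is assembled, here is an added Python example (not One Identity Manager code). It records dependencies per service item as "required", "optional" or "exclusive", adds required products transitively, lists optional ones as suggestions, and reports pairs that cannot be requested together. The printer, installation fee, toner and laptop/desktop service items are constructed sample data.

```python
"""Resolve product dependencies for a request.

Added example; not One Identity Manager code. The three kinds mirror the
options in the guide: a product that must be requested at the same time
(REQUIRED), one that can optionally be requested with another (OPTIONAL),
and products that cannot be requested together (EXCLUSIVE).
"""
from typing import Dict, List, Set, Tuple

REQUIRED, OPTIONAL, EXCLUSIVE = "required", "optional", "exclusive"

# dependencies[product] -> list of (dependent product, kind)
Dependencies = Dict[str, List[Tuple[str, str]]]

# Constructed sample data for the printer example in the guide, plus two
# products that must never share a request.
SAMPLE: Dependencies = {
    "Printer": [("Installation fee", REQUIRED), ("Toner", OPTIONAL)],
    "Home office laptop": [("Desktop PC", EXCLUSIVE)],
    "Desktop PC": [("Home office laptop", EXCLUSIVE)],
}


def resolve(requested: List[str], deps: Dependencies):
    """Return (products to request, optional suggestions, conflicts).

    Required products are added transitively. Optional products are only
    suggested, never added. A conflict is a pair of products in the final
    set that are marked as not requestable together; such a product can
    still be obtained with a separate, direct request, as the guide notes.
    """
    products: List[str] = []
    optional: Set[str] = set()
    queue = list(requested)
    while queue:
        p = queue.pop(0)
        if p in products:
            continue
        products.append(p)
        for dep, kind in deps.get(p, []):
            if kind == REQUIRED:
                queue.append(dep)
            elif kind == OPTIONAL:
                optional.add(dep)
    conflicts: Set[Tuple[str, str]] = set()
    for p in products:
        for dep, kind in deps.get(p, []):
            if kind == EXCLUSIVE and dep in products:
                conflicts.add(tuple(sorted((p, dep))))
    return products, sorted(optional - set(products)), sorted(conflicts)


if __name__ == "__main__":
    print(resolve(["Printer"], SAMPLE))
    print(resolve(["Home office laptop", "Desktop PC"], SAMPLE))
```

Requesting the printer yields the printer plus the installation fee, with toner as an optional suggestion; requesting laptop and desktop together is reported as a conflict rather than silently accepted.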

Editing product dependencies for requests


Dependencies between products are taken into account by Web Portal requests.

Detailed information about this topic


l Specifying dependencies between products on page 26

Defining hierarchy for service items


You can structure service items hierarchically. To do this, assign a service item below or
above another service item.

To structure service items hierarchically

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. In the result list, select a service item and run the Edit service item hierarchy
task.
3. Select the Child service items tab.
In the Add assignments pane, assign child service items.

TIP: In the Remove assignments pane, you can remove service item
assignments.

To remove an assignment
l Select the service item and double-click .
4. Select the Parent service items tab.
In the Add assignments pane, assign parent service items.
TIP: In the Remove assignments pane, you can remove service item
assignments.

To remove an assignment
l Select the service item and double-click .
5. Save the changes.

Assigning hierarchical roles to service items


You can use One Identity Manager to assess the risk of assignments. The assessments can
be evaluated separately by role. Prerequisite is that service items are assigned to the roles.
For more information about risk assessment, see the One Identity Manager Risk
Assessment Administration Guide.

Assigning organizations to service items


To assign a service item to departments, cost centers, and locations

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Assign organizations task.
In the Add assignments pane, assign the organizations:
l On the Departments tab, assign departments.
l On the Locations tab, assign locations.
l On the Cost centers tab, assign cost centers.
TIP: In the Remove assignments pane, you can remove assigned organizations.

To remove an assignment
l Select the organization and double-click .
4. Save the changes.

Assigning business roles to service items


NOTE: This function is only available if the Business Roles Module is installed.
You can issue separate invoices according to the different company structures. Assign
service items to business roles to do this.

To assign service items to business roles

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Assign business roles task.
In the Add assignments pane, select the role class and assign business roles.
TIP: In the Remove assignments pane, you can remove assigned business roles.

To remove an assignment
l Select the business role and double-click .
4. Save the changes.

Assigning functional areas to service items


You can use One Identity Manager to assess the risk of assignments. The assessments can
be evaluated separately by functional area. To do this, service items must be assigned to
functional areas. For detailed information, see the One Identity Manager Risk Assessment
Administration Guide.

To assign functional areas to a service item

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.

3. Select the Assign functional areas task.
Assign the functional areas in Add assignments.
TIP: In the Remove assignments pane, you can remove functional area
assignments.

To remove an assignment
l Select the functional area and double-click .
4. Save the changes.

Related topics
l Approval by peer group analysis on page 139

Assigning extended properties to service items


Extended properties are meta objects, such as operating codes, cost codes, or cost
accounting areas that cannot be mapped directly in One Identity Manager.

To assign extended properties to a service item

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Assign extended properties task.
In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended
properties.

To remove an assignment
l Select the extended property and double-click .
4. Save the changes.

Displaying websites for service items


You can link product descriptions on the internet or intranet with the service item. To do
this, enter the URL of the website in the Website field on the main data form.

To open the website in a standard browser

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Visit website task.

Related topics
l General main data for service items on page 22

Changing products for service items


A product can be replaced by another product at a specified time. All employees who
have requested this product are notified by an email telling them to request a
replacement product.

To replace a product with another one

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the product's service item to replace in the result list.
3. Select the Change product task.
4. Enter the following data:
l Expiry date: Date on which the product is replaced by a different product.
l Alternative product: Service item that can be requested instead.
5. Click OK.

Related topics
l Product change notifications on page 178

Adding tags and assigning them to service items


Use this task to assign tags to service items and to add new tags.

To add and assign a tag to a service item

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Assign tag task.
4. Select the Create tag task.
5. Enter the tag and a description for it.
6. Save the changes.
The new tag is shown on the assignment form.
7. Double-click on the tag to assign it to the selected service item.
8. Save the changes.

To assign a tag to a service item

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Assign tag task.
In the Add assignments pane, assign the tag.
TIP: In the Remove assignments pane, you can remove tag assignments.

To remove an assignment
l Select the tag and double-click .
4. Save the changes.

TIP: You can add more tags. For more information, see Entering tags on page 49.

Assigning object-dependent references to service items

Object dependent references can be assigned to service items. Use object-dependent
references to configure your Web Portal with the Web Designer. All object-dependent
references whose type references the AccProduct table can be assigned. For more
information about this, see the One Identity Manager Web Designer Reference Guide.

To assign object-dependent references to a service item

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Assign object-dependent references task.
In the Add assignments pane, assign object-dependent references.
TIP: In the Remove assignments pane, you can remove object-dependent
reference assignments.

To remove an assignment
l Select the object-dependent reference and double-click .
4. Save the changes.

Displaying the service item overview


On the overview form, you can see the most important information about a service item.

To obtain an overview of a service item

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Service item overview task.

Reports about service items


One Identity Manager makes various reports available containing information about the
selected base object and its relations to other One Identity Manager database objects. The
following reports are available for service items.
NOTE: Other sections may be available depending on which modules are installed.

Table 6: Reports about service items

Overview of all assignments: This report finds all roles containing employees with the
selected service item.

Related topics
l Overview of all assignments on page 34

Overview of all assignments


The Overview of all assignments report is displayed for some objects, such as
authorizations, compliance rules, or roles. The report finds all the roles, for example,
departments, cost centers, locations, business roles, and IT Shop structures in which there
are employees who own the selected base object. In this case, direct as well as indirect
base object assignments are included.

Examples:
l If the report is created for a resource, all roles are determined in which there
are employees with this resource.
l If the report is created for a group or another system entitlement, all roles are
determined in which there are employees with this group or system
entitlement.
l If the report is created for a compliance rule, all roles are determined in which
there are employees who violate this compliance rule.
l If the report is created for a department, all roles are determined in which
employees of the selected department are also members.
l If the report is created for a business role, all roles are determined in which
employees of the selected business role are also members.

To display detailed information about assignments


l To display the report, select the base object from the navigation or the result list and
select the Overview of all assignments report.
l Click the Used by button in the report toolbar to select the role class for which
you want to determine whether roles exist that contain employees with the selected
base object.
All the roles of the selected role class are shown. The color coding of elements
identifies the role in which there are employees with the selected base object. The
meaning of the report control elements is explained in a separate legend. To access
the legend, click the icon in the report's toolbar.

l Double-click a control to show all child roles belonging to the selected role.
l By clicking the button in a role's control, you display all employees in the role with
the base object.
l Use the small arrow next to to start a wizard that allows you to bookmark this list
of employees for tracking. This creates a new business role to which the employees
are assigned.

Figure 3: Toolbar of the Overview of all assignments report.

Table 7: Meaning of icons in the report toolbar

Icon Meaning

Show the legend with the meaning of the report control elements

Saves the current report view as a graphic.

Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Entering service categories


You can group individual service items into service categories to create a service catalog.

To edit service categories

1. In the Manager, select the IT Shop > Basic configuration data > Service
categories category.
- OR -
In the Manager, select the IT Shop > Service catalog category.
2. In the result list, select the service category and run the Change main data task.
3. Edit the service category's main data.
4. Save the changes.

Main data for service categories


Enter the following main data of a service category. If you add a new service category, you
must fill out the required fields.

Table 8: General main data of a service category

Service category: Name of the service category.

Special service category: Specifies whether the service category has a special purpose.

Parent service category: If you want to have service categories in a hierarchical
structure, select a parent service category from the list.

Product owners: Assign a Request & Fulfillment | IT Shop | Product owner application
role.
Product owners can be used as approvers in a defined approval process within the IT
Shop. They can decide on approval of the service item request.
To create a new application role, click . Enter the application role name and assign a
parent application role.

Attestors: Assign a Request & Fulfillment | IT Shop | Attestor application role.
The members of this application role can be chosen as attestor in an attestation
procedure.
To create a new application role, click . Enter the application role name and assign a
parent application role.
For more information, see the One Identity Manager Attestation Administration Guide.

Approval policies: Approval policies used to determine the approver when the service
item is requested from a service category in the IT Shop.

Request property: Select a request property using the additional request parameters
that are defined for a request.
Requests can be given additional information through product-specific request
properties such as the specific details of a product, its size, or color. A request
property gathers all additional features together that can be given when requesting a
product.
To create a new request property, click and enter the request property's name. Then
define the request parameters.

Purchase price, sales price, internal price, currency: Enter the required price
information for the service category accounting.

Sort order: Customer-specific criteria for sorting assigned service items.

Description: Text field for additional explanation.

Full name: Full name of the service category.

Remarks: Text field for additional explanation.

Picture: Picture for this service category. Select the path where the picture is stored.

Spare field no. 01 - spare field no. 10: Additional company-specific information. Use
the Designer to customize display names, formats, and templates for the input fields.

Detailed information about this topic


l Selecting responsible approvers on page 100
l Product owners on page 203
l Attestors on page 204
l Determining the effective approval policies on page 98
l Entering product-specific request properties on page 39

Default service categories


One Identity Manager provides service categories by default. These service categories
make up the default service items in the service catalog.

To edit default service categories


l In the Manager, select the IT Shop > Basic configuration data > Service
categories > Predefined category.

Assigning service items to service categories


Use this task to assign any number of service items to a service category.

To assign service items to a service category

1. In the Manager, select the IT Shop > Basic configuration data > Service
categories category.
- OR -
In the Manager, select the IT Shop > Service catalog category.
2. Select the service category in the result list.

3. Select the Assign service items task.
In the Add assignments pane, assign service items.
TIP: In the Remove assignments pane, you can remove service item
assignments.

To remove an assignment
l Select the service item and double-click .
4. Save the changes.

Assigning object-dependent references to a service category

Object-dependent references can be assigned to service categories. Use object-dependent
references to configure your Web Portal with the Web Designer. All object-dependent
references whose type references the AccProductGroup table can be assigned. For more
information about this, see the One Identity Manager Web Designer Reference Guide.

To assign object-dependent references to a service category

1. In the Manager, select the IT Shop > Basic configuration data > Service
categories category.
- OR -
In the Manager, select the IT Shop > Service catalog category.
2. Select the service category in the result list.
3. Select the Assign object-dependent references task.
In the Add assignments pane, assign object-dependent references.
TIP: In the Remove assignments pane, you can remove assigned object-
dependent references.

To remove an assignment
l Select the object-dependent reference and double-click .
4. Save the changes.

Displaying the service category overview


The overview form shows you the most important information about a service category at
a glance.

To obtain an overview of a service category

1. In the Manager, select the IT Shop > Basic configuration data > Service
categories category.
- OR -
In the Manager, select the IT Shop > Service catalog category.
2. Select the service category in the result list.
3. Select the Service category overview task.

Entering product-specific request properties


Requests can be given additional information through product-specific request properties
such as the specific details of a product, its size, or color. A request property gathers all
additional features together that can be given when requesting a product.
Define a request parameter for each feature of a request property. Parameters can be
marked as mandatory if a value must be entered when they are requested.
To be able to use request properties, you assign them to service items or service
categories. When a product is requested, the parameters of this request property are
displayed. If a service item does not have a request property assigned to it, the service
category's request property is used.
NOTE: The definition of request properties was redesigned with One Identity Manager
version 8.2. Now you can define much additional information for request parameters.
This makes the implementation of request properties more flexible. The previous solution
can still be used. When you add a new request property, you specify whether you want to
use the obsolete or the new style definition.
Adding request properties with the new style definition

To add a request property

1. In the Manager, select the IT Shop > Basic configuration data > Request
properties category.
2. Click in the result list.
3. Enter the name and a description for the request property.
Leave the Obsolete definition option disabled. After saving, the option cannot be
changed again.
4. Save the request property.
5. Select the Parameter tab.
6. Click Add.
7. Edit the request parameter's main data.
8. To add another request parameter, click Add.
9. Save the changes.

Adding request properties with the obsolete definition

To add a request property

1. In the Manager, select the IT Shop > Basic configuration data > Request
properties category.
2. Click in the result list.
3. Enter the name and a description for the request property.
4. Enable the Obsolete definition option.
After saving, the option cannot be changed again.
5. Save the request property.
6. Select the Parameter tab.
7. Click Add.
8. Edit the request parameter's main data.
9. To add another request parameter, click Add.
10. Save the changes.

Editing request properties

To edit a request property

1. In the Manager, select the IT Shop > Basic configuration data > Request
properties category.
2. Select the request property in the result list.
3. Select the Change main data task.
4. Edit the request property's main data.
5. Save the changes.

Detailed information about this topic

• Request property and request parameter settings on page 40
• Copy request properties on page 45

Related topics

• Main data for service categories on page 35
• General main data for service items on page 22

Request property and request parameter settings


Enter the following main data for a request property.

Table 9: Request property main data

Request property: Name of the request property.
Description: Exact description of the request property.
Obsolete definition: Specifies whether an obsolete definition is used for the request parameter. This information cannot be changed after a new request property has been saved.

Settings for request parameters with the current definition


Request parameters with the current definition are saved in the DialogParameter table. All
of a request property's parameters are grouped together internally as a parameter set
(DialogParameterSet). The parameter settings defined in the Manager are saved as default
parameters. During the request, fixed parameter values can be entered in the Web Portal.
These values are saved per request in parameter subsets. If the requester has not entered a
value, the parameter value from the default parameter set is used.
IMPORTANT: If the parameter settings in the default parameter set are changed, the
changes are passed on to all the requests in the shopping cart that use this parameter set,
as long as the requester has not entered their own values.
NOTE: The Inherited value can be selected for various parameter settings. This does not
affect request parameters. The parameter settings' default values apply that are shown
next to the input fields.
There are three tabs for editing the parameter settings, the value definition, and the
scripts for calculating the values. The actual parameter values are shown next to the
fields and menus.
General tab

Table 10: General parameter settings

Parameter name: Parameter name.
Parameter type: Type of parameter. Permitted values are:
  • Fixed: Fixed parameter values are used. On the Value definition tab, enter the parameter value.
  • User prompt: The user must select a parameter value in the user prompt during the request.
  • Calculation: The parameter value is calculated during the request. On the Value calculation tab, enter the table column and the condition for calculating the value.
  Other settings are shown or hidden depending on the type.
Display name: User friendly name for the parameter. To display language dependent display names, translate the given text with the button.
Description: Text field for additional explanation. Translate the given text with the button.
Sort order: Position of the parameter in the request property view in the Web Portal.
Mandatory parameter: Specifies whether this is a mandatory parameter. This parameter must have a value in it in order to make the request.
Viewable: Specifies whether the parameter is shown in the request in the Web Portal.
Can be overwritten: Specifies whether the parameter value can be overwritten during the request.

Value definition tab

Table 11: Value definition

Data type: Parameter data type.
Date add-on: Additional information about calculating date and time data for displaying in the user interface. The value can be edited if the Date data type is selected.
Value range: Specifies whether the parameter value has to be within a given range. If Yes, additional fields appear.
Multivalue: Specifies whether the parameter accepts multiple values. If Yes, users can select multiple values from a list.
Multiline: Specifies whether the parameter contents can have multiple lines. If Yes, line breaks are permitted.
Data source: Type of data source. Permitted values are:
  • None: The user can give any value.
  • Table: The user selects a value from a specified table column.
  • List of permitted values: The user selects a value from a predefined list.
  You may require additional data depending on the data source.
Table column (query): Additional data for the data source Table. Table column for selecting the parameter value. The user can select a value from this table column. If the parameter is multi-value, you can select several values from this column as well.
Display pattern: Additional data for the data source Table. Display pattern for table elements in lists in %column% notation. The ?? operator is permitted. This means, when one column's value is empty, another column's value is displayed. Example: %column1??column2??column3%
Condition (query): Additional data for the data source Table. Limiting condition (Where clause) for selecting the parameter value using a table column. The user can select a value from the result set. If the parameter is multi-value, you can select several values from this result set as well. You can reference other parameters in the condition using the following syntax: $PC(<Parametername>)$
List of permitted values: Additional data for the data source List of permitted values. List of values permitted in this parameter in the value=display name notation. If an = is not given, the entry counts as both value and display name. Example: 1=internal 2=external. To display language dependent display names, translate each display name using the button.
Overwrite empty value: Specifies whether an empty parameter value overwrites the default value. If this option is disabled, the default value is overwritten if a parameter value is not given.
Parameter value: Parameter value. If a value range is given, the Parameter value (from) and the Parameter value (to) are displayed.
Example value: Example of the parameter. If a value range is given, the Example value (from) and the Example value (to) are displayed.
Default value: Default value of the parameter. This is used if the user does not specify a parameter value and the Overwrite empty value option is not set. If a value range is given, the Default value (from) and the Default value (to) are displayed.
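
The following Python example is added here to show how the settings in Table 10 and Table 11 act together on a value entered in a request; it is not One Identity Manager code. It parses the value=display name list notation, resolves a %column??column% display pattern against a row, and applies the Mandatory parameter, Multivalue, Value range, Default value and Overwrite empty value settings to an entered value. The class and function names, the whitespace separator between list entries, and the sample rows and parameter definitions are assumptions made for this illustration.

```python
"""Added illustration of how request parameter settings resolve a value.

Not One Identity Manager code: the names below are assumptions, and the
sample rows and parameter definitions are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


def parse_permitted_values(spec: str) -> dict:
    """Parse the 'value=display name' notation, e.g. '1=internal 2=external'.

    Separating entries by whitespace is an assumption of this example.  An
    entry without '=' counts as both value and display name.
    """
    result = {}
    for entry in spec.split():
        value, sep, display = entry.partition("=")
        result[value] = display if sep else value
    return result


def resolve_display_pattern(pattern: str, row: dict) -> str:
    """Resolve a %column% display pattern against one table row.

    Inside the percent signs, the ?? operator lists fallback columns: the
    first column whose value is non-empty is displayed, as in
    %column1??column2??column3%.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] != "%":
            out.append(pattern[i])
            i += 1
            continue
        end = pattern.find("%", i + 1)
        if end == -1:                      # unterminated placeholder: keep literal
            out.append(pattern[i:])
            break
        for column in pattern[i + 1:end].split("??"):
            if row.get(column):
                out.append(str(row[column]))
                break
        i = end + 1
    return "".join(out)


@dataclass
class RequestParameter:
    """The subset of the Table 10 / Table 11 settings this example applies."""
    name: str
    mandatory: bool = False
    multivalue: bool = False
    permitted_values: Optional[dict] = None   # result of parse_permitted_values
    value_range: Optional[tuple] = None       # (from, to), inclusive
    default_value: Optional[object] = None
    overwrite_empty_value: bool = False


def apply_parameter(param: RequestParameter, entered):
    """Return (ok, value, error) for a value entered in a request.

    An empty entry falls back to the default value unless Overwrite empty
    value is set.  Then the mandatory, multivalue, permitted-values and
    value-range checks run; the first failing check is reported.
    """
    def is_empty(v):
        return v is None or v == "" or v == []

    if is_empty(entered) and not param.overwrite_empty_value:
        entered = param.default_value
    if is_empty(entered):
        if param.mandatory:
            return False, None, f"{param.name}: mandatory parameter has no value"
        return True, None, None

    values = entered if isinstance(entered, list) else [entered]
    if len(values) > 1 and not param.multivalue:
        return False, None, f"{param.name}: multiple values are not permitted"
    for v in values:
        if param.permitted_values is not None and v not in param.permitted_values:
            return False, None, f"{param.name}: {v!r} is not a permitted value"
        if param.value_range is not None:
            low, high = param.value_range
            if not low <= v <= high:
                return False, None, f"{param.name}: {v!r} is outside {low}..{high}"
    return True, (values if param.multivalue else values[0]), None


if __name__ == "__main__":
    # Constructed definitions mirroring the examples given in Table 11.
    location = RequestParameter("Location", mandatory=True,
                                permitted_values=parse_permitted_values("1=internal 2=external"))
    print(apply_parameter(location, "2"))     # (True, '2', None)
    print(apply_parameter(location, ""))      # mandatory and no default: an error
    print(resolve_display_pattern("%DisplayName??Ident_Domain%",
                                  {"DisplayName": "", "Ident_Domain": "corp"}))  # corp
```

The order of the checks in apply_parameter follows the table: the default value is only consulted when the entry is empty and Overwrite empty value is not set, and a mandatory parameter therefore fails only when neither the requester nor the default supplies a value.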

Value calculation tab

Table 12: Scripts for calculating values

Table column (calc.): Additional input for the Calculated parameter type. Table column for selecting the parameter value. The parameter value is calculated during the request.
Condition (calc.): Additional input for the Calculated parameter type. Limiting condition (where clause) for selecting the value through a table column. The parameter value is calculated during the request. If the parameter is multivalue as well, several values may be found. If a condition is not given and the parameter is not multivalue, the first value determined by the table column is used. If the parameter is multivalue and a condition is not given, all determined values are used.
Valuation script: Script in VB.Net syntax for modifying the parameter value. The script can be used as a formatting script to modify the existing parameter value or to reset the parameter value.
Validation script: Script in VB.Net syntax for checking permitted values of parameters. Create a script that checks the user input.

Request parameter main data for obsolete definition


Request parameters with an obsolete definition are saved in the AccProductParameter
table. In a request parameter's main data, you specify the column in the ShoppingCartItem
table where the request parameter is saved during the request. If the selected column is a
foreign key column, the requester can select from a list of permitted values in the Web
Portal. The values can be limited by a condition. If the selected column allows free text, the
requester must enter the request property as text in the Web Portal.
NOTE: If you want to use a custom column to store request properties, add identical
columns to the tables ShoppingCartItem and PersonWantsOrg.

Table 13: Request property main data

Column: Column of the ShoppingCartItem table where the parameter value is saved during the request.
Display value: User friendly name for the parameter. To display language dependent display values, translate the given text with the button.
Sort order: Sort order in which to display the request properties in the Web Portal.
Mandatory parameter: Specifies whether this is a mandatory parameter. This parameter must have a value in it in order to make the request.
Read-only: Specifies whether the parameter should only be viewable in the Web Portal and not editable.
Editable for approver: Specifies whether the parameter can also be edited by approvers. If this option is set, the parameter value that was entered by the requester can be changed by the approver. If this option is not set, only the requester can enter a value.
Condition: Condition limiting a foreign key value list.

Related topics

• Entering product-specific request properties on page 39

Copy request properties


To reuse existing definitions of request parameters, you can copy the request properties.

To copy a request property

1. In the Manager, select the IT Shop > Basic configuration data > Request
properties category.
2. Select the request property in the result list.
3. Select the Create copy task.
4. Enter a name for the new request property and click OK.
This creates a request property with the given name. You can now edit the request
parameters of this request property.

Related topics

• Request property and request parameter settings on page 40
• Entering product-specific request properties on page 39

Displaying the request properties overview


On the overview form, you see, at a glance, the most important information about a
request property.

To obtain an overview of a request property

1. In the Manager, select the IT Shop > Basic configuration data > Request
properties category.
2. Select the request property in the result list.
3. Select the Request properties overview task.

Related topics

• Request property and request parameter settings on page 40

Products for requests with time restrictions
Customers retain their requested products until they cancel them themselves. Sometimes,
however, products are only required for a certain length of time and can be canceled
automatically after this time. Products that are intended to have a limited shelf life need to
be marked with a validity period.

To specify a validity period for a product request

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Change main data task.
4. In the Validity period (max. # days) field, enter the time period within which the
product can be requested.
INFORMATION: This value has no effect on requests for multi-request resources
(QERReuse).
5. Save the changes.

One Identity Manager calculates the date on which the product is automatically canceled
from the current date and the validity period at the time of request and approval.

Product request on customer or product relocation

If a customer requests a product from a shop or shopping center and then changes to
another at a later date, you must decide how the existing request should be handled. The
same applies if a product is moved to another shelf. One Identity Manager checks whether
the request recipient and the product belong to the same shop after relocating.

Table 14: Effects of relocating

Request recipient and product in different shops:
  Effect on closed requests: The request is canceled. The assignment is removed.
  Effect on pending requests: The request is canceled.
Request recipient and product in the same shop:
  Effect on closed and pending requests: Behavior is defined by the Retain service item assignment on relocation option in the service item.

Table 15: Effect of the "retain service item assignment on relocation" option

Option value: Not set
  Effect on approved requests: The request is canceled. The assignment is removed.
  Effect on pending requests: The request is canceled.
Option value: Enabled
  Effect on approved requests: The request remains intact. Shelf and shop are updated in the request procedure. Assignment of requested company resources remains intact.
  Effect on pending requests: The request remains intact. Shelf and shop are updated in the request procedure. Approvals already granted are reset. The request runs through the approval process implemented in the new shop.
NOTE: The request is realized in the shop in which the request recipient is a customer and that contains the requested product. If several shelves or shops are found to which the condition applies, One Identity Manager selects one of the shelves or shops, respectively, to relocate.

The complete approval sequence is shown in the approval history.

To retain a product's requests on relocation

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Change main data task.
4. Set the Retain service item assignment on relocation option.
5. Save the changes.

Non-requestable products
Products that have already been requested but can only be requested for a limited period
can be specially labeled for it. Existing requests for the product remain intact. However, no
new requests may be made for the product.

To label a product as not requestable

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
2. Select the product's service item in the result list.

3. Select the Change main data task.
4. Set Not available.
5. Save the changes.

Entering terms of use


Terms of use that explain conditions of use for a product can be stored for individual
service items (for example, software license conditions). When someone requests this
product, the requester, and request recipient must accept the terms of use before the
request can be finalized.

To add or edit terms of use

1. In the Manager, select the IT Shop > Service catalog > Terms of use category.
2. In the result list, select a terms of use and run the Change main data task.
- OR -
Click in the result list.
3. Edit the terms of use main data.
4. Save the changes.

Enter the following properties for the terms of use.

Table 16: General main data of terms of use

Terms of use: Name of the terms of use.
Description: Text field for additional explanation.
Contents: Full text of the terms of use.

In order for the request recipient to accept the terms of use, the request must be assigned
to the request recipient in the approval process. Set up an approval workflow for such
requests that contains a BR approval step and enable the No automatic approval option
for this approval step. One Identity Manager provides a default approval procedure and a
Terms of Use acknowledgment for third-party orders (sample) default approval policy
that you can use for this.

Related topics

• Approving requests with terms of use on page 150

Assigning service items to terms of use
Specify the products to which the terms of use apply. Assign service items to the terms of
use to do this.

To assign service items to the terms of use

1. In the Manager, select the IT Shop > Service catalog > Terms of use category.
2. Select the terms of use in the result list.
3. Select the Assign service items task.
In the Add assignments pane, assign service items.
TIP: In the Remove assignments pane, you can remove service item
assignments.

To remove an assignment
• Select the service item and double-click .
4. Save the changes.

Displaying the terms of use overview


You can see the most important information about the terms of use on the overview form.

To obtain an overview of the terms of use

1. In the Manager, select the IT Shop > Service catalog > Terms of use category.
2. Select the terms of use in the result list.
3. Select the Terms of use overview task.

Entering tags
Product owners are able to add tags to their products. Requesters can use these tags as
search criteria in the Web Portal. There are two ways of adding tags.

To add or edit a tag

1. In the Manager, select the IT Shop > Basic configuration data > Tags category.
2. In the result list, select a tag and run the Change main data task.
- OR -
Click in the result list.
3. Edit the tag data.
4. Save the changes.

Enter the following data for a tag.

Table 17: General main data of a tag

Tag: Tag.
Description: Tag description.
Comment: Text field for additional explanation.
Parent tag: Tags can be organized hierarchically. Assign a parent tag to do this.

To add a tag directly to a product

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the service item in the result list.
3. Select the Assign tag task.
4. Select the Create tag task.
5. Enter the tag and a description for it.
6. Click OK to save the tag.
The new tag is shown on the assignment form.
7. Double-click on the tag to assign it to the selected service item.
8. Save the changes.

Assigning service items to tags


Assign service items to the tags so that you can use the tags as search terms in the Web
Portal. The Web Portal finds all the requestable service items assigned to a tag.

To assign a tag to a service item

1. In the Manager, select the IT Shop > Basic configuration data > Tags category.
2. Select a tag in the result list.
3. Select the Assign service items task.
In the Add assignments pane, assign service items.
TIP: In the Remove assignments pane, you can remove service item
assignments.

To remove an assignment
• Select the service item and double-click .
4. Save the changes.

Displaying the tags overview


The overview form contains the most important information about a tag.

To get an overview of a tag

1. In the Manager, select the IT Shop > Basic configuration data > Tags category.
2. Select a tag in the result list.
3. Select the Tag overview task.

Assigning and removing products


Once you have prepared the product to be requested, assign it to a shelf or a shelf
template. A shelf has several tasks available for assigning and removing products.
NOTE: The tasks are only displayed if the Assignments permitted and Direct
assignment permitted options are enabled for the IT Shop structure or IT Shop
template role classes.

Table 18: Tasks for assigning and removing requestable products

Software: Assign software
Resources: Assign resource
Multi-request resources: Assign resource
Multi requestable/unsubscribable resources: Assign resource
System roles: Assign system roles
Groups and system entitlements from custom target systems: Assign system entitlements of custom target systems
Active Directory groups: Active Directory Assign groups
Azure Active Directory permissions: Azure Active Directory Assign groups; Azure Active Directory Assign administrator roles; Azure Active Directory assign subscriptions; Assigning disabled Azure Active Directory service plans
SharePoint permissions: SharePoint Assign groups; Assign SharePoint roles
LDAP groups: LDAP Assign groups
HCL Domino groups: Notes Assign groups
SAP R/3 permissions: Assign BI analysis authorizations; SAP Assign groups; Assign SAP profiles; Assign SAP roles; Assigning structural profiles
E-Business Suite permissions: Assign E-Business Suite authorizations
Exchange Online permissions: Assign Exchange Online mail-enabled distribution groups; Office 365 Assign groups
Privileged Account Management permissions: Assign PAM user groups
SharePoint Online permissions: SharePoint Online Assign groups; Assign SharePoint Online roles
Google Workspace permissions: Google Workspace Assign groups; Google Workspace Assign products and SKUs
Unix groups: Unix Assign groups
Cloud groups and system entitlements: Assign cloud groups and system entitlements
Subscribable reports: Assign subscribable reports
Assignment resources: Assign resource
Account definitions: Assign account definition

Detailed information about this topic

• Role classes for the IT Shop on page 198

Assigning products to shelves
There are different tasks available for assigning a single product to a shelf. The following
example based on a resource shows you how to assign individual products.

To assign a resource to the Identity Lifecycle shelf as a product

1. In the Manager, select the IT Shop > IT Shop > Identity & Access Lifecycle >
Shelf: Identity Lifecycle category.
2. Select the Assign resources task.
3. In the Add assignments pane, assign resources.
4. Save the changes.

Products are automatically assigned to shelves at the same time, if:

• Groups are automatically added to the IT Shop
• Rule templates are used to set up the IT Shop

Use the DBQueue Processor inheritance mechanism and subsequent post-processing to
create a separate product node for each assigned product within the shelf. These product
nodes are displayed with the name of the product’s service item. If products are added in
bulk to the IT Shop by automatic processes, you can specify how many product nodes are
created in one DBQueue Processor run in the QER | ITShop | LimitOfNodeCheck
configuration parameter. Once this number has been exceeded, the task is closed and
queued again in the DBQueue for generating the rest of the product nodes. By default, 500
objects are processed in one run.

Related topics

• Adding system entitlements automatically to the IT Shop on page 77
• Templates for automatically filling the IT Shop on page 217

Removing products from shelves


There are different tasks available for removing a product from a shelf. In the following
section, we take the example of a resource to show how to remove a product.

To remove a resource from the Identity Lifecycle shelf

1. In the Manager, select the IT Shop > IT Shop > Identity & Access Lifecycle >
Shelf: Identity Lifecycle category.
2. Select the Assign resources task.
3. Remove the resource from Remove assignments.
4. Save the changes.

When you remove a product from a shelf, pending requests for the product are closed and
approved requests are unsubscribed.

To remove a product from all shelves

• Select the Remove from all shelves task.
You will find the task on the main data form of the respective product, for
example, a resource.

The task immediately removes product assignments to manually configured shelves and
shelf templates. Then, the DBQueue Processor removes product assignments to shelves,
based on a template definition. All assignments are unsubscribed if the product is part of an
assignment request.

Information on bulk processing

If products are added in bulk to the IT Shop by automatic processes, you can specify how
many product nodes are created in one DBQueue Processor run in the QER | ITShop |
LimitOfNodeCheck configuration parameter. Once this number has been exceeded, the
task is closed and queued again in the DBQueue for generating the rest of the product
nodes. By default, 500 objects are processed in one run. The number of requests submitted
in bulk can be considerably larger than other processes.
Set a lower value if performance issues arise when running the QER-K-OrgAutoChild
process task.

Moving products to another shelf


A product can be moved to another shelf. If the shelf is in another shop, the system checks
whether the request recipient is also a customer in the new shop.
NOTE: Standard products cannot be moved.

To move a product to another shelf

1. In the Manager, select the IT Shop > IT Shop > <shop> > Shelf:
<shelf> category.
2. Select an object in the result list.
3. Select the Move to another shelf task.
4. Select the new shelf.
5. Click OK.

Detailed information about this topic

• Product request on customer or product relocation on page 46

Replacing products
A product can be replaced by another product at a specified time. All employees who
have requested this product are notified by an email telling them to request a
replacement product.

To replace a product with another one

1. In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > <service category> category.
- OR -
In the Manager, select the IT Shop > Service catalog > Hierarchical by service
categories > Singles category.
2. Select the product's service item to replace in the result list.
3. Select the Change product task.
4. Enter the following data:
l Expiry date: Date on which the product is replaced by a different product.
l Alternative product: Service item that can be requested instead.
5. Click OK.

Related topics

• Product change notifications on page 178

Preparing the IT Shop for multi-factor authentication

You can use multi-factor authentication for specific security-critical resource requests,
which requires every requester or approver to enter a security code for the request or
request approval. Define which products require this authentication in your service items.
Use One Identity Starling Two-Factor Authentication for multi-factor
authentication. The authentication information required is defined in the subparameters
under the QER | Person | Starling or the QER | Person | Defender configuration
parameter. For detailed information about setting up multi-factor authentication, see the
One Identity Manager Authorization and Authentication Guide.

To use multi-factor authentication in the IT Shop

1. Set up multi-factor authentication as described in the One Identity Manager
Authorization and Authentication Guide.
2. In the Manager, create service items for the product that can only be requested with
multi-factor authentication.
• Enable the Approval by multi-factor authentication option.
TIP: If the requester is also going to use multi-factor authentication, assign terms
of use to the service item. For more information, see Using multi-factor
authentication for requests on page 56.

IMPORTANT: An approval cannot be sent by email if multi-factor authentication is
configured for the requested product. Approval mails for such requests produce an
error message.
For more information about requesting products requiring multi-factor authentication
and about canceling products, see the One Identity Manager Web Designer Web
Portal User Guide.

Related topics

• General main data for service items on page 22
• Approval by mail on page 179
• Approval via the Starling 2FA app

Using multi-factor authentication for requests

Multi-factor authentication can be implemented for requests as well as for request
approvals.
Once the Approval by multi-factor authentication option is enabled for a service item,
a security code is requested in every decision step of the approval process. This means
that every approver who makes approval decisions about this product must have a
Starling 2FA token.
To enable the requester to use multi-factor authentication, you can assign terms of use to
the service item, as well. The requester must enter the security code when they confirm the
terms of use. The request recipient must also enter a security code if the approval workflow
is accordingly configured. For more information, see Approving requests with terms of use
on page 150.

Table 19: Variations of multi-factor authentication for making requests in the IT Shop

Active approval policy: Self-service, terms of use: None
  Security code is requested from: no one
Active approval policy: Self-service, terms of use: Assigned
  Security code is requested from: requester
Active approval policy: No self-service, terms of use: None
  Security code is requested from: approver
Active approval policy: No self-service, terms of use: Assigned
  Security code is requested from: requester and approver

Related topics

• Entering terms of use on page 48

Assignment requests
You can also use One Identity Manager to request hierarchical roles, like departments, or
business roles, through the IT Shop and assign them to employees, devices, and
workdesks. This allows any number of assignments to be made through IT Shop requests.
The advantage of this method is that any assignments can be authorized using an approval
process. Assignment renewals and assignment recall are also subject to an approval
process in the same way. The request history makes it possible to follow which
assignments were requested, renewed, or canceled, why, when, and by whom.
Managers of hierarchical roles can make assignment requests for their roles.
Hierarchical role managers can view the role assignment requests they manage in the Web
Portal. Use the QER | ITShop | ShowClosedAssignmentOrders configuration
parameter to specify whether all assignment requests are displayed or only open ones. By
default, pending as well as closed assignment requests are displayed.

To only display a manager's pending assignment requests in the Web Portal

l Disable the QER | ITShop | ShowClosedAssignmentOrders configuration
parameter in the Designer.

Standard products for assignment requests
You require special resources, also called assignment resources, for assignment requests.
Assignment resources are linked to service items and can thus be made available as
products in the IT Shop.
One Identity Manager provides standard products for assignment requests. These
are used to:
l Request membership in business roles or organizations for which the logged-in One
Identity Manager user is responsible.
l Order assignments of system entitlements or other company resources to business
roles or organizations for which the logged-in One Identity Manager user is
responsible.

Table 20: Standard products for assignment requests

Assignment resource           Service item                  Shop | Shelf                  Request

Members in roles              Members in roles              Identity & Access Lifecycle   Memberships in business roles,
                                                            | Identity Lifecycle          application roles and organizations

Role entitlement assignments  Role entitlement assignments  Identity & Access Lifecycle   Assignment of company resources to
                                                            | Identity Lifecycle          business roles and organizations

In the default installation, all active One Identity Manager database employees are
customers of the Identity & Access Lifecycle shop. This allows all active employees to
request memberships and assignments. Assignment requests are automatically approved
by self-service.
You can add the standard products for assignment requests to your own IT Shop.
Assignments can only be requested from and for customers of this shop. This means that
the manager of the hierarchical roles and the employees who are to be assigned to these
roles must all be customers in the shop.
TIP: Assignment requests can also be made for custom assignment tables (many-to-
many tables), if they have an XOrigin column. The properties for this column must
correspond to the column definition for XOrigin columns in the One Identity Manager
data model.

Example for an assignment request

Clara Harris is the project X project leader. A business role (Project X) is added in the
Manager to ensure that all the project staff obtain the necessary entitlements. Clara
Harris is assigned as manager of this business role. All project staff have a user
account in the Active Directory domain P.
Clara Harris can request memberships in the Project X business role in the Web
Portal because she is a manager. Clara Harris requests memberships for herself and
all project staff.
Furthermore, Clara Harris wants all project staff to obtain their entitlements in Active
Directory through the Project X AD permissions Active Directory group. To do this, she
requests Project X AD permissions in the Web Portal for the Project X business role.
The user accounts of all project staff become members of the Project X AD
permissions Active Directory group through internal inheritance processes.

For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Related topics
l Examples of request results on page 258

Requesting memberships in business roles


NOTE: This function is only available if the Business Roles Module is installed.
You have the option to limit assignment requests to single business roles. To do this, an
assignment resource is created for a fixed requestable business role. The business role is
automatically part of the request for this assignment resource. If the request is
approved, the request recipient becomes a member of the business role.
Each requestable business role of this kind can have its own approval process defined. The
service items connected with the assignment resources are assigned separate approval
policies in order to do this.

To limit assignment requests to single business roles

1. In the Manager, select the Business roles > <role class> category.
2. Select the business role in the result list.
3. Select the Create assignment resource task.
This starts a wizard that takes you through the steps for adding an
assignment resource.
a. Enter a description and allocate a resource type.
This creates a new assignment resource with the following custom properties:
l Table: Org
l Object: Full name of business role
b. Enter the service item properties to allocate to the assignment resource.
l Assign a service category so that the assignment resource in the Web
Portal can be ordered using the service category.
A new service item is created and linked to the assignment resource.
4. Assign the assignment resource to an IT Shop shelf as a product.
5. Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item main data can be processed later on if required.
The assignment resource can be requested in the Web Portal like any other company
resource. After the request has been successfully assigned, the employee for whom it was
requested becomes a member of the associated business role through internal inheritance
processes. For more information about requesting assignment resources, see the One
Identity Manager Web Designer Web Portal User Guide.
The assignment resource cannot be used to request the assignment of company
resources to this business role. Instead, use the Role entitlement assignment default
assignment resource.

Related topics
l Adding assignment resources to the IT Shop on page 66
l General main data for service items on page 22
l Assigning requestable products to shelves on page 210
l Setting up assignment resources on page 64
l Entering service items on page 22

Requesting memberships in application roles
You have the option to limit assignment requests to single application roles. To do this, an
assignment resource is created for a fixed requestable application role. The application role
is then automatically part of the request for this assignment resource. If the request is
approved, the request recipient becomes a member of the application role.
Each requestable application role of this kind can have its own approval process defined.
The service items connected with the assignment resources are assigned separate approval
policies in order to do this.

To limit assignment requests to single application roles

1. In the Manager, select an application role in the One Identity Manager
Administration category.
2. Select the Create assignment resource task.
This starts a wizard that takes you through the steps for adding an
assignment resource.
a. Enter a description and allocate a resource type.
This creates a new assignment resource with the following custom properties:
l Table: AERole
l Object: Full name of application role
b. Enter the service item properties to allocate to the assignment resource.
l Assign a service category so that the assignment resource in the Web
Portal can be ordered using the service category.
A new service item is created and linked to the assignment resource.
3. Assign the assignment resource to an IT Shop shelf as a product.
4. Assign an approval policy to the shelf or the assignment resource’s service item.

Assignment resource and service item main data can be processed later on if required.
The assignment resource can be requested in the Web Portal like any other company
resource. After the request has been successfully assigned, the employee for whom it was
requested becomes a member of the associated application role through internal
inheritance processes. For more information about requesting assignment resources, see
the One Identity Manager Web Designer Web Portal User Guide.

Related topics
l Adding assignment resources to the IT Shop on page 66
l General main data for service items on page 22
l Assigning requestable products to shelves on page 210
l Setting up assignment resources on page 64
l Entering service items on page 22

Customizing assignment requests
Assignment requests with standard products are automatically approved through self-
service. If assignment requests are going to be approved by an approval supervisor, assign
a suitable approval policy to the default assignment resource. This means that assignment
requests also go through the defined approval process.

To approve assignment requests through an approver

l Assign separate approval policies to the default assignment resources' service items.
- OR -
l Assign any approval policy to the Identity Lifecycle shelf.

Sometimes assignment requests should be subject to different approval processes
depending on the object requested. For example, a department manager should approve
assignments of company resources to the department, while membership in the department
should be approved by the employee's manager. You can define your own assignment
resources to do this and assign them to any shelf in your IT Shop.

To configure custom assignment requests

1. Create a new assignment resource.
a. In the Manager, select the Entitlements > Assignment resources for IT
Shop category.
b. Click the button for creating a new item in the result list.
c. Select the Change main data task.
d. Enter the assignment resource name.
e. Assign a new service item.
f. Save the changes.
2. Assign the assignment resource to an IT Shop shelf as a product.

a. Select the Add to IT Shop task.
b. In the Add assignments pane, assign a shelf.
c. Save the changes.
3. Assign an approval policy to the shelf or the assignment resource’s service item.
4. In the Designer, override the VI_GetAccproductAssignmentMember script. Use the new
service item in the script code.
For more information about overriding scripts, see the One Identity Manager
Configuration Guide.

Detailed information about this topic
l General main data for assignment resources on page 64
l Adding assignment resources to the IT Shop on page 66
l General main data for service items on page 22
l Assigning requestable products to shelves on page 210
l Assigning approval policies on page 209

Related topics
l Approval processes for IT Shop requests on page 81

Canceling requests
Assignments, like all other products, can be canceled through the Web Portal or requested
for a limited time period. Such requests are automatically canceled when the validity period
expires. For more information, see the One Identity Manager Web Designer Web Portal
User Guide.

Detailed information about this topic


l Requests with limited validity period on page 160

Removing customers from a shop

If a customer has requested an assignment through a shop and is later removed from that
shop, the assignment request is closed and the assignment is revoked. In some cases,
however, the assignment to the role should be retained.

To prevent the assignment from being revoked

1. In the Designer, set the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU
configuration parameter.
2. (Optional) Enable the QER | ITShop | ReplaceAssignmentRequestOnLeaveCU
| UID_PersonFallback configuration parameter in the Designer.
l In the Value field, enter the UID_Person of the employee who should be used as
the fallback if no other request recipient can be found.
This employee must be a customer in all shops in which assignments can
be requested.
3. Save the changes.
4. In the Manager, select the Entitlements > Assignment resources for IT
Shop category.
5. In the result list, select an assignment resource and select the Change main
data task.
6. Set the Requested assignments remain intact option.
7. Save the changes.

The Requested assignments remain intact option is enabled by default for the Role
entitlement assignment default assignment resource. The configuration parameters are
disabled by default.
If this option is enabled and the request recipient is removed from the customer node, then
the request is updated according to the following rules:

1. If the service item has the Retain service item assignment on relocation option
set, and both the request recipient and the service item are available in another
shop, the assignment request is transferred into this shop. The request recipient
remains the same.
2. Otherwise, a new request recipient is determined, in this order:
a. The manager of the business role or organization that has been requested
(PersonWantsOrg.ObjectKeyOrgUsedInAssign).
b. A member of the business role or organization that has been requested.
c. A member of the chief approval team.
d. The employee given in the QER | ITShop |
ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback
configuration parameter.

These rules are applied in the order given. The person who is found must be a customer
in the shop.
If no authorized approver can be found or the QER | ITShop |
ReplaceAssignmentRequestOnLeaveCU configuration parameter is disabled, then the
assignment request is converted into a direct assignment. If direct assignment of the
requested product to the requested business role or organization is not permitted, the
request is canceled and the assignment is removed.
NOTE: This option does not influence membership requests in roles or delegations.
Membership assignments are not removed if the requester is removed from the
customer node. They are removed when the recipient of the assignment request is
deleted from the customer node.
Delegation ends when the delegate is deleted from the customer node.
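The rules above form a small decision procedure with several outcomes, and it is easy to misjudge which one applies when a customer leaves a shop. The following model, added here as an illustration and not One Identity Manager code, walks through them in the documented order. The classes, field names and sample data (the shops, roles and people) are constructed for the example; only the rule order and the configuration parameter and option names come from the text.

```python
"""Model of the rules applied to an open assignment request when its recipient
leaves the shop's customer node (QER | ITShop | ReplaceAssignmentRequestOnLeaveCU).

Added illustration for this page, not One Identity Manager code. The classes,
field names and the sample data below are constructed for the example; the rule
order follows the description in the text above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ServiceItem:
    name: str
    retain_on_relocation: bool = False  # "Retain service item assignment on relocation"


@dataclass
class Shop:
    name: str
    customers: Set[str]       # UID_Person of the shop's customers
    service_items: Set[str]   # service items on the shop's shelves


@dataclass
class Role:
    name: str                 # requested business role or organization
    manager: Optional[str]
    members: Set[str]
    allows_direct_assignment: bool = True


@dataclass
class Config:
    replace_on_leave: bool = False         # QER | ITShop | ReplaceAssignmentRequestOnLeaveCU
    fallback_person: Optional[str] = None  # ... | UID_PersonFallback


@dataclass
class Request:
    recipient: str            # the request recipient who has just left the shop
    shop: str                 # shop the request was made in
    service_item: ServiceItem
    role: Role                # PersonWantsOrg.ObjectKeyOrgUsedInAssign


def handle_recipient_left(req: Request, shops: List[Shop], cfg: Config,
                          chief_approvers: Set[str],
                          keep_assignment: bool) -> Tuple[str, str]:
    """Return (outcome, detail) once req.recipient is no longer a customer of req.shop.

    keep_assignment is the assignment resource's "Requested assignments remain
    intact" option. Without it the request is closed and the assignment revoked.
    """
    if not keep_assignment:
        return ("canceled", "request closed, assignment revoked")

    # Rule 1: relocate the request if the service item allows it and another shop
    # has both the recipient as a customer and the service item on a shelf.
    if req.service_item.retain_on_relocation:
        for shop in shops:
            if (shop.name != req.shop and req.recipient in shop.customers
                    and req.service_item.name in shop.service_items):
                return ("transferred", shop.name)

    # Rule 2: pick a new recipient in the fixed order manager -> role member ->
    # chief approval team -> configured fallback. The candidate must be a
    # customer of the shop the request lives in.
    current = next(s for s in shops if s.name == req.shop)
    if cfg.replace_on_leave:
        candidates: List[str] = []
        if req.role.manager:
            candidates.append(req.role.manager)
        candidates += sorted(req.role.members)
        candidates += sorted(chief_approvers)
        if cfg.fallback_person:
            candidates.append(cfg.fallback_person)
        for person in candidates:
            if person in current.customers:
                return ("reassigned", person)

    # Rule 3: nobody found, or the parameter is disabled: convert the request into
    # a direct assignment, unless the role does not permit direct assignment of
    # the product, in which case the request is canceled and the assignment removed.
    if req.role.allows_direct_assignment:
        return ("direct_assignment", req.role.name)
    return ("canceled", "direct assignment not permitted for " + req.role.name)


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed sample scenarios; returns the outcome per scenario name."""
    si = ServiceItem("Role entitlement assignments", retain_on_relocation=True)
    plain_si = ServiceItem("Members in roles")
    role = Role("Project X", manager="clara", members={"bob", "alice"})
    locked = Role("Finance", manager=None, members=set(), allows_direct_assignment=False)
    shops = [
        Shop("Identity & Access Lifecycle", {"clara", "bob"}, {si.name, plain_si.name}),
        Shop("Contractors", {"alice"}, {si.name}),
    ]
    on, off = Config(replace_on_leave=True, fallback_person="fallback"), Config()

    def req(s: ServiceItem, r: Role) -> Request:  # alice left the first shop
        return Request("alice", "Identity & Access Lifecycle", s, r)

    return {
        "relocated": handle_recipient_left(req(si, role), shops, on, set(), True),
        "manager_takes_over": handle_recipient_left(req(plain_si, role), shops, on, set(), True),
        "param_disabled": handle_recipient_left(req(plain_si, role), shops, off, set(), True),
        "no_direct_allowed": handle_recipient_left(req(plain_si, locked), shops, off, set(), True),
        "option_unset": handle_recipient_left(req(plain_si, role), shops, on, set(), False),
    }
```

The scenario worth noting is "manager_takes_over": alice is still listed as a role member, but because she is no longer a customer of the shop she cannot be chosen, and the manager, who is, takes over the request. A fallback person who is not a customer of every shop is equally useless, which is why the procedure insists on that condition.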

Related topics
l General main data for assignment resources on page 64
l Relocating a customer or product to another shop on page 164

Setting up assignment resources

To edit an assignment resource

1. In the Manager, select the Entitlements > Assignment resources for IT
Shop category.
2. In the result list, select an assignment resource and run the Change main
data task.
3. Edit the assignment resource's main data.
4. Save the changes.

To create an assignment resource

1. In the Manager, select the Entitlements > Assignment resources for IT
Shop category.
2. Click the button for creating a new item in the result list.
3. Edit the assignment resource's main data.
4. Save the changes.

Detailed information about this topic
l General main data for assignment resources on page 64

General main data for assignment resources

Enter the following main data of an assignment resource.

Table 21: Main data for an assignment resource

Property                  Description

Assignment resource       Name for the assignment resource.

Resource type             Resource type for grouping assignment resources. For more
                          information, see the One Identity Manager Identity Management
                          Base Module Administration Guide.

IT Shop                   Specifies whether the assignment resource can be requested
                          through the IT Shop. The assignment resource can be requested
                          by an employee through the Web Portal and distributed using a
                          defined approval process.
                          This option cannot be disabled.

Only for use in IT Shop   Specifies whether the assignment resource can only be requested
                          through the IT Shop. The assignment resource can be requested
                          by an employee through the Web Portal and distributed using a
                          defined approval process. The assignment resource cannot be
                          directly assigned to roles outside the IT Shop.
                          This option cannot be disabled.

Service item              Service item through which you can request the assignment
                          resource in the IT Shop. Assign an existing service item or add
                          a new one.

Table                     Table in which the assignment should be made.
                          Assignment requests can be limited to a specific hierarchical
                          role. Choose the table from which the role should be selected.

Object                    Specific hierarchical role that employees can request. Only one
                          assignment resource can be created per role.

Description               Text field for additional explanation.

Risk index                Value for evaluating the risk of assigning the assignment
                          resource to employees. Set a value in the range 0 to 1. This
                          input field is only visible if the QER | CalculateRiskIndex
                          configuration parameter is set.
                          For more information, see the One Identity Manager Risk
                          Assessment Administration Guide.

Requested assignments     If this option is set, requested role assignments are
remain intact             converted into direct assignments if the request recipient is
                          removed from the customer node of the associated shops.
                          The option can only be edited as long as no request has been
                          made with this assignment resource.

Spare field no. 01 ...    Additional company-specific information. Use the Designer to
Spare field no. 10        customize display names, formats, and templates for the input
                          fields.

Detailed information about this topic


l Entering service items on page 22
l Removing customers from a shop on page 62

Related topics
l Requesting memberships in business roles on page 59
l Requesting memberships in application roles on page 60

Default assignment resources

One Identity Manager provides standard products for assignment requests. These are
assigned to the Identity & Access Lifecycle shop as default assignment resources.

To edit default assignment resources

l In the Manager, select the Entitlements > Assignment resources for IT Shop >
Predefined category.

Displaying assignment resource overviews

Use this task to obtain an overview of the most important information about an assignment
resource. This includes the assignment resource's affiliation to IT Shop structures.

To obtain an overview of an assignment resource

1. In the Manager, select the Entitlements > Assignment resources for IT
Shop category.
2. Select the assignment resource in the result list.
3. Select the Assignment resource overview task.

Adding assignment resources to the IT Shop

An assignment resource can be requested by shop customers once it is assigned to an IT
Shop shelf.

To add an assignment resource to the IT Shop

1. In the Manager, select the Entitlements > Assignment resources for IT
Shop category.
2. Select the assignment resource in the result list.
3. Select the Add to IT Shop task.
4. In the Add assignments pane, assign the assignment resource to the IT
Shop shelves.
5. Save the changes.

Removing assignment resources from the IT Shop

To remove an assignment resource from individual IT Shop shelves

1. In the Manager, select the Entitlements > Assignment resources for IT
Shop category.
2. Select the assignment resource in the result list.
3. Select the Add to IT Shop task.
4. In the Remove assignments pane, remove the assignment resource from the IT
Shop shelves.
5. Save the changes.

To remove an assignment resource from all IT Shop shelves

1. In the Manager, select the Entitlements > Assignment resources for IT
Shop category.
2. Select the assignment resource in the result list.
3. Select the Remove from all shelves (IT Shop) task.
4. Confirm the security prompt with Yes.
5. Click OK.
The One Identity Manager Service removes the assignment resource from all
shelves. All assignment requests with this assignment resource are canceled in
the process.

Delegations
Role memberships and responsibilities can be temporarily delegated to other employees. A
distinction is made between single delegations and deputizing.
l Deputize: Delegate all your responsibilities for a defined area to a deputy. The
following areas can be selected:
l Approval authorization for requests
Once an employee is determined as the approver for requests, their deputy is
added as an additional approver.
l Exception approval for requests that violate compliance rules
Once an employee is determined as the exception approver for requests, their
deputy is added as an additional exception approver.
l Approval authorization in attestation cases
Once an employee is determined as the attestor, their deputy is added as an
additional attestor.
l Employee manager
An employee manager's deputy can also approve managerial tasks. For
example, a deputy can initiate requests for employees.
l Manager of all roles of a role class
The deputy of a hierarchical roles manager can also approve all managerial
tasks. For example, a deputy can initiate assignment requests for a
business role.
You can delegate responsibility for the following role classes:
l Departments
l Cost centers
l Locations
l Selected business roles
l IT Shop structures (owner)
Example: During their leave, user 1 delegates their responsibilities as manager of
business role with the "Projects 2222" role class and approval authorization for
requests to their deputy, user 2.
l Deputizing, unlike single delegation, cannot be subdelegated.
l Employees who are connected as a main identity or subidentity cannot become
deputies, nor can deactivated employees.
l Single delegation: Delegate your responsibility for a specific role or your
memberships in a specific business or application role to any given employee.
Example: User 1 delegates their membership in the "Project 2222-A" business
role to user 2.
l Single delegations can be subdelegated.

Delegations are automatically approved after a compliance check. They can be canceled
and deleted. For more information about delegating tasks, see the One Identity Manager
Web Portal User Guide.
Delegations are revoked when the valid-until date is exceeded or the delegate is deleted
from the customer node.

Detailed information about this topic
l Preparing single delegations on page 69
l Standard products for delegation on page 69
l Allowing delegation approvals on page 70

Standard products for delegation

One Identity Manager provides standard products for delegations.

Table 22: Standard products for delegation

Service item          Shop | Shelf                                      Type of delegation

Deputy (temporary)    Identity & Access Lifecycle | Identity Lifecycle  Deputize

Delegation            Identity & Access Lifecycle | Identity Lifecycle  Single delegations

In the default installation, all active One Identity Manager database employees are
customers of the Identity & Access Lifecycle shop. This allows all enabled employees to
delegate responsibilities.

Related topics
l Delegations on page 67
l Allowing delegation approvals on page 70

Preparing single delegations

Single delegations temporarily assign responsibilities for a specific role or memberships in a
specific business or application role to any employee. This employee may subdelegate the
responsibility or membership as needed.

To enable single delegation in One Identity Manager

l In the Designer, set the QER | ITShop | Delegation configuration parameter.
If you disable the configuration parameter at a later date, model components and
scripts that are no longer required are disabled. SQL procedures and triggers are
still carried out. For more information about the behavior of preprocessor-relevant
configuration parameters and conditional compiling, see the One Identity Manager
Configuration Guide.

The following objects in the default installation can be delegated.

l Responsibilities for:
l Departments
l Cost centers
l Locations
l Business roles
l Employees
l IT Shop structures (owner)
l Membership in:
l Business roles
l Application roles

TIP: Specify the role classes associated to business roles for which memberships can be
delegated. This option is available when the Business Roles Module is installed.

To permit single delegation of a role class

1. In the Manager, select the Business roles > Basic configuration data > Role
classes category.
2. Select the role class in the result list.
3. Select the Change main data task.
4. Set Delegable.
5. Save the changes.

Use the Web Portal to delegate roles or responsibilities. For more information, see the One
Identity Manager Web Portal User Guide and the One Identity Manager Business Roles
Administration Guide.

Related topics
l Delegations on page 67

Allowing delegation approvals

Delegations are automatically approved after a compliance check. If delegations are going
to be approved by an approver, assign a suitable approval policy to the default service
item. This means that delegations also go through the defined approval process.

To approve deputization by an approver

1. In the Manager, select the IT Shop > Service catalog > Predefined category.
2. In the result list, select the Deputy (temporary) service item then select the
Change main data task.

3. In the Approval policy field, select an approval policy.
4. Save the changes.

To approve single delegation by an approver

1. In the Manager, select the IT Shop > Service catalog > Predefined category.
2. In the result list, select the Delegation service item and select the Change
main data task.
3. In the Approval policy field, select an approval policy.
4. Save the changes.

Related topics
l Delegations on page 67
l Standard products for delegation on page 69

Creating IT Shop requests from existing user accounts, assignments, and role
memberships

You can create One Identity Manager requests for existing user accounts, memberships in
system entitlements, assignments to employees, and hierarchical role memberships when the
IT Shop goes into operation. One Identity Manager provides several methods to implement
this. These methods create requests that are already completed and approved, so the
resulting requests can be canceled at a later date like any other request. In addition to the
initial request data, you can run a custom script from each method that sets other custom
properties of a request.

Table 23: Methods for transforming direct assignments into requests

Method                                          Description

CreateITShopOrder (string CustomScriptName)     Creates a request from a direct assignment. This
                                                method can be applied to all tables used to find a
                                                UID_Person.

CreateITShopOrder (string uidOrgProduct,        Creates an assignment request from an assignment
string uidPersonOrdered,                        or membership. This method can be applied to all
string CustomScriptName)                        tables that cannot be used to find a UID_Person.

CreateITShopOrder (string uidOrgProduct,        Creates an assignment request from an assignment
string uidWorkdeskOrdered,                      or membership and, in addition, saves a
string uidPersonOrdered,                        UID_WorkdeskOrdered with the request procedure.
string CustomScriptName)

CreateITShopWorkdeskOrder (string uidPerson,    Creates a request for a workdesk from a direct
string CustomScriptName)                        assignment. This method can be applied to the
                                                WorkDeskHasApp, WorkDeskHasESet and
                                                WorkDeskHasDriver tables.

To run the methods

1. Create a script in the Designer with the Script Editor to call the desired method.
You can find an example script for calling a Customizer method in VB syntax on the
One Identity Manager installation medium in the
Modules\QBM\AddOn\SDK\ScriptSamples\03 Using database objects\11 Call
database object methods.vb directory. You can use this example script as a template
to create a script for calling the methods described here.
2. Run the script.
You can use the script test in the Script Editor to do this.

For more information about creating scripts, see the One Identity Manager
Configuration Guide.
If a custom script is included in the method call, then this script is run immediately
before the request is saved in the database.

An example of a custom script

Public Sub CCC_AddCustomPropToRequest(ByRef dbSource As IEntity, ByRef dbPWO As IEntity)
    ' dbSource: the source object, for example an ADSAccountInADSGroup row
    ' dbPWO:    the request (PersonWantsOrg) that is about to be saved
    ' Populate values in PWO:
    dbPWO.PutValue("OrderReason", "Group membership assignment converted to IT Shop request automatically.")
End Sub

l dbSource: Refers to the source object. For example, ADSAccountInADSGroup, if
memberships in Active Directory groups are to be converted into requests.
l dbPWO: Refers to the request to be generated.

Creating requests for employees
You can create requests for employees or memberships in system entitlements with
CreateITShopOrder (string CustomScriptName). Prepare the IT Shop accordingly in order
to create the requests.

To create requests from direct assignments to employees or memberships in
system entitlements

1. Prepare the company resources or system entitlements for use in the IT Shop.
2. Assign the company resources or system entitlements to a shelf in the IT Shop.
3. Link each user account for whose memberships requests are to be created with
an employee.
4. Add employees as customers to shops to which the company resources or system
entitlements are assigned as products.
5. (Optional) Create a script that populates other properties of the requests.
l Pass the script name as the CustomScriptName parameter to the method.
6. Create a script that runs CreateITShopOrder (string CustomScriptName) for the
affected tables.

One Identity Manager creates requests from direct assignments to employees in the
following way:

1. Determine employees and their assigned company resources.
2. Determine the shops to which both the company resources and the employees are
assigned.
3. Create the requests with initial data.
4. Run custom scripts.
5. Save the requests (entry in the PersonWantsOrg table).
6. Assign employees to the product structure (entry in the PersonInITShopOrg table).
7. Transform direct company resource assignments into indirect assignments to
employees (for example, in the PersonHasQERResource table).

One Identity Manager creates requests for memberships in system entitlements in the
following way:

1. Determine the user accounts and their memberships.
2. Determine the affected employees.
3. Determine the shops to which both the employees and the system entitlements are
assigned.
4. Create the requests with initial data.
5. Run custom scripts.
6. Save the requests (entry in the PersonWantsOrg table).
7. Assign employees to the product structure (entry in the PersonInITShopOrg table).
8. Transform direct memberships into indirect memberships for the affected user
accounts (for example, in the ADSAccountInADSGroup table).
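The two sequences above share one precondition that decides whether a request is created at all: the employee must be a customer of a shop that carries the product on a shelf. The following model, added here as an illustration and not One Identity Manager code, runs the steps over constructed sample rows, invokes a custom-script hook just before the request is saved, and shows step 7 as an XOrigin bit change rather than a row deletion. The class and field names are constructed for the example; the XOrigin bit values (1 = direct, 2 = inherited, 4 = requested via IT Shop) are an assumption about the data model and should be checked against the Configuration Guide.

```python
"""Model of converting existing direct assignments into completed IT Shop
requests, following the steps listed above for CreateITShopOrder.

Added illustration for this page, not One Identity Manager code. The class and
field names are constructed for the example. The XOrigin bit values used here are
an assumption about the data model (1 = direct, 2 = inherited, 4 = requested via
IT Shop); check them against the Configuration Guide before relying on them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

XORIGIN_DIRECT = 1     # assumed bit: direct assignment
XORIGIN_INHERITED = 2  # assumed bit: assignment inherited through a role
XORIGIN_ITSHOP = 4     # assumed bit: assignment made by an IT Shop request


@dataclass
class Assignment:
    """One row of an assignment table such as PersonHasQERResource."""
    uid_person: str
    product: str       # the assigned company resource, for example a QERResource
    xorigin: int


@dataclass
class Shop:
    name: str
    customers: Set[str]
    products: Set[str]  # products on the shop's shelves


def create_itshop_orders(assignments: List[Assignment], shops: List[Shop],
                         custom_script: Optional[Callable[[Assignment, Dict], None]] = None
                         ) -> Tuple[List[Dict], Set[Tuple[str, str]], List[Assignment]]:
    """Turn direct assignments into approved requests.

    Returns (requests, shop_memberships, skipped):
      requests         - the PersonWantsOrg rows that would be saved
      shop_memberships - (person, shop) pairs for PersonInITShopOrg
      skipped          - rows with no shop where the person is a customer and the
                         product is on a shelf; these keep their direct assignment
    """
    requests: List[Dict] = []
    memberships: Set[Tuple[str, str]] = set()
    skipped: List[Assignment] = []
    for row in assignments:
        if not row.xorigin & XORIGIN_DIRECT:
            continue  # only direct assignments are converted
        shop = next((s for s in shops
                     if row.uid_person in s.customers and row.product in s.products), None)
        if shop is None:
            skipped.append(row)
            continue
        request = {
            "UID_PersonOrdered": row.uid_person,
            "product": row.product,
            "shop": shop.name,
            "OrderState": "Assigned",  # created already completed and approved (assumed column)
        }
        if custom_script is not None:
            custom_script(row, request)  # runs immediately before the request is saved
        requests.append(request)
        memberships.add((row.uid_person, shop.name))
        # Step 7: the direct origin is replaced by the IT Shop origin; other origin
        # bits (for example inheritance) stay, so the row itself is not deleted.
        row.xorigin = (row.xorigin & ~XORIGIN_DIRECT) | XORIGIN_ITSHOP
    return requests, memberships, skipped


def set_order_reason(row: Assignment, request: Dict) -> None:
    """Python counterpart of the CCC_AddCustomPropToRequest script shown above."""
    request["OrderReason"] = "Direct assignment converted to IT Shop request automatically."


def demo() -> Tuple[List[Dict], Set[Tuple[str, str]], List[Assignment], List[int]]:
    """Constructed sample data: three direct rows, one of them also inherited."""
    rows = [
        Assignment("bob", "VPN access", XORIGIN_DIRECT),
        Assignment("clara", "VPN access", XORIGIN_DIRECT | XORIGIN_INHERITED),
        Assignment("dave", "VPN access", XORIGIN_DIRECT),   # dave is not a customer
        Assignment("bob", "Laptop", XORIGIN_INHERITED),     # not direct: untouched
    ]
    shops = [Shop("Identity & Access Lifecycle", {"bob", "clara"}, {"VPN access"})]
    requests, memberships, skipped = create_itshop_orders(rows, shops, set_order_reason)
    return requests, memberships, skipped, [r.xorigin for r in rows]
```

The row for dave is the case that bites in practice: because he is not a customer of any shop that carries the product, no request is created and his assignment stays direct, invisible to any approval process. That is why steps 3 and 4 of the procedure (link user accounts to employees, add the employees as customers) come before the method is run, and why the list of skipped rows is worth checking afterwards.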

Related topics
l Preparing products for requesting on page 21

Creating user account requests
To assign user accounts to employees, use One Identity Manager account definitions. You
can request matching account definitions for existing user accounts linked to employees
through the IT Shop. To create these requests, use CreateITShopOrder (string
CustomScriptName). This method can be used for all user account tables (for example,
ADSAccount or SAPUser) and for the ADSContact, EX0MailBox, EX0MailContact, and
EX0MailUser tables.
Prepare the IT Shop accordingly in order to create the requests.

To create requests for user accounts

1. Create an account definition for the target system. Assign the account definition to
   the target system.
   This account definition is used for all user accounts where no account definition is
   entered. You can skip this step if all the user accounts are already assigned an
   account definition.
2. Prepare the account definition for use in the IT Shop.
3. Assign the account definition to a shelf in the IT Shop.
4. Link the user accounts to an employee, if there is no employee already linked.
5. Add employees as customers to shops to which the account definition is
   assigned as a product.
6. (Optional): Create a script that populates other properties of the requests.
   • Pass the script name as the CustomScriptName parameter to the task.
7. Create a script that runs the method for the affected tables.

One Identity Manager creates requests for user accounts in the following way:

1. Determine the valid account definition.
   If an account definition is already assigned to the user account, it is used.
   Otherwise, the account definition of the target system is used.
2. Determine the affected employees.
3. Determine the shops to which employees and the account definition are assigned.
4. Create the requests with initial data.
5. Run custom scripts.
6. Save the requests (entry in the PersonWantsOrg table).
7. Assign employees to the product structure (entry in the PersonInITShopOrg table).
8. Transform any direct account definition assignments into indirect assignments
   (entry in the PersonHasTSBAccountDef table).

Related topics
• Preparing products for requesting on page 21

Creating workdesk requests

Requests for workdesks are created with CreateITShopWorkdeskOrder (string uidPerson,
string CustomScriptName). Prepare the IT Shop such that requests can be created.

To create requests from assignments to workdesks

1. Prepare the company resources (software, system role, or driver) for use in
   the IT Shop.
2. Assign the company resources to a shelf in the IT Shop.
3. Select an employee as requester for the assignment to workdesks.
   • Pass this employee's UID_Person as the uidPerson parameter to the task.
4. Add the selected employee as a customer to the shops to which the company
   resources are assigned as products.
5. (Optional): Create a script that populates other properties of the requests.
   • Pass the script name as the CustomScriptName parameter to the task.
6. Create a script to run CreateITShopWorkdeskOrder (string uidPerson, string
   CustomScriptName) for the affected tables.

One Identity Manager creates workdesk requests in the following way:

1. Determine workdesks and their assigned company resources.
2. Determine the requester from the uidPerson parameter.
3. Determine shops assigned to company resources and requester.
4. Create the requests with initial data.
5. Run custom scripts.
6. Save the requests (entry in the PersonWantsOrg table).
7. Assign employees to the product structure (entry in the PersonInITShopOrg table).
8. Transform direct company resource assignments into indirect assignments to
   workdesks (for example, in the WorkDeskHasApp table).

TIP: To create an employee who can be used as a requester when creating a workstation,
set the Hardware | Workdesk | WorkdeskAutoPerson configuration parameter in
the Designer. The following properties are used for the employee object:
• Last name: Name of the workdesk (Ident_Workdesk)
• First name: Machine
• Identity type: Machine identity (Machine)

When the workstation is deleted, the associated employee object is also deleted.

Related topics
• Preparing products for requesting on page 21

Creating assignment requests

You can create assignment requests for existing company resource assignments to
hierarchical roles and for memberships of employees, devices, or workdesks in hierarchical
roles. The following methods are available.

Table 24: Methods for transforming direct assignments into assignment requests

Method: CreateITShopOrder (string uidOrgProduct, string uidPersonOrdered, string
CustomScriptName)
Description: Creates an assignment request from an assignment or membership. This
method can be applied to all tables which cannot be used to find a UID_Person.

Method: CreateITShopOrder (string uidOrgProduct, string uidWorkdeskOrdered, string
uidPersonOrdered, string CustomScriptName)
Description: Creates an assignment request from an assignment or membership and, in
addition, saves a UID_WorkdeskOrdered with the request procedure.

Prepare the IT Shop accordingly in order to create the requests.

To create assignment requests from direct assignments to hierarchical roles and
role memberships

1. From the IT Shop > Identity & Access Lifecycle > Shelf: Identity Lifecycle
   shelf, select an assignment resource.
   • Pass the product's UID_ITShopOrg as the uidOrgProduct parameter to the
     method.
2. From the customer node of the IT Shop | Identity & Access Lifecycle shop,
   select an employee as a requester for the assignment request.
   • Pass this employee's UID_Person as the uidPersonOrdered parameter to the
     method.
3. (Optional): Create a script that populates other properties of the requests.
   • Pass the script name as the CustomScriptName parameter to the method.
4. Create a script to run the CreateITShopOrder (string uidOrgProduct, string
   uidPersonOrdered, string CustomScriptName) method for the affected tables.

TIP: You can also create your own assignment resource and assign it to a shelf in any
shop. Select an employee as requester for the assignment request from this shop's
customer node. For more information, see Customizing assignment requests on page 61.

One Identity Manager creates assignment requests from existing assignments to
hierarchical roles as follows:

1. Determine the hierarchical roles and their assigned company resources and
   members (employees, devices, or workdesks).
2. Determine the requester from the uidPersonOrdered parameter.
3. Determine the assignment resource from the uidOrgProduct parameter.
4. Determine shops assigned to the assignment resource and requester.
5. Create the requests with initial data.
6. Run custom scripts.
7. Save the requests (entry in the PersonWantsOrg table).
8. Transform direct company resource assignments to hierarchical roles into indirect
   assignments to workdesks (for example, in the DepartmentHasQERResource table).
   Transform direct company memberships in hierarchical roles into indirect
   memberships (for example, in the PersonInDepartment table).

If the assignment request is to be created for a workdesk, pass the workdesk's
UID_WorkDesk to the method as the uidWorkdeskOrdered parameter. The method saves this
UID as UID_WorkdeskOrdered in the request (PersonWantsOrg table).

Detailed information about this topic
• Standard products for assignment requests on page 57

Related topics
• Preparing products for requesting on page 21

Adding system entitlements automatically to the IT Shop

The following steps can be used to automatically add system entitlements to the IT
Shop. Synchronization ensures that the system entitlements are added to the IT Shop.
If necessary, you can manually start synchronization with the Synchronization Editor.
New system entitlements created in One Identity Manager are also added automatically
to the IT Shop.

To add system entitlements automatically to the IT Shop

1. In the Designer, set the configuration parameter for automatically adding system
   entitlements to the IT Shop depending on existing modules.
   Example: QER | ITShop | AutoPublish | ADSGroup and QER | ITShop |
   AutoPublish | ADSGroup | ExcludeList
   List of relevant configuration parameters
   • For disabled Azure Active Directory service plans:
     QER | ITShop | AutoPublish | AADDeniedServicePlan
     QER | ITShop | AutoPublish | AADDeniedServicePlan | ExcludeList
   • For Azure Active Directory groups:
     QER | ITShop | AutoPublish | AADGroup
     QER | ITShop | AutoPublish | AADGroup | ExcludeList
   • For Azure Active Directory subscriptions:
     QER | ITShop | AutoPublish | AADSubSku
     QER | ITShop | AutoPublish | AADSubSku | ExcludeList
   • For Active Directory groups:
     QER | ITShop | AutoPublish | ADSGroup
     QER | ITShop | AutoPublish | ADSGroup | ExcludeList
     QER | ITShop | AutoPublish | ADSGroup | AutoFillDisplayName
     If Active Roles Self-Service Manager is used:
     TargetSystem | ADS | ARS_SSM
   • For Exchange Online mail-enabled distribution groups:
     QER | ITShop | AutoPublish | O3EDL
     QER | ITShop | AutoPublish | O3EDL | ExcludeList
   • For Office 365 groups:
     QER | ITShop | AutoPublish | O3EUnifiedGroup
     QER | ITShop | AutoPublish | O3EUnifiedGroup | ExcludeList
   • For Microsoft Teams teams:
     QER | ITShop | AutoPublish | O3TTeam
     QER | ITShop | AutoPublish | O3TTeam | ExcludeList
   • For PAM user groups:
     QER | ITShop | AutoPublish | PAGUsrGroup
     QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList
   • For SharePoint groups:
     QER | ITShop | AutoPublish | SPSGroup
     QER | ITShop | AutoPublish | SPSGroup | ExcludeList
2. Compile the database.

The system entitlements are added automatically to the IT Shop from now on.
The following steps are run to add a system entitlement to the IT Shop.

1. A service item is determined for the system entitlement.
   The service item is tested for each system entitlement and modified if necessary. The
   name of the service item corresponds to the name of the system entitlement.
   • The service item is modified if the system entitlement already has a service item.
   • System entitlements without a service item are allocated a new service item.
2. The service item is assigned to one of the default service categories.
3. An application role for product owners is determined and assigned to the service item.
   For more information, see the administration manuals for the respective target
   system connection.
   Product owners can approve requests for membership in these system entitlements.
4. The system entitlement is labeled with the IT Shop option and assigned to the
   corresponding IT Shop shelf in the Identity & Access Lifecycle shop.

Subsequently, the shop's customers can request memberships in system entitlements
through the Web Portal.
NOTE: When a system entitlement is irrevocably deleted from the One Identity Manager
database, the associated service item is also deleted.

Related topics
• Entering service items on page 22
• Deleting unused application roles for product owners on page 79
• Product owners on page 203

Deleting unused application roles for product owners

The list of product owner application roles can quickly become confusing when groups
are automatically added to the IT Shop. This is because an application role is added for
each account manager. These application roles are no longer required when the groups
are deleted.
Redundant application roles for product owners can be deleted through a scheduled
process task. This deletes from the database all application roles for which the
following applies:

• The parent application role is Request & Fulfillment | IT Shop | Product owner.
• The application role is not assigned to a service item.
• The application role is not assigned to a service category.
• The application role does not have members.

To display no longer required application roles with members

• In the Manager, select the IT Shop > Troubleshooting > Orphaned product
  owners category.

To delete application roles automatically

• In the Designer, configure and enable the Clean up application role "Request &
  Fulfillment | IT Shop | Product owners" schedule.

NOTE: If you have set up your own application roles under the Request & Fulfillment |
IT Shop | Product Owner application role that you use for custom use cases (tables),
then check whether these can be deleted automatically. Otherwise, disable the Clean up
application role "Request & Fulfillment\IT Shop\Product owners" schedule.

Related topics
• Adding system entitlements automatically to the IT Shop on page 77
• Product owners on page 203

2 Approval processes for IT Shop requests

All IT Shop requests are subject to a defined approval process. During this approval
process, authorized employees grant or deny approval for the product assignments. You
can configure this approval process in various ways and therefore customize it to meet your
company policies.
You define approval policies and approval workflows for approval processes. In the approval
policies, specify which approval workflows are to be used for the request. Use
approval workflows to specify which employee is authorized to grant or deny approval for
the request at the time it was placed. An approval workflow can contain a number of
approval levels, and each of these can, in turn, contain several approval steps, for example,
when several management hierarchy layers need to give approval for a request. A special
approval procedure is used to determine the approvers in each approval step.
In the default installation, different default approval policies are assigned to the Identity &
Access Lifecycle shop. Therefore, requests from this shop are run through predefined
approval processes. Assign an approval policy to the shop, a shelf, or a service item of
the Identity & Access Lifecycle shop if requests from this shop should go through a
customized approval process.

Detailed information about this topic
• Approval policies for requests on page 81
• Approval workflows for requests on page 85
• Editing approval levels on page 89
• Default approval procedures on page 100

Approval policies for requests

One Identity Manager uses approval policies to determine the approver for each
request process.

To edit an approval policy

1. In the Manager, select the IT Shop > Basic configuration data > Approval
policies category.
2. Select an approval policy in the result list and run the Change main data task.
- OR -
Click in the result list.
3. Edit the approval policy main data.
4. Save the changes.

General main data of approval policies

Enter the following main data of an approval policy. If you add a new approval policy, you
must fill out the compulsory fields.

Table 25: General main data of approval policies

Approval policies: Approval policy name.

Role type: Role type to determine inheritance of approval policies within an IT Shop
solution. Add the required role types in the IT Shop > Basic configuration
data > Role types category.

Priority: An integral number with a maximum of one digit.
A priority is used to decide which approval policy should be used if
several approval policies are found to be valid following the given rules.
The highest priority has the largest number.

Approval workflow: Workflow for determining approvers when a product is requested.
Select any approval workflow from the menu or click to set up a new
workflow.

Renewal workflow: Approval workflow for determining approvers when a product is renewed.
Select any approval workflow from the menu or click to set up a new
workflow.
If no renewal workflow is specified, the approval workflow of the request
is used when the request is renewed (UID_SubMethodOrderProduct).

Cancellation workflow: Approval workflow for determining approvers when a requested
product is canceled.
Select any approval workflow from the menu or click to set up a new
workflow.
If there is no cancellation workflow given, cancellation is approved
immediately.

Mail templates: Mail template used for creating email notifications for granting or denying
approval for a request and for extended, expired, or canceled requests.

Description: Text field for additional explanation.

Detailed information about this topic
• Determining the effective approval policies on page 98
• Role types for the IT Shop on page 199
• Setting up approval workflows on page 88
• Notifications in the request process on page 169

Default approval policies

One Identity Manager supplies approval policies by default. These approval policies are
used in the Identity & Access Lifecycle shop approval processes. For the default approval
policies, you can store mail templates for sending notifications during the request process
and specify a priority.

To edit default approval policies

• In the Manager, select the IT Shop > Basic configuration data > Approval
  policies > Predefined category.

Additional tasks for approval policies

After you have entered the main data, you can run the following tasks.

The approval policy overview

On the overview form, you see, at a glance, the most important information about an
approval policy.

To obtain an overview of an approval policy

1. In the Manager, select the IT Shop > Basic configuration data > Approval
   policies category.

2. Select the approval policy in the result list.
3. Select the Approval policy overview task.

Adding to the IT Shop

You can assign approval policies to shops, shopping centers, or shelves. The approval
policy is applied to requests from the respective IT Shop node if there are no approval
policies assigned to child IT Shop nodes. For more information, see Determining the
effective approval policies on page 98.

To assign an approval policy to shops, shopping centers, or shelves

1. In the Manager, select the IT Shop > Basic configuration data > Approval
   policies category.
2. In the result list, select the approval policy.
3. Select the Add to IT Shop task.
   In the Add assignments pane, assign the shops, shopping centers, or shelves.
   TIP: In the Remove assignments pane, you can remove shop, shopping center,
   or shelf assignments.
   To remove an assignment
   Select the shop, shopping center, or shelf and double-click .
4. Save the changes.

Validity checking

Once you have edited an approval policy, you need to test it. This checks whether the
approval steps can be used in the approval workflows in this combination. Invalid
approval steps are displayed in the error window.

To test an approval policy

1. In the Manager, select the IT Shop > Basic configuration data > Approval
   policies category.
2. Select the approval policy in the result list.
3. Select the Validity check task.

Editing approval workflows

Here you can edit the approval workflows that are assigned to an approval policy.

To edit approval workflow properties

1. In the Manager, select the IT Shop > Basic configuration data > Approval
   policies category.
2. Select the approval policy in the result list.
3. To edit the approval workflow for requests, select the 1. Edit approval workflow task.
4. To edit the renewal workflow for requests, select the 2. Edit approval workflow task.
5. To edit the cancellation workflow, select the 3. Edit approval workflow task.
6. This opens the Workflow Editor.

Detailed information about this topic
• Working with the workflow editor on page 85

Approval workflows for requests

You need to allocate an approval workflow to the approval policies in order to find the
approvers. In an approval workflow, you specify the approval procedures, the number of
approvers, and a condition for selecting the approvers.
Use the workflow editor to create and edit approval workflows.

To edit an approval workflow

1. In the Manager, select the IT Shop > Basic configuration data > Approval
   workflows category.
2. Select the approval workflow in the result list and run the Change main data task.
   - OR -
   Click in the result list.
   This opens the Workflow Editor.
3. Edit the approval workflow main data.
4. Save the changes.

Working with the workflow editor

Use the workflow editor to create and edit approval workflows. The workflow editor allows
approval levels to be linked together. Multi-step approval processes are clearly displayed in
a graphical form.

Figure 4: Workflow editor

Approval levels and approval steps belonging to the approval workflow are edited in the
workflow editor using special control elements. The workflow editor contains a toolbox. The
toolbox items are activated or deactivated depending on how they apply to the control. You
can move the layout position of the control elements in the workflow editor with the mouse
or these can be moved automatically.

Table 26: Entries in the toolbox

Control: Workflow
  Edit: Edit the properties of the approval workflow.
  Layout automatically: The workflow elements are aligned automatically. The
  workflow layout is recalculated.

Control: Approval levels
  Add: A new approval level is added to the workflow.
  Edit: Edit the properties of the approval level.
  Delete: Deletes the approval level.

Control: Approval steps
  Add: Add a new approval step to the approval level.
  Edit: Edit the properties of the approval step.
  Delete: Deletes the approval step.

Control: Assignments
  Remove positive: The Approved connector for the selected approval level is deleted.
  Remove negative: The Deny connector for the selected approval level is deleted.
  Remove reroute: The Reroute connector for the selected approval level is deleted.
  Remove escalation: The Escalate connector for the selected approval level is deleted.

Each of the controls has a properties window for editing the data of the approval
workflow, level, or step. To open the properties window, select the Toolbox >
<Control> > Edit item.
To delete a control, select the element and then the Toolbox > <Control> >
Delete item.
Individual elements are linked to each other with a connector. Activate the connection
points with the mouse. The cursor changes into an arrow icon for this. Hold down the left
mouse button and pull a connector from one connection point to the next.

Figure 5: Approval workflow connectors

Table 27: Approval workflow connectors

Connector Meaning

Approve Link to next approval level if the current approval level was granted
approval.

Deny Link to next approval level if the current approval level was not granted
approval.

Reroute Link to other approval levels to bypass the current approval.

Escalation Connection to another approval level when the current approval level is
escalated after timing out.

By default, a connection between workflow elements and level elements is created
immediately when a new element is added. If you want to change the level hierarchy, drag
a new connector to another level element.
Alternatively, you can release connectors between level elements using the Toolbox >
Assignments items. To do this, mark the level element where the connector starts. Then
add a new connector.
Different icons are displayed on the level elements depending on the configuration of the
approval steps.

Table 28: Icons on the level elements

Icon Meaning

The approval decision is made by the system.

The approval decision is made manually.

The approval step contains a reminder function.

The approval step contains a timeout.

Changes to individual elements in the workflow do not take place until the entire approval
workflow is saved. The layout position in the workflow editor is saved in addition to the
approval policies.

Setting up approval workflows


An approval workflow consists of one or more approval levels. An approval level can contain
one approval step or several parallel approval steps. Within the approval process, all of the
approval steps for one approval level must be run before the next approval level is called.
Use connectors to set up the sequence of approval levels in the approval workflow.
When you add a new approval workflow, the first thing to be created is a new
workflow element.

To edit approval workflow properties

1. Open the Workflow Editor.
2. Select the Toolbox > Workflow > Edit item.
3. Edit the workflow properties.
4. Click OK.

Table 29: Approval workflow properties

Name: Approval workflow name.

System halt (days): Number of days to elapse after which the approval workflow, and
therefore the system, automatically halts the entire approval process.

Description: Text field for additional explanation.

Detailed information about this topic
• Halting a request on timeout on page 147

Editing approval levels

An approval level provides a method of grouping individual approval steps. All the approval
steps in one approval level are run in parallel. All the approval steps for different approval
levels are run one after the other. You use the connectors to specify the order.
Specify the individual approval steps in the approval levels. At least one approval step is
required per level. Enter the approval steps first before you add an approval level.

To add an approval level

1. Select the Toolbox > Approval levels > Add item.
   This opens the properties dialog for the first approval step.
2. Enter the approval step properties.
3. Save the changes.

You can edit the properties of an approval level as soon as you have added an approval
level with at least one approval step.

To edit approval level properties

1. Select the approval level.
2. Select the Toolbox > Approval levels > Edit item.
3. Enter a display name for the approval level.
4. Save the changes.

NOTE: You can define more than one approval step for each approval level. In this case,
the approvers of an approval level can make a decision about a request in parallel rather
than sequentially. The request cannot be presented to the approvers at the next approval
level until all approval steps of an approval level have been completed within the
approval process.

To add more approval steps to an approval level

1. Select the approval level.
2. Select the Toolbox > Approval steps > Add item.
3. Enter the approval step properties.
4. Save the changes.

Detailed information about this topic
• Properties of an approval step on page 90
• Editing approval steps on page 90

Editing approval steps

To edit approval step properties

1. Select the approval step.
2. Select the Toolbox > Approval steps > Edit item.
3. Edit the approval step properties.
4. Save the changes.

Detailed information about this topic
• Properties of an approval step on page 90

Properties of an approval step

On the General tab, enter the data described below. On the Mail templates tab, select
the mail templates for generating mail notifications. If you add a new approval step, you
must fill out the required fields.
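The Number of approvers and Fallback approver properties in Table 30 below combine several rules (the value -1, the procedure's own maximum, the chief approval team counting as exactly one approver, and a single fallback approval being enough). The following Python model makes them concrete; it is an added example, not One Identity Manager code, and the ApprovalStep and StepState names and the procedure_max field are assumptions made for the example.

```python
# Added example (not One Identity Manager code): a small model of how the
# "Number of approvers", "Fallback approver" and chief approval team rules
# of an approval step combine. Names and fields are assumptions for the example.
from dataclasses import dataclass, field

# Procedures that decide automatically from a condition; the "Number of
# approvers" setting is not taken into account for them.
AUTOMATIC_PROCEDURES = frozenset({"CD", "EX", "WC"})


@dataclass(frozen=True)
class ApprovalStep:
    procedure: str            # default approval procedure, e.g. "OR", "OM", "CD"
    number_of_approvers: int  # -1: every approver found must approve
    procedure_max: int        # maximum number of approvers the procedure allows


@dataclass
class StepState:
    found_approvers: tuple                               # approvers the procedure determined
    regular_approvals: set = field(default_factory=set)  # approvers who already approved
    chief_team_decisions: int = 0                        # decisions by the chief approval team
    fallback_approvals: int = 0                          # approvals given by fallback approvers


def uses_fallback(step: ApprovalStep, state: StepState) -> bool:
    """The step is presented to the fallback approvers when the procedure did
    not find enough approvers. With -1 that only happens when none were found."""
    if step.procedure in AUTOMATIC_PROCEDURES:
        return False
    if step.number_of_approvers == -1:
        return len(state.found_approvers) == 0
    needed = min(step.number_of_approvers, step.procedure_max)
    return len(state.found_approvers) < needed


def required_approvals(step: ApprovalStep, state: StepState) -> int:
    """How many approvals the step needs before the request moves to the next level."""
    if step.procedure in AUTOMATIC_PROCEDURES:
        return 0                                   # decided by the step's condition
    if uses_fallback(step, state):
        return 1                                   # one fallback approval suffices
    if step.number_of_approvers == -1:
        return len(state.found_approvers)          # overrides the procedure maximum
    # The setting can only restrict the procedure's own maximum further.
    return min(step.number_of_approvers, step.procedure_max)


def is_approved(step: ApprovalStep, state: StepState) -> bool:
    """True once enough approvals have been collected for the step."""
    needed = required_approvals(step, state)
    if uses_fallback(step, state):
        return state.fallback_approvals >= needed
    # A chief approval team decision overrides the decision of exactly one
    # regular approver, so it counts once: with three required and one chief
    # decision, two regular approvals are still outstanding.
    return len(state.regular_approvals) + state.chief_team_decisions >= needed


if __name__ == "__main__":
    # Constructed sample: an OR step over a role with five members, three approvals required.
    step = ApprovalStep(procedure="OR", number_of_approvers=3, procedure_max=10)
    state = StepState(found_approvers=("alice", "bob", "carol", "dave", "erin"))
    state.chief_team_decisions = 1          # the chief approval team decided
    state.regular_approvals.add("alice")
    print("chief team + alice:", is_approved(step, state))        # False, one more needed
    state.regular_approvals.add("bob")
    print("chief team + alice + bob:", is_approved(step, state))  # True
```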

Table 30: General properties of an approval step

Property Meaning

Single step Approval step name.

Approval Procedure to use for determining the approvers.

One Identity Manager 8.2.1 IT Shop Administration Guide


90
Approval processes for IT Shop requests
Property Meaning

procedure

Processing Processing status of the success or failure case of the approval step. The
status processing status for the request is set according to the decision and
whether it has been made positively or negatively. Define the processing
status in the basic configuration data.

Role Hierarchical role from which to determine the approvers.


The role is used in the OM and OR default approval procedures. Addition-
ally, you can use the role if you use a custom approval procedure in the
approval step.

Fallback Application role whose members are authorized to approve requests if an


approver approver cannot be determined through the approval procedure. Assign
an application from the menu.
To create a new application role, click . Enter the application role name
and assign a parent application role. For detailed information, see the One
Identity Manager Authorization and Authentication Guide.
NOTE: The number of approvers is not applied to the fallback approvers.
The approval step is considered approved the moment as soon as one
fallback approver has approved the request.

Relevance Specifies whether the approver is notified when a request leads to a rule
for violation. The following values are permitted:
compliance
l Not relevant: Information about rule violations is not relevant for
approvers in this approval step. No additional information is
displayed for the approver in the approval process.
l Information: Approvers in this approval step receive information
during the approval process if the request causes a compliance rule
violation. The approvers decided whether to grant or deny the
request.
l Necessary measures: Approvers in this approval step receive
information during the approval process if the request causes a
compliance rule violation. The request is automatically denied.

Condition Condition for calculating the approval decision. The condition is used in the
CD, EX, or WC default approval procedures. Additionally, you can use the
role if you use a custom approval procedure in the approval step.
Comparison value for the risk index in the approval procedure RI. Enter a
number in the range 0.1 to 1.0. 1.0. You can use , or . as a decimal point.

Number of Number of approval required to approve a request. Use this number to


approvers further restrict the maximum number of approvers of the implemented
approval procedure.
If there are several people allocated as approvers, then this number

One Identity Manager 8.2.1 IT Shop Administration Guide


91
Approval processes for IT Shop requests
Property Meaning

specifies how many people from this group have to approve a request. A
request can only be passed on to the next level if this has been done.
If you want approval decisions to be made by all the employees found
using the applicable approval procedure, for example all members of a role
(default approval procedure OR), enter the value -1. This overrides the
maximum number of approvers defined in the approval procedure.
If not enough approvers can be found, the approval step is presented to
the fallback approvers. The approval step is considered approved as soon
as one fallback approver has approved the request.
If an approval decision is made by the chief approval team, it overrides the
approval decision of just one regular approver. This means, if three
approvers must approve an approval step and the chief approval team
makes a decision, two more are still required.
The number of approvers defined in an approval step is not taken into
account in the approval procedures CD, EX,or WC.

Description: Text field for additional explanation.

Approval reason: Reason entered in the request if approval is automatically granted.
This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC. In
the CR approval procedure, you can use the wild card {0} in the text. The placeholder
syntax corresponds to a format placeholder in VB.Net ({0} to {9}).

Reject reason: Reason entered in the request and the approval history, if approval is
automatically denied.
This field is only shown for the approval procedures CD, CR, RI, SB, EX, and WC. In
the CR approval procedure, you can use the wild card {0} in the text. The placeholder
syntax corresponds to a format placeholder in VB.Net ({0} to {9}).

Reminder after (minutes): Number of minutes to elapse after which the approver is
notified by mail that there are still pending requests for approval. The input is
converted into working hours and displayed additionally.
NOTE: Ensure that a state, county, or both is entered into the employee's main data
for determining the correct working hours. If this information is missing, a fallback
is used to calculate the working hours. For more information about calculating
employees' working hours, see the One Identity Manager Identity Management Base
Module Administration Guide.
TIP: Weekends and public holidays are taken into account when working hours are
calculated. If you want weekends and public holidays to be dealt with in the same way
as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours |
IgnoreWeekend configuration parameter. For more information about this, see the One
Identity Manager Configuration Guide.
If more than one approver was found, each approver will be notified. The same applies
if an additional approver has been assigned.
If an approver delegated the approval, the time point for reminding the delegation
recipient is recalculated. The delegation recipient and all the other approvers are
notified. The original approver is not notified.
If an approver has made an inquiry, the time point for reminding the queried employee
is recalculated. As long as the inquiry has not been answered, only this employee is
notified.

Timeout (minutes): Number of minutes to elapse after which the approval step is
automatically granted or denied approval. The input is converted into working hours
and displayed additionally.
The working hours of the respective approver are taken into account when the time is
calculated.
NOTE: Ensure that a state, county, or both is entered into the employee's main data
for determining the correct working hours. If this information is missing, a fallback
is used to calculate the working hours. For more information about calculating
employees' working hours, see the One Identity Manager Identity Management Base
Module Administration Guide.
TIP: Weekends and public holidays are taken into account when working hours are
calculated. If you want weekends and public holidays to be dealt with in the same way
as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours |
IgnoreWeekend configuration parameter. For more information about this, see the One
Identity Manager Configuration Guide.
If more than one approver was found, then an approval decision for the approval step
is not automatically made until the timeout for all approvers has been exceeded. The
same applies if an additional approver has been assigned.
If an approver delegated approval, the time point for automatic approval is
recalculated for the new approver. If this approval is rejected, the time point for
automatic approval is recalculated for the original approver.
If an approver is queried, the approval decision must be made within the defined
timeout anyway. The time point for automatic approval is not recalculated.
If additional approvers are determined by recalculating the current approvers, then
the automatic approval deadline is not extended. The additional approvers must approve
within the time frame that applies to the current approver.

Timeout behavior: Action that is run if the timeout expires.
- Approved: The request is approved in this approval step. The next approval level is
  called.
- Deny: The request is denied in this approval step. The approval level for denying
  is called.
- Escalation: The request process is escalated. The escalation approval level is
  called.
- Cancel: The approval step, and therefore the entire approval process for the
  request, is canceled.

Additional approver possible: Specifies whether a current approver is allowed to
instruct another employee as an approver. This additional approver has parallel
authorization to make approvals for the current request. The request is not passed on
to the next approval level until both approvers have made a decision.
This option can only be set for approval levels with a single, manual approval step.

Approval can be delegated: Specifies whether a current approver can delegate the
approval of the request to another employee. This employee is added to the current
approval step as the approver. This employee then makes the approval decision instead
of the approver who made the delegation.
This option can only be set for approval levels with a single, manual approval step.

Approval by affected employee: Specifies whether the employee who is affected by the
approval decision can also approve this request. If this option is set, the requester
and request recipients can approve the request.
If this option is not set, use the QER | ITShop | PersonInsertedNoDecide, QER | ITShop
| PersonOrderedNoDecide, QER | ITShop | PersonInsertedNoDecideCompliance, and QER |
ITShop | PersonOrderedNoDecideCompliance configuration parameters to specify for all
requests whether requester and request recipient can approve the request.

Do not show in approval history: Specifies whether or not the approval step should be
displayed in the approval history. For example, this behavior can be applied to
approval steps with the CD - calculated approval procedure, which are used only for
branching in the approval workflow. It makes it easier to follow the approval history.

No automatic approval: Specifies whether the approval step is decided manually. The
request is presented again to an approver even if they are the requester themselves
or the request has been approved in a previous approval step. The setting of the
DecisionOnInsert, ReuseDecision, and AutoDecision configuration parameters is ignored
in this approval step.

Escalate if no approver found: Specifies whether the approval step is escalated if no
approver can be found and no fallback approver is assigned. In this case, the request
is neither canceled nor passed to the chief approval team.
This option can only be enabled if an approval level is linked to escalation. The
option cannot be enabled if the approval step uses the approval procedure OC or OH.
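The approver-count rules of the Number of approvers property (the -1 value, fallback approvers, the chief approval team counting as one approver) and the deadline rules of the Timeout (minutes) property (all approvers must time out, delegation recalculates, additional approvers do not extend) can be checked against a small model. The following is an added example and not One Identity Manager code; the ApprovalStep and Approver classes, the approver names and the start time T0 are constructed, and timeouts are counted in plain wall-clock minutes rather than the working hours the product uses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the "Number of approvers" and "Timeout (minutes)" rules.
# Class and method names are hypothetical, not One Identity Manager API, and
# timeouts are plain wall-clock minutes (the product converts them into the
# approver's working hours).

ALL_APPROVERS = -1               # step value -1: every approver found must approve
T0 = datetime(2022, 1, 3, 9, 0)  # constructed time at which the step was opened


@dataclass
class Approver:
    name: str
    started: datetime  # when this approver's own timeout was (re)started
    approved: bool = False


class ApprovalStep:
    def __init__(self, required, timeout_minutes, approvers, fallback=()):
        self.required = required
        self.timeout = timedelta(minutes=timeout_minutes)
        self.approvers = list(approvers)
        self.fallback = list(fallback)
        self.chief_team_approved = False
        # Not enough approvers found: the step goes to the fallback approvers.
        found = len(self.approvers)
        self.fallback_active = found == 0 or (
            required != ALL_APPROVERS and found < required)

    def _current(self):
        return self.fallback if self.fallback_active else self.approvers

    def approve(self, name):
        for a in self._current():
            if a.name == name:
                a.approved = True
                return
        raise KeyError(f"{name} is not a current approver of this step")

    def approve_by_chief_team(self):
        self.chief_team_approved = True  # counts like one regular approver

    def is_approved(self):
        if self.fallback_active:
            return any(a.approved for a in self.fallback)  # one is enough
        if self.required == ALL_APPROVERS:
            return all(a.approved for a in self.approvers)
        granted = sum(a.approved for a in self.approvers)
        return granted + int(self.chief_team_approved) >= self.required

    def delegate(self, original, delegate_name, at):
        # The delegate replaces the original approver; the automatic approval
        # time point is recalculated for the delegate.
        current = self._current()
        current[[a.name for a in current].index(original)] = Approver(delegate_name, at)

    def add_additional_approver(self, by, name):
        # Additional approvers inherit the time frame of the approver who added
        # them, so the deadline is not extended.
        current = self._current()
        current.append(Approver(name, next(a.started for a in current if a.name == by)))

    def auto_decision_due(self):
        # Auto-decision only once every current approver's timeout has expired;
        # an inquiry does not restart anyone's timeout.
        return max(a.started + self.timeout for a in self._current())


def demo():
    """Runs the rules on constructed scenarios and returns the outcomes."""
    def minutes_after_t0(t):
        return int((t - T0).total_seconds() // 60)

    r = {}
    # Three of four must approve; chief team counts as one, so two more needed.
    step = ApprovalStep(3, 60, [Approver(n, T0) for n in ("alice", "bob", "carol", "dan")])
    step.approve_by_chief_team()
    step.approve("alice")
    r["chief_plus_one"] = step.is_approved()
    step.approve("bob")
    r["chief_plus_two"] = step.is_approved()
    # -1: everybody found must approve.
    every = ApprovalStep(ALL_APPROVERS, 60, [Approver("a", T0), Approver("b", T0)])
    every.approve("a")
    r["all_partial"] = every.is_approved()
    every.approve("b")
    r["all_complete"] = every.is_approved()
    # Two required but only one found: fallback approvers decide, one suffices.
    fb = ApprovalStep(2, 60, [Approver("a", T0)],
                      fallback=[Approver("f1", T0), Approver("f2", T0)])
    fb.approve("f1")
    r["fallback"] = (fb.fallback_active, fb.is_approved())
    # Delegation recalculates the deadline; an additional approver does not.
    to = ApprovalStep(1, 60, [Approver("alice", T0), Approver("bob", T0)])
    r["due_initial"] = minutes_after_t0(to.auto_decision_due())
    to.delegate("bob", "eve", T0 + timedelta(minutes=30))
    r["due_after_delegation"] = minutes_after_t0(to.auto_decision_due())
    to.add_additional_approver("alice", "frank")
    r["due_after_additional"] = minutes_after_t0(to.auto_decision_due())
    return r
```

Calling demo() walks through the four scenarios; the deadline values are minutes after T0, so the step with two approvers is due after 60 minutes, moves to 90 minutes once bob delegates to eve half an hour in, and stays at 90 when alice adds frank as an additional approver.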

Detailed information about this topic

- Request risk analysis on page 124
- Notifications in the request process on page 169
- Processing status on page 195
- Reminding approvers on page 170
- Escalating an approval step on page 143
- Automatic approval on timeout on page 146
- Halting a request on timeout on page 147
- Automatically approving requests on page 136
- Using specific roles to find approvers on page 106
- Waiting for further approval on page 112
- Approvals to be made externally on page 115
- Calculated approval on page 114

Related topics

- Selecting responsible approvers on page 100
- Approvers cannot be established on page 145
- Approval by the chief approval team on page 149
- Approving requests from an approver on page 134
- Restricting exception approvers on page 131

Connecting approval levels

When you set up an approval workflow with several approval levels, you have to connect
each level with another. You may create the following links.

Table 31: Links to approval levels

Approve: Link to next approval level if the current approval level was granted
approval.

Deny: Link to next approval level if the current approval level was not granted
approval.

Reroute: Link to another approval level to bypass the current approval.
Approvers can pass the approval decision through another approval level, for example,
if approval is required by a manager in an individual case. To do this, create a
connection to the approval levels to which the approval can be rerouted. This way,
approvals can also be rerouted to a previous approval level, for example, if an
approval decision is considered not to be well-founded. Starting from one approval
level, more than one reroute can lead to different approval levels. The approvers
select, in the Web Portal, which of these approval levels to reroute the approval to.
It is not possible to reroute approval steps with the approval procedures OC, OH, EX,
CR, CD, SB, or WC.

Escalation: Link to another approval level when the current approval level is
escalated after timing out.

If there are no further approval levels after the current approval level, the request is
considered approved if the approval decision was to grant approval. If approval is not
granted, the request is considered to be finally denied. The approval method is closed in
both cases.
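The links in Table 31, together with the Timeout behavior actions (Approved, Deny, Escalation, Cancel) and the rule that a request is finally approved or denied when no further level follows, can be exercised as a small state machine. This is an added example, not One Identity Manager code; the Level and ApprovalWorkflow classes, the level names (manager, department, chief) and the three scenarios are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the links between approval levels (Table 31) and of the
# "Timeout behavior" options. Names are hypothetical; not One Identity Manager code.


@dataclass
class Level:
    name: str
    on_approve: Optional[str] = None     # Approve link: next level if granted
    on_deny: Optional[str] = None        # Deny link: next level if not granted
    on_escalation: Optional[str] = None  # Escalation link, used on timeout
    reroute_to: tuple = ()               # levels an approver may reroute to
    timeout_behavior: str = "Approved"   # Approved | Deny | Escalation | Cancel


class ApprovalWorkflow:
    def __init__(self, levels, start):
        self.levels = {lv.name: lv for lv in levels}
        self.current = start
        self.trail = [start]   # levels visited, as the approval history would show
        self.result = None     # "approved" | "denied" | "canceled" once final

    def _move(self, target):
        self.current = target
        self.trail.append(target)

    def decide(self, granted):
        """Approval decision in the current level; follows the Approve/Deny link."""
        lv = self.levels[self.current]
        target = lv.on_approve if granted else lv.on_deny
        if target is None:
            # No further approval level: the request is finally approved or denied.
            self.result = "approved" if granted else "denied"
        else:
            self._move(target)
        return self.result

    def reroute(self, target):
        lv = self.levels[self.current]
        if target not in lv.reroute_to:
            raise ValueError(f"no reroute link from {lv.name} to {target}")
        self._move(target)

    def timeout(self):
        """Applies the current level's timeout behavior once its timeout expires."""
        lv = self.levels[self.current]
        if lv.timeout_behavior == "Approved":
            return self.decide(True)
        if lv.timeout_behavior == "Deny":
            return self.decide(False)
        if lv.timeout_behavior == "Escalation":
            if lv.on_escalation is None:
                raise ValueError(f"{lv.name} has no escalation link")
            self._move(lv.on_escalation)
            return self.result
        if lv.timeout_behavior == "Cancel":
            self.result = "canceled"  # the whole approval process stops here
            return self.result
        raise ValueError(f"unknown timeout behavior {lv.timeout_behavior!r}")


def constructed_workflow():
    # Manager decides first, then the department; a manager timeout escalates to
    # a chief approver; the department may reroute back to the manager.
    return ApprovalWorkflow([
        Level("manager", on_approve="department", on_escalation="chief",
              timeout_behavior="Escalation"),
        Level("department", reroute_to=("manager",), timeout_behavior="Deny"),
        Level("chief", timeout_behavior="Cancel"),
    ], start="manager")


def scenario_escalation():
    wf = constructed_workflow()
    wf.timeout()       # manager does not react: escalated to "chief"
    wf.decide(True)    # chief grants; no further level, so finally approved
    return wf.result, wf.trail


def scenario_reroute_then_deny():
    wf = constructed_workflow()
    wf.decide(True)          # manager grants: on to "department"
    wf.reroute("manager")    # department sends it back to the manager
    wf.decide(False)         # manager denies; no Deny link, so finally denied
    return wf.result, wf.trail


def scenario_department_timeout():
    wf = constructed_workflow()
    wf.decide(True)
    wf.timeout()             # department's timeout behavior is Deny
    return wf.result, wf.trail
```

Each scenario returns the final result together with the trail of levels visited, which is what the approval history would show for that request.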

Additional tasks for approval workflows


After you have entered the main data, you can run the following tasks.

The approval workflow overview


To obtain an overview of an approval workflow

1. In the Manager, select the IT Shop > Basic configuration data > Approval
workflows category.
2. Select the approval workflow in the result list.
3. Select Approval workflow overview.

Copying approval workflows
You can copy default approval workflows in order to customize them.

To copy an approval workflow

1. In the Manager, select the IT Shop > Basic configuration data > Approval
workflows category.
2. Select an approval workflow in the result list and run the Change main data task.
3. Select the Copy workflow task.
4. Enter a name for the copy.
5. Click OK to start copying.
- OR -
Click Cancel to cancel copying.
6. To edit the copy immediately, click Yes.
- OR -
To edit the copy later, click No.

Deleting approval workflows


The approval workflow can only be deleted if it is not assigned to an approval policy.

To delete an approval workflow

1. Remove all assignments to approval policies.


a. Check to which approval policies the approval workflow is assigned.
b. Go to the main data form for the approval policy and assign a different
approval workflow.
2. In the Manager, select the IT Shop > Basic configuration data > Approval
workflows category.
3. Select an approval workflow in the result list.
4. Click .
5. Confirm the security prompt with Yes.

Detailed information about this topic

- The approval workflow overview on page 96
- General main data of approval policies on page 82

Default approval workflows
One Identity Manager provides approval workflows by default. These approval workflows
are used in the Identity & Access Lifecycle shop approval processes. Each default
approval workflow is linked to a default approval policy. You can edit different properties of
the approval step, for example, to configure notifications in the request process.

To edit default approval workflows

- In the Manager, select the IT Shop > Basic configuration data > Approval
  workflows > Predefined category.

Determining the effective approval policies

You can apply approval policies to different IT Shop structures and service items. If you
have several approval policies within your IT Shop, which policy is to be used is based on
the rules that are specified.
Effective approval policies are defined in the following way:

1. The effective approval policy is the one assigned to the requested service item.
2. If there is no approval policy assigned to the service item, the approval policy from
the service category is used.
3. If there is no approval policy assigned to the service item, the approval policy
assigned to the requested product’s shelf is used.
4. If there is no approval policy assigned to the shelf, one of the approval policies
assigned to the shop is used.
5. If there is no approval policy assigned to the shop, one of the approval policies
assigned to the shopping center is used.

An approval policy found by one of these methods is applied under the following
conditions:
- The approval policy is not assigned a role type.
  - OR -
- The assigned role type corresponds to the shelf role type.

If several effective approval policies are identified by the rules, the effective
approval policy is determined by the following criteria (in the given order).

1. The approval policy has the highest priority (alphanumeric sequence).
2. The approval policy has the lowest number of approval steps.
3. The first approval policy found is taken.

Furthermore:

- If no approval policy can be found for a product, a request cannot be started. The
  same applies for renewals and unsubscriptions.
- If no approver can be determined for one level of an approval policy, the request
  can be neither approved nor denied.
  - Pending requests are rejected and closed.
  - Unsubscriptions cannot be approved. Therefore, unsubscribed products remain
    assigned.
  - Renewals cannot be approved. Therefore, products for renewal remain assigned
    until the valid until date is reached.
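The resolution order (service item, service category, shelf, shop, shopping center), the role-type condition and the three tie-breaking criteria above can be written down as one function. This is an added example and not One Identity Manager code; the ApprovalPolicy and RequestContext classes and the policy names are constructed, and the example assumes that a structure whose policies all fail the role-type check is skipped in favour of the next structure.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the effective-approval-policy resolution described
# above. Names are hypothetical; this is not One Identity Manager code.


@dataclass
class ApprovalPolicy:
    name: str
    priority: str          # compared as text: the page says alphanumeric sequence
    approval_steps: int
    role_type: Optional[str] = None   # None: no role type assigned


@dataclass
class RequestContext:
    """Policies assigned at each IT Shop structure a request passes through."""
    service_item: list = field(default_factory=list)
    service_category: list = field(default_factory=list)
    shelf: list = field(default_factory=list)
    shop: list = field(default_factory=list)
    shopping_center: list = field(default_factory=list)
    shelf_role_type: Optional[str] = None


def applicable(policy, ctx):
    # A found policy applies only if it has no role type or its role type
    # matches the shelf's role type.
    return policy.role_type is None or policy.role_type == ctx.shelf_role_type


def effective_policy(ctx):
    """Return the effective policy for a request, or None if there is none."""
    # Steps 1-5: service item, service category, shelf, shop, shopping center.
    # Assumption: a structure whose policies all fail the role-type check is
    # skipped and the next structure is consulted.
    for assigned in (ctx.service_item, ctx.service_category, ctx.shelf,
                     ctx.shop, ctx.shopping_center):
        candidates = [p for p in assigned if applicable(p, ctx)]
        if candidates:
            break
    else:
        return None  # no approval policy: the request cannot be started
    # Tie-break: highest priority, then fewest approval steps, then the first
    # one found (max() keeps the first of several equal maxima).
    return max(candidates, key=lambda p: (p.priority, -p.approval_steps))


def constructed_examples():
    two_step = ApprovalPolicy("Two-step", priority="1", approval_steps=2)
    one_step = ApprovalPolicy("One-step", priority="1", approval_steps=1)
    urgent = ApprovalPolicy("Urgent", priority="2", approval_steps=3)
    it_only = ApprovalPolicy("IT shelf policy", priority="9", approval_steps=1,
                             role_type="IT")
    results = {}
    # A policy on the service item wins over anything further up.
    results["item"] = effective_policy(RequestContext(
        service_item=[one_step], shop=[urgent])).name
    # Shelf policy's role type does not match the shelf: skipped, and among
    # the shop's policies the highest priority wins.
    results["shop_priority"] = effective_policy(RequestContext(
        shelf=[it_only], shop=[two_step, urgent], shelf_role_type="HR")).name
    # Matching role type: the shelf policy applies.
    results["shelf_role"] = effective_policy(RequestContext(
        shelf=[it_only], shop=[urgent], shelf_role_type="IT")).name
    # Equal priority: the policy with fewer approval steps wins.
    results["fewest_steps"] = effective_policy(RequestContext(
        shopping_center=[two_step, one_step])).name
    # Nothing assigned anywhere: no request can be started.
    results["none"] = effective_policy(RequestContext())
    return results
```

constructed_examples() returns the policy chosen in each of the five situations, the last of which is None because no structure carries a policy.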

NOTE: If an approval workflow for pending requests changes, you must decide how
to proceed with these requests. Configuration parameters are used to define the
desired procedure.
For more information, see Changing approval workflows of pending requests on
page 164.

Related topics

- Approvers for renewals on page 99
- Approvers for unsubscriptions on page 100
- Requests with limited validity period on page 160

Approvers for renewals


Once the currently effective approval policy has been identified, the actual approvers are
determined by the approval workflow specified by it. When requests are renewed, a
renewal workflow is run. If no renewal workflow is stored with the approval policy,
approvers are determined by the approval workflow.
If no approvers can be identified for a renewal, then the renewal is denied. The product
remains assigned only until the Valid until date. The request is then canceled and the
assignment is removed.

Related topics

- Canceling or unsubscribing requests on page 162
- Renewing requests on page 161
- Determining the effective approval policies on page 98

Approvers for unsubscriptions
Once the currently effective approval policy has been identified, the actual approvers are
determined by the approval workflow specified by it. When a product is unsubscribed, the
cancellation workflow runs. If no unsubscribe workflow is stored with the approval policy,
approvers are determined by the approval workflow.
If no approvers can be determined for an unsubscription, then the unsubscription is denied.
The product remains assigned.

Related topics

- Determining the effective approval policies on page 98

Selecting responsible approvers


One Identity Manager can make approvals automatically in an approval process or through
approvers. An approver is an employee or a group of employees who can grant or deny
approval for a request (renewal or cancelation) within an approval process. It takes several
approval procedures to grant or deny approval. You specify in the approval step which
approval procedure should be used.
If several people are determined to be approvers by an approval procedure, the number
given in the approval step specifies how many people must approve the step. Only then is
the request presented to the approvers in the next approval level. The request is canceled if
an approver cannot be found for an approval step.
One Identity Manager provides approval procedures by default. You can also define your
own approval procedures.
The DBQueue Processor calculates which employee is authorized as an approver and in
which approval level. The calculation is triggered by the IT Shop approver schedule. Take
into account the special cases for each approval procedure when setting up the approval
workflows to determine those authorized to grant approval.

Default approval procedures


The following approval procedures are defined to select the responsible approvers by
default.

Table 32: Approval procedures for IT Shop requests

BA - Owner of the application: All members of the application role assigned for
owners. For more information, see Using requested products to find approvers on
page 107.

BE - Approver of application entitlement: All members of the application roles
assigned for approvers and additional approvals. For more information, see Using
requested products to find approvers on page 107.

BR - Back to recipient: Employee who receives the request. For more information, see
Finding requesters on page 117.

BS - Back to requester: Employee who triggered the request. For more information, see
Finding requesters on page 117.

CD - Calculated approval: (none). For more information, see Calculated approval on
page 114.

CM - Recipient's manager: Manager. For more information, see Using request recipients
to find approvers on page 106.

CR - Compliance check (simplified): (none). For more information, see Compliance
checking requests on page 126.

D0 - Manager of shelf's department: Manager and deputy manager. For more information,
see Using IT Shop structures to find approvers on page 105.

D1 - Manager of shop's department: Manager and deputy manager. For more information,
see Using IT Shop structures to find approvers on page 105.

D2 - Manager of shopping center's department: Manager and deputy manager. For more
information, see Using IT Shop structures to find approvers on page 105.

DI - Named (IT) approvers of department provided in request: All members of the
assigned application role. For more information, see Using departments to find
approvers on page 112.

DM - Manager of recipient's department: Manager and deputy manager. For more
information, see Using request recipients to find approvers on page 106.

DP - Manager of department provided in request: Manager and deputy manager. For more
information, see Using departments to find approvers on page 112.

DR - Named approvers of department provided in request: All members of the assigned
application role. For more information, see Using departments to find approvers on
page 112.

EX - Approvals to be made externally: (none). For more information, see Approvals to
be made externally on page 115.

H0 - Shelf owner: Owner and deputy. For more information, see Using IT Shop structures
to find approvers on page 105.

H1 - Shop owner: Owner and deputy. For more information, see Using IT Shop structures
to find approvers on page 105.

H2 - Shopping center owner: Owner and deputy. For more information, see Using IT Shop
structures to find approvers on page 105.

ID - Named (IT) approvers of recipient's department: All members of the assigned
application role. For more information, see Using approval roles to find approvers on
page 109.

IL - Named (IT) approvers of recipient's location: All members of the assigned
application role. For more information, see Using approval roles to find approvers on
page 109.

IO - Named (IT) approvers of recipient's primary role: All members of the assigned
application role. For more information, see Using approval roles to find approvers on
page 109.

IP - Named (IT) approvers of recipient's cost center: All members of the assigned
application role. For more information, see Using approval roles to find approvers on
page 109.

KA - Product owner and additional owner of the Active Directory Group: Product owner
and additional owner of the Active Directory group, if Active Directory groups or
group memberships are attested. For more information, see Using requested products to
find approvers on page 107.

MS - Manager of the requested business role or organization: Manager and deputy of the
business role, department, cost center or location requested by assignment request.
For more information, see Using requested roles to find approvers on page 112.

OA - product owner: All members of the assigned application role. For more
information, see Using requested products to find approvers on page 107.

OC - Exception approver for violated rules: All members of the assigned application
role. For more information, see Finding exception approvers on page 128.

OH - Exception approver for worst rule violation: All members of the assigned
application role. For more information, see Finding exception approvers on page 128.

OM - Manager of a specific role: Manager of the role selected in the approval
workflow. For more information, see Using specific roles to find approvers on
page 106.

OR - Members of a certain role: All employees assigned to a secondary business role.
For more information, see Using specific roles to find approvers on page 106.

OT - Attestor of assigned service item: All members of the assigned application role.
For more information, see Using requested products to find approvers on page 107.

P0 - Manager of shelf's cost center: Manager and deputy manager. For more information,
see Using IT Shop structures to find approvers on page 105.

P1 - Manager of shop's cost center: Manager and deputy manager. For more information,
see Using IT Shop structures to find approvers on page 105.

P2 - Manager of shopping center's cost center: Manager and deputy manager. For more
information, see Using IT Shop structures to find approvers on page 105.

PA - Additional owner of the Active Directory group: All employees to be found through
the additional owner of the requested Active Directory group. For more information,
see Using requested products to find approvers on page 107.

PG - owners of the requested privileged access request: All employees who can be
determined as an owner of the requested privileged access request. For more
information, see Using requested products to find approvers on page 107.

PI - Named (IT) approvers of cost center provided in request: All members of the
assigned application role. For more information, see Using cost centers to find
approvers on page 111.

PM - Manager of recipient's cost center: Manager and deputy manager. For more
information, see Using request recipients to find approvers on page 106.

PP - Manager of cost center provided in request: Manager and deputy manager. For more
information, see Using cost centers to find approvers on page 111.

PR - Named approvers of cost center provided in request: All members of the assigned
application role. For more information, see Using cost centers to find approvers on
page 111.

RD - Named approvers of cost center provided in request: All members of the assigned
application role. For more information, see Using approval roles to find approvers on
page 109.

RI - Employee's risk index: (none). For more information, see Request risk analysis on
page 124.

RL - Named approvers of recipient's location: All members of the assigned application
role. For more information, see Using approval roles to find approvers on page 109.

RO - Named approvers of recipient's primary role: All members of the assigned
application role. For more information, see Using approval roles to find approvers on
page 109.

RP - Named approvers of recipient's cost center: All members of the assigned
application role. For more information, see Using approval roles to find approvers on
page 109.

SB - Self-service: (none). For more information, see Self-service on page 105.

TO - Target system manager of the requested system entitlement: All members of the
assigned application role. For more information, see Using requested products to find
approvers on page 107.

WC - Waiting for further approval: (none). For more information, see Waiting for
further approval on page 112.


Self-service
Use the SB (self-service) approval procedure to approve requests automatically. You do not
have to specify approvers for this approval procedure. A self-service request is always
granted immediate approval. Always define an approval workflow with the approval
procedure SB as a one-step workflow. That means you cannot set up more approval steps
in addition to a self-service approval step.
The approval workflow and the Self-service approval policy are available by default and
assigned to the Identity & Access Lifecycle shop.

Using IT Shop structures to find approvers

Use the following approval procedures to establish an IT Shop structure owner, an IT
Shop structure department manager or an IT Shop structure cost center manager as
approver.

Table 33: Approval procedures for determining approvers for IT Shop structures

The IT Shop structure from which the request comes is assigned an owner or a deputy.
- H0: Owner and deputy of the shelf
- H1: Owner and deputy of the shop
- H2: Owner and deputy of the shopping center

A department is assigned to the IT Shop structure from which the request is made. The
department is assigned a manager or a deputy manager.
- D0: Manager and deputy manager of the shelf's department
- D1: Manager and deputy manager of the shop's department
- D2: Manager and deputy manager of the shopping center's department

A cost center is assigned to the IT Shop structure from which the request is made. The
cost center is assigned a manager or a deputy manager.
- P0: Manager and deputy manager of the shelf's cost center
- P1: Manager and deputy manager of the shop's cost center
- P2: Manager and deputy manager of the shopping center's cost center

Using request recipients to find approvers

Use the following approval procedures if you want to determine the manager of the
request recipient to be approver.

Table 34: Approval procedures for determining approvers for request recipients

The request recipient is assigned a manager.
- CM: Request recipient's manager

The request recipient is assigned to a department. The department is assigned a
manager or a deputy manager.
- DM: Manager and deputy manager of the request recipient's department

The request recipient is assigned a cost center. The cost center is assigned a manager
or a deputy manager.
- PM: Manager and deputy manager of the request recipient's cost center

Using specific roles to find approvers

If members of a specific role are to be determined as approvers, use the OR or OM
approval procedure. In the approval step, also specify the role to be used to find the
approver. The approval procedures determine the following approvers. If a deputy IT
Shop has been entered in the main data of these employees, they are also authorized as
approver.

Table 35: Approval procedures for determining approvers for a specific role

OM
Selectable roles: Departments (Department), Cost centers (ProfitCenter), Locations
(Locality), Business roles (Org)
Approver: Manager and deputy manager of the hierarchical role specified in the
approval step.

OR
Selectable roles: Departments (Department), Cost centers (ProfitCenter), Locations
(Locality), Business roles (Org), Application roles (AERole)
Approver: All secondary members of the hierarchical role specified in the approval
step.

Using requested products to find approvers


If the owner of the requested product is to be determined as an approver, use the following
approval procedures:
OA - product owner
Assign an application role to the product’s service item in the Product owner input field
to make it possible to find owners of a product as approvers. In this case, all the
employees assigned to the application role through secondary assignment are recognized
as approvers.
OT - Attestor of assigned service item
Assign an application role to the product’s service item in the Attestor field to make it
possible to identify the attestors of the requested product as approvers. In this case, all the
employees assigned to the application role through secondary assignment are recognized
as approvers.
PA - Additional owner of the Active Directory group

Installed modules: Active Roles Module

If an Active Directory group is requested, the approvers can be found through the
additional owner of this Active Directory group. All employees are found that are:
- A member in the assigned Active Directory group through their Active Directory
  user account
- Linked to the assigned Active Directory user account

NOTE: Only use this approval procedure if the TargetSystem | ADS | ARS_SSM
configuration parameter is set.
The column Additional owners is only available in this case.
KA - Product owner and additional owner of the Active Directory Group

Installed modules: Active Roles Module

If an Active Directory group is requested, the approvers are found through the product
owner of this Active Directory group. If the groups were added automatically to the IT
Shop, the account managers are identified as product owners. For more information about
these functions, see the One Identity Manager Administration Guide for One Identity Active
Roles Integration.
NOTE: If the TargetSystem | ADS | ARS_SSM configuration parameter is set,
additional owners of the Active Directory group are also determined.
The column Additional owners is only available in this case.
PG - owners of the requested privileged access request

Installed modules: Privileged Account Governance Module

If an access request is made for a privileged object within a Privileged Account
Management system, such as PAM assets, PAM asset accounts and PAM directory accounts,
then the owner of the privileged objects is determined as the approver in the approval
process for these. The owners of the privileged objects must have the Privileged
Account Governance | Asset and account owners application role or a child application
role.
To make an access request, additional system prerequisites must be met by the
Privileged Account Management system. For more information about PAM access requests,
see the One Identity Manager Administration Guide for Privileged Account Governance.
TO - target system manager of the requested system entitlement

Installed modules: Target System Base Module, other target system modules

If a system entitlement is requested, the target system managers can be found as
approvers using this approval procedure. Assign the synchronization base object of the
target system to the target system manager (for example Active Directory domain, SAP
client, target system type in the Unified Namespace). This finds, as approvers, all
employees assigned to the application role assigned here and all members of the parent
application roles.
This finds all target system managers of the system entitlement that are stored as the
final product with the request (PersonWantsOrg.UID_ITShopOrgFinal column).
BA - Owner of the application

Installed modules: Application Governance Module

When application entitlements are requested, this approval procedure identifies the owners of the application under which the application entitlements are provisioned as the approvers. The application owners must be assigned to the Application Governance | Owners application role or a child application role.
For more information about applications and application entitlements, see the One Identity
Manager Application Governance User Guide.
BE - Approver of application entitlement

Installed modules: Application Governance Module

When application entitlements are requested, this approval procedure identifies as approvers the approvers of the application under which the application entitlements are provisioned, together with the additional approvers of the application entitlement.
For more information about applications and application entitlements, see the One Identity
Manager Application Governance User Guide.

Using approval roles to find approvers

Use the following approval procedures if the role approver of a hierarchical role is to be the approver.

Table 36: Approval procedures to determine approvers through an approval role

Approval procedure | Approver
RD | The request recipient is assigned a primary department. The department is assigned an application role in the Role approver menu. All secondarily assigned employees of this application role are determined to be approvers.
RL | The request recipient is assigned a primary location. The location is assigned an application role in the Role approver menu. All secondarily assigned employees of this application role are determined to be approvers.
RO | Installed modules: Business Roles Module. The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver menu. All secondarily assigned employees of this application role are determined to be approvers.
RP | The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver menu. All secondarily assigned employees of this application role are determined to be approvers.
ID | The request recipient is assigned a primary department. The department is assigned an application role in the Role approver (IT) menu. All secondarily assigned employees of this application role are determined to be approvers.
IL | The request recipient is assigned a primary location. The location is assigned an application role in the Role approver (IT) menu. All secondarily assigned employees of this application role are determined to be approvers.
IO | Installed modules: Business Roles Module. The request recipient is assigned a primary business role. The business role is assigned an application role in the Role approver (IT) menu. All secondarily assigned employees of this application role are determined to be approvers.
IP | The request recipient is assigned a primary cost center. The cost center is assigned an application role in the Role approver (IT) menu. All secondarily assigned employees of this application role are determined to be approvers.

Figure 6: Determining approvers through a department's role approver

Determining the approvers through the approval role of the request recipient's primary department (approval procedure RD), as an example:

1. Determine the requester’s primary department (UID_Department).
2. The application role (UID_AERole) is determined through the department’s role approver (UID_RulerContainer).
3. Determine the secondary employees assigned to this application role. These can issue approval.
4. If there is no approval role given for the primary department or the approval role does not have any members, the approval role is determined for the parent department.
5. The request cannot be approved if no approval role with members is found by drilling up to the top department.

NOTE: When approvers are found using the approval procedures RO or IO, and
inheritance for business roles is defined from the bottom up, note the following:
If no role approver is given for the primary business role, the role approver is determined
from the child business role.

Using cost centers to find approvers

Use the following approval procedures to determine the approver through a cost center given in the request.

Table 37: Approval procedures for determining approvers for a cost center

Approval procedure | Approver
PP | A cost center is entered in the request. The cost center is assigned a manager. The manager of the given cost center is established as approver.
PR | A cost center is entered in the request. The cost center is assigned an application role in the Role approver menu. All secondarily assigned employees of this application role are determined to be approvers. Approvers are determined following the same method as described in Using approval roles to find approvers.
PI | A cost center is entered in the request. The cost center is assigned an application role in the Role approver (IT) menu. All secondarily assigned employees of this application role are determined to be approvers. Approvers are determined following the same method as described in Using approval roles to find approvers.

Using departments to find approvers

Use the following approval procedures to determine the approver through a department given in the request.

Table 38: Approval procedures for determining approvers for a department

Approval procedure | Approver
DP | A department is entered in the request. The department is assigned a manager. The manager of the given department is established as approver.
DR | A department is entered in the request. The department is assigned an application role in the Role approver menu. All secondarily assigned employees of this application role are determined to be approvers. Approvers are determined following the same method as described in Using approval roles to find approvers.
DI | A department is entered in the request. The department is assigned an application role in the Role approver (IT) menu. All secondarily assigned employees of this application role are determined to be approvers. Approvers are determined following the same method as described in Using approval roles to find approvers.

Using requested roles to find approvers


If membership in or assignment to a hierarchical role is requested and the manager of
the requested role is to be the approver, use the MS approval procedure. Then the
manager and deputy of the requested department, cost center, business role or location
are determined as the approvers. This approval procedure can only be used for
assignment requests.

Waiting for further approval

NOTE: Only one approval step can be defined with the WC approval procedure per approval level.

Use the WC approval procedure within an approval process to ensure that a defined prerequisite is fulfilled before the request is approved. For example, the approval of a permissions group request should only take place if the corresponding user account exists. Deferred approval is useful when a request should be tested for rule conformity. If the user account does not exist when the requested permissions groups are tested, any rule violations that may occur due to the request will not be logged.
You can specify which prerequisites have to be fulfilled so that a request can be presented for approval by defining an appropriate condition. The condition is evaluated as a function call. The function must accept the request UID as a parameter (PersonWantsOrg.UID_PersonWantsOrg) and must return an integer. Three ranges of return values are distinguished; one of the following actions is carried out depending on the function’s return value.

Table 39: Return value for deferred approval

Return value | Action
> 0 | The condition is fulfilled. Deferred approval has completed successfully. The next approval step (in case of success) is carried out.
= 0 | The condition is not yet fulfilled. Approval is rolled back and is retested the next time DBQueue Processor runs.
< 0 | The condition is not fulfilled. Deferred approval has failed. The next approval step (in case of failure) is carried out.

To use an approval procedure

1. Create a database function which tests the condition for the request.
2. Create an approval step with the WC approval procedure. Enter the function call
in Condition.
Syntax: dbo.<function name>
3. Specify an approval step in the case of success. Use an approval procedure with
which One Identity Manager can determine the approvers.
4. Specify an approval step in the case of failure.

Example

To check whether the necessary user account exists when the permissions group is
requested, you can use the TSB_FGIPWODecisionForGroup function that is supplied.

Table 40: Example of an approval step with deferred approval

Single step: Waiting Condition
Approval procedures: WC - Waiting for further approval
Condition: dbo.TSB_FGIPWODecisionForGroup
Number of approvers: 1

Table 41: Return value for deferred approval decisions in the TSB_FGIPWODecisionForGroup function

Return value | Action
> 0 | The user account exists, thus fulfilling the condition. The delayed approval is decided positively. The request is passed on to the next approval step. Now an approval step must follow which can establish the approvers for the request.
= 0 | The condition is not fulfilled. There is a request pending for a user account or the employee has an account definition with which a user account could be created. Approval is, therefore, deferred, and tested again on the next DBQueue Processor run.
< 0 | The condition is not fulfilled. There is no request for a user account and the employee does not have an account definition with which a user account could be created. The delayed approval is decided negatively. The request is passed on to the next approval step.
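As an added example (not part of the guide, and not a supplied function like TSB_FGIPWODecisionForGroup), a custom WC condition function that follows the return value contract of Table 39: it checks whether the requester's primary department is linked to a cost center that has a manager, so that a following PP step can actually find an approver. The CCC_ prefix, the varchar(38) UID type and the treatment of an empty string as "not assigned" are assumptions; the tables and columns are the ones used in this chapter's query examples.

```sql
-- Custom WC condition function (added example, not shipped with One Identity Manager).
-- Called by the approval step as: Condition = dbo.CCC_FGIPWOCostCenterHeadExists
-- Contract (Table 39): > 0 fulfilled, = 0 retest on the next DBQueue Processor run,
-- < 0 failed. The name prefix CCC_ and the UID type are assumptions.
CREATE FUNCTION dbo.CCC_FGIPWOCostCenterHeadExists (@UID_PersonWantsOrg varchar(38))
RETURNS int
AS
BEGIN
    DECLARE @UID_Department   varchar(38);
    DECLARE @UID_ProfitCenter varchar(38);
    DECLARE @UID_PersonHead   varchar(38);

    -- Primary department of the requester (UID_PersonInserted), as in Example 2 of the guide.
    SELECT @UID_Department = p.UID_Department
    FROM PersonWantsOrg pwo
    JOIN Person p ON pwo.UID_PersonInserted = p.UID_Person
    WHERE pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg;

    -- No department at all (NULL or empty reference, assumption): the prerequisite
    -- cannot be met by waiting, so the step fails and the failure branch runs.
    IF @UID_Department IS NULL OR @UID_Department = ''
        RETURN -1;

    SELECT @UID_ProfitCenter = d.UID_ProfitCenter
    FROM Department d
    WHERE d.UID_Department = @UID_Department;

    -- Department exists but no cost center is linked yet: wait and retest later.
    IF @UID_ProfitCenter IS NULL OR @UID_ProfitCenter = ''
        RETURN 0;

    SELECT @UID_PersonHead = pc.UID_PersonHead
    FROM ProfitCenter pc
    WHERE pc.UID_ProfitCenter = @UID_ProfitCenter;

    -- Cost center without a manager: a PP step could not find an approver, wait.
    IF @UID_PersonHead IS NULL OR @UID_PersonHead = ''
        RETURN 0;

    -- Prerequisite fulfilled: continue with the approval step defined for success.
    RETURN 1;
END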

Calculated approval
NOTE: Only one approval step can be defined with the CD approval procedure per
approval level.
It is possible to determine who should be presented with the request for approval on the
basis of a defined condition. For example, if the price of the request is below a defined limit,
then the department manager can grant approval. If this limit is exceeded, the request has
to be presented to the cost center manager. In another case, requests from members of
department XY can be granted immediate approval as long as the request does not exceed
the defined price limit. If the limit is exceeded or if the employee belongs to another
department, the approval has to be granted by the department manager.
To calculate an approval (CD approval procedure), enter a condition when you set up the
approval step. If the condition returns a result, the approval step is approved through One
Identity Manager. If the condition does not return a result, the approval step is denied by
One Identity Manager. If there are no subsequent steps to be carried out, the request is
finally granted or denied approval. The condition is defined as a valid where clause for
database queries. You can enter the SQL query directly or with a wizard. The condition is
always checked for the current request and requester.

Example for calculated approval

Requests with a price of under 1000 euros can be approved by the customer’s department
manager. Requests over 1000 euros must be presented to the cost center manager.

Table 42: Approval step with calculated approval

Single step: Calculated approval
Approval procedures: CD - Calculated approval
Condition:
EXISTS (
  SELECT 1 FROM (
    SELECT UID_ITShopOrg FROM ITShopOrg
    WHERE EXISTS (
      SELECT 1 FROM (
        SELECT UID_AccProduct FROM AccProduct
        WHERE round(PurchasePrice, 13) < round(1.000000E+003, 13)
      ) as X
      WHERE X.UID_AccProduct = ITShopOrg.UID_AccProduct
    )
  ) as X
  WHERE X.UID_ITShopOrg = PersonWantsOrg.UID_Org
)
Number of approvers: 1

Figure 7: Approval workflow showing calculated approval
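The second scenario described above (immediate approval for members of department XY as long as the price limit is not exceeded) as an added CD condition; this is not a query from the guide. It assumes Department.DepartmentName as the department name column, uses UID_PersonInserted for the requester as the guide's own query examples do, and 'XY' and 1000 are constructed values.

```sql
-- Added example: where clause for a CD approval step (not from the guide).
-- Evaluated against the current request (PersonWantsOrg). A result means the step
-- is approved automatically; no result means it is denied and the failure branch
-- (for example a DP step for the department manager) follows.
EXISTS (
    -- Requester belongs to department XY (DepartmentName column is an assumption).
    SELECT 1
    FROM Person p
    JOIN Department d ON p.UID_Department = d.UID_Department
    WHERE p.UID_Person = PersonWantsOrg.UID_PersonInserted
      AND d.DepartmentName = 'XY'
)
AND EXISTS (
    -- Requested product (via the shelf object in UID_Org) is below the limit.
    SELECT 1
    FROM ITShopOrg iso
    JOIN AccProduct ap ON ap.UID_AccProduct = iso.UID_AccProduct
    WHERE iso.UID_ITShopOrg = PersonWantsOrg.UID_Org
      AND ap.PurchasePrice < 1000
)
```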

Approvals to be made externally

Use external approvals (EX approval procedure) if a request needs to be approved once a defined event from outside One Identity Manager takes place. You can also use this procedure to allow users with no access to One Identity Manager to approve requests.
Specify an event in the approval step that triggers an external approval. The event triggers a process that initiates the external approval for the request and evaluates the result of the approval decision. The approval process waits for the external decision to be passed to One Identity Manager. Define the subsequent approval steps depending on the result of the external approval.

To use an approval procedure

1. In the Designer, define your own processes that:
   • Trigger an external approval.
   • Analyze the results of the external approval.
   • Grant or deny approval in the subsequent external approval step in One Identity Manager.
2. Define an event that starts the process for external approval. Enter the result in Result in the approval step.

If the external event occurs, the approval step status in One Identity Manager must be changed. Use the CallMethod process task with the MakeDecision method for this. Pass the following parameters to the process task:

    MethodName: Value = "MakeDecision"
    ObjectType: Value = "PersonWantsOrg"
    Param1: Value = "sa"
    Param2: Value = <approval> ("true" = granted; "false" = denied)
    Param3: Value = <reason for approval decision>
    Param4: Value = <standard reason>
    Param5: Value = <number approval steps> (PWODecisionStep.SubLevelNumber)
    WhereClause: Value = "UID_PersonWantsOrg ='"& $UID_PersonWantsOrg$ &"'"

Use these parameters to specify which request is to be approved by external approval (WhereClause). Param1 specifies the approver; the approver is always the sa system user. Param2 passes the approval decision: if the request was granted, a value of True must be returned; if the request was denied, a value of False must be returned. Use Param3 to pass a reason text for the approval decision and Param4 to pass a predefined standard reason. If more than one external approval step has been defined in an approval level, use Param5 to pass the approval step count. This ensures the approval is aligned with the correct approval step.

Example

All approved requests should be entered into an external ticketing system and started. If a
request is completed in an external ticketing system, it must also be completed in One
Identity Manager. Use this approval procedure to make external approvals and define:
• A P1 process that creates a ticket with the information about the requested product in the external system and passes the ticket number to One Identity Manager in the request instance.
• An E1 event that starts the P1 process.
• A P2 process that checks whether the ticket status is "closed" and calls the CallMethod process task with the MakeDecision method in One Identity Manager.
• An E2 event that starts the P2 process.
• A schedule that starts the E2 event on a regular basis.

Enter E1 in the Event box as the trigger for the external decision.
Pass the product and customer data that the product is being requested for in the P1
process to the external ticket system. In another parameter, pass the ticket number from
the external ticketing system to One Identity Manager.
Use the ticket number to check the ticket status in the P2 process. If the ticket is closed, call the MakeDecision method and pass the ticket status from the external system to One Identity Manager in a parameter (Param2). In another parameter, specify the system user that changes the approval step status in One Identity Manager (Param1). Pass sa as the value for this parameter. Pass the reason for the approval decision in Param3.
For more information about defining processes, see the One Identity Manager Configuration Guide.

Detailed information about this topic

• Properties of an approval step on page 90

Finding requesters
Use the BS and BR approval procedures to return the approval to the requester or request
recipient. The BS approval procedure finds the request requester and the BR approval
procedure finds the request recipient. As a result, the requester and the request recipient
can also influence the approval. Their approval can be viewed in the approval history. The
approval workflow can be continued from any approval level.
The requesters are also found if the QER | ITShop | PersonInsertedNoDecide and QER
| ITShop | PersonOrderedNoDecide configuration parameters are set. For more
information, see Approving requests from an approver on page 134.

Setting up approval procedures


You can create your own approval procedures if the default approval procedures for finding
the responsible approvers do not meet your requirements. The condition through which the
approvers are determined is formulated as a database query. Several queries may be
combined into one condition.

To set up an approval procedure

1. In the Manager, select the IT Shop > Basic configuration data > Approval procedures category.
2. Select an approval procedure in the result list and run the Change main data task.
   - OR -
   Click in the result list.
3. Edit the approval procedure main data.
4. Save the changes.

To edit the condition

1. In the Manager, select the IT Shop > Basic configuration data > Approval
procedures category.
2. Select an approval procedure from the result list.
3. Select Change queries for approver selection.

Detailed information about this topic

• General main data of an approval procedure on page 118
• Queries for approver selection on page 119

General main data of an approval procedure


Enter the following main data of an approval procedure.

Table 43: General main data of an approval procedure

Property | Description
Approval procedure | Descriptor for the approval procedure (maximum two characters).
Description | Approval procedure identifier.
DBQueue Processor task | Approvals can either be made automatically through a DBQueue Processor calculation task or by specified approvers. Assign a custom DBQueue Processor task if the approval procedure should make an automatic approval decision. You cannot assign a DBQueue Processor task if a query is entered for determining the approvers.
Max. number approvers | Maximum number of approvers to be determined by the approval procedure. Specify how many employees must really make approval decisions in the approval steps used by this approval procedure.
Sort order | Value for sorting approval procedures in the menu. Specify the value 10 to display this approval procedure at the top of the menu when you set up an approval step.

Related topics
• Properties of an approval step on page 90

Queries for approver selection


The condition through which the approvers are determined is formulated as a database
query. Several queries may be combined into one condition. This adds all employees
determined by single queries to the group of approvers.

To edit the condition

1. In the Manager, select the IT Shop > Basic configuration data > Approval
procedures category.
2. Select an approval procedure from the result list.
3. Select Change queries for approver selection.

To create single queries

1. Click Add.
This inserts a new row in the table.
2. Mark this row. Enter the query properties.
3. Add more queries if required.
4. Save the changes.

To edit a single query

1. Select the query you want to edit in the table. Edit the query's properties.
2. Save the changes.

To remove single queries

1. Select the query you want to remove in the table.
2. Click Delete.
3. Save the changes.

Table 44: Query properties

Property | Description
Approver selection | Query identifier that determines the approvers.
Query | Database query for determining the approvers. The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. Every query must return a value for UID_PWORulerOrigin. The query returns one or more employees to whom the request is presented for approval. If the query fails to return a result, the request is canceled. A query contains exactly one select statement. To combine several select statements, create several queries. If a DBQueue Processor task is assigned, you cannot enter a query to determine approvers.

You can, for example, determine predefined approvers with the query (example 1). The approver can also be found dynamically depending on the request to approve. To do this, access the request to be approved within the database query using the @UID_PersonWantsOrg variable (example 2).

Example 1

Requests should be approved by a specific approver.

Query:
select UID_Person, null as UID_PWORulerOrigin from Person where InternalName='Bloggs, Jan'

Example 2

Approval for requests should be granted or denied through the requester’s parent department. The approver is the cost center manager that is assigned to the requester’s primary department. The requester is the employee that started the request (UID_PersonInserted, for example, when placing requests for employees).

Query:
select pc.UID_PersonHead as UID_Person, null as UID_PWORulerOrigin from PersonWantsOrg pwo
join Person p on pwo.UID_PersonInserted = p.UID_Person
join Department d on p.UID_Department = d.UID_Department
join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter
where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg

Taking delegation into account

To include delegation when determining approvers, use the query to also determine the employees to whom a responsibility has been delegated. If the managers of hierarchical roles are to make the approval decision, determine the approvers from the HelperHeadOrg table. This table groups all hierarchical role managers, their deputy managers, and employees to whom a responsibility has been delegated. If the members of business or application roles are to make the approval decision, determine the approvers from the PersonInBaseTree table. This table groups all hierarchical role members and employees to whom a responsibility has been delegated.
Determine the UID_PWORulerOrigin in order to notify delegators when the recipient of the delegation has made a decision on a request and thus allow the Web Portal to show if the approver was originally delegated.

To determine the UID_PWORulerOrigin of the delegation

• Determine the UID_PersonWantsOrg of the delegation and copy this value as UID_PWORulerOrigin to the query. Use the dbo.QER_FGIPWORulerOrigin table function to do this.
  select dbo.QER_FGIPWORulerOrigin(XObjectKey) as UID_PWORulerOrigin

Modified query from example 2:

select hho.UID_PersonHead as UID_Person, dbo.QER_FGIPWORulerOrigin(hho.XObjectkey) as UID_PWORulerOrigin from PersonWantsOrg pwo
join Person p on pwo.UID_PersonInserted = p.UID_Person
join Department d on p.UID_Department = d.UID_Department
join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter
join HelperHeadOrg hho on hho.UID_Org = pc.UID_ProfitCenter
where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg
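An added example (not the guide's own query) for the second delegation case, role members rather than role managers: the approvers are the members of the role approver application role of the requester's primary department, as in the RD procedure, including employees to whom that membership was delegated, taken from PersonInBaseTree. Assumptions: PersonInBaseTree exposes UID_Person, UID_Org and XObjectKey, and Department.UID_RulerContainer holds the role approver application role (the column named for the RD procedure earlier in this chapter).

```sql
-- Added example: approver query with delegation for role members (not from the guide).
-- Entered as one query under "Change queries for approver selection".
-- Assumptions: PersonInBaseTree(UID_Person, UID_Org, XObjectKey) and
-- Department.UID_RulerContainer = role approver application role of the department.
select pibt.UID_Person as UID_Person,
       -- Non-null only for delegated memberships, so the Web Portal can show the delegator.
       dbo.QER_FGIPWORulerOrigin(pibt.XObjectKey) as UID_PWORulerOrigin
from PersonWantsOrg pwo
-- Requester, as in the guide's Example 2 (use a different column for the recipient).
join Person p on pwo.UID_PersonInserted = p.UID_Person
join Department d on p.UID_Department = d.UID_Department
-- All members of the department's role approver role, delegations included.
join PersonInBaseTree pibt on pibt.UID_Org = d.UID_RulerContainer
where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg
```

If the department has no role approver assigned, the join yields no row and, per Table 44, the request is canceled; add a second query (for example the cost center manager from Example 2) if a fallback approver is wanted.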

Copying an approval procedure


You can copy default approval procedures in order to customize them.

To copy an approval procedure

1. In the Manager, select the IT Shop > Basic configuration data > Approval
procedures category.
2. Select an approval procedure in the result list. Select the Change main data task.
3. Select the Create copy task.
4. Confirm the security prompt with Yes.
5. Enter the short name for the copy.
The short name for an approval procedure consists of a maximum of two characters.
6. Click OK to start copying.
- OR -
Click Cancel to cancel copying.

Deleting approval procedures
To delete an approval procedure

1. Remove all assignments to approval steps.
   a. On the approval procedure overview form, check which approval steps are assigned to the approval procedure.
   b. Switch to the approval workflow and assign another approval procedure to the approval step.
2. In the Manager, select the IT Shop > Basic configuration data > Custom
defined > Approval procedures category.
3. Select an approval procedure from the result list.
4. Click .
5. Confirm the security prompt with Yes.

Determining the responsible approvers


The DBQueue Processor calculates which employee is authorized as an approver and in
which approval level. Once a request is triggered, the approvers are determined for every
approval step of the approval workflow to be processed. Changes to responsibilities may
lead to an employee no longer being authorized as an approver for a request that is not yet
finally approved. In this case, approvers must be recalculated. The following changes can
trigger a recalculation for as yet unapproved requests:
• Approval policy, workflow, step, or procedure changes.
• An authorized approver loses their responsibility in One Identity Manager, for example, if a change is made to the department manager, product owner, or target system manager.
• An employee obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example as the manager of the request recipient.
• An employee authorized as an approver is deactivated.

Once an employee's responsibilities have changed in One Identity Manager, an approver recalculation task is queued in the DBQueue. By default, all approval steps of the pending approval processes are recalculated at the same time. Approval steps that have already been approved remain approved, even if their approver has changed. Recalculating approvers may take a long time depending on the configuration of the system environment and the amount of data to be processed. To optimize this processing time, you can specify the approval steps for which the approvers are to be recalculated.

To configure recalculation of approvers

• In the Designer, set the QER | ITShop | ReducedApproverCalculation configuration parameter and select one of the following options as the value.

Table 45: Options for recalculating approvers

Option: No
  All approval steps are recalculated. This behavior also applies if the configuration parameter is not set.
  Advantage: All valid approvers are displayed in the approval process. The rest of the approval sequence is transparent.
  Disadvantage: Recalculating approvers may take a long time.

Option: CurrentLevel
  Only approvers for the approval level that is currently to be edited are recalculated. Once an approval level has been approved, the approvers are determined for the next approval level.
  Advantage: The number of approval levels to calculate is lower. Calculating the approvers may be faster.
  TIP: Use this option if performance problems occur in your environment in connection with the recalculation of approvers.
  Disadvantage: The originally calculated approvers are still displayed in the approval sequence for each subsequent approval step, even though they may no longer have approval authorization. The rest of the approval sequence is not correctly represented.

Option: NoRecalc
  No recalculation of approvers. The previous approvers remain authorized to approve the current approval levels. Once an approval level has been approved, the approvers are determined for the next approval level.
  Advantage: The number of approval levels to calculate is lower. Calculating the approvers may be faster.
  TIP: Use this option if performance problems occur in your environment in connection with the recalculation of approvers, even though the CurrentLevel option is used.
  Disadvantage: The originally calculated approvers are still displayed in the approval sequence for each subsequent approval step, even though they may no longer have approval authorization. The rest of the approval sequence is not correctly represented. Employees that are no longer authorized can approve the current approval level.
  In the worst-case scenario, the only approvers originally calculated here now have no access to One Identity Manager, for example, because they have left the company. The approval level cannot be approved.
  To see approval steps of this type through:
  • Define a timeout and timeout behavior when you set up the approval workflows on the approval steps.
  - OR -
  • When setting up the IT Shop, assign members to the chief approval team. These can access open approval processes at any time.

Detailed information about this topic

• Properties of an approval step on page 90
• Chief approval team on page 202

Related topics
• Changing approval workflows of pending requests on page 164

Request risk analysis


Everyone with IT system authorization in a company represents a security risk for that
company. For example, a person with permission to edit financial data in SAP carries a
higher risk than an employee with permission to edit their own personal data. To quantify
the risk, you can enter a risk value for every company resource in One Identity Manager. A
risk index is calculated from this value for every person who is assigned this company
resource, directly, or indirectly. Company resources include target system entitlements (for
example, Active Directory groups or SAP profiles), system roles, subscribable reports,
software, and resources. In this way, all the people that represent a particular risk to the
company can be found.
Every time a company resource with a specified risk index is assigned, the employee's risk
index may exceed a permitted level. You can check the risk index of company resources if
they are requested through the IT Shop. If the risk index is higher than the specified value,
the request is denied.

To set up risk assessment for requests

• Create an approval workflow.
  1. Add an approval step with the RI approval procedure.
  2. In the Condition field, enter the comparison value for the risk index. Enter a number in the range 0.0 to 1.0.
  3. Enter other approval levels if required.

The approval step is granted approval by One Identity Manager if the risk index of the
requested company resource is lower than the comparison value. If the risk index is higher
or equal to the comparison value, the approval step is not granted approval.
Risk assessment of requests works for both direct company resource requests and assignment requests. Only risk indexes with entered values are examined for the approval decision; calculated risk indexes are not taken into account. Therefore, risk assessment of requests only works if the product's original table or one of the member tables of a requested assignment has a RiskIndex column. If the table only has the RiskIndexCalculated column, the approval step is granted automatically. If both member tables of an assignment request have a RiskIndex column, the higher of the two risk indexes is used as the basis for the approval.
If the company resource request or an assignment has been granted approval, the
employee's risk index is recalculated the next time the scheduled calculation task is run.
For more information about risk assessment, see the One Identity Manager Risk
Assessment Administration Guide.
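The decision rule of the RI approval step, written out as an added example. This is illustrative Python, not One Identity Manager code, and the table names, keys and risk values are constructed sample data. It covers the three cases the text describes: a single product with an entered risk index, an assignment request where the higher of the two member tables' entered values counts, and a table that only carries RiskIndexCalculated and is therefore granted automatically.

```python
"""Model of the RI approval step decision described above.

Added example, not One Identity Manager code. It applies the rule in this
section: an RI step is granted when the entered risk index (the RiskIndex
column) of the requested company resource is lower than the step's
comparison value and denied when it is higher or equal. A calculated risk
index (RiskIndexCalculated) is never consulted, a product whose table has no
RiskIndex column is approved automatically, and for an assignment request the
higher of the two member tables' entered values counts. The table names and
rows below are constructed sample data, not product tables.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ResourceRow:
    """A row of a company-resource table as the RI step would read it.

    risk_index is None when the table has no RiskIndex column (assumption of
    this example: an entered value of 0 is still a value and is compared).
    """
    table: str
    key: str
    risk_index: Optional[float] = None
    risk_index_calculated: Optional[float] = None   # ignored by the RI step


def effective_risk_index(rows: List[ResourceRow]) -> Optional[float]:
    """Entered risk index the RI step compares, or None if no involved table
    has a RiskIndex column. For assignment requests (two member tables) the
    higher of the entered values is used."""
    entered = [r.risk_index for r in rows if r.risk_index is not None]
    return max(entered) if entered else None


def ri_step_decision(rows: List[ResourceRow], condition: float) -> str:
    """Return 'Grant' or 'Deny' for an RI approval step.

    condition is the value entered in the step's Condition field (0.0..1.0).
    """
    if not 0.0 <= condition <= 1.0:
        raise ValueError("Condition must be a number in the range 0.0 to 1.0")
    risk = effective_risk_index(rows)
    if risk is None:
        # Only RiskIndexCalculated (or nothing) available: approved automatically.
        return "Grant"
    return "Grant" if risk < condition else "Deny"


# Constructed sample rows (hypothetical table and key names).
AD_GROUP = ResourceRow("ADSGroup", "CN=Finance-Admins", risk_index=0.8,
                       risk_index_calculated=0.95)
SAP_PROFILE = ResourceRow("SAPProfile", "Z_FI_EDIT", risk_index=0.6)
SYSTEM_ROLE = ResourceRow("ESet", "Onboarding-Bundle",
                          risk_index_calculated=0.9)   # no RiskIndex column


if __name__ == "__main__":
    cases = (([AD_GROUP], "AD group"),
             ([SAP_PROFILE], "SAP profile"),
             ([AD_GROUP, SAP_PROFILE], "assignment, both tables with RiskIndex"),
             ([SYSTEM_ROLE, SAP_PROFILE], "assignment, one table without RiskIndex"),
             ([SYSTEM_ROLE], "system role, calculated index only"))
    for rows, label in cases:
        print(f"{label}: {ri_step_decision(rows, 0.7)}")
```

Note the boundary: a comparison value equal to the entered risk index denies the step, so a Condition of 0.6 rejects a product whose RiskIndex is exactly 0.6.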

Related topics
• Properties of an approval step on page 90

Testing requests for rule compliance

Installed modules: Compliance Rules Module

You can integrate rule conformity testing for IT Shop requests within an approval workflow. A separate approval procedure is supplied for this. This approval procedure checks whether the request's recipient would violate compliance rules if the request were granted approval. The result of the test is logged in the request's approval sequence and approval history.

Table 46: Approval procedures for compliance checking

Approval procedure: CR (compliance check, simplified)
Description: Checks the current request for possible rule violations. It takes into account the requested product and all the company resources already assigned to the request recipient.

Prerequisites for request validation
• Compliance rules are defined.
  For detailed information, see the One Identity Manager Compliance Rules Administration Guide.
• The approval workflow contains an approval step with the CR approval procedure.
  For more information, see Compliance checking requests on page 126.

Compliance checking requests


To retain an overview of potential rule violations, you can run a simplified compliance check. Use the CR approval procedure to test requests for possible rule violations before finally approving them.
The following data of a recipient's request is taken into account by the compliance check:
• All pending requests
• All company resources already assigned to the recipient
• All the recipient's user accounts
• All entitlements in the target system (for example, Active Directory groups or SAP roles) that the recipient has obtained through these user accounts

The compliance check evaluates the auxiliary tables for object assignments, which are calculated on a scheduled basis. Furthermore, the approval procedure only takes into account compliance rules that are created using the simplified definition. Rule checking therefore does not completely check the requests. Under the following conditions, rule checking may fail to identify a rule violation:
• The customer's permissions change after the auxiliary tables have been calculated.
• If memberships in a business role or organization are requested, a rule is violated by an object that is inherited through the business role or organization. Inheritance is calculated after request approval, so the violation cannot be identified until the auxiliary tables are calculated again.
• The customer does not belong to the employee group affected by the rule until the request is made.
• The rule condition was created in expert mode or as a SQL query.

TIP: A complete check of assignments is achieved with cyclical testing of compliance rules using schedules. This finds all the rule violations that result from the request.
Under the following condition, rule checking may identify a rule violation where none exists:
• Two products violate a rule when they are assigned at the same time, but both product requests are for a limited period and the validity periods do not overlap. A potential rule violation is still identified.

TIP: As permitted by the definition of the violated rule, such requests can be approved by an exception approver after checking.
The compliance check is not only useful for specifying which rule is violated by a request; it can also find out which product in the request caused the rule violation. This makes a detailed analysis of the rule violation possible. The request can still be approved by exception approval, the definition of the compliance rules permitting. Additional approval steps are added to approval workflows to deal with exception approval.

Conditions for compliance checking requests


• You can add only one approval step with the CR approval procedure per approval policy.
• The rule conditions were created in the simple definition.
• IT Shop properties that are specified for each rule are taken into account in the rule testing. Identification of a rule violation depends on the Rule violation identified setting.
• The compliance check should be added as the last approval level in the approval workflow. The subsequent approval levels only get one approval step, which determines the exception approver if approval is denied.

Compliance check sequence

1. If an approval step for compliance checking using the CR approval procedure is found in the request's approval workflow, all products in pending requests are assigned to the customer. It is assumed that all pending requests will be approved and therefore that the customer will obtain all the products. The current request is then analyzed with respect to potential violations of the defined rules.
2. If no rule violations are found, the approval step is automatically granted approval and the request is passed on to the approver at the next approval level.
3. If a rule violation is detected, the request is automatically not granted approval. The request can still be approved by exception approval, the definition of the rule violations permitting.

For more information about compliance checking, see the One Identity Manager
Compliance Rules Administration Guide.

Detailed information about this topic
• Identifying rule violations on page 127
• Finding exception approvers on page 128

Identifying rule violations


If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is set, properties can be added to compliance rules that are taken into account when rule checking requests.
Specify which violation should be logged for the rule by using the Rule violation identified IT Shop property.

Table 47: Permitted values

Value: New rule violation due to a request
Description: Only rule violations that are added through approval of the current request are logged.

Value: Unapproved exception
Description: Rule violations that are added through approval of the current request are logged. Already known rule violations that have not yet been granted an exception are also logged.

Value: Any compliance violation
Description: All rule violations are logged, independent of whether an exception approval has already been granted or not. This value is automatically set when the Explicit exception approval option is set.

If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is not set, only the new rule violations caused by the current request are logged.
For detailed information, see the One Identity Manager Compliance Rules Administration Guide.

Finding exception approvers


Requests that may cause a rule violation can still be approved by exception approval.

To allow exception approval for requests with rule violations
1. Enable the Exception approval allowed option for the compliance rule and assign an exception approver.
   For more information, see the One Identity Manager Compliance Rules Administration Guide.
2. Enter an approval step in the approval workflow with the OC or OH procedure. Connect this approval level with the compliance checking approval level at the connection point for denying this approval decision.
   NOTE:
   • Only apply this approval procedure immediately after an approval level with the CR approval procedure.
   • For each approval workflow, only one approval step can be defined using the OC or OH approval procedure.
3. If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is set, you can use the rule's IT Shop properties to configure which rule violations are presented to an exception approver. Set or unset Explicit exception approval to do this.
   For more information, see Explicit exception approval on page 133.

Table 48: Approval procedures for exception approval

Approval procedure: OC (exception approvers for violated rules)
Description: The approval decision is made by the exception approvers of the violated rule. As several rules may be broken by one request, the request is presented to all the exception approvers in parallel. If one of the exception approvers rejects the exception, the request is rejected.

Approval procedure: OH (exception approver for worst rule violation)
Description: The approval decision is made by the exception approver of the violated rule that poses the highest threat. In this way, you can accelerate the exception approval procedure for a request that violates several rules.
Ensure the following apply for this approval procedure:
• The severity level is set in the assessment criteria for all compliance rules.
• The exception approver for the worst rule violation is also one of the exception approvers of all the other affected rules.

Example

Four different compliance rules are violated by a request for Active Directory group membership. The target system manager of the Active Directory domain is entered as exception approver for all the compliance rules.
Using the OC approval procedure, the target system manager must grant approval exceptions for all four compliance rules.
Using the OH approval procedure, the target system manager is presented with the request only for the compliance rule with the highest severity code. The manager's decision is automatically passed on to the other violated rules.
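The difference between OC and OH, and the preconditions for OH listed in Table 48, as an added Python example. This is illustrative code, not the product's approval procedure implementation; the rule names, severities and the approver identity reproduce the four-rule scenario of the example above and are constructed. It also applies the note that exception approvers have no fallback approvers, so a violated rule without one cancels the request.

```python
"""Model of the OC and OH approval procedures for exception approval.

Added example, not product code. It follows the description in Table 48 and
the example above: OC presents the request to the exception approvers of
every violated rule in parallel and a single rejection rejects the request;
OH presents it only to the exception approvers of the rule with the highest
severity and carries their decision over to the other violated rules. The
guide also notes that exception approvers have no fallback approvers, so a
violated rule without an exception approver cancels the request. Rule names,
severities and approver identities are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ComplianceRule:
    name: str
    severity: Optional[int]                       # from the rule's assessment criteria
    exception_approvers: List[str] = field(default_factory=list)


def oc_assignments(violated: List[ComplianceRule]) -> Dict[str, List[str]]:
    """OC: each violated rule is decided by its own exception approvers."""
    return {r.name: list(r.exception_approvers) for r in violated}


def oh_assignments(violated: List[ComplianceRule]) -> Dict[str, List[str]]:
    """OH: only the rule with the highest severity is presented.

    Checks the two preconditions from Table 48: every rule has a severity,
    and the worst rule's exception approvers are also exception approvers of
    every other violated rule.
    """
    missing = [r.name for r in violated if r.severity is None]
    if missing:
        raise ValueError(f"severity level not set for: {', '.join(missing)}")
    worst = max(violated, key=lambda r: r.severity)
    for r in violated:
        if not set(worst.exception_approvers) & set(r.exception_approvers):
            raise ValueError(f"approver of {worst.name} is not an exception approver of {r.name}")
    return {worst.name: list(worst.exception_approvers)}


def request_outcome(violated: List[ComplianceRule], procedure: str,
                    decisions: Dict[Tuple[str, str], bool]) -> str:
    """Overall outcome of the exception approval level.

    decisions maps (rule name, approver) to True (exception granted) or
    False (rejected); missing entries are still open. Returns 'Grant',
    'Deny', 'Pending' or 'Cancel'.
    """
    if procedure not in ("OC", "OH"):
        raise ValueError("procedure must be OC or OH")
    needed = oc_assignments(violated) if procedure == "OC" else oh_assignments(violated)
    pending = False
    for rule, approvers in needed.items():
        if not approvers:
            return "Cancel"            # no exception approver and no fallback approvers
        verdicts = [decisions.get((rule, a)) for a in approvers]
        if any(v is False for v in verdicts):
            return "Deny"              # one rejection rejects the request
        if not any(v is True for v in verdicts):
            pending = True             # nobody has decided this rule yet
    return "Pending" if pending else "Grant"


# Constructed sample: four rules violated by one AD group request, all with
# the domain's target system manager as exception approver (the guide's example).
RULES = [
    ComplianceRule("SoD-FI-01", severity=2, exception_approvers=["tsm-ad-corp"]),
    ComplianceRule("SoD-FI-02", severity=4, exception_approvers=["tsm-ad-corp"]),
    ComplianceRule("SoD-FI-03", severity=1, exception_approvers=["tsm-ad-corp"]),
    ComplianceRule("SoD-FI-04", severity=3, exception_approvers=["tsm-ad-corp"]),
]

if __name__ == "__main__":
    print("OC needs decisions for:", sorted(oc_assignments(RULES)))
    print("OH needs decisions for:", sorted(oh_assignments(RULES)))
    one_grant = {("SoD-FI-02", "tsm-ad-corp"): True}
    print("OH after one grant:", request_outcome(RULES, "OH", one_grant))
    print("OC after one grant:", request_outcome(RULES, "OC", one_grant))
```

With the same single grant by the target system manager, OH completes the level while OC is still waiting for three more decisions, which is the acceleration the table describes.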

Figure 8: Example of an approval workflow with compliance checking and exception approval

Sequence of compliance checking with exception approval

1. If a rule violation is detected during compliance checking, the request is automatically not granted approval. The request is passed on to the approver of the next approval level for approval.
2. Exception approvers are found according to the given approval procedure.
3. If exception approval is granted, the request is approved and assigned.
4. If exception approval is not granted, the request is denied.

IMPORTANT: If the QER | ITShop | ReuseDecision configuration parameter is set and the exception approver has already approved the request as an approver in a previous approval step, exception approval is automatically granted. For more information, see Automatically approving requests on page 136.
NOTE:
• As opposed to the manager/deputy principle normally in place, an exception approver's deputy is NOT permitted to grant exception approval alone.
• You cannot determine fallback approvers for exception approvers. The request is canceled if no exception approver can be established.
• The chief approval team cannot grant exception approvals.

Restricting exception approvers
By default, exception approvers can also make approval decisions about requests in which they are themselves the requester (UID_PersonInserted) or the recipient (UID_PersonOrdered). To prevent this, you can specify the desired behavior in the following configuration parameters and in the approval step:
• QER | ComplianceCheck | DisableSelfExceptionGranting configuration parameter
• QER | ITShop | PersonOrderedNoDecideCompliance configuration parameter
• QER | ITShop | PersonInsertedNoDecideCompliance configuration parameter
• Approval by affected employee option in the approval step for finding exception approvers

If the requester or recipient is not allowed to grant approval exceptions, their main identity and all sub identities are removed from the circle of exception approvers.

Summary of configuration options

Requesters can grant exception approval for their own requests if:
• The PersonInsertedNoDecideCompliance configuration parameter is not set.
- OR -
• The Approval by affected employee option is set.

Recipients can grant exception approval for their own requests if:
• The DisableSelfExceptionGranting configuration parameter is not set and the PersonOrderedNoDecideCompliance configuration parameter is not set.
- OR -
• The DisableSelfExceptionGranting configuration parameter is not set and the Approval by affected employee option is set.

Requesters cannot grant exception approval if:
• The PersonInsertedNoDecideCompliance configuration parameter is set and the Approval by affected employee option is not set.

Recipients cannot grant exception approval if:
• The DisableSelfExceptionGranting configuration parameter is set.
- OR -
• The PersonOrderedNoDecideCompliance configuration parameter is set and the Approval by affected employee option is not set.

Related topics
• Setting up exception approver restrictions on page 132
• Approving requests from an approver on page 134

Setting up exception approver restrictions

To prevent recipients of requests becoming exception approvers
• In the Designer, set the QER | ComplianceCheck | DisableSelfExceptionGranting configuration parameter.
  This configuration parameter takes effect:
  • When requests are granted approval exception.
  • During cyclical rule checking. For more information about cyclical rule checking, see the One Identity Manager Compliance Rules Administration Guide.
- OR -
• In the Designer, set the QER | ITShop | PersonOrderedNoDecideCompliance configuration parameter.
  This configuration parameter takes effect:
  • When requests are granted approval exception.
  • If the Approval by affected employee option is disabled in the approval step.

To prevent requesters becoming exception approvers
• In the Designer, set the QER | ITShop | PersonInsertedNoDecideCompliance configuration parameter.
  This configuration parameter takes effect:
  • When requests are granted approval exception.
  • If the Approval by affected employee option is disabled in the approval step.

For individual approval workflows, you can allow exceptions to the general rule set in the PersonInsertedNoDecideCompliance and PersonOrderedNoDecideCompliance configuration parameters. Use this option if the requester or recipient of requests is allowed to grant themselves exception approval only for certain requests.

To allow request recipients or requesters to become exception approvers in certain cases
• In the approval step for determining exception approvers, enable the Approval by affected employee option.

Related topics
• Properties of an approval step on page 90
• Approving requests from an approver on page 134
• Restricting exception approvers on page 131

Explicit exception approval

If the QER | ComplianceCheck | EnableITSettingsForRule configuration parameter is set, properties can be added to compliance rules that are taken into account when rule checking requests.
Use the Explicit exception approval IT Shop property to specify whether a reoccurring rule violation should be presented for exception approval again or whether an existing exception approval can be reused.

Table 49: Permitted values

Option is: Enabled
Description: A known rule violation must always be presented for exception approval, even if there is an exception approval from a previous violation of the rule.

Option is: Not set
Description: A known rule violation is not presented again for exception approval if there is an exception approval from a previous violation of the rule. This exception approval is reused and the known rule violation is automatically granted an exception.

If several rules are violated by a request and Explicit exception approval is set for one of the rules, the request is presented for approval to all exception approvers of this rule.
Rules that have Explicit exception approval set result in a renewed exception approval if:
• A rule check is carried out within the approval process for the current request.
- AND -
  a. The rule is violated by the current request.
  - OR -
  b. The IT Shop customer has already violated the rule.

In case (a), the request for the IT Shop customer is presented to the exception approver. If the request is approved, case (b) applies to the next request. In case (b), every request for the IT Shop customer must be decided by the exception approver, even when the request itself does not result in a rule violation. The result is that assignments for employees who have been granted an exception are verified and reapproved for every new request.
For more information about exception approvals, see the One Identity Manager Compliance Rules Administration Guide.

Rule checking for requests with self-service


Self-service (SB approval procedure) is always defined as a one-step procedure. That
means you cannot set up more approval steps in addition to a self-service approval step.

To realize compliance checking for requests with self-service
• Create an approval workflow with a single approval level. The approval workflow contains an approval step with the CR approval procedure. For more information, see Compliance checking requests on page 126.
  If the rule check is successful, the request is granted approval and self-service is accomplished implicitly.
  To make exception approval possible for rule violations, add an approval level with the OC or OH approval procedure. For more information, see Finding exception approvers on page 128.

Approving requests from an approver


By default, approvers can make approval decisions about requests in which they are themselves the requester (UID_PersonInserted) or the recipient (UID_PersonOrdered). To prevent this, you can specify the desired behavior in the following configuration parameters and in the approval step.
• QER | ITShop | PersonOrderedNoDecide configuration parameter
• QER | ITShop | PersonInsertedNoDecide configuration parameter
• Approval by affected employee option in the approval step

If the requester or recipient is not allowed to make approval decisions, their main identity and all sub identities are removed from the group of approvers.
NOTE:
• The configuration parameter setting also applies to fallback approvers; it does not apply to the chief approval team.
• These configuration parameters do not affect the BS and BR approval procedures. These approval procedures also find the requester and the request recipient if the configuration parameter is not set. For more information, see Finding requesters on page 117.

Summary of configuration options

Requesters can approve their own requests if:
• The PersonInsertedNoDecide configuration parameter is not set.
- OR -
• The Approval by affected employee option is set.

Recipients can approve their own requests if:
• The PersonOrderedNoDecide configuration parameter is not set.
- OR -
• The Approval by affected employee option is set.

Requesters cannot approve if:
• The PersonInsertedNoDecide configuration parameter is set and the Approval by affected employee option is not set.

Recipients cannot approve if:
• The PersonOrderedNoDecide configuration parameter is set and the Approval by affected employee option is not set.

Example

A department manager places a request for an employee. Both of them are found to be approvers by the approval procedure. To prevent the department manager from approving the request, set the QER | ITShop | PersonInsertedNoDecide parameter. To prevent the employee from approving the request, set the QER | ITShop | PersonOrderedNoDecide parameter.
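The two summary tables (this one for approvers and the one under Restricting exception approvers) encode the same pattern, so one added Python example covers both: a parameter blocks the requester or recipient only while the step's Approval by affected employee option is not set, with DisableSelfExceptionGranting as the one parameter that no step option overrides. This is illustrative code, not product code; the identity names, the identity-to-main-identity map and the parameter values are constructed, and only the parameter short names are taken from the guide.

```python
"""Model of the self-approval restrictions for approvers and exception approvers.

Added example, not product code. may_decide() encodes the two summary tables
in this guide (Approving requests from an approver, Restricting exception
approvers): the PersonInsertedNoDecide / PersonOrderedNoDecide parameters and
their ...Compliance counterparts only take effect while the approval step's
"Approval by affected employee" option is not set, whereas
DisableSelfExceptionGranting blocks a recipient from exception approval
regardless of that option. filter_approvers() then removes the requester's
or recipient's main identity together with all sub identities from a set of
candidate approvers, as the guide describes. Identity names, the identity
map and the parameter values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Request:
    uid_person_inserted: str   # requester
    uid_person_ordered: str    # recipient


def may_decide(role: str, params: Dict[str, bool], affected_employee_option: bool,
               exception_approval: bool = False) -> bool:
    """True if the requester ('requester') or recipient ('recipient') of a
    request may decide it. params holds the QER | ITShop and
    QER | ComplianceCheck parameters by short name; missing means not set."""
    if role not in ("requester", "recipient"):
        raise ValueError("role must be 'requester' or 'recipient'")
    if exception_approval:
        if role == "recipient" and params.get("DisableSelfExceptionGranting", False):
            return False      # no step option overrides this parameter
        blocker = ("PersonInsertedNoDecideCompliance" if role == "requester"
                   else "PersonOrderedNoDecideCompliance")
    else:
        blocker = "PersonInsertedNoDecide" if role == "requester" else "PersonOrderedNoDecide"
    # The blocking parameter only takes effect if the step option is not set.
    return affected_employee_option or not params.get(blocker, False)


def filter_approvers(candidates: Set[str], main_identity_of: Dict[str, str],
                     request: Request, params: Dict[str, bool],
                     affected_employee_option: bool,
                     exception_approval: bool = False) -> Set[str]:
    """Remove identities that are not allowed to decide the request.

    main_identity_of maps every identity (main or sub) to its main identity;
    an excluded person loses the main identity and every sub identity."""
    allowed = set(candidates)
    for role, uid in (("requester", request.uid_person_inserted),
                      ("recipient", request.uid_person_ordered)):
        if may_decide(role, params, affected_employee_option, exception_approval):
            continue
        main = main_identity_of.get(uid, uid)
        allowed -= {i for i, m in main_identity_of.items() if m == main} | {main}
    return allowed


# Constructed sample: a manager (who also has an admin sub identity) requests
# a product for an employee; both end up among the candidate approvers.
IDENTITIES = {"mgr": "mgr", "mgr_admin": "mgr", "emp": "emp", "owner": "owner"}
REQUEST = Request(uid_person_inserted="mgr", uid_person_ordered="emp")
CANDIDATES = {"mgr_admin", "emp", "owner"}

if __name__ == "__main__":
    print(filter_approvers(CANDIDATES, IDENTITIES, REQUEST,
                           {"PersonInsertedNoDecide": True}, affected_employee_option=False))
```

The sub identity matters in practice: blocking PersonInsertedNoDecide removes mgr_admin as well, because the guide removes the main identity and all sub identities, so the manager cannot route around the restriction through a second account.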

Approving requests from an exception approver

Similarly, you specify whether exception approvers are allowed to approve their own
requests if compliance rules are violated by a request. For more information, see
Restricting exception approvers on page 131.

Related topics
• Setting up approver restrictions on page 136

Setting up approver restrictions
To prevent recipients of requests becoming approvers
• In the Designer, set the QER | ITShop | PersonOrderedNoDecide configuration parameter.
  This configuration parameter takes effect if the Approval by affected employee option is not set on the approval step.

To prevent requesters becoming approvers
• In the Designer, set the QER | ITShop | PersonInsertedNoDecide configuration parameter.
  This configuration parameter takes effect if the Approval by affected employee option is not set on the approval step.

For individual approval workflows, you can allow exceptions to the general rule set in the PersonInsertedNoDecide and PersonOrderedNoDecide configuration parameters. Use this option to allow the requester or recipient of requests to make approval decisions themselves in single approval steps.

To allow request recipients or requesters to become approvers in certain cases
• On the approval step, enable the Approval by affected employee option.

Related topics
• Properties of an approval step on page 90
• Approving requests from an approver on page 134

Automatically approving requests


Approvers may be involved in an approval process more than once, for example, if they are also requesters or are determined as approvers in various approval steps. In such cases, the approval process can be sped up with automatic approval.
NOTE: Automatic approvals apply to all fallback approvers but not to the chief approval team.
Use configuration parameters to specify when automatic approvals are used. You can specify exceptions from the default behavior for individual approval steps. Specify the behavior you expect in the following configuration parameters and approval steps.
• QER | ITShop | DecisionOnInsert configuration parameter
• QER | ITShop | AutoDecision configuration parameter
• QER | ITShop | ReuseDecision configuration parameter
• No automatic approval option in the approval step

Summary of configuration options

Approval steps are automatically approved or denied if:
• The QER | ITShop | DecisionOnInsert configuration parameter is set and the No automatic approval option is not set.
- OR -
• The QER | ITShop | AutoDecision configuration parameter is set and the No automatic approval option is not set.
- OR -
• The QER | ITShop | ReuseDecision configuration parameter is set and the No automatic approval option is not set.

Requests are manually approved or denied if:
• The QER | ITShop | DecisionOnInsert configuration parameter is not set.
- OR -
• The QER | ITShop | AutoDecision configuration parameter is not set.
- OR -
• The QER | ITShop | ReuseDecision configuration parameter is not set.
- OR -
• The No automatic approval option is set.

Detailed information about this topic
• Configuring automatic approval on page 138

Related topics
• Approval by the chief approval team on page 149
• Approvers cannot be established on page 145
• Timeout on saving requests on page 239

Configuring automatic approval
Scenario: An approver can grant or deny approval in several approval steps.

An approver may be authorized to approve several levels of an approval workflow. By default, the request is presented to the approver in each approval level. You can allow automatic approval so that the approver is not presented with a request more than once.

To apply an approver's decision automatically in several sequential approval levels
• In the Designer, set the QER | ITShop | AutoDecision configuration parameter.
  The approval decision of the first approval level is applied to the subsequent approval levels for which the approver is authorized.
  The configuration parameter takes effect if the No automatic approval option is not enabled for the approval step.

To apply an approver's decision automatically in all non-sequential approval levels
• In the Designer, set the QER | ITShop | ReuseDecision configuration parameter.
  If the approver granted approval to this request in an earlier approval step, the approval decision is transferred. If the approver did not grant approval in an earlier approval step, the request is presented for approval again.
  The configuration parameter takes effect if the No automatic approval option is not enabled for the approval step.
  IMPORTANT: If the approver is also an exception approver for compliance rule violations, requests that violate compliance rules will also be automatically approved without being presented for exception approval.

Scenario: Requester is also approver

Approvers can run requests for themselves. If a requester is determined to be approver for the request, their approval steps are immediately granted approval.

To prevent automatic approval for an approver's requests
• In the Designer, disable the QER | ITShop | DecisionOnInsert configuration parameter.
  If a requester is determined to be the approver of an approval step, the request is presented to the requester to be approved.

The QER | ITShop | DecisionOnInsert configuration parameter is set by default and takes effect if the No automatic approval option is not enabled in the approval step.
If the QER | ITShop | PersonInsertedNoDecide configuration parameter is set, the requester does not become an approver and cannot approve the request. In that case, the request also cannot be decided automatically.

Preventing automatic approval in individual cases

For single approval steps, you can configure exceptions to the general rule in the configuration parameters.

To prevent automatic approvals for particular approval steps
• Enable the No automatic approval option in the approval step.
  The QER | ITShop | DecisionOnInsert, QER | ITShop | ReuseDecision, and QER | ITShop | AutoDecision configuration parameters are not considered in this approval step. In each case, requests are presented to the approver of this approval step.
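How the three parameters and the step option interact across the levels of one workflow, as an added Python example. It is illustrative code, not the product's approval engine: a workflow is a list of levels with approver sets, manual decisions are supplied as a dictionary, and the approver names, requester and workflow shape are constructed. The example shows the distinction the scenarios above draw: AutoDecision only carries a decision into the directly following level, ReuseDecision reaches any later level but only for a grant, DecisionOnInsert grants a level whose approver is the requester, and a level with No automatic approval is always presented.

```python
"""Model of automatic approval across the levels of an approval workflow.

Added example, not product code. It walks a workflow level by level and
applies the three configuration parameters and the step option described
in this section: DecisionOnInsert grants a level whose approver is the
requester, AutoDecision carries an approver's decision into the directly
following levels the same approver is authorized for, ReuseDecision carries
an earlier grant (never a denial) by the same approver into any later level,
and the step's "No automatic approval" option switches all three off for
that level. The workflow, approver names and manual decisions below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Level:
    approvers: Set[str]
    no_automatic_approval: bool = False   # step option


@dataclass
class Config:
    decision_on_insert: bool = True       # set by default
    auto_decision: bool = False
    reuse_decision: bool = False


@dataclass
class LevelResult:
    level: int
    approver: Optional[str]
    granted: Optional[bool]               # None = waiting for a manual decision
    how: str                              # 'manual', 'DecisionOnInsert', ...


def run_workflow(levels: List[Level], cfg: Config, requester: str,
                 manual: Dict[int, Tuple[str, bool]]) -> List[LevelResult]:
    """Decide levels in order. manual maps a level index to the (approver,
    granted) decision a person makes when the level is presented. Stops at the
    first denial or at the first level that still needs a manual decision."""
    results: List[LevelResult] = []
    for i, lvl in enumerate(levels):
        auto: Optional[Tuple[str, bool, str]] = None
        if not lvl.no_automatic_approval:
            if cfg.decision_on_insert and requester in lvl.approvers:
                auto = (requester, True, "DecisionOnInsert")
            elif cfg.auto_decision and results:
                prev = results[-1]        # only the directly preceding level
                if prev.approver in lvl.approvers:
                    auto = (prev.approver, bool(prev.granted), "AutoDecision")
            if auto is None and cfg.reuse_decision:
                for r in results:         # any earlier level, grants only
                    if r.granted and r.approver in lvl.approvers:
                        auto = (r.approver, True, "ReuseDecision")
                        break
        if auto is not None:
            approver, granted, how = auto
        elif i in manual and manual[i][0] in lvl.approvers:
            approver, granted = manual[i]
            how = "manual"
        else:
            results.append(LevelResult(i, None, None, "pending"))
            break
        results.append(LevelResult(i, approver, granted, how))
        if not granted:
            break
    return results


def outcome(results: List[LevelResult], total_levels: int) -> str:
    """'Grant' when every level was granted, 'Deny' on a denial, else 'Pending'."""
    if results and results[-1].granted is False:
        return "Deny"
    if len(results) == total_levels and all(r.granted for r in results):
        return "Grant"
    return "Pending"


# Constructed four-level workflow: the line manager decides level 0, levels 1
# and 3 again, the application owner decides levels 1 and 2; level 3 has the
# No automatic approval option set.
WORKFLOW = [
    Level({"line-mgr"}),
    Level({"line-mgr", "app-owner"}),
    Level({"app-owner"}),
    Level({"line-mgr"}, no_automatic_approval=True),
]

if __name__ == "__main__":
    decisions = {0: ("line-mgr", True), 2: ("app-owner", True), 3: ("line-mgr", True)}
    for r in run_workflow(WORKFLOW, Config(auto_decision=True), "alice", decisions):
        print(r)
```

Level 3 is the interesting one: even with ReuseDecision set and the line manager having granted level 0, the No automatic approval option forces a manual decision there, which is the per-step override described above.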

Related topics
• Automatically approving requests on page 136
• Properties of an approval step on page 90
• Approving requests from an approver on page 134
• Finding exception approvers on page 128

Approval by peer group analysis


Using peer group analysis, approval for requests can be granted or denied automatically. For example, a peer group might be all employees in the same department. Peer group analysis assumes that these employees require the same products. So, if a company resource has already been assigned to a majority of employees in a department, a new request for this company resource is automatically approved. This helps to accelerate approval processes.
Peer groups contain all employees with the same manager or belonging to the same primary or secondary department as the request's recipient. Configuration parameters specify which employees belong to the peer group. At least one of the following configuration parameters must be set.
• QER | ITShop | PeerGroupAnalysis | IncludeManager: Employees that have the same manager as the request's recipient
• QER | ITShop | PeerGroupAnalysis | IncludePrimaryDepartment: Employees that belong to the same primary department as the request's recipient
• QER | ITShop | PeerGroupAnalysis | IncludeSecondaryDepartment: Employees whose secondary department corresponds to the primary or secondary department of the request's recipient

The proportion of employees of a peer group who must already own the company resource is set in the QER | ITShop | PeerGroupAnalysis | ApprovalThreshold configuration parameter. The threshold is the ratio of the number of employees in the peer group who already own this product to the total number of employees in the peer group.
You can also specify that employees are not allowed to request cross-functional products, which means that if the requested product and the primary department of the request recipient are from different functional areas, the request should be denied. To include this check in peer group analysis, set the QER | ITShop | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.
Requests are automatically approved for fully configured peer group analysis if both:
• The requested product is not cross-functional
• The proportion of employees in the peer group who already own this product equals or exceeds the given threshold.

If this is not the case, requests are automatically denied.

To use this functionality, One Identity Manager provides the QER_PersonWantsOrg_Peer group analysis process and the PeergroupAnalysis event. The process is run using an approval step with the EX approval procedure.

Configuring peer group analysis for requests


To configure peer groups

1. In the Designer, set the QER | ITShop | PeerGroupAnalysis configuration


parameter.
2. Set at least on of the following subparameters:
l QER | ITShop | PeerGroupAnalysis | IncludeManager: Employees who
have the same manager as the request's recipient
l QER | ITShop | PeerGroupAnalysis | IncludePrimaryDepartment:
Employees who belong to the same primary department as the request's
recipient
l QER | ITShop | PeerGroupAnalysis | IncludeSecondaryDepartment:
Employees whose secondary department corresponds to the primary or
secondary department of the request's recipient
Thus, you specify which employees belong to the peer group. You can also set two or
all of the configuration parameters.
3. To specify a threshold for the peer group, set the QER | ITShop |
PeerGroupAnalysis | ApprovalThreshold configuration parameter and specify a
value between 0 and 1.
The default value is 0.9. That means, at least 90 percent of the peer group members
must already have the requested product so that the request can be approved.
4. (Optional) To check whether the requested product is cross-functional, enable the
QER | ITShop | PeerGroupAnalysis | CheckCrossfunctionalAssignment
configuration parameter.

One Identity Manager 8.2.1 IT Shop Administration Guide


140
Approval processes for IT Shop requests
a. Assign the service items and departments to functional areas.
Only functional areas that are primary assigned service items are taken
into account.
For more information about functional areas, see the One Identity Manager
Identity Management Base Module Administration Guide.
b. Assign employees to primary departments.
5. In the Manager, create an approval workflow with at least one approval level. For the
approval step, enter at least the following data:
l Single step: EXWithPeerGroupAnalysis.
l Approval procedure: EX
l Event: PeerGroupAnalysis
The event starts the QER_PersonWantsOrg_Peer group analysis process, which runs
the QER_PeerGroupAnalysis script.
The script runs automatic approval and sets the approval step type to Grant
or Deny.
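The decision rule described above, as an added Python model that is not One Identity Manager's QER_PeerGroupAnalysis script: it builds the peer group from the three Include* subparameters, applies ApprovalThreshold, and optionally rejects cross-functional products. The employee records, product names, functional-area mapping and the exact meaning of "cross-functional" (product's primary functional area not among the recipient's department's functional areas) are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Employee:
    uid: str
    manager: Optional[str]
    primary_department: str
    secondary_departments: frozenset = frozenset()
    products: frozenset = frozenset()  # service items the employee already owns


@dataclass(frozen=True)
class PeerGroupConfig:
    # Mirrors the QER | ITShop | PeerGroupAnalysis subparameters.
    include_manager: bool = False
    include_primary_department: bool = False
    include_secondary_department: bool = False
    approval_threshold: float = 0.9  # documented default: 90 percent
    check_crossfunctional: bool = False


def peer_group(recipient, employees, cfg):
    """Employees that belong to the request recipient's peer group under cfg."""
    if not (cfg.include_manager or cfg.include_primary_department
            or cfg.include_secondary_department):
        raise ValueError("set at least one PeerGroupAnalysis | Include* subparameter")
    recipient_depts = {recipient.primary_department} | recipient.secondary_departments
    peers = set()
    for emp in employees:
        if emp.uid == recipient.uid:
            continue
        if cfg.include_manager and recipient.manager and emp.manager == recipient.manager:
            peers.add(emp)
        if cfg.include_primary_department and emp.primary_department == recipient.primary_department:
            peers.add(emp)
        # IncludeSecondaryDepartment: the peer's secondary department matches the
        # recipient's primary or secondary department.
        if cfg.include_secondary_department and emp.secondary_departments & recipient_depts:
            peers.add(emp)
    return peers


def is_crossfunctional(product, recipient, product_areas, department_areas):
    """Assumption for this example: cross-functional means the product's primary
    functional area is not one of the recipient's primary department's areas."""
    area = product_areas.get(product)
    if area is None:
        return False  # no primary functional area assigned: nothing to check
    return area not in department_areas.get(recipient.primary_department, set())


def decide(recipient, product, employees, cfg, product_areas=None, department_areas=None):
    """Return "Grant" or "Deny", the two outcomes the EX step can set."""
    if not 0.0 <= cfg.approval_threshold <= 1.0:
        raise ValueError("ApprovalThreshold must be between 0 and 1")
    if cfg.check_crossfunctional and is_crossfunctional(
            product, recipient, product_areas or {}, department_areas or {}):
        return "Deny"
    peers = peer_group(recipient, employees, cfg)
    if not peers:
        return "Deny"  # assumption: an empty peer group never reaches the threshold
    owners = sum(1 for p in peers if product in p.products)
    return "Grant" if owners / len(peers) >= cfg.approval_threshold else "Deny"


# Constructed sample data (not taken from any real system).
ALICE = Employee("alice", "mgr1", "Sales")
EMPLOYEES = [
    ALICE,
    Employee("bob", "mgr1", "Sales", products=frozenset({"VPN", "CAD"})),
    Employee("carol", "mgr1", "Sales", products=frozenset({"VPN", "CAD"})),
    Employee("dave", "mgr1", "Marketing", products=frozenset({"VPN", "CAD"})),
    Employee("erin", "mgr2", "Sales", products=frozenset({"VPN"})),
    Employee("gina", "mgr2", "Sales", secondary_departments=frozenset({"Sales"})),
]
PRODUCT_AREAS = {"CAD": "Engineering", "VPN": "Infrastructure"}
DEPARTMENT_AREAS = {"Sales": {"Sales", "Infrastructure"}, "Engineering": {"Engineering"}}


def run_examples():
    """Decisions for a few configurations, keyed by case name."""
    by_manager = PeerGroupConfig(include_manager=True)
    by_dept = PeerGroupConfig(include_primary_department=True)
    return {
        # peers bob, carol, dave: 3 of 3 own VPN -> Grant
        "manager/VPN": decide(ALICE, "VPN", EMPLOYEES, by_manager),
        # peers bob, carol, erin, gina: 3 of 4 = 0.75 < 0.9 -> Deny
        "dept/VPN": decide(ALICE, "VPN", EMPLOYEES, by_dept),
        # same peers with ApprovalThreshold lowered to 0.75 -> Grant
        "dept/VPN/0.75": decide(ALICE, "VPN", EMPLOYEES,
                                PeerGroupConfig(include_primary_department=True,
                                                approval_threshold=0.75)),
        # every manager peer owns CAD, but CAD is cross-functional for Sales -> Deny
        "manager/CAD/crossfunctional": decide(
            ALICE, "CAD", EMPLOYEES,
            PeerGroupConfig(include_manager=True, check_crossfunctional=True),
            PRODUCT_AREAS, DEPARTMENT_AREAS),
    }
```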

Detailed information about this topic
• Approval by peer group analysis on page 139

Related topics
• Approvals to be made externally on page 115
• General main data for service items on page 22

Gathering further information about a request

Approvers are able to gather additional information about a request. This ability does not,
however, replace granting or denying approval for a request. No additional
approval step is required in the approval workflow to obtain the information.
Approvers can request information in the form of a question from anybody. The request is
placed on hold for the period of the inquiry. Once the queried employee has supplied the
necessary information and the approver has made an approval decision, the request is
taken off hold. The approver can recall a pending inquiry at any time; the request is then
taken off hold. The approver's question and the employee's answer are recorded in the approval
flow and are therefore available to the approver.
NOTE: If the approver who made the query is dropped, hold status is revoked. The
queried employee no longer needs to answer, and the request procedure continues.
For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Detailed information about this topic
• Email notification: Notifications with questions on page 176

Appointing other approvers

Once an approval level in the approval workflow has been reached, approvers at this level
can appoint another employee to handle the approval. To do this, you have the options
described below:
• Rerouting approvals
The approver appoints another approval level to carry out approvals. To do this, set
up a connection to the approval level in the approval workflow to which an approval
decision can be rerouted.
• Appointing additional approvers
The approver appoints another employee to carry out the approval. The other
approver must make an approval decision in addition to the known approvers. To do
this, enable the Additional approver possible option in the approval step.
The additional approver can reject the approval and return the request to the
original approver. The original approver is informed about this by email. The original
approver can appoint another additional approver.
• Delegating approval
The approver delegates the approval to another employee. This employee is added to
the current approval step as the approver. This employee then makes the approval
decision instead of the approver who made the delegation. To do this, enable the
Approval can be delegated option in the approval step.
The current approver can reject the approval and return the request to the original
approver. The original approver can withdraw the delegation and delegate a different
employee, for example, if the other approver is not available.

Email notifications can be sent to the original approvers and the others.
For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Detailed information about this topic
• Connecting approval levels on page 95
• Editing approval levels on page 89
• Properties of an approval step on page 90

Related topics
• Notifications in the request process on page 169
• Email notification: Delegating approvals on page 175
• Email notification: Rejecting approvals on page 176
• Email notification: Using additional approvers to approve requests on page 177
• Email notification: Scheduled request for approval on page 172

Escalating an approval step

Approval steps can be automatically escalated once the specified timeout is exceeded. The
request is presented to another approval body. The request is then further processed in the
normal approval workflow.

To configure escalation of an approval step

1. Open the approval workflow in the Workflow Editor.
2. Add an additional approval level with one approval step for escalation.
3. Connect the approval step that is going to be escalated when the time period
is exceeded with the new approval step. Use the connection point for
escalation to do this.

Figure 9: Example of an approval workflow with escalation

4. Configure the behavior for the approval step to be escalated when it times out.

Table 50: Properties for escalation on timeout

Property: Timeout (minutes)
Meaning: Number of minutes to elapse after which the approval step is
automatically granted or denied approval. The input is converted into
working hours and displayed additionally.
The working hours of the respective approver are taken into account
when the time is calculated.
NOTE: Ensure that a state, county, or both is entered into the
employee's main data for determining the correct working hours. If
this information is missing, a fallback is used to calculate the
working hours. For more information about calculating employees'
working hours, see the One Identity Manager Identity Management
Base Module Administration Guide.
TIP: Weekends and public holidays are taken into account when
working hours are calculated. If you want weekends and public
holidays to be dealt with in the same way as working days, set the
QBM | WorkingHours | IgnoreHoliday or QBM |
WorkingHours | IgnoreWeekend configuration parameter. For
more information about this, see the One Identity Manager
Configuration Guide.
If more than one approver was found, then an approval decision for
the approval step is not automatically made until the timeout for all
approvers has been exceeded. The same applies if an additional
approver has been assigned.
If an approver delegated approval, the time point for automatic
approval is recalculated for the new approver. If this approval is
rejected, the time point for automatic approval is recalculated for the
original approver.
If an approver is queried, the approval decision must be made within
the defined timeout anyway. The time point for automatic approval is
not recalculated.
If additional approvers are determined by recalculating the current
approvers, then the automatic approval deadline is not extended. The
additional approvers must approve within the time frame that applies
to the current approver.

Property: Timeout behavior
Meaning: Action that is run if the timeout expires.
• Escalation: The request process is escalated. The escalation
approval level is called.

5. (Optional) If the approval step still needs to be escalated but no approver can be
found and no fallback approver is assigned, set the Escalate if no approver
found option.
In this case, the request is escalated instead of being canceled or passed to the chief
approval team.

In the event of an escalation, email notifications can be sent to the new approvers and
requesters.

Related topics
• Email notification: Requesting approval on page 170
• Email notification: Escalating requests on page 175

Approvers cannot be established

You can specify a fallback approver if requests cannot be approved because no approvers
are available. A request is then always assigned to the fallback approver for approval if no
approver can be found in an approval step in the specified approval procedure.
To specify fallback approvers, define application roles and assign these to an approval step.
Different approval groups in the approval steps may also require different fallback
approvers. Specify different application roles for this, to which you can assign employees
who can be determined as fallback approvers in the approval process. For more
information, see the One Identity Manager Authorization and Authentication Guide.

To specify fallback approvers for an approval step

• Enter the following data for the approval step.

Table 51: Approval step properties for fallback approvers

Property: Fallback approver
Meaning: Application role whose members are authorized to approve requests if
an approver cannot be determined through the approval procedure.
Assign an application role from the menu.
To create a new application role, click . Enter the application role
name and assign a parent application role. For detailed information,
see the One Identity Manager Authorization and Authentication
Guide.
NOTE: The number of approvers is not applied to the fallback
approvers. The approval step is considered approved as soon as one
fallback approver has approved the request.

Request sequence with fallback approvers

1. No approver can be found for an approval step in an approval process. The request is
assigned to all members of the fallback approver application role.
2. Once a fallback approver has approved a request, it is presented to the approvers at
the next approval level.
NOTE: In the approval step, you can specify how many approvers must make a
decision on this approval step. This limit is NOT valid for the chief approval team.
The approval step is considered to be approved as soon as ONE fallback approver
3. The request is canceled if no fallback approver can be found.

Fallback approvers can make approval decisions on requests for all manual approval steps.
Fallback approvals are not permitted for approval steps using the CR, SB, CD, EX, and WC
approval procedures or the OC and OH approval procedures.

Related topics
• Editing approval levels on page 89
• Selecting responsible approvers on page 100
• Approval by the chief approval team on page 149
• Escalating an approval step on page 143

Automatic approval on timeout

Requests can be automatically granted or denied approval once a specified time period
has expired.

To configure automatic approval if the timeout expires

• Enter the following data for the approval step.
  • Timeout (minutes):
  Number of minutes to elapse after which the approval step is automatically
  granted or denied approval. The input is converted into working hours and
  displayed additionally.
  The working hours of the respective approver are taken into account when the
  time is calculated.
  NOTE: Ensure that a state, county, or both is entered into the employee's
  main data for determining the correct working hours. If this information is
  missing, a fallback is used to calculate the working hours. For more
  information about calculating employees' working hours, see the One
  Identity Manager Identity Management Base Module Administration Guide.
  TIP: Weekends and public holidays are taken into account when working
  hours are calculated. If you want weekends and public holidays to be dealt
  with in the same way as working days, set the QBM | WorkingHours |
  IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend
  configuration parameter. For more information about this, see the One
  Identity Manager Configuration Guide.
  If more than one approver was found, then an approval decision for the
  approval step is not automatically made until the timeout for all approvers has
  been exceeded. The same applies if an additional approver has been assigned.
  If an approver delegated approval, the time point for automatic approval is
  recalculated for the new approver. If this approval is rejected, the time point
  for automatic approval is recalculated for the original approver.
  If an approver is queried, the approval decision must be made within the
  defined timeout anyway. The time point for automatic approval is not
  recalculated.
  If additional approvers are determined by recalculating the current approvers,
  then the automatic approval deadline is not extended. The additional approvers
  must approve within the time frame that applies to the current approver.
  • Timeout behavior:
  Action that runs if the timeout expires.
    • Approved: The request is approved in this approval step. The next
    approval level is called.
    • Deny: The request is denied in this approval step. The approval level for
    denying is called.

If a request is decided automatically, the requester can be notified by email.

Related topics
• Email notification: Approving or denying request approval on page 173
• Editing approval levels on page 89

Halting a request on timeout

Requests can be automatically halted once a specified time period has been exceeded.
Halting is triggered when either a single approval step or the entire approval process has
exceeded its timeout.

To configure halting after the timeout of a single approval step has been exceeded

• Enter the following data for the approval step.
  • Timeout (minutes):
  Number of minutes to elapse after which the approval step is automatically
  granted or denied approval. The input is converted into working hours and
  displayed additionally.
  The working hours of the respective approver are taken into account when the
  time is calculated.
  NOTE: Ensure that a state, county, or both is entered into the employee's
  main data for determining the correct working hours. If this information is
  missing, a fallback is used to calculate the working hours. For more
  information about calculating employees' working hours, see the One
  Identity Manager Identity Management Base Module Administration Guide.
  TIP: Weekends and public holidays are taken into account when working
  hours are calculated. If you want weekends and public holidays to be dealt
  with in the same way as working days, set the QBM | WorkingHours |
  IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend
  configuration parameter. For more information about this, see the One
  Identity Manager Configuration Guide.
  If more than one approver was found, then an approval decision for the
  approval step is not automatically made until the timeout for all approvers has
  been exceeded. The same applies if an additional approver has been assigned.
  If an approver delegated approval, the time point for automatic approval is
  recalculated for the new approver. If this approval is rejected, the time point
  for automatic approval is recalculated for the original approver.
  If an approver is queried, the approval decision must be made within the
  defined timeout anyway. The time point for automatic approval is not
  recalculated.
  If additional approvers are determined by recalculating the current approvers,
  then the automatic approval deadline is not extended. The additional approvers
  must approve within the time frame that applies to the current approver.
  • Timeout behavior:
  Action that runs if the timeout expires.
    • Cancel: The approval step, and therefore the entire approval process for
    the request, is canceled.

To configure halting on timeout for the entire approval process

• Enter the following data for the approval workflow.
  • System halt (days):
  Number of days to elapse after which the approval workflow, and therefore the
  system, automatically halts the entire approval process.

If a request is halted, the requester can be notified by email.
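The timeout rules that the escalation, automatic approval, and halting sections all state (one time point per approver, all must expire; delegation and rejected delegation recalculate; a query does not; approvers found by recalculation inherit the current deadline), as an added Python model that is not One Identity Manager's own code. It assumes plain calendar minutes instead of the product's working-hours conversion, and the approver names and start time are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Timeout behaviors named in the guide: Escalation (escalating an approval step),
# Approved / Deny (automatic approval on timeout) and Cancel (halting on timeout).
ESCALATION, APPROVED, DENY, CANCEL = "Escalation", "Approved", "Deny", "Cancel"

# Constructed starting point for the scenarios below.
T0 = datetime(2024, 1, 8, 9, 0)


def minutes(n):
    return timedelta(minutes=n)


@dataclass
class ApprovalStep:
    timeout_minutes: int
    timeout_behavior: str
    # approver uid -> time point at which that approver's timeout expires
    deadlines: dict = field(default_factory=dict)
    # delegate uid -> original approver, so a rejected delegation can be undone
    delegated_from: dict = field(default_factory=dict)
    on_hold: bool = False

    def _expiry(self, now):
        # Assumption: plain calendar minutes. The product converts the input into
        # the approver's working hours (state/county, IgnoreHoliday, IgnoreWeekend),
        # which this example does not model.
        return now + minutes(self.timeout_minutes)

    def start(self, now, approver_uids):
        """Approvers determined for the step; each gets their own time point."""
        for uid in approver_uids:
            self.deadlines[uid] = self._expiry(now)

    def add_additional_approver(self, now, uid):
        """An appointed additional approver gets a time point of their own;
        evaluate() then waits for that one as well."""
        self.deadlines[uid] = self._expiry(now)

    def delegate(self, now, from_uid, to_uid):
        """Delegation: the time point is recalculated for the new approver."""
        del self.deadlines[from_uid]
        self.deadlines[to_uid] = self._expiry(now)
        self.delegated_from[to_uid] = from_uid

    def reject_delegation(self, now, to_uid):
        """Rejected delegation: recalculated for the original approver."""
        original = self.delegated_from.pop(to_uid)
        del self.deadlines[to_uid]
        self.deadlines[original] = self._expiry(now)

    def query(self, uid):
        """An inquiry puts the request on hold; the time point stays unchanged."""
        if uid not in self.deadlines:
            raise KeyError(uid)
        self.on_hold = True

    def recalculate_approvers(self, of_uid, found_uids):
        """Additional approvers found by recalculating the current approver
        inherit that approver's deadline; the deadline is not extended."""
        for uid in found_uids:
            self.deadlines.setdefault(uid, self.deadlines[of_uid])

    def evaluate(self, now):
        """Return the timeout behavior once every approver's timeout has expired,
        otherwise None. Hold status does not stop the timeout."""
        if self.deadlines and all(now >= d for d in self.deadlines.values()):
            return self.timeout_behavior
        return None


def delegation_scenario():
    """Worked sequence: two approvers, one delegates, the delegate rejects."""
    step = ApprovalStep(60, ESCALATION)
    step.start(T0, ["anna", "ben"])                    # both expire at T0 + 60
    step.delegate(T0 + minutes(30), "ben", "cara")     # cara's deadline: T0 + 90
    at_60 = step.evaluate(T0 + minutes(60))            # anna expired, cara not: None
    step.reject_delegation(T0 + minutes(70), "cara")   # ben back, deadline T0 + 130
    at_90 = step.evaluate(T0 + minutes(90))            # ben still open: None
    at_130 = step.evaluate(T0 + minutes(130))          # everyone expired: Escalation
    return at_60, at_90, at_130
```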

Related topics
• Email notification: Canceling requests on page 175
• Editing approval levels on page 89
• Setting up approval workflows on page 88

Approval by the chief approval team

Sometimes, approval decisions cannot be made for requests because the approver is not
available or does not have access to One Identity Manager tools. To complete these
requests, you can define a chief approval team whose members are authorized to intervene
in the approval process at any time.
The chief approval team is authorized to approve, deny, or cancel requests in special cases
or to authorize other approvers.
IMPORTANT:
• The four-eye principle can be violated in this way because chief approval team
members can make approval decisions for requests at any time. Specify, on a
custom basis, in which special cases the chief approval team may intervene in the
approval process.
• The chief approval team members may always approve their own requests. The
settings for the QER | ITShop | PersonInsertedNoDecide and QER | ITShop
| PersonOrderedNoDecide configuration parameters do not apply to the chief
approval team.
• Approvals made by the chief approval team are not automatically transferred to
other approval levels. Settings for the QER | ITShop | DecisionOnInsert, QER |
ITShop | AutoDecision and QER | ITShop | ReuseDecision configuration
parameters do not apply to the chief approval team.
• In the approval step, you can specify how many approvers must make a decision
on this approval step.
  • If an approval decision is made by the chief approval team, it overrides the
  approval decision of just one regular approver. This means that if three
  approvers must approve an approval step and the chief approval team makes
  a decision, two more are still required.
  • The number of approvers is not taken into account if the request is assigned
  to fallback approvers. The chief approval team can also approve in this case.
  The approval decision is considered to be made as soon as one member of
  the chief approval team has made an approval decision about the request.
• If a regular approver has added an additional approver, the chief approval team
can approve for both the regular and the additional approvers. If both approvals
are pending, a chief approver first replaces the regular approver's approval only.
Only a second approval of the chief approval team can replace the approval of the
additional approver.

The chief approval team can approve requests for all manual approval steps. The
following applies:
• Chief approval team decisions are not permitted for approval steps using the CR, SB,
CD, EX, and WC approval procedures or the OC and OH procedures.
• If a member of the chief approval team is identified as a regular approver for an
approval step, they can only make an approval decision for this step as a regular
approver.
• The chief approval team can also make an approval decision if a regular approver has
submitted a query and the request is in hold status.

To add members to the chief approval team

1. In the Manager, select the IT Shop > Basic configuration data > Chief
approval team category.
2. Select the Assign employees task.
In the Add assignments pane, assign the employees who are authorized to approve
all requests.
TIP: In the Remove assignments pane, you can remove the assignment of
employees.

To remove an assignment
• Select the employee and double-click .
3. Save the changes.

Related topics
• Chief approval team on page 202
• Escalating an approval step on page 143

Approving requests with terms of use

Terms of use that explain the conditions of use for a product can be stored for individual
service items (for example, software license conditions). When someone requests this
product, the requester and the request recipient must accept the terms of use before the
request can be finalized.
In order for the request recipient to accept the terms of use, the request must be assigned
to the request recipient in the approval process. Set up an approval workflow for such
requests that contains a BR approval step and enable the No automatic approval option
for this approval step. One Identity Manager provides a default approval procedure and a
Terms of Use acknowledgment for third-party orders (sample) default approval
policy that you can use for this. Using the default approval workflow as a basis, create
your own approval workflow that returns the request to the request recipient and
determines the approver after the terms of use have been accepted. Use the BR approval
procedure to do this.

To create an approval workflow for requests with terms of use

1. In the Manager, select the IT Shop > Basic configuration data > Approval
workflows > Predefined category.
2. In the result list, select the Terms of Use acknowledgment for third-party
orders (sample) approval workflow and run the Change main data task.
3. Select the Copy workflow task.
4. Enter a name for the copy and click OK.
5. Edit the copy. Modify the approval workflow to suit your requirements.
6. Create an approval policy and assign it to the approval workflow.
7. Assign the service items that have terms of use to the approval policy.

Detailed information about this topic
• Setting up approval workflows on page 88
• Approval policies for requests on page 81
• General main data for service items on page 22
• Adding to the IT Shop on page 84

Using default approval processes

By default, One Identity Manager supplies approval policies and approval workflows. These
are used in the approval processes of the Identity & Access Lifecycle shop.

Table 52: Default approval policies and workflows in the Identity & Access
Lifecycle shop

Approval policy/workflow: Compliance checking simplified
Description: Compliance checking and exception approval for all products on the shelf that
do not have their own approval policy assigned to them. For more information, see Testing
requests for rule compliance on page 125.
Shelf | Product: Identity Lifecycle

Approval policy/workflow: Self-service
Description: Assignment requests and delegations are automatically approved by default.
For more information, see Standard products for assignment requests on page 57.
Shelf | Product: Identity Lifecycle | Delegation; Identity Lifecycle | Business role
entitlement assignment; Identity Lifecycle | Business role membership

Approval policy/workflow: Self-service
Description: Automatic approval for all products on the shelf that do not have their own
approval policy assigned to them. For more information, see Self-service on page 105.
Shelf | Product: Group Lifecycle

Approval policy/workflow: Terms of Use acknowledgment for third-party orders (sample)
Description: Copy template for requests with terms of use. For more information, see
Approving requests with terms of use on page 150.
Shelf | Product: (none)

Approval policy/workflow: Challenge loss of role membership
Description: Limited period assignment requests for role memberships are automatically
granted approval. For more information, see Requests with limited validity period for
changed role memberships on page 190.
Shelf | Product: Identity Lifecycle | Challenge loss of role membership

Approval policy/workflow: New manager assignment
Description: Requesting a change of manager must be approved by the new manager. For
more information, see Requesting change of manager for an employee on page 166.
Shelf | Product: Identity Lifecycle | New manager assignment

Approval policy/workflow: Approval of Active Directory group create requests
Description: New Active Directory group requests must be approved by the target system
manager. The groups are added in One Identity Manager and published in the target
system. For detailed information, see the One Identity Manager Administration Guide for
Connecting to Active Directory.
Shelf | Product: Group Lifecycle | New Active Directory security group; Group Lifecycle |
New Active Directory distribution group

Approval policy/workflow: Approval of Active Directory group change requests
Description: Changes to group type and range of Active Directory groups must be approved
by the target system manager. For detailed information, see the One Identity Manager
Administration Guide for Connecting to Active Directory.
Shelf | Product: Group Lifecycle | Modify Active Directory group

Approval policy/workflow: Approval of Active Directory group deletion requests
Description: Deleting an Active Directory group must be approved by the target system
manager. For detailed information, see the One Identity Manager Administration Guide for
Connecting to Active Directory.
Shelf | Product: Group Lifecycle | Delete Active Directory group

Approval policy/workflow: Approval of SharePoint group create requests
Description: New SharePoint group requests must be approved by the target system
manager. The groups are added in One Identity Manager and published in the target
system. For detailed information, see the One Identity Manager Administration Guide for
Connecting to SharePoint.
Shelf | Product: Group Lifecycle | New SharePoint group

Approval policy/workflow: Approval of Active Directory group membership requests;
Approval of Active Directory group membership requests II; Approval of group membership
requests
Description: Product owners and target system managers can request members for groups
in these shelves. For detailed information, see the One Identity Manager Administration
Guide for Connecting to SharePoint.
Shelf | Product: Active Directory groups; Active Directory groups; SharePoint groups

Approval policy/workflow: Approval of system entitlement removal requests
Description: This approval policy can be used to configure automatic deletion of
memberships in Active Directory groups.
Shelf | Product: Approval of system entitlement removal requests

Approval policy/workflow: Approval of privileged access requests
Description: Requests for access must be approved by the owner of the privileged object.
To make an access request, additional system prerequisites must be met by the Privileged
Account Management system. For more information about PAM access requests, see the
One Identity Manager Administration Guide for Privileged Account Governance.
Shelf | Product: Privileged access | Password request; Privileged access | SSH session
request; Privileged access | Remote desktop session request; Privileged access | Telnet
session request

3 Request sequence

Shop customers can request, renew, and unsubscribe products as soon as an IT Shop
solution is set up. Use the Web Portal to do this. Furthermore, requests and cancellations
are approved in the Web Portal. You can display an overview of your own pending and closed
requests. You can also find an overview of pending and closed requests in the Manager.
The status of pending requests is checked regularly by the DBQueue Processor. The review
is started by the IT Shop check schedule.
Requests can have a limited time period, which means the requested product assignment is
only valid within the validity period.

General request sequence

1. A customer places a request in the Web Portal for:
a. A product.
- OR -
b. Membership of a hierarchical role.
- OR -
c. The assignment of a company resource to a hierarchical role.
2. The request goes through the assigned approval process.
3. If the request has been granted approval and the Valid from date has been reached:
a. The product is assigned to the customer. The company resource associated
with the product is assigned indirectly to the customer.
- OR -
b. The customer becomes a secondary member of the hierarchical role.
- OR -
c. The company resource is assigned to the hierarchical role.
The request has the Assigned status (PersonWantsOrg.OrderState =
'Assigned').
The product/membership/assignment remains until it is canceled.

Requests and the resulting assignments are displayed in the following table:

Requests: PersonWantsOrg
Product assignments: PersonInITShopOrg
Company resource assignments: For example, PersonHasQERResource, ADSAccountInADSGroup
Hierarchical role assignments: For example, PersonInDepartment
Hierarchical role assignments: For example, DepartmentHasADSGroup

General cancellation sequence

1. A customer cancels a product/membership/assignment in the Web Portal.
- OR -
A requested product/requested membership/requested assignment is automatically
unsubscribed.
2. The cancellation goes through the assigned approval process.
3. If cancellation was granted approval and the expiry date has been reached:
a. The product's assignment is removed. The assignment of the associated
company resource is also removed.
- OR -
b. The customer's membership of the hierarchical role is removed.
- OR -
c. The company resource's assignment to the hierarchical role is removed.
The request has the Unsubscribed status (PersonWantsOrg.OrderState =
'Unsubscribed').

If a customer is removed from a shop, existing requests for this customer are closed. The
products are unsubscribed and assignments are removed. If the customer changes to another
shop, the product requests can be retained under certain circumstances. If the request is an
assignment request, it can also be retained under certain circumstances, even if the
requester is no longer a customer in the shop.
For more information about requesting products, see the One Identity Manager Web
Designer Web Portal User Guide.

Related topics
• Examples of request results on page 258
• Requests with limited validity period on page 160
• Relocating a customer or product to another shop on page 164
• Removing customers from a shop on page 62
• Determining the responsible approvers on page 122

The request overview

To obtain an overview of all pending and closed requests

1. In the Manager, select the IT Shop | Requests | <filter> category.
2. Select a request procedure in the result list.
3. Select the Request overview task.

Displaying request details

To obtain detailed information about a request

1. In the Manager, select the IT Shop | Requests | <filter> category.
2. Select a request procedure in the result list.
3. Select the Request details task.

This shows you the request data and the status of the request.

Displaying the approval sequence

For pending requests, you can see the current status of the approval process. The approval
sequence is shown as soon as the DBQueue Processor has determined the approvers for
the first approval step. In the approval workflow, you can view the approval sequence, the
results of each approval step, and the approvers found. If the approval procedure could not
find an approver, the request is canceled by the system.

To display the approval sequence of a pending request

1. In the Manager, select the IT Shop > Requests > Pending requests >
<filter> category.
2. Select a request procedure in the result list.
3. Select the Approval sequence task.

Each approval level of an approval workflow is represented by a special control. The
approvers responsible for a particular approval step are shown in a tooltip. Pending
attestation questions are also shown in tooltips. These elements are shown in color, the
color code reflecting the current status of the approval level.

Table 53: Meaning of the colors in an approval sequence (in order of decreasing importance)

Blue: This approval level is currently being processed.
Green: This approval level has been granted approval.
Red: This approval level has been denied approval.
Yellow: This approval level has been deferred due to a question.
Gray: This approval level has not (yet) been reached.

Displaying the approval history

The approval history displays each step of the request process. Here you can follow all the approvals in the approval process in chronological sequence. The approval history is displayed for both pending and closed requests.

To view the approval history for a request

1. In the Manager, select the IT Shop | Requests | <filter> category.
2. Select a request procedure in the result list.
3. Select the Approval history task.

These elements are shown in color, the color code reflecting the status of the approval steps.

Table 54: Meaning of colors in the approval history

Color    Meaning

Yellow   Request triggered.

Green    Approver has granted approval.

Red      Approver has denied approval.
         Request has been escalated.
         Approver has recalled the approval decision.

Gray     Product has been canceled.
         Request has been canceled.
         Request has been assigned to an additional approver.
         Additional approver has withdrawn the approval decision.
         Approval has been delegated.
         New approver has withdrawn the delegation.
         Request has been transferred to another shop.
         Request recipient has been changed.
         Request has been converted into a direct assignment.

Purple   Request renewed.

Orange   Approver has a query.
         The query has been answered.
         Query was canceled due to change of approver.

Blue     Approver has rerouted approval.
         The approval step was reset automatically.

Requesting products more than once

The IT Shop distinguishes between products that can be requested once and products that can be requested multiple times. Single-request products are, for example, software, system roles, or Active Directory groups. These products cannot be requested again if they have already been requested for the same time period.
An employee may, however, need several units of one type of company resource, for example, consumables. Company resources such as these are mapped in One Identity Manager as Multi-request resources or Multi requestable/unsubscribable resources.

Request sequence of multi-request resources

1. A customer requests a multi-request resource in the Web Portal.
2. The request goes through the appropriate approval process and is approved.
   The request is only saved in the PersonWantsOrg table. No entry is created in the PersonInITShopOrg table.
3. The request is closed immediately by the system and is given the Unsubscribed status (PersonWantsOrg.OrderState = 'Unsubscribed').
   The customer cannot unsubscribe the resource themselves.

Request sequence of multi requestable/unsubscribable resources

1. A customer requests a multi requestable/unsubscribable resource in the Web Portal.
2. The request goes through the appropriate approval process and is approved.
   The request is only saved in the PersonWantsOrg table. No entry is created in the PersonInITShopOrg table.
3. The request is given the Assigned status (PersonWantsOrg.OrderState = 'Assigned').
   The customer can unsubscribe the resource in the Web Portal.

TIP: To start a specific action when a multi-request resource is approved, you can implement a customer-specific process with the PersonWantsOrg root object that is triggered by the OrderGranted event. For more information about defining processes, see the One Identity Manager Configuration Guide.

Related topics
l Multi-request resources on page 19
l Examples of request results on page 258

Requests with limited validity period

Customers keep their requested products on the shelf until they themselves unsubscribe from them. Sometimes, however, products are only required for a certain length of time and can be canceled automatically after this time. Products that are intended to have a limited shelf life need to be labeled with a validity period. For more information, see Products for requests with time restrictions on page 46.
When a product with a limited request period is requested, One Identity Manager calculates the date and time at which the product is automatically unsubscribed (the Valid until date, or expiry date, of the request) from the current date and the validity period specified in the service item. This deadline can be adjusted when the request is made.
As soon as a request has been approved by all approvers, the expiry date is recalculated from the approval date and the validity period. This ensures that the validity period counts from the day of assignment, not from the day of the request.
A Valid from date can also be entered at the time of the request. This specifies the date on which the assignment starts to apply. If this date is given, the expiry date is calculated from the Valid from date and the validity period. If the validity period has already run out by the time approval is granted, the request can no longer be approved: the request is canceled and an error message is displayed.
Unsubscriptions can also carry a validity period; this sets a deadline for the unsubscription of a request that would otherwise be unlimited. Use this method to change the expiry date of requests with a validity period. Once the unsubscription has been approved, its validity period becomes the new expiry date of the request. The request cannot be extended beyond this validity period.

Multiple requests for a product with limited validity period

If a customer has requested a product with a limited validity period, the validity period must be checked in subsequent requests for this product by the same customer. If the check fails, the request is not permitted. By default, new requests are permitted if they fall in a time period that is not covered by another pending request. You can, however, configure One Identity Manager so that the validity periods of different requests are not allowed to overlap. The desired behavior is defined over configuration parameters. For more information, see Checking request validity periods on page 162.

Related topics
l Renewing requests on page 161
l Canceling or unsubscribing requests on page 162

Renewing requests
The request recipient receives a message before the expiry date is reached and has the option to extend the validity period. For more information, see Sequence for limited requests on page 172. The request is canceled once the expiry date has been reached.
If the customer renews a request, the extension (like the original request) needs to be approved through an approval process. The renewal workflow stored with the approval policy is used for this purpose. If the extension is denied, the original request runs out on the given date. Renewals can be limited in the same way. If no Valid until date was specified at the time of the renewal, the renewal's expiry date is calculated from the date of the renewal's approval and the validity period of the product.
A limited request might run through the following sequence:

Service item validity period: 90 days

Requested on:   1/2/2017     Valid until:            4/1/2017 11:59 PM
Approved on:    1/5/2017     Valid until:            4/5/2017 11:59 PM
Renewed until:  3/31/2017    Renewal valid until:    4/30/2017 12:00 PM
Approved on:    4/2/2017     Valid until:            4/30/2017 12:00 PM
Canceled on:    4/10/2017    Unsubscribed as from:   4/14/2017 11:59 PM
Approved on:    4/11/2017    Valid until:            4/11/2017 11:59 PM

NOTE: Times shown in the One Identity Manager tools, for example, the Web Portal, are in the user's local time. The expiry check itself compares against UTC.

Related topics
l Requests with limited validity period on page 160
l Canceling or unsubscribing requests on page 162

Canceling or unsubscribing requests
A scheduled One Identity Manager task run by the DBQueue Processor checks whether a request's expiry date has passed, comparing it against the current UTC time. If the expiry date has passed, the request is canceled and the resulting assignments are removed. You can configure this behavior.
If required, temporary requests can be unsubscribed instead of canceled. In this case, when the expiry date has passed, the unsubscription workflow stored with the approval policy is run. The unsubscription must be approved; only then is the assignment permanently removed. If another request for the product exists, for example, with the status Pending, the expired request is canceled and replaced by the pending request.

To unsubscribe temporary requests on expiry

l In the Designer, set the QER | ITShop | ExceededValidUntilUnsubscribe configuration parameter.

If the configuration parameter is set, expired requests with the status Assigned or Renewal are unsubscribed. The unsubscription workflow entered in the approval policy runs only if no other request for the product exists that now takes effect. Once the unsubscription is approved, the assignment is removed. Expired requests with the status Approved, Pending, or Request are canceled.
NOTE: If the unsubscription is denied, the approver must enter a new Valid until date. Otherwise, the request is given the Assigned status and the unsubscription workflow runs again.
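The following Python model is an added illustration, not code from One Identity Manager, and replays the rules from Requests with limited validity period, Renewing requests, and this section: the expiry date is calculated at request time and recalculated on final approval (from Valid from, if one was given), a period that has already run out at approval cancels the request, a renewal's expiry is calculated from the renewal's approval date unless a Valid until was given, and the scheduled expiry check either cancels the request or, for Assigned/Renewal requests with QER | ITShop | ExceededValidUntilUnsubscribe set and no other request for the product, starts the unsubscription workflow. The Request dataclass, the function names, and the plain "reference date + validity period" arithmetic are assumptions made for the example; the end-of-day rounding visible in the guide's sample table is not reproduced.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# PersonWantsOrg.OrderState values the guide refers to
PENDING, APPROVED, ASSIGNED, RENEWAL, CANCELED = (
    "Pending", "Approved", "Assigned", "Renewal", "Canceled")

UTC = timezone.utc


def utc(year: int, month: int, day: int) -> datetime:
    """Helper: midnight UTC of the given day (the expiry check works in UTC)."""
    return datetime(year, month, day, tzinfo=UTC)


@dataclass
class Request:
    validity_days: int                      # validity period of the service item
    valid_from: Optional[datetime] = None   # optional start date given at request time
    valid_until: Optional[datetime] = None  # expiry date of the request
    state: str = PENDING
    error: Optional[str] = None


def expiry(reference: datetime, validity_days: int) -> datetime:
    # Assumption for this model: expiry = reference date + validity period
    return reference + timedelta(days=validity_days)


def submit(validity_days: int, requested_on: datetime,
           valid_from: Optional[datetime] = None,
           valid_until: Optional[datetime] = None) -> Request:
    """Request time: the expiry date is provisionally calculated from the request
    date (or from Valid from) and the validity period; the requester may adjust it."""
    req = Request(validity_days=validity_days, valid_from=valid_from)
    req.valid_until = valid_until or expiry(valid_from or requested_on, validity_days)
    return req


def approve(req: Request, approved_on: datetime) -> Request:
    """Approval by all approvers: the expiry date is recalculated so that the
    validity period counts from the day of assignment (or from Valid from).
    If that period has already run out, the request is canceled with an error."""
    req.valid_until = expiry(req.valid_from or approved_on, req.validity_days)
    if req.valid_until <= approved_on:
        req.state, req.error = CANCELED, "validity period already expired at approval"
    else:
        req.state = ASSIGNED
    return req


def approve_renewal(req: Request, approved_on: datetime,
                    valid_until: Optional[datetime] = None) -> Request:
    """Renewal approved: the new expiry date is the Valid until given with the
    renewal, otherwise the renewal's approval date plus the validity period."""
    req.valid_until = valid_until or expiry(approved_on, req.validity_days)
    req.state = ASSIGNED
    return req


def expiry_check(req: Request, now_utc: datetime,
                 exceeded_valid_until_unsubscribe: bool,
                 other_request_exists: bool = False) -> str:
    """Scheduled DBQueue Processor check against current UTC time. Returns the
    action taken: 'none' while the request is still valid, 'unsubscribe' when the
    unsubscription workflow is started, 'cancel' when the request is canceled."""
    if req.valid_until is None or now_utc < req.valid_until:
        return "none"
    if (exceeded_valid_until_unsubscribe
            and req.state in (ASSIGNED, RENEWAL)
            and not other_request_exists):
        return "unsubscribe"
    # Expired Approved/Pending requests, and an expired assignment that is replaced
    # by another request for the product, are canceled and the assignment removed.
    return "cancel"


if __name__ == "__main__":
    # Constructed sample: 90-day service item, requested 2 Jan, approved 5 Jan
    r = submit(90, utc(2017, 1, 2))
    approve(r, utc(2017, 1, 5))
    print(r.state, r.valid_until.date())              # Assigned 2017-04-05
    print(expiry_check(r, utc(2017, 4, 6), True))     # unsubscribe
```

Note the two security-relevant edges the model makes explicit: an approval that arrives after a Valid from-based period has already ended never results in an assignment, and with the configuration parameter unset an expired assignment is removed without any further approval.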

Related topics
l Requests with limited validity period on page 160
l Renewing requests on page 161

Checking request validity periods

If a customer has requested a product with a limited validity period, the validity period must be checked in subsequent requests for this product by the same customer. If the check fails, the request is not permitted. By default, new requests are permitted if they fall in a time period that is not covered by another pending request. You can, however, configure One Identity Manager so that the validity periods of different requests are not allowed to overlap. The desired behavior is defined over configuration parameters, which are set by default. The check takes into account all requests of the same product for the same request recipient, even if the product comes from different shelves.

To define differing behavior
l In the Designer, enable the desired option for the QER | ITShop | GapBehavior | GapDefinition and QER | ITShop | GapBehavior | GapFitting configuration parameters.

Table 55: Effect of the QER | ITShop | GapBehavior | GapDefinition configuration parameter

Option   Description

0        Only pending requests are taken into account by the check. (default)
1        Only approved requests are taken into account by the check.
2        Only assigned requests are taken into account by the check.

Table 56: Effect of the QER | ITShop | GapBehavior | GapFitting configuration parameter

Option   Description

0        Validity periods can overlap. (default)
         A new request is accepted if its validity period fits into at least one free time slot between two existing requests.
1        Validity periods cannot overlap.
         A new request is accepted only if its validity period fits exactly into a free time slot between two existing requests.
2        The validity period is not checked.
         A request is accepted even if there is already a request for the same validity period.

If the configuration parameters are disabled, One Identity Manager behaves as in option 0.

Figure 10: Example of possible validity period for GapDefinition = 0 and GapFitting = 0

Figure 11: Example of possible validity period for GapDefinition = 1 and GapFitting = 1
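To make the interplay of the two parameters concrete, the following Python model is an added example, not code from One Identity Manager. It takes the other requests of the same product for the same recipient (from any shelf) as (Valid from, Valid until, OrderState) tuples, filters them by GapDefinition, and applies GapFitting to a new request. The reading of option 0 as "the new period must not lie entirely inside time that is already covered" is the example's own interpretation of the table above; the function names and the inclusive date intervals are assumptions.

```python
from datetime import date, timedelta
from typing import Iterable, List, Tuple

Interval = Tuple[date, date]            # (Valid from, Valid until), both inclusive

# Requests the check looks at, selected by QER | ITShop | GapBehavior | GapDefinition
GAP_DEFINITION_STATES = {0: {"Pending"}, 1: {"Approved"}, 2: {"Assigned"}}


def overlaps(a: Interval, b: Interval) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def merge(intervals: Iterable[Interval]) -> List[Interval]:
    """Merge overlapping or directly adjacent periods into the blocks of time that
    are already covered, so that the free slots between them become visible."""
    merged: List[Interval] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def is_request_allowed(new: Interval,
                       existing: Iterable[Tuple[date, date, str]],
                       gap_definition: int = 0,
                       gap_fitting: int = 0) -> bool:
    """existing: (Valid from, Valid until, OrderState) of the other requests for
    the same product and the same recipient, regardless of shelf."""
    if gap_fitting == 2:                     # validity period is not checked at all
        return True
    # disabled or unknown parameter values behave like option 0
    states = GAP_DEFINITION_STATES.get(gap_definition, GAP_DEFINITION_STATES[0])
    covered = merge((s, e) for s, e, state in existing if state in states)
    if gap_fitting == 1:                     # periods may not overlap at all
        return not any(overlaps(new, block) for block in covered)
    # gap_fitting == 0 (default): overlap is tolerated, but the new period must
    # reach into at least one free slot, i.e. not lie entirely inside covered time
    return not any(block[0] <= new[0] and new[1] <= block[1] for block in covered)


if __name__ == "__main__":
    # Constructed sample: one pending request Jan-Mar, one assigned request in May
    existing = [(date(2017, 1, 1), date(2017, 3, 31), "Pending"),
                (date(2017, 5, 1), date(2017, 5, 31), "Assigned")]
    new = (date(2017, 3, 15), date(2017, 4, 15))
    print(is_request_allowed(new, existing))                  # True  (default: overlap tolerated)
    print(is_request_allowed(new, existing, gap_fitting=1))   # False (overlaps March)
```

The practical check this exposes: with the default GapDefinition = 0 only pending requests count, so an already assigned entitlement does not block a second, overlapping request for the same product; if that is not what you want, switch GapDefinition to 2 and GapFitting to 1.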

Related topics
l Request statuses on page 256

Relocating a customer or product to another shop
If a customer requests a product from a shop or shopping center and later moves to another one, the product request is closed and the product is canceled. The same applies if a requested product is moved to another shelf.
You can label product service items with Retain service item assignment on relocation so that their requests are retained on relocation. All pending or approved requests in the shop are transferred to any shop in which the employee is a customer and that contains the requested product. Pending requests are reset in the process, which means they have to go through the approval process from the beginning again.

Detailed information about this topic


l Product request on customer or product relocation on page 46

Related topics
l Removing customers from a shop on page 62

Changing approval workflows of pending requests
When approval workflows are changed, a decision must be made as to whether these
changes should be applied to pending requests. Configuration parameters are used to
define the desired procedure.

Scenario: Another approval workflow was stored with the approval policy

If changes have been made to the approval, renewal, or cancellation workflow in an approval policy, any pending approval processes are continued by default with the original workflow. The newly stored workflow is only used in new requests. You can configure different behavior.

To specify how to handle pending requests

l In the Designer, enable the QER | ITShop | OnWorkflowAssign configuration parameter and select one of the following values.
  l CONTINUE: Ongoing approval processes are continued with the originally applicable workflow. The newly stored workflow is only used in new requests. This behavior also applies if the configuration parameter is not set.
  l RESET: In ongoing approval processes, all approval decisions already taken are reset. The approval processes are restarted with the newly stored workflow.
  l ABORT: Ongoing approval processes are stopped. All pending requests are closed. The customer must request, renew, or cancel the product again, if required.

A working copy of the originally applicable workflow is saved. The working copy is retained as long as it is used in ongoing approval processes. All unused working copies are regularly deleted by the Maintenance approval workflows schedule.
If the assigned renewal or cancellation workflow is deleted, any ongoing approval processes are stopped.

Scenario: A change was made to an approval workflow in use

If changes have been made to an approval workflow that is being used in pending requests, any pending approval processes are continued by default with the original workflow. The changes to the approval workflow are only implemented for new requests. You can configure different behavior.

To specify how to handle pending requests

l In the Designer, enable the QER | ITShop | OnWorkflowUpdate configuration parameter and select one of the following values.
  l CONTINUE: Ongoing approval processes are continued with the originally applicable approval workflow. The changes to the approval workflow are only implemented for new requests. This behavior also applies if the configuration parameter is not set.
  l RESET: In ongoing approval processes, all approval decisions already taken are reset. The approval processes are restarted with the changed approval workflow.
  l ABORT: Ongoing approval processes are stopped. All pending requests are closed. The customer must request, renew, or cancel the product again, if required.

A working copy of the approval workflow that contains the original version is saved. This working copy is retained as long as it is used in ongoing approval processes. All unused working copies are regularly deleted by the Maintenance approval workflows schedule.

Related topics
l Determining the responsible approvers on page 122

Requests for employees

In the Web Portal default installation, approvers can request and cancel products for other users. Approvers can only request products for users of shops they manage and in which the user is a customer. Furthermore, department managers and their deputies may edit the data of employees belonging to their department.
The responsibilities are evaluated through the following database view.

QER_VEditEmployee   This view returns the department managers, their deputies, and the employees whose data they can edit.

Requesting change of manager for an employee
Managers can edit the main data of their employees in the Web Portal. In the same context, it is possible to define a new manager for an employee. To do this, the previous manager requests the assignment of another manager. If the other manager agrees to the assignment, they are assigned to the employee as manager.

Prerequisites

The following objects are made available in the One Identity Manager database by default:

Table 57: Default objects for the change of manager

Object                                  Description

New manager assignment                  Is used to request the other manager in the IT Shop. The
multi-request resource                  product is canceled the moment the new manager has been
                                        assigned. The New manager assignment service item is
                                        assigned to it.

New manager assignment                  Product that is ordered when another manager is assigned.
service item                            The New manager assignment approval policy is assigned
                                        to it.

Identity & Access Lifecycle |           The service item is assigned by default to the Identity
Identity Lifecycle IT Shop structure    Lifecycle shelf in the Identity & Access Lifecycle shop.

New manager assignment                  Specifies the approval workflow by which the change of
approval policy                         manager is approved. The New manager assignment approval
                                        workflow is assigned to it.

New manager assignment                  Determines the other manager as the approver. If approval
approval workflow                       is denied, the request is returned to the previous manager.

VI_ESS_PersonWantsOrg_Set_New_          Assigns the other manager to the employee as manager as
Person.Manager process                  soon as the change of manager has been approved and the
                                        validity date (Valid from) of the request is reached.

Procedure for changing managers

1. The previous manager edits the main data of the employee the other manager is going to take on. They select an employee as manager and specify a date from which the change takes effect.

Table 58: Changes that are requested

Property                    Description

New manager                 Employee to be assigned as the new manager of the employee.

Effective date              The date on which the change takes effect.

Changes to be run after     Changes that should be run after approval has been granted and
approval is granted         the new manager has been assigned, for example, deleting user
                            accounts or removing memberships in system entitlements. The
                            previous manager can decide which of the changes listed should
                            be run.

2. A request with the following properties is triggered.

Table 59: Properties of the manager change request

Property                   Description

Requester                  Previous manager.
Recipient                  Employee.
Additional request data    New manager.
Approver                   New manager.
Valid from                 The date on which the change takes effect.
Additional data            Additional changes to be run.

3. The request is assigned for approval to the new manager, who can also specify what other changes should be made after the manager has been replaced.
   a. If the new manager denies approval, the request is returned to the previous manager.
      The previous manager can select another manager and approve the request. The request is then assigned to this other manager for approval.
      The previous manager can also deny the request. The change of manager is then closed and the employee's manager is not changed.
   b. If the new manager grants approval to the request, they are assigned as manager to the employee from the validity date of the request. All selected additional changes are also run on the validity date.
4. The product is unsubscribed. The request is closed.

For more information about assigning a new manager, see the One Identity Manager Web Designer Web Portal User Guide.

Canceling requests
Request recipients, requesters, and members of the chief approval team can cancel requests that have not yet been approved in the Web Portal. The approval process is stopped immediately. The request is given the Canceled status.
For more information about canceling requests in the Web Portal, see the One Identity Manager Web Designer Web Portal User Guide.

To cancel a request in the Manager

1. In the Manager, select the IT Shop > Requests > Pending requests > <filter> > <request> category.
2. Select a request procedure in the result list.
3. Click Cancel request.
4. Confirm the security prompt with Yes.
5. Click OK.

Unsubscribe products
Assigned products that are no longer needed can be unsubscribed. Each unsubscription goes through an approval process. If an unsubscription workflow is stored with the approval policy, the unsubscription is approved or denied by an approver. If no unsubscription workflow is given, the unsubscription is approved immediately.
If the request's Valid until date has already passed and the approver wants to deny the unsubscription, the approver must enter a new Valid until date.
Request recipients can be notified if a request is unsubscribed by another employee.

Related topics
l Request sequence on page 155
l Requests with limited validity period on page 160
l General main data of approval policies on page 82
l Unsubscribing approved requests on page 177

Notifications in the request process


In a request process, various email notifications can be sent to requesters and approvers.
The notification procedure uses mail templates to create notifications. The mail text in a
mail template is defined in several languages. This ensures that the language of the
recipient is taken into account when the email is generated. Mail templates are supplied in
the default installation with which you can configure the notification procedure.
Messages are not sent to the chief approval team by default. Fallback approvers are only
notified if not enough approvers could be found for an approval step.

To use notification in the request process

1. Ensure that the email notification system is configured in One Identity Manager. For
more information, see the One Identity Manager Installation Guide.
2. In the Designer, set the QER | ITShop | DefaultSenderAddress configuration
parameter and enter the sender address used to send the email notifications.
3. Ensure that all employees have a default email address. Notifications are sent to this
address. For more information, see the One Identity Manager Identity Management
Base Module Administration Guide.

4. Ensure that a language can be determined for all employees. Only then can they
receive email notifications in their own language. For more information, see the One
Identity Manager Identity Management Base Module Administration Guide.
5. Configure the notification procedure.

Related topics
l Custom mail templates for notifications on page 227

Requesting approval
When a customer requests a product, the approver is notified that new approvals
are pending.

Prerequisite
l The QER | ITShop | MailTemplateIdents | RequestApproverByCollection
configuration parameter is not set.

To set up the notification procedure

l On the Mail templates tab of the approval step, enter the following data:
  Mail template request: IT Shop Request - approval required
  TIP: To allow approval by email, select the IT Shop Request - approval required (by email) mail template.

NOTE: You can schedule requests for approval to send a general notification if there are
requests pending. This replaces single requests for approval at each approval step.

Related topics
l Email notification: Scheduled request for approval on page 172
l Approval by mail on page 179
l Editing approval steps on page 90

Reminding approvers
If an approver has not made a decision by the time the reminder timeout expires,
notification can be sent by email as a reminder. The approvers working hours are taken into
account when the time is calculated.

Prerequisite

l The QER | ITShop | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.

To set up the notification procedure

l Enter the following data for the approval step.
  l Reminder after (minutes): Number of minutes to elapse after which the approver is notified by mail that there are still pending requests for approval. The input is converted into working hours and displayed additionally.
    NOTE: Ensure that a state, a county, or both are entered in the employee's main data for determining the correct working hours. If this information is missing, a fallback is used to calculate the working hours. For more information about calculating employees' working hours, see the One Identity Manager Identity Management Base Module Administration Guide.
    TIP: Weekends and public holidays are taken into account when working hours are calculated. If you want weekends and public holidays to be treated in the same way as working days, set the QBM | WorkingHours | IgnoreHoliday or QBM | WorkingHours | IgnoreWeekend configuration parameter. For more information, see the One Identity Manager Configuration Guide.
    If more than one approver was found, each approver is notified. The same applies if an additional approver has been assigned.
    If an approver delegated the approval, the reminder time for the delegation recipient is recalculated. The delegation recipient and all the other approvers are notified. The original approver is not notified.
    If an approver has made a query, the reminder time for the queried employee is recalculated. As long as the query has not been answered, only this employee is notified.
  l Mail template reminder: Select the IT Shop request - remind approver mail template.
    TIP: To allow approval by email, select the IT Shop Request - remind approver (by email) mail template.

NOTE: You can schedule requests for approval to send a general notification if there are requests pending. This replaces single requests for approval at each approval step.
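Because the reminder timeout is consumed in working hours rather than wall-clock time, a value that looks short can push the reminder across a weekend or a public holiday. The following Python model is an added example, not One Identity Manager's own working-hours calculation: it assumes a 09:00 to 17:00 working day (the product derives real working hours from the employee's state and county data), takes public holidays as a constructed set of dates, and lets the two QBM | WorkingHours flags turn weekends or holidays back into working days. Function names are the example's own.

```python
from datetime import date, datetime, time, timedelta
from typing import FrozenSet

# Assumed working day for this model; the product derives the real working hours
# from the employee's state/county data and uses a fallback when that is missing.
WORK_START = time(9, 0)
WORK_END = time(17, 0)


def is_working_day(day: date, holidays: FrozenSet[date],
                   ignore_holiday: bool, ignore_weekend: bool) -> bool:
    """QBM | WorkingHours | IgnoreWeekend and | IgnoreHoliday make weekends or
    public holidays count as ordinary working days."""
    if day.weekday() >= 5 and not ignore_weekend:
        return False
    if day in holidays and not ignore_holiday:
        return False
    return True


def reminder_due(start: datetime, reminder_after_minutes: int,
                 holidays: FrozenSet[date] = frozenset(),
                 ignore_holiday: bool = False,
                 ignore_weekend: bool = False) -> datetime:
    """Point in time at which the approver is reminded: the configured minutes are
    consumed only during working hours, so a reminder set late on a Friday is
    carried over to Monday morning unless weekends count as working days."""
    remaining = timedelta(minutes=reminder_after_minutes)
    current = start
    for _ in range(400):                     # bound the calendar walk
        day = current.date()
        next_morning = datetime.combine(day + timedelta(days=1), WORK_START)
        if not is_working_day(day, holidays, ignore_holiday, ignore_weekend):
            current = next_morning
            continue
        day_start = datetime.combine(day, WORK_START)
        day_end = datetime.combine(day, WORK_END)
        current = max(current, day_start)    # before office hours: start at 09:00
        if current >= day_end:               # after office hours: next working day
            current = next_morning
            continue
        available = day_end - current
        if remaining <= available:
            return current + remaining
        remaining -= available               # use up the rest of today, carry over
        current = next_morning
    raise ValueError("no working time found within 400 days")


if __name__ == "__main__":
    # Constructed sample: approval step created Friday 31 Mar 2017 at 16:00,
    # "Reminder after" = 120 minutes, Monday 3 Apr is a public holiday
    start = datetime(2017, 3, 31, 16, 0)
    print(reminder_due(start, 120))                                   # Mon 3 Apr 10:00
    print(reminder_due(start, 120, frozenset({date(2017, 4, 3)})))    # Tue 4 Apr 10:00
    print(reminder_due(start, 120, ignore_weekend=True))              # Sat 1 Apr 10:00
```

When reviewing an approval policy, run the configured minutes through such a calculation for the approvers' actual locale before assuming a reminder fires the same day.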

Related topics
l Email notification: Notifications with questions on page 176
l Email notification: Scheduled request for approval on page 172
l Approval by mail on page 179
l Editing approval steps on page 90

Scheduled request for approval
Approvers can be regularly notified of requests that are pending. These regular notifications replace the individual prompts and approval reminders that are configured in the approval step.

To send regular notifications about pending requests

1. In the Designer, enable the QER | ITShop | MailTemplateIdents | RequestApproverByCollection configuration parameter.
   By default, a notification is sent with the IT Shop request - pending requests for approver mail template.
   TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter in the Designer.
2. In the Designer, configure and enable the Inform approver about pending requests schedule.
   For more information, see the One Identity Manager Operational Guide.

Sequence for limited requests

A recipient keeps a product on the shelf until they unsubscribe from it. Sometimes, however, products are only required for a certain length of time and can be canceled automatically. The recipient is notified by email before the expiry date is reached and has the option to renew the request.

To set up the notification procedure

1. In the Designer, set the QER | ITShop | ValidityWarning configuration parameter and enter the warning period (in days) for expiring requests.
2. In the Designer, configure and enable the Reminder for IT Shop requests that expire soon schedule.
3. Enter the following data for the approval policy:
   l Mail template expired: Select the mail template to be used for the email notification. The default installation provides the IT Shop request - product expires and IT Shop request - expired mail templates.
4. Save the changes.

Related topics
l Requests with limited validity period on page 160
l Approval policies for requests on page 81

Approving or denying request approval
When a request is granted or denied approval, the request recipient is notified by email. Notification may occur after approval or denial of a single approval step or once the entire approval process is complete. Requests can be automatically granted or denied approval once a specified time period has expired; the recipient is notified in the same way in this case.

To set up the notification procedure

l If notification should be sent immediately after an approval decision is made for a single approval step, enter the following data on the Mail templates tab of the approval step.
  l Mail template approved: IT Shop request - approval granted for approval step
  l Mail template denied: IT Shop request - approval not granted for approval step
l If notification should immediately follow the approval decision of the entire approval process, enter the following data in the approval policy:
  l Mail template approved: IT Shop request - approval granted
  l Mail template denied: IT Shop request - approval not granted

Related topics
l Approval policies for requests on page 81
l Editing approval steps on page 90

Notifying delegators
If required, a delegator can receive notifications when the deputy or the recipient of a single delegation has made an approval decision on their behalf in the IT Shop. The notification is sent once an employee has been determined as an approver through delegation and has made an approval decision for the request.

To send a notification when the employee to whom an approval was delegated approves or denies the request

l In the Designer, set the QER | ITShop | Delegation | MailTemplateIdents | InformDelegatorAboutDecisionITShop configuration parameter.
  By default, a notification is sent with the Delegation - inform delegator about decided request mail template.

TIP: To use custom mail templates for emails of this type, change the value of the configuration parameter.
Delegations are taken into account in the following default approval procedures.

Table 60: Delegation-relevant default approval procedures

Delegation of                           Approval procedure

Department responsibilities             D0, D1, D2, DM, DP, MS
Cost center responsibilities            P0, P1, P2, PM, PP, MS
Location responsibilities               MS
Business role responsibilities          OM, MS
Employee responsibilities               CM
IT Shop structure responsibilities      H0, H1, H2
Memberships in business roles           OR
Memberships in application roles        DI, DR, ID, IL, IO, IP, OA, OC, OH, PI, PR, RD, RL, RO, RP, TO

Example

Jon Blogs is responsible for the R1 business role. He delegates his responsibility for the business role to Clara Harris. Clara Harris is herself responsible for the R2 business role.
A member of the R1 business role requests a product in the IT Shop. Jon Blogs is determined as an approver through the OM - Manager of a specific role approval procedure. The request is assigned to Clara Harris for approval through delegation. Jon Blogs is notified as soon as Clara Harris has made her approval decision.
A member of the R2 business role requests a product in the IT Shop. Clara Harris is determined as the approver through the OM - Manager of a specific role approval procedure. No notification is sent because Clara Harris does not make the approval decision by virtue of a delegation.

Bulk delegation

You have the option to delegate all your responsibilities to one person in the Web Portal. If
you have a lot of responsibilities, it is possible that not all the delegations are carried out. A
delegator can send a notification to themselves if an error occurs.

Detailed information about this topic
l Bulk delegation notifications on page 179

Related topics
l Default approval procedures on page 100
l Using additional approvers to approve requests on page 177

Canceling requests
Requests can be automatically canceled for various reasons, for example, when a specified
time period has expired or if no approver can be found. The request recipient is notified.

To set up the notification procedure
l In the approval policy, on the Mail templates tab, enter the following data.
Mail template stopped: IT Shop request - canceled

Related topics
l Editing approval steps on page 90

Escalating requests
Requests can be escalated if a specified time period has expired. If a request is escalated,
the requester can be notified by email.

To set up the notification procedure
l On the Mail templates tab of the approval step, enter the following data:
Mail template escalation: IT Shop request - Escalation

Related topics
l Editing approval steps on page 90

Delegating approvals
If, in an approval step, other approvers can be authorized to make the approval decision,
the additional approvers can be prompted to approve by email. The same applies if the
approval can be delegated.

To set up the notification procedure
l On the Mail templates tab of the approval step, enter the following data:
Mail template delegation: IT Shop request - delegated/additional approval
TIP: To enable approval by email, select the IT Shop request -
delegated/additional approval (by mail) mail template instead.

Related topics
l Approval by mail on page 179
l Appointing other approvers on page 142
l Editing approval steps on page 90

Rejecting approvals
The original approver must be notified if an additional approver or employee to whom an
approval has been delegated refuses the approval.

To set up the notification procedure
l On the Mail templates tab of the approval step, enter the following data:
Mail template rejection: IT Shop request - reject approval
TIP: If you allow approval by email, select the IT Shop request -
reject approval (by mail) mail template instead.

Related topics
l Approval by mail on page 179
l Editing approval steps on page 90

Notifications with questions

Employees can be notified when a question about a request is asked. Similarly, the
approvers can also be notified as soon as the question is answered.

To send a notification when an approver asks a question
l In the Designer, set the QER | ITShop | MailTemplateIdents |
QueryFromApprover configuration parameter.
A notification is sent by default with the IT Shop Request - question mail
template.

To send a notification to the approver when the queried employee answers a question
l In the Designer, set the QER | ITShop | MailTemplateIdents |
AnswerToApprover configuration parameter.
A notification is sent by default with the IT Shop Request - answer mail template.

TIP: To use custom mail templates for emails of this type, change the value of the
configuration parameter.

Using additional approvers to approve requests

The original approver can be notified when an additional approver or an employee who has
been delegated an approval has granted or denied the request. This mail is sent the
moment the approval step has been decided.

To send a notification when the additional approver approves or denies the request
l In the Designer, set the QER | ITShop | MailTemplateIdents |
InformAddingPerson configuration parameter.
A notification is sent by default with the IT Shop request - approval of added
step mail template.

To send a notification when the employee who was delegated an approval approves or denies the request
l In the Designer, set the QER | ITShop | MailTemplateIdents |
InformDelegatingPerson configuration parameter.
A notification is sent by default with the IT Shop request - approval of delegated
step mail template.

TIP: To use custom mail templates for emails of this type, change the value of the
configuration parameter.

Unsubscribing approved requests

Request recipients can be notified if a request is unsubscribed by another employee. The
email is sent immediately after approval has been granted for unsubscribing.

To set up the notification procedure
l Enter the following data for the approval policy:
Mail template canceled: IT Shop request - Canceled

Related topics
l Approval policies for requests on page 81

Renewing approved requests

Request recipients can be notified when a request has been renewed. The email notification
is sent immediately after approval for the renewal has been granted.

To set up the notification procedure
l Enter the following data for the approval policy:
Mail template renewed: IT Shop request - Renewed

Related topics
l Approval policies for requests on page 81

Product change notifications

Employees can be notified when a product is replaced by another product on a fixed date.
The request recipient is automatically notified by email once notification procedures are in
place and the Change product task is run.

TIP: To use a different mail template than the default for this notification
1. In the Designer, open the VI_ESS_PersonWantsOrg Send Mail Product Expires Soon
process.
2. In the pre-script that generates the UID_RichMail, change the process properties.
3. Select Database > Save to database and click Save.

Detailed information about this topic
l Notifications in the request process on page 169

Default mail templates

One Identity Manager supplies mail templates by default. These mail templates are
available in English and German. If you require the mail body in other languages, you can
add mail definitions for these languages to the default mail template.

To edit a default mail template
l In the Manager, select the IT Shop > Basic configuration data > Mail
templates > Predefined category.

Related topics
l Custom mail templates for notifications on page 227

Bulk delegation notifications

You have the option to delegate all your responsibilities to one person in the Web Portal. If
you have a lot of responsibilities, it is possible that not all the delegations are carried out. A
delegator can send a notification to themselves if an error occurs.

To send a notification if bulk delegation fails
l In the Designer, set the QER | ITShop | MailTemplateIdents |
InformRequestorAboutMassDelegationErrors configuration parameter.
By default, a notification using the Delegation - mass delegation errors
occurred mail template is sent.

TIP: To use something other than the default mail template for these notifications,
change the value of the configuration parameter in the Designer.

Related topics
l Bulk delegation errors on page 240

Approval by mail
To provide approvers who are temporarily unable to access One Identity Manager tools
with the option of making approval decisions on requests, you can set up approvals by
email. In this process, approvers are notified by email when a request is pending their
approval. Approvers can use the relevant links in the email to make approval decisions
without having to connect to the Web Portal. This generates an email that contains the
approval decision and in which approvers can state the reasons for their approval
decision. This email is sent to a central mailbox. One Identity Manager checks this
mailbox regularly, evaluates the incoming emails, and updates the status of the request
procedures accordingly.
IMPORTANT: An approval cannot be sent by email if multi-factor authentication is
configured for the requested product. Approval mails for such requests produce an
error message.

Prerequisites
l If you use a Microsoft Exchange mailbox, configure the Microsoft Exchange with:
l Microsoft Exchange Client Access Server version 2007, Service Pack 1 or higher
l Microsoft Exchange Web Service .NET API Version 1.2.1, 32-bit
l If you use an Exchange Online mailbox, register an application in your Azure Active
Directory tenant in the Microsoft Azure Management Portal. For example, One
Identity Manager <Approval by mail>.
For detailed information about how to register an application, see
https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-
services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-
application.
l The One Identity Manager Service user account used to log into Microsoft Exchange
or Exchange Online requires full access to the mailbox given in the QER | ITShop |
MailApproval | Inbox configuration parameter.
l The QER | ITShop | MailTemplateIdents | RequestApproverByCollection
configuration parameter is not set.

To set up approval by email
1. In the Designer, set the QER | ITShop | MailApproval | Inbox configuration
parameter and enter the mailbox to which the approval mails are to be sent.
2. Set up mailbox access.
l If you use a Microsoft Exchange mailbox:
l By default, One Identity Manager uses the One Identity Manager
Service user account to log in to the Microsoft Exchange Server and
access the mailbox.
- OR -
l You enter a separate user account for logging in to the Microsoft
Exchange Server for mailbox access.
l In the Designer, set the QER | ITShop | MailApproval |
Account configuration parameter and enter the user account's
name.
l In the Designer, set the QER | ITShop | MailApproval |
Domain configuration parameter and enter the user account's
domain.
l In the Designer, set the QER | ITShop | MailApproval |
Password configuration parameter and enter the user
account's password.
l If you use an Exchange Online mailbox:
l In the Designer, set the QER | ITShop | MailApproval | AppId
configuration parameter and enter the application ID that was generated

when the application was registered in the Azure Active Directory tenant.
l In the Designer, set the QER | ITShop | MailApproval | Domain
configuration parameter and enter the domain for logging into Azure
Active Directory.
l In the Designer, set the QER | ITShop | MailApproval | Password
configuration parameter and enter the client secret (application
password) for the application.
3. In the Designer, set the QER | ITShop | MailTemplateIdents | ITShopApproval
configuration parameter.
The mail template used to create the approval decision mail is stored with this
configuration parameter. You can use the default mail template or add a custom
mail template.
TIP: If you use a custom mail template, also adjust the VI_MailApproval_ProcessMail
script, because it parses the content of the approval decision mail.
4. Assign the following mail templates to the approval steps.

Table 61: Mail templates for approval by mail

Property                    Mail template

Mail template request       IT Shop request - approval required (by mail)
Mail template reminder      IT Shop request - remind approver (by mail)
Mail template delegation    IT Shop request - delegated/additional approval (by mail)
Mail template rejection     IT Shop request - reject approval (by mail)

5. In the Designer, configure and enable the Processes IT Shop mail approvals
schedule.
Based on this schedule, One Identity Manager regularly checks the mailbox for new
approval mails. By default, the mailbox is checked every 15 minutes. You can change
how frequently it is checked by altering the interval in the schedule as required.

To clean up the mailbox
l In the Designer, set the QER | ITShop | MailApproval | DeleteMode
configuration parameter and select one of the following values.
l HardDelete: The processed email is deleted immediately and permanently.
l MoveToDeletedItems: The processed email is moved to the Deleted Items
mailbox folder.
l SoftDelete: The processed email is moved to the mailbox's recoverable items
(the Exchange "dumpster") and can be restored from there if necessary.
NOTE: If you use the MoveToDeletedItems or SoftDelete cleanup method, you
should empty the Deleted Items folder and the recoverable items on a regular
basis. Until then, the processed mails still contain the approval decisions and
reasons.

Related topics
l Editing approval emails on page 182
l Custom mail templates for notifications on page 227
l Requesting approval on page 170
l Reminding approvers on page 170
l Delegating approvals on page 175
l Rejecting approvals on page 176
l Preparing the IT Shop for multi-factor authentication on page 55
l Adaptive cards approval on page 183

Editing approval emails

The Processes IT Shop mail approvals schedule starts the VI_ITShop_Process
Approval Inbox process. This process runs the VI_MailApproval_ProcessInBox script,
which searches the mailbox for new approval decision mails and updates the request
procedures in the One Identity Manager database. The contents of the approval decision
mail are processed at the same time.
NOTE: The validity of the email certificate is checked with the VID_ValidateCertificate
script. You can customize this script to suit your security requirements. Take into account
that this script is also used for attestations by email. Because the approver is identified
by the sender address of the decision mail, and a sender address on its own can be
forged, this certificate check is what binds the approval decision to the approver; do not
weaken it without a compensating control.
If a self-signed root certification authority is used, the user account under which the
One Identity Manager Service is running must trust the root certificate.
TIP: By default, the VI_MailApproval_ProcessInBox script determines the Exchange Web
Services URL through AutoDiscover for the given mailbox. This assumes that the
AutoDiscover service is available.
If this is not possible, enter the URL in the QER | ITShop | MailApproval |
ExchangeURI configuration parameter.
Approval decision mails are processed with the VI_MailApproval_ProcessMail script. The
script finds the relevant approval, sets the Approved option if approval is granted, and
stores the reason for the approval decision with the request procedures. The approver is
found through the sender address. Then the approval decision mail is removed from the
mailbox depending on the selected cleanup method.
NOTE: If you use a custom mail template for the approval decision mail, check the
script and modify it as required. Take into account that this script is also used for
attestations by email.
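The processing described above, modelled as an added example in Python. It is not One Identity Manager's VI_MailApproval_ProcessMail or VID_ValidateCertificate script. The example assumes that the approver is identified by the From address of the decision mail, that a per-approver shared secret stands in for the approver's S/MIME certificate (the mail carries an HMAC over the body in an assumed X-Approval-Signature header), and that the decision and reason arrive as "Decision:" and "Reason:" lines in the text part. The addresses, secrets and mails are constructed. It shows why the sender address alone must not be trusted: a mail whose From matches the approver but whose signature does not verify is discarded, as is a decision mail for a product that requires multi-factor authentication.

```python
"""Hypothetical model of approval-mail processing (added example, not the
product's scripts). Assumed: approver identified by From address; per-approver
secret stands in for the S/MIME certificate; HMAC in X-Approval-Signature;
'Decision:' / 'Reason:' lines in the text part. All data is constructed."""
import hashlib
import hmac
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# The three QER | ITShop | MailApproval | DeleteMode values and their effect.
DELETE_MODES = {
    "HardDelete": "delete permanently",
    "MoveToDeletedItems": "move to Deleted Items",
    "SoftDelete": "move to recoverable items",
}


class ApprovalMailError(Exception):
    """Raised when a decision mail must not change the request procedure."""


def sign_body(body: str, secret: str) -> str:
    """Stand-in for an S/MIME signature: HMAC-SHA256 over the normalised body."""
    return hmac.new(secret.encode(), body.strip().encode(), hashlib.sha256).hexdigest()


def build_decision_mail(from_addr: str, body: str, secret: str = "") -> bytes:
    """Construct the decision mail an approver's client would send (test data)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "itshop-approvals@example.com"  # the configured Inbox mailbox (assumed address)
    msg["Subject"] = "Re: IT Shop request - approval required"
    msg.set_content(body)
    if secret:
        msg["X-Approval-Signature"] = sign_body(body, secret)
    return msg.as_bytes()


def parse_decision(text: str) -> tuple:
    """Return (decision, reason) from 'Decision:' / 'Reason:' lines of the body."""
    decision, reason = None, ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "decision":
            decision = value.strip().lower()
        elif key.strip().lower() == "reason":
            reason = value.strip()
    if decision not in ("approve", "deny"):
        raise ApprovalMailError(f"no valid decision in mail body: {decision!r}")
    return decision, reason


def process_approval_mail(raw: bytes, step: dict, approvers: dict, delete_mode: str) -> dict:
    """Validate one decision mail against a pending approval step and apply it.

    step      -- pending approval: approver_email, requires_mfa, decision fields
    approvers -- mail address -> secret (certificate stand-in) of known approvers
    """
    if delete_mode not in DELETE_MODES:
        raise ApprovalMailError(f"unknown DeleteMode {delete_mode!r}")
    if step["requires_mfa"]:
        # Products with 'Approval by multi-factor authentication' cannot be approved by mail.
        raise ApprovalMailError("approval by mail not permitted: product requires MFA")

    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    if sender != step["approver_email"].lower():
        raise ApprovalMailError(f"{sender} is not the approver of this step")

    text_part = msg.get_body(preferencelist=("plain",))
    if text_part is None:
        raise ApprovalMailError("decision mail has no text part")
    body = text_part.get_content()

    # The From header alone is spoofable; only the signature binds the decision to the approver.
    secret = approvers.get(sender)
    signature = str(msg.get("X-Approval-Signature", "")).strip()
    if secret is None or not hmac.compare_digest(signature, sign_body(body, secret)):
        raise ApprovalMailError("signature missing or invalid; mail ignored")

    decision, reason = parse_decision(body)
    step.update(decided=True, approved=(decision == "approve"), reason=reason)
    return {"approved": step["approved"], "reason": reason,
            "mailbox_action": DELETE_MODES[delete_mode]}


if __name__ == "__main__":
    approvers = {"clara.harris@example.com": "clara-secret"}  # constructed
    step = {"approver_email": "clara.harris@example.com", "requires_mfa": False, "decided": False}
    mail = build_decision_mail("Clara Harris <clara.harris@example.com>",
                               "Decision: Approve\nReason: Needed for project work\n", "clara-secret")
    print(process_approval_mail(mail, step, approvers, "MoveToDeletedItems"))
```

The order of checks matters: the MFA gate and the approver match are cheap and happen first, but only the signature verification decides whether the mail is acted on. In a real deployment that role is played by the X.509 check in VID_ValidateCertificate, which is why customizing that script deserves the same review as changing an approval policy.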

Adaptive cards approval
To allow approvers who temporarily do not have access to One Identity Manager tools to
approve requests, you can send adaptive cards. Adaptive cards contain all the information
about the product required for approving a request. These include:
l Current and next approver
l Approval history
l Rule violations by the request
l Option to select a default reason or enter a reason as free text
l Option to adjust the request's validity period
l Link to the request in the Web Portal

One Identity Starling Cloud Assistant uses a specified channel to post the adaptive cards to
the approver, waits for a response, and sends this to One Identity Manager. Currently Slack
and Microsoft Teams can be used to post adaptive cards. In Starling Cloud Assistant,
channels are configured and can be allocated to each recipient separately.
NOTE: In previous versions of One Identity Manager, the Starling 2FA app was available
for approving requests. Starling Two-Factor Authentication and the Starling 2FA app will
not be supported in future versions. Instead, use the new functionality of adaptive cards
with Starling Cloud Assistant to approve requests. Version 8.2.1 still supports request
approvals with the Starling 2FA app, but the functionality is disabled by default. It can be
temporarily enabled again until adaptive cards are set up and functional.

To enable the functionality for approving requests with the Starling 2FA app
1. In the Designer, enable the VI_ESS_PWOHelperPWO approve anywhere process.
2. In the Designer, disable the QER_PWOHelperPWO approve anywhere process.

Prerequisites
l The Starling Cloud Assistant service is enabled and the usable channels are
configured.
For more information, see the One Identity Starling Cloud Assistant User Guide
under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-
documents.
Access to the following endpoints must be ensured to reach a Starling organization in
the respective data center.
l United States of America:
https://sts.cloud.oneidentity.com (to receive an authentication token)
https://cloud-assistant-supervisor.cloud.oneidentity.com (to address the
Starling Cloud Assistant API)
l European Union:

https://sts.cloud.oneidentity.eu (to receive an authentication token)
https://cloud-assistant-supervisor.cloud.oneidentity.eu (to address the
Starling Cloud Assistant API)
l One Identity Manager is connected to One Identity Starling.

To connect One Identity Manager to One Identity Starling
1. Start the Launchpad.
2. Select Connection to Starling Cloud and click Run.
This starts the Starling Cloud configuration wizard.
3. Follow the Starling Cloud configuration wizard's instructions.
For more information about One Identity Starling, see the One Identity Starling User
Guide under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.

Detailed information about this topic
l Using adaptive cards for approvals on page 184

Using adaptive cards for approvals

Approvers must be registered as recipients in Starling Cloud Assistant to be able to make
approval decisions about requests. Each recipient must be allocated to a channel that will
be used to post the adaptive card. One Identity Manager provides adaptive cards for
requesting approval of IT Shop requests in German and English. These can be customized
if necessary.
By default, an approval decision must be made within 5 minutes. If this deadline is
exceeded, the Web Portal must be used to approve the request. You can configure
the deadline.

To use adaptive cards for approvals
1. In the Designer, set the QER | Person | Starling | UseApprovalAnywhere
configuration parameter.
2. Ensure that a default email address is stored in One Identity Manager for each
employee that will use adaptive cards. This address must correspond to the email
address that the employee uses to log in to Microsoft Teams or Slack.
For detailed information about the default email address, see the One Identity
Manager Identity Management Base Module Administration Guide.
3. Ensure that a language can be identified for each employee that will use adaptive
cards. This allows approvers to obtain adaptive cards in their own language.
For more information, see the One Identity Manager Identity Management Base
Module Administration Guide.

4. Any service items that will be requested by sending adaptive cards must not have the
Approval by multi-factor authentication option enabled.
Adaptive cards are only sent if no multi-factor authentication is used for
approving the request.
5. Register all the employees who are going to use adaptive cards for approving as
recipients in Starling Cloud Assistant and assign them to the channel to use.
6. Install the Starling Cloud Assistant app that matches the channel.
Every registered employee must install this app.
For more information, see the One Identity Starling Cloud Assistant User Guide
under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-documents.
7. (Optional) Change the timeout for adaptive cards.
l In the Designer, set the QER | Person | Starling | UseApprovalAnywhere
| SecondsToExpire configuration parameter and adjust the value. Enter a
timeout in seconds.
8. (Optional) Provide a language-specific template for adaptive cards or adjust the
adaptive card settings.
If a language cannot be identified or there is no suitable template for the language
found, en-US is used as fallback.

Detailed information about this topic
l General main data for service items on page 22
l Adding and deleting recipients and channels on page 185
l Creating, editing, and deleting adaptive cards for requests on page 186
l Creating, editing, and deleting adaptive cards templates for requests on page 188
l Deploying and evaluating adaptive cards for requests on page 189

Adding and deleting recipients and channels

Approvers can be registered in Starling Cloud Assistant as recipients through an IT Shop
request and allocated to a channel. By default, these requests are approved immediately by
self-service. Then the recipients are registered and the requested channel is assigned to
them. Once the approver has installed the Starling Cloud Assistant app, they can use
adaptive cards to approve requests.

To add a recipient in Starling Cloud Assistant
l In the Web Portal, request the New Starling Cloud Assistant recipient product.

To allocate Microsoft Teams as a channel in Starling Cloud Assistant

1. In the Web Portal, request the Teams channel for Starling Cloud Assistant
recipient product.
2. Install the Starling Cloud Assistant app for Microsoft Teams.
For more information, see the One Identity Starling Cloud Assistant User Guide
under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-
documents.

To allocate Slack as a channel in Starling Cloud Assistant

1. In the Web Portal, request the Slack channel for Starling Cloud Assistant
recipient product.
2. Install the Starling Cloud Assistant app for Slack.
For more information, see the One Identity Starling Cloud Assistant User Guide
under https://support.oneidentity.com/starling-cloud-assistant/hosted/technical-
documents.

To delete a recipient in Starling Cloud Assistant


l Cancel the New Starling Cloud Assistant recipient product.

To remove a channel
l Cancel the respective product.

For more information about requesting and unsubscribing products, see the One Identity
Manager Web Portal User Guide.

Related topics
l Adaptive cards approval on page 183
l Using adaptive cards for approvals on page 184

Creating, editing, and deleting adaptive cards for requests

One Identity Manager provides adaptive cards for requesting approval of IT Shop requests
in German and English. These can be displayed in the Manager. You can create your own
templates for adaptive cards, for example to make changes to the content or to provide
adaptive cards in other languages. The recipient's language preferences are taken into
account when an adaptive card is generated. If a language cannot be identified or there is
no suitable template for the language found, en-US is used as fallback.
To use your own adaptive cards for approving requests, configure the QER_PWOHelperPWO
approve anywhere process accordingly.

To display an adaptive card

1. In the Manager, select the IT Shop > Basic configuration data > Adaptive
cards category.
2. Select the adaptive card in the result list.
3. Select the Change main data task.
4. In the Adaptive card templates menu, select a template.
This displays the adaptive card's definition in the Template field.
l To display the entire JSON code, click .

To create an adaptive card.

1. In the Manager, select the IT Shop > Basic configuration data > Adaptive
cards category.
2. Click in the result list.
3. Edit the adaptive card's main data.
4. Create a new template for adaptive cards.
5. Save the changes.
6. Create additional language-specific templates for this adaptive card as required and
save the changes.

To use your customized adaptive card
1. In the Designer, edit the QER_PWOHelperPWO approve anywhere process.
a. Select the Send Adaptive Card to Starling Cloud Assistant process step.
b. Edit the value of the ParameterValue2 parameter and replace the name and
UID with the values of your customized adaptive card.
2. Save the changes.

To delete an adaptive card.

1. In the Manager, select the IT Shop > Basic configuration data > Adaptive
cards category.
2. Select the adaptive card in the result list.
3. Click in the result list.
This deletes the adaptive card and all the templates belonging to it.

Related topics
l Creating, editing, and deleting adaptive cards templates for requests on page 188
l Using adaptive cards for approvals on page 184
l Adding and deleting recipients and channels on page 185
l Deploying and evaluating adaptive cards for requests on page 189

Creating, editing, and deleting adaptive cards templates for requests
To use your own adaptive cards or to provide adaptive cards in other languages, create
your own adaptive card templates.

To create an adaptive card template

1. In the Manager, select the IT Shop > Basic configuration data > Adaptive
cards category.
2. Select the adaptive card in the result list.
3. Edit the adaptive card's main data.
4. Next to the Adaptive card templates menu, click .
5. In the Language menu, select a language for the adaptive card.
All active languages are shown. To use another language, in the Designer, enable the
corresponding countries. For more information, see the One Identity Manager
Configuration Guide.
6. In the Template field, enter a definition for the adaptive card.
l To display the entire JSON code, click .
You can use the Adaptive Card Designer from Microsoft or the Visual Studio Code
Plugin to help.
7. Save the changes.
8. In the Designer, check the QER_CloudAssistant_ApprovalAnywhere script and modify it
to suit your requirements.

To edit an adaptive card template

1. In the Manager, select the IT Shop > Basic configuration data > Adaptive
cards category.
2. In the result list, select the adaptive card whose template you want to edit.
3. Select the Change main data task.
4. In the Adaptive card templates menu, select a template.
5. In the Template field, edit the adaptive card definition.
l To edit the entire JSON code, click .
6. Save the changes.

To delete an adaptive card template

1. In the Manager, select the IT Shop > Basic configuration data > Adaptive
cards category.
2. In the result list, select the adaptive card whose template you want to delete.

3. Edit the adaptive card's main data.
4. In the Adaptive card templates menu, select the template.
5. Click next to the menu.
6. Save the changes.

Related topics
l Creating, editing, and deleting adaptive cards for requests on page 186
l Deploying and evaluating adaptive cards for requests on page 189

Deploying and evaluating adaptive cards for requests

Once an approver is determined in an approval step, the QER_PWOHelperPWO approve
anywhere process runs. The process is generated if the following conditions are fulfilled:
l The approver is registered as a recipient in Starling Cloud Assistant.
l A default email address is stored for the approver.
l The QER | Person | Starling | UseApprovalAnywhere configuration
parameter is set.
l An expiry time is entered in the QER | Person | Starling |
UseApprovalAnywhere | SecondsToExpire configuration parameter.
l Approval by multi-factor authentication is not set on the requested service item.

The process runs the QER_CloudAssistant_CreateMessage_PWOHelperPWO script, passing to it
the name and the UID of the adaptive card to send. The script creates the adaptive card
from the JSON template for adaptive cards and the data in the request and then sends it to
the approver. The QER_CloudAssistant_CheckMessage_PWOHelperPWO script checks if the
approver has sent a response, evaluates the response, and updates the request process
according to the approval decision.
NOTE: If you want to use your own adaptive cards template, check the QER_
CloudAssistant_CreateMessage_PWOHelperPWO, QER_CloudAssistant_CreateData_
PWOHelperPWO, and QER_CloudAssistant_CheckMessage_PWOHelperPWO scripts and adjust
them if necessary to reflect content changes in the template. For more information about
overriding scripts, see the One Identity Manager Configuration Guide.
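The card lifecycle described in this section and in "Using adaptive cards for approvals" (the generation conditions, the language-specific template with en-US fallback, and the SecondsToExpire timeout), modelled as one added Python example. It is not the QER_CloudAssistant_* scripts shipped with One Identity Manager. Assumed for the example: templates use ${name} placeholders filled from the request data, the approver's response is a dict with "decision", an optional "reason" and an optional "validUntil", and configuration parameters are keys of a plain dict. The templates, approver and request data are constructed.

```python
"""Hypothetical model of adaptive card gating, rendering and evaluation (added
example, not the product's QER_CloudAssistant_* scripts). Assumed: ${name}
placeholders; response dict with 'decision', 'reason', 'validUntil';
configuration parameters as dict keys. Templates and data are constructed."""
import json
import re
from datetime import datetime, timedelta, timezone

FALLBACK_LANGUAGE = "en-US"
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}")

# Minimal constructed templates; the shipped cards carry more (history, rule violations, link).
CARD_TEMPLATES = {
    "en-US": json.dumps({
        "type": "AdaptiveCard", "version": "1.3",
        "body": [
            {"type": "TextBlock", "text": "Approval required: ${product}"},
            {"type": "TextBlock", "text": "Requested by ${requester} for ${recipient}"},
            {"type": "TextBlock", "text": "Current approver: ${approver.name}"},
        ],
        "actions": [
            {"type": "Action.Submit", "title": "Approve", "data": {"decision": "approve"}},
            {"type": "Action.Submit", "title": "Deny", "data": {"decision": "deny"}},
        ],
    }),
    "de-DE": json.dumps({
        "type": "AdaptiveCard", "version": "1.3",
        "body": [
            {"type": "TextBlock", "text": "Genehmigung erforderlich: ${product}"},
            {"type": "TextBlock", "text": "Bestellt von ${requester} für ${recipient}"},
            {"type": "TextBlock", "text": "Aktueller Entscheider: ${approver.name}"},
        ],
        "actions": [
            {"type": "Action.Submit", "title": "Genehmigen", "data": {"decision": "approve"}},
            {"type": "Action.Submit", "title": "Ablehnen", "data": {"decision": "deny"}},
        ],
    }),
}


def card_can_be_sent(config: dict, approver: dict, service_item: dict) -> bool:
    """The five conditions under which the approve-anywhere process is generated."""
    return bool(
        approver.get("cloud_assistant_recipient")
        and approver.get("default_email")
        and config.get("QER | Person | Starling | UseApprovalAnywhere")
        and config.get("QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire") is not None
        and not service_item.get("approval_by_mfa")
    )


def select_template(templates: dict, language) -> tuple:
    """Exact language match, otherwise the en-US fallback described above."""
    if language in templates:
        return language, templates[language]
    return FALLBACK_LANGUAGE, templates[FALLBACK_LANGUAGE]


def render_card(template: str, data: dict) -> dict:
    """Fill placeholders after parsing the JSON, so request data (product names,
    reasons) can never alter the card's structure or add actions."""
    def resolve(match):
        value = data
        for part in match.group(1).split("."):
            value = value[part]
        return str(value)

    def walk(node):
        if isinstance(node, str):
            return PLACEHOLDER.sub(resolve, node)
        if isinstance(node, list):
            return [walk(item) for item in node]
        if isinstance(node, dict):
            return {key: walk(value) for key, value in node.items()}
        return node

    return walk(json.loads(template))


def build_card(config: dict, approver: dict, service_item: dict, request: dict):
    """Return (language, card) or None when the card must not be sent."""
    if not card_can_be_sent(config, approver, service_item):
        return None
    language, template = select_template(CARD_TEMPLATES, approver.get("language"))
    return language, render_card(template, request)


def evaluate_response(response: dict, sent_at: datetime, answered_at: datetime,
                      seconds_to_expire: int) -> dict:
    """Apply the answer unless the card expired; expired cards require the Web Portal."""
    if answered_at - sent_at > timedelta(seconds=seconds_to_expire):
        return {"status": "expired", "approved": None}
    decision = response.get("decision")
    if decision not in ("approve", "deny"):
        return {"status": "invalid", "approved": None}
    result = {"status": "decided", "approved": decision == "approve",
              "reason": response.get("reason", "")}
    if "validUntil" in response:
        result["valid_until"] = response["validUntil"]
    return result
```

Rendering substitutes values into the parsed JSON object rather than into the template text. A product name or reason containing quotes or braces therefore stays plain text inside a TextBlock and cannot change the card's actions, which is the property to preserve when you adapt the CreateMessage and CreateData scripts for a custom template.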

Related topics
l Creating, editing, and deleting adaptive cards templates for requests on page 188
l Creating, editing, and deleting adaptive cards for requests on page 186
l Using adaptive cards for approvals on page 184

Requests with limited validity period for
changed role memberships
If an employee changes their primary department (business role, cost center, or location),
they lose all company resources and system entitlements inherited through it. However, it
may be necessary for the employee to retain these company resources and system
entitlements for a certain period. Use temporary requests to retain the state of the
employee's current memberships. Inherited assignments are not removed until after the
validity period for this request has expired. The employee can renew the request with the
validity period.

Prerequisites
l Employee main data is modified by import.
l The import sets the session variable FullSync=TRUE.

To configure automatic requests for removal of role memberships
1. In the Designer, set the QER | ITShop | ChallengeRoleRemoval
configuration parameter.
2. In the Designer, set the QER | ITShop | ChallengeRoleRemoval |
DayOfValidity configuration parameter and enter a validity period for the request.
3. In the Designer, set the configuration parameters under QER | ITShop |
ChallengeRoleRemoval for roles whose primary memberships need to remain
intact when modified.
4. Commit the changes to the database.

NOTE: The configuration parameters are set by default. The validity period is set
to seven days.
If employee main data is modified by importing, One Identity Manager checks on saving
whether a primary role (for example Person.UID_Department) was modified or deleted. If
this is the case, VI_CreateRequestForLostRoleMembership is run. The script creates a
temporary assignment request for this role, which is granted approval automatically. Thus,
the employee remains a member of the role and retains their company resources and system
entitlements. The request is automatically canceled when the validity period expires.
The request can be renewed during the validity period. The request renewal must be
approved by the role manager. The request becomes permanent if approval is granted.
Role membership stays the same until the assignment is canceled.
TIP: The QER | ITShop | ChallengeRoleRemoval | ITShopOrg configuration
parameter specifies which product nodes to use for a limited validity period request of
modified role memberships. The Challenge loss of role membership product is
available by default in the Identity & Access Lifecycle | Identity Lifecycle shelf. You
can also add this product to your own IT Shop solution.
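The behaviour described above, modelled as an added Python example. It is not One Identity Manager's VI_CreateRequestForLostRoleMembership script. Assumed: an employee record is a dict of primary-role columns (the text names Person.UID_Department; UID_ProfitCenter and UID_Locality are assumed column names for cost center and location), the FullSync session variable and the configuration parameters are dict entries, and the per-role switches under QER | ITShop | ChallengeRoleRemoval are modelled as a set of protected column names rather than by their real parameter names. All data is constructed. The example shows the two gates (import with FullSync, parameter set), the auto-approved temporary request, expiry after DayOfValidity days, and a renewal approved by the role manager becoming permanent.

```python
"""Hypothetical model of 'challenge loss of role membership' (added example,
not the product's VI_CreateRequestForLostRoleMembership script). Assumed:
person record as dict of role columns; FullSync and parameters as dict
entries; protected roles as a set of column names. Data is constructed."""
from datetime import date, timedelta

CHALLENGE_PARAM = "QER | ITShop | ChallengeRoleRemoval"
DAYS_PARAM = "QER | ITShop | ChallengeRoleRemoval | DayOfValidity"
# UID_Department is named in the text; the other two column names are assumed.
ROLE_COLUMNS = ("UID_Department", "UID_ProfitCenter", "UID_Locality")


def lost_primary_roles(old: dict, new: dict, protected_columns) -> list:
    """Protected primary roles that the import changed or removed."""
    lost = []
    for column in ROLE_COLUMNS:
        previous = old.get(column)
        if column in protected_columns and previous and previous != new.get(column):
            lost.append((column, previous))
    return lost


def challenge_lost_memberships(old: dict, new: dict, session: dict, config: dict,
                               today: date, protected_columns=ROLE_COLUMNS) -> list:
    """Create auto-approved temporary requests that keep the employee in lost roles.

    Nothing happens unless the change comes from an import (FullSync=TRUE) and
    the QER | ITShop | ChallengeRoleRemoval parameter is set.
    """
    if not session.get("FullSync") or not config.get(CHALLENGE_PARAM):
        return []
    days = int(config.get(DAYS_PARAM, 7))  # seven days by default, as the text states
    requests = []
    for column, role_uid in lost_primary_roles(old, new, protected_columns):
        requests.append({
            "person": new["UID_Person"],
            "role_column": column,
            "role": role_uid,
            "valid_until": today + timedelta(days=days),
            "state": "assigned",
            "approved_by": "automatic",
            "permanent": False,
        })
    return requests


def expire_requests(requests: list, today: date) -> list:
    """Cancel temporary requests whose validity period has passed; permanent ones stay."""
    for req in requests:
        if req["state"] == "assigned" and not req["permanent"] and today > req["valid_until"]:
            req["state"] = "canceled"
    return requests


def renew_request(req: dict, approved_by_role_manager: bool) -> dict:
    """A renewal approved by the role manager makes the assignment permanent."""
    if req["state"] != "assigned":
        raise ValueError("only active temporary requests can be renewed")
    if approved_by_role_manager:
        req.update(valid_until=None, approved_by="role manager", permanent=True)
    return req
```

A manual change in the Manager does not set FullSync, so the same department move made by hand creates no challenge request; only imports that set the session variable trigger the protection, which is the prerequisite stated above.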

To use the "Challenge loss of role membership" product in your own IT Shop
1. Assign the Challenge loss of role membership assignment resource to one of
your own shelves.
2. In the Designer, edit the value of the QER | ITShop | ChallengeRoleRemoval |
ITShopOrg configuration parameter.
l Enter the full name or the UID of the new product node.

Related topics
l Configuration parameters for the IT Shop on page 242

Requests from permanently inactive employees
By default, permanently deactivated employees remain members of all customer nodes. This ensures that all pending requests and the resulting assignments are retained. One Identity Manager can be configured so that employees are automatically removed from all customer nodes once they are permanently deactivated. In that case, all pending requests are aborted and the remaining assignments are removed.

To remove employees from all customer nodes if they are permanently deactivated

l In the Designer, set the QER | ITShop | AutoCloseInactivePerson configuration parameter.

Deleting requests
To limit the number of request procedures in the One Identity Manager database, you can remove closed request procedures from the database. The request procedure properties are logged in the approval history at the same time; the requests are then deleted. Only closed requests whose retention period has not yet expired remain in the database.
If a request to be deleted still has dependent requests, it is only deleted after the dependent requests have been deleted. Dependent requests are requests that reference it in PersonWantsOrg.UID_PersonWantsOrgParent.

To delete requests automatically

1. In the Designer, set the QER | ITShop | DeleteClosed configuration parameter.
a. To delete canceled requests, set the QER | ITShop | DeleteClosed | Aborted configuration parameter and set the retention period in days.
b. To delete denied requests, set the QER | ITShop | DeleteClosed | Dismissed configuration parameter and set the retention period in days.
c. To delete unsubscribed requests, set the QER | ITShop | DeleteClosed | Unsubscribed configuration parameter and set the retention period in days.
2. In the Designer, set the Common | ProcessState | PropertyLog configuration parameter and compile the database.
This activates logging for deleted request procedures and their approval history. For more information about logging data changes, see the One Identity Manager Configuration Guide.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still run. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
INFORMATION: Ensure that the recorded request procedures are archived for audit reasons. For more information about the archiving process, see the One Identity Manager Data Archiving Administration Guide.

Closed requests are deleted by the DBQueue Processor once the request's retention period has expired. The retention period is calculated from the request's cancellation date; if that date is not available, the time at which the request was last changed is used instead. The DBQueue Processor determines the requests to be deleted as part of the daily maintenance tasks. All request procedure properties are logged in the approval history before deletion.
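The retention and dependency rules above, as an added example that is not part of the original guide and not One Identity Manager code: a Python model of one daily maintenance pass. The state names Aborted, Dismissed and Unsubscribed mirror the configuration parameter names; the retention values, the record layout and the field names other than the parent reference are assumptions made for the example. It shows the fallback to the last-change time when no cancellation date exists, and that a parent request is held back until every dependent request is deletable.

```python
"""One daily maintenance pass selecting closed requests for deletion
(constructed example, not One Identity Manager code). Retention values,
record layout and field names other than the parent reference are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Retention period in days per closed state, as it would be configured on
# QER | ITShop | DeleteClosed | Aborted / Dismissed / Unsubscribed (values assumed).
RETENTION_DAYS = {"Aborted": 30, "Dismissed": 90, "Unsubscribed": 180}


@dataclass
class Request:
    uid: str
    state: str                        # "Assigned" (still open) or a closed state above
    closed_at: Optional[datetime]     # cancellation date; may be missing
    last_changed: datetime            # fallback basis when closed_at is missing
    parent_uid: Optional[str] = None  # PersonWantsOrg.UID_PersonWantsOrgParent


def retention_expired(request: Request, now: datetime) -> bool:
    """Open requests are never deleted; closed ones only after their retention period."""
    if request.state not in RETENTION_DAYS:
        return False
    basis = request.closed_at or request.last_changed
    return now >= basis + timedelta(days=RETENTION_DAYS[request.state])


def select_for_deletion(requests: List[Request], now: datetime) -> List[str]:
    """Return the UIDs to delete in this pass, dependents before their parent.
    A parent whose dependents are not all deletable yet stays until a later pass."""
    by_uid: Dict[str, Request] = {r.uid: r for r in requests}
    children: Dict[str, List[str]] = {}
    for r in requests:
        if r.parent_uid in by_uid:        # a parent already gone no longer blocks anything
            children.setdefault(r.parent_uid, []).append(r.uid)

    order: List[str] = []
    decided: Dict[str, bool] = {}

    def deletable(uid: str) -> bool:
        if uid in decided:
            return decided[uid]
        decided[uid] = False              # guards against reference cycles
        result = retention_expired(by_uid[uid], now) and all(
            deletable(child) for child in children.get(uid, []))
        decided[uid] = result
        if result:
            order.append(uid)             # appended only after its children
        return result

    for r in requests:
        deletable(r.uid)
    return order
```

Running the pass once per day over the same records reproduces the guide's rule: the parent is skipped while a dependent request is still open, and it is picked up in a later pass, after the dependent, once that request has been closed for its own retention period.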

4 Managing an IT Shop

Depending on your company structure, you can use the supplied default shop, Identity & Access Lifecycle, and extend it, or set up your own IT Shop solution. Set up different IT Shop structures for your custom IT Shop solution and specify which employees are authorized to make requests in the shops.

To set up an IT Shop solution with the IT Shop wizard

l In the Manager, select the My One Identity Manager > IT Shop wizards > Create shop category.
The wizard covers the most important configuration stages for setting up an IT Shop. After completing the wizard, further configuration steps may be necessary.

IT Shop structures such as shopping centers, shops, and shelves are mapped in the IT
Shop > IT Shop category. An IT Shop solution is displayed hierarchically.
The following sections describe the procedure for manually setting up an IT Shop.

IT Shop base data

Various base data is required to construct an IT Shop:
l Processing status
Processing statuses pass on the status of single approval steps. You can set the processing status for each approval step in the approval workflow depending on whether the approval decision was negative or positive. Depending on the result of the approval decision, the appropriate processing status is set for the request.
For more information, see Processing status on page 195.
l Standard reasons
Standard reasons are predefined reasons that can be selected in the Web Portal when
making approval decisions.
For more information, see Standard reason for requests on page 196.

l Approval policies
One Identity Manager uses approval policies to determine the approver for each
request process.
For more information, see Approval policies for requests on page 81.
l Approval workflows
Approval workflows define all the necessary steps for making approval decisions for
request processes.
For more information, see Approval workflows for requests on page 85.
l Approval procedure
Approval procedures are used to find the approvers required for an approval step.
For more information, see Setting up approval procedures on page 117.
l Mail templates
Mail templates are used to send email messages to requesters and approvers.
For more information, see Custom mail templates for notifications on page 227.
l Adaptive cards
To allow approvers who temporarily do not have access to One Identity Manager
tools to approve requests, you can send adaptive cards.
For more information, see Creating, editing, and deleting adaptive cards for requests
on page 186.
l Role classes
Use role classes to specify which company resources can be requested through the IT
Shop. At the same time, you decide which company resources may be assigned as
products to shelves and IT Shop templates.
For more information, see Role classes for the IT Shop on page 198.
l Role types
Role types are used to group roles into a role class. Within the IT Shop, role types can be used to group shops and to restrict the effective approval policies for a shelf.
For more information, see Role types for the IT Shop on page 199.
l Business partners
In One Identity Manager, you can enter the data for external businesses that could act as manufacturers, suppliers, or partners. You assign a manufacturer to a service item.
For more information, see Business partners on page 199.
l Functional areas
To analyze rule checks for different areas of your company in the context of identity
audit, you can set up functional areas. Moreover, functional areas can be replaced by
peer group analysis during request approvals or attestation cases. Functional areas
can be assigned to service items.

For more information, see Functional areas on page 201.
l Service categories
Service categories are used to group service items and make them available in the
Web Portal.
For more information, see Entering service categories on page 35.
l Tags
Product owners are able to add tags to their products. These tags can be used as
search criteria by requests in the Web Portal.
For more information, see Entering tags on page 49.
l Request properties
Requests can be given additional information through product-specific request properties such as the specific details of a product, its size, or color. A request property gathers together all the additional features that can be specified when requesting a product.
For more information, see Entering product-specific request properties on page 39.
l Chief approval team
There is a default application role in One Identity Manager for the chief approval
team. Assign employees to this application role, who are authorized to approve,
deny, cancel requests, or to authorize other approvers in special cases.
For more information, see Chief approval team on page 202.
l Product owners
A default application role for product owners is available in One Identity Manager.
Assign the employees to this application role, who are authorized to approve
requests and edit the main data of service items or service categories.
For more information, see Product owners on page 203.
l Attestors
A default application role for attestors is available in One Identity Manager. Assign
the employees to this application role, who are authorized to attest IT Shop
structures.
For more information, see Attestors on page 204.

Processing status
Processing statuses pass on the status of single approval steps. You can set the processing status for each approval step in the approval workflow depending on whether the approval decision was negative or positive. Depending on the result of the approval decision, the appropriate processing status is set for the request.

To edit processing statuses

1. In the Manager, select the IT Shop > Basic configuration data > Processing status category.
2. In the result list, select a processing status and run the Change main data task.
- OR -
Click the Add button in the result list.
3. Edit the processing status's main data.
4. Save the changes.

Enter the following properties for a processing status.

Table 62: General main data of a processing status

Processing status: Name of the processing status.
Success: Specifies whether the processing status marks the success of the processing step.
Closed: Specifies whether the processing status marks processing as complete.
Sort order: Order in which the processing statuses can be set.
Description: Text field for additional explanation.

Related topics
l Properties of an approval step on page 90

Standard reason for requests

For requests or the approval of requests, you can specify reasons in the Web Portal that explain the request sequence and the individual approval decisions. You can formulate this text freely. You also have the option to predefine reasons. Approvers can select a suitable text from these standard reasons in the Web Portal and store it with the request. Standard reasons are displayed in the approval history and the request details.

To create or edit standard reasons

1. In the Manager, select the IT Shop > Basic configuration data > Standard reasons category.
2. Select a standard reason in the result list and run the Change main data task.
- OR -
Click the Add button in the result list.
3. Edit the main data of the standard reason.
4. Save the changes.

Enter the following properties for the standard reason.

Table 63: General main data of a standard reason

Standard reason: Reason text as displayed in the Web Portal and in the approval history.
Description: Text field for additional explanation.
Automatic approval: Specifies whether the reason text is only used for automatic approvals by One Identity Manager. Such a standard reason cannot be selected for manual approvals in the Web Portal. Do not set this option if you want to be able to select the standard reason in the Web Portal.
Additional text required: Specifies whether an additional reason must be entered as free text for the approval.
Usage type: Usage type of the standard reason. Assign one or more usage types to allow filtering of the standard reasons in the Web Portal.

Related topics
l Predefined standard reasons for requests on page 197

Predefined standard reasons for requests

One Identity Manager provides predefined standard reasons. These are added to the request by One Identity Manager during automatic approval. You can use the usage type to specify which standard reasons can be selected in the Web Portal.

To change the usage type

1. In the Manager, select the IT Shop > Basic configuration data > Standard reasons > Predefined category.
2. Select the standard reason whose usage type you want to change.
3. Select the Change main data task.
4. In the Usage type menu, set all the actions for which you want to display the standard reason in the Web Portal.
Unset all the actions for which you do not want to display the standard reason.
5. Save the changes.

Related topics
l Standard reason for requests on page 196

Role classes for the IT Shop

Role classes form the basis for mapping IT Shop structures in One Identity Manager. The following role classes are available by default in One Identity Manager:
l IT Shop structure
l IT Shop template (if the QER | ITShop | Templates configuration parameter is set)

Use role classes to specify which company resources can be requested through the IT Shop.
At the same time, you decide which company resources may be assigned as products to
shelves and IT Shop templates.
The following options define which company resources may be assigned to IT Shop
structures and IT Shop templates:
l Assignments allowed
This option specifies whether the assignment of the relevant company resources is
permitted in general.
l Direct assignments allowed
This option specifies whether the relevant company resources can be directly
assigned.

NOTE: Company resources are always assigned directly to shelves and IT Shop
templates. Therefore, always enable and disable both options.

To configure assignment to IT Shop structures and IT Shop templates

1. In the Manager, select the IT Shop > Basic configuration data > Role classes category.
2. In the result list, select the role class.
3. Select the Configure role assignments task.
4. In the Role assignments column, select a company resource.
Enable the Assignments permitted option to specify that assignment is generally allowed.
Enable the Direct assignment permitted option to specify that direct assignment is allowed.
Disable the options if the assignment is not allowed.
INFORMATION: You can only disable the options if there are no assignments of the respective objects to IT Shop structures or IT Shop templates.
5. Save the changes.

Role types for the IT Shop
Create role types in order to classify roles. You can use role types to limit the approval
policies in effect for shelves. To do this, assign role types to shelves and approval policies.
You can also assign role types to shops if you want to apply further criteria to distinguish
between shops. Role types for shops do not, however, influence how the approval policies
in effect are determined.

To edit a role type

1. In the Manager, select the IT Shop > Basic configuration data > Role types category.
2. In the result list, select the role type and run the Change main data task.
- OR -
Click the Add button in the result list.
3. Enter a name and detailed description for the role type.
4. Save the changes.

Related topics
l Determining the effective approval policies on page 98

Business partners
In One Identity Manager, you can enter the data for external businesses that could act as manufacturers, suppliers, or partners. You assign a manufacturer to a service item.

To edit business partners

1. In the Manager, select the IT Shop > Basic configuration data > Business partners category.
2. In the result list, select a business partner and run the Change main data task.
- OR -
Click the Add button in the result list.
3. Edit the business partner's main data.
4. Save the changes.

Enter the following data for a company.

Table 64: General main data of a company

Company: Short description of the company for the views in One Identity Manager tools.
Name: Full company name.
Surname prefix: Additional company name.
Short name: Company's short name.
Contact: Contact person for the company.
Partner: Specifies whether this is a partner company.
Customer number: Customer number at the partner company.
Supplier: Specifies whether this is a supplier.
Customer number: Customer number at the supplier.
Leasing partner: Specifies whether this is a leasing provider or rental firm.
Manufacturer: Specifies whether this is a manufacturer.
Remarks: Text field for additional explanation.

Table 65: Company address

Street: Street or road.
Building: Building.
Zip code: Zip code.
City: City.
State: State.
Country: Country.
Phone: Company's telephone number.
Fax: Company's fax number.
Email address: Company's email address.
Website: Company's website. Click the button next to the field to open the web page in the default web browser.

Functional areas
To analyze rule checks for different areas of your company in the context of identity audit,
you can set up functional areas. Functional areas can be assigned to hierarchical roles and
service items. You can enter criteria that provide information about risks from rule
violations for functional areas and hierarchical roles. To do this, you specify how many rule
violations are permitted in a functional area or a role. You can enter separate assessment
criteria for each role, such as a risk index or transparency index.
Moreover, functional areas can be replaced by peer group analysis during request
approvals or attestation cases.

Example: Use of functional areas

To assess the risk of rule violations for service items, proceed as follows:

1. Set up functional areas.
2. Assign service items to the functional areas.
3. Specify the number of rule violations allowed for the functional area.
4. Assign the compliance rules required for the analysis to the functional area.
5. Use the One Identity Manager report function to create a report that prepares the result of rule checking for the functional area by any criteria.

To create or edit a functional area

1. In the Manager, select the IT Shop > Basic configuration data > Functional areas category.
2. In the result list, select a functional area and run the Change main data task.
- OR -
Click the Add button in the result list.
3. Edit the functional area's main data.
4. Save the changes.

Enter the following data for a functional area.

Table 66: Functional area properties

Functional area: Description of the functional area.
Parent functional area: Parent functional area in a hierarchy. Select a parent functional area from the list to organize your functional areas hierarchically.
Max. number of rule violations: Number of rule violations permitted for this functional area. This value can be evaluated during the rule check.
NOTE: This property is available if the Compliance Rules Module is installed.
Description: Text field for additional explanation.

Related topics
l Approval by peer group analysis on page 139

Chief approval team


Sometimes, approval decisions cannot be made for requests because the approver is not
available or does not have access to One Identity Manager tools. To complete these
requests, you can define a chief approval team whose members are authorized to intervene
in the approval process at any time.
There is a default application role in One Identity Manager for the chief approval team.
Assign this application role to all employees who are authorized to approve, deny, cancel
requests in special cases, or to authorize other approvers. For detailed information about
application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 67: Default application role for chief approval team

Chief approval team: Chief approvers must be assigned to the Request & Fulfillment | IT Shop | Chief approval team application role.
Users with this application role:
l Approve requests.
l Assign requests to other approvers.

To add members to the chief approval team

1. In the Manager, select the IT Shop > Basic configuration data > Chief approval team category.
2. Select the Assign employees task.
In the Add assignments pane, assign the employees who are authorized to approve all requests.
TIP: In the Remove assignments pane, you can remove the assignment of employees.

To remove an assignment
l Select the employee and double-click the Remove button.
3. Save the changes.

Detailed information about this topic


l Approval by the chief approval team on page 149

Product owners
Employees who act as approvers in approval processes for requesting service items can be assigned to these service items. To do this, assign a service item or a service category to an application role for product owners. Assign employees to this application role who are authorized to approve requests in the IT Shop and to edit service item or service category main data.
A default application role for product owners is available in One Identity Manager. You may
create other application roles as required. For detailed information about application roles,
see the One Identity Manager Authorization and Authentication Guide.

Table 68: Default application roles for product owners

Product owners: Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.
Users with this application role:
l Approve requests.
l Edit service items and service categories under their management.

To add employees to the default application role for product owners

1. In the Manager, select the IT Shop > Basic configuration data > Product owners category.
2. Select the Assign employees task.
In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove employee assignments.

To remove an assignment
l Select the employee and double-click the Remove button.
3. Save the changes.

To add another application role for product owners

1. In the Manager, select the IT Shop > Basic configuration data > Product owners category.
2. Click the Add button in the result list.
3. Enter at least the application role's name and, in the Parent application role menu, select the Request & Fulfillment | IT Shop | Product owners application role or a child role.
4. Save the changes.
5. Assign employees to the application role.

Related topics
l Deleting unused application roles for product owners on page 79

Attestors
NOTE: This function is only available if the Attestation Module is installed.
In One Identity Manager, you can assign attestors to IT Shop structures (shelves, shops, shopping centers, service categories, and shelf templates) so that they attest these objects. To do this, assign the IT Shop structures to application roles for attestors, and assign these application roles to the employees who are authorized to attest these objects and their assignments.
For detailed information about attestation, see the One Identity Manager Attestation
Administration Guide.
A default application role for attestors is available in One Identity Manager. You may create
other application roles as required. For detailed information about application roles, see the
One Identity Manager Authorization and Authentication Guide.

Table 69: Default application roles for attestors

Attestors for IT Shop: Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.
Users with this application role:
l Attest correct assignment of company resources to the IT Shop structures for which they are responsible.
l Attest objects that have service items assigned to them.
l Can view main data for these IT Shop structures but not edit them.
NOTE: This application role is available if the Attestation Module is installed.

To add employees to the default application role for attestors

1. In the Manager, select the IT Shop > Basic configuration data > Attestors category.
2. Select the Assign employees task.
In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove employee assignments.

To remove an assignment
l Select the employee and double-click the Remove button.
3. Save the changes.

To add another application role for attestors

1. In the Manager, select the IT Shop > Basic configuration data > Attestors category.
2. Click the Add button in the result list.
3. Enter at least the application role's name and, in the Parent application role menu, select the Request & Fulfillment | IT Shop | Attestors application role or a child role.
4. Save the changes.
5. Assign employees to the application role.

Related topics
l General main data for service items on page 22
l Main data for service categories on page 35
l General main data of IT Shop structures on page 206
l General main data of a shelf template on page 221

Setting up IT Shop structures

Depending on the company structure, you can optionally define shopping centers for your IT Shop solution, in which several shops are brought together under one roof. Always add a shopping center at the top level of the IT Shop. Shopping centers cannot be nested.
Each shop contains a number of shelves from which customers can request products. You can add a shop at the top level of the IT Shop or under a shopping center. Shops cannot be nested.
The products available for request are placed on shelves. Shelves are set up under each shop.

IMPORTANT: If a shop contains a large number of customers, the calculations in the IT Shop can cause a heavy load on the DBQueue Processor and therefore on the database server as well.
Structure the IT Shop so that no more than 30,000 customers can make requests in each shop. If necessary, set up your own shopping center with several shops and customer nodes.

Detailed information about this topic


l Adding IT Shop structures on page 206
l Additional tasks for IT Shop structures on page 208
l Deleting IT Shop structures on page 215

Adding IT Shop structures

To set up a shopping center, a shop, or a shelf

1. In the Manager, select the IT Shop > IT Shop category.
2. Click the Add button in the result list.
3. Edit the shopping center's, shop's, or shelf's main data.
4. Save the changes.

Detailed information about this topic


l General main data of IT Shop structures on page 206
l Custom main data of IT Shop structures on page 208

General main data of IT Shop structures


On the General tab, enter the following main data of a shopping center, shop, or a shelf.

Table 70: General main data of an IT Shop structure

IT Shop node: IT Shop structure name.
Internal name: Internal IT Shop structure name.
IT Shop information: The structure of the IT Shop is governed by this data. In the menu, select Shopping center, Shop, or Shelf. The menu is only displayed when you insert a new IT Shop structure.
Role type: Role type for classifying shops and shelves. In the menu, select a role type.
l Shopping center: N/A
l Shop: You can use role types to classify shops further. The role type for shops does not influence how the approval policies in effect are determined.
l Shelf: You can use role types to limit the approval policies in effect.
Shelf template: Template for automatically filling shelves.
l Shopping center: Select a shopping center template from the menu. A shopping center template cannot be assigned until the shopping center has been saved in the database.
l Shop: N/A
l Shelf: For shelves created by automatic filling of the shop, the reference to the shelf template used is entered. Shelf templates are only assigned automatically.
Parent IT Shop node: Parent IT Shop node in the IT Shop hierarchy.
l Shopping center: Leave this empty. Shopping centers always form the root node of an IT Shop.
l Shop: If the shop is at the top level of an IT Shop, this field stays empty. If the shop is in a shopping center, select the shopping center from the menu. You can use this input field to add shops to shopping centers later.
l Shelf: In the menu, select the shop to add the shelf to. After the shelf has been saved, the shop cannot be changed again.
Full name: Full name of the IT Shop structure.
Location: Location of the IT Shop structure. You can use this input when creating approval policies for requests from this shopping center, shop, or shelf.
Department: Department the IT Shop structure belongs to. You can use this input when creating approval policies for requests from this shopping center, shop, or shelf.
Cost center: Cost center of the IT Shop structure. You can use this input when creating approval policies for requests from this shopping center, shop, or shelf.
Owner: The employee responsible for the IT Shop structure. You can use this input when creating approval policies for requests from this shopping center, shop, or shelf.
2nd Manager: The owner's deputy. You can use this input when creating approval policies for requests from this shopping center, shop, or shelf.
Attestors: Application role whose members are authorized to approve attestation cases for this IT Shop structure. To create a new application role, click the Add button next to the field, enter the application role name, and assign a parent application role.
NOTE: This property is available if the Attestation Module is installed.
Description: Text field for additional explanation.
Certification status: Certification status of the IT Shop structure. You can select the following certification statuses:
l New: The IT Shop structure was newly added to the One Identity Manager database.
l Certified: The IT Shop structure's main data was granted approval by the manager.
l Denied: The IT Shop structure's main data was denied approval by the manager.

Detailed information about this topic


l Role types for the IT Shop on page 199
l Templates for automatically filling the IT Shop on page 217
l Attestors on page 204

Related topics
l Determining the effective approval policies on page 98

Custom main data of IT Shop structures


Additional company-specific information. Use the Designer to customize display names,
formats, and templates for the input fields.

Additional tasks for IT Shop structures


After you have entered the main data, you can run the following tasks.

The IT Shop structure overview
To obtain an overview of a shopping center

1. In the Manager, select the IT Shop > IT Shop category.
2. Select the shopping center in the result list.
3. Select the Shopping center overview task.

To obtain an overview of a shop

1. In the Manager, select the IT Shop > IT Shop or the IT Shop > IT Shop >
<shopping center> category.
2. Select the shop in the result list.
3. Select the Shop overview task.

To obtain an overview of a shelf

1. In the Manager, select the IT Shop > IT Shop > <shop> or the IT Shop > IT
Shop > <shopping center> > <shop> category.
2. Select the shelf in the result list.
3. Select the Shelf overview task.

Assigning approval policies

You can assign approval policies to shopping centers, shops, and shelves. These are applied to all requests from this IT Shop structure if neither a child IT Shop structure nor the requested service item is assigned an approval policy. The approval policy that takes effect on the IT Shop structure is shown in the overview.
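The precedence stated above (the service item's own policies first, then the nearest IT Shop structure from the shelf upwards that has policies assigned), as an added example that is not part of the original guide and not One Identity Manager code: a Python resolver over a constructed IT Shop tree. The node and policy names are assumptions, and the restriction of shelf policies by role type described under the role type property is deliberately not modeled here.

```python
"""Resolver for the approval policies in effect for a request
(constructed example, not One Identity Manager code). Node and policy names
are assumptions; role-type restrictions on shelves are not modeled."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ITShopNode:
    name: str
    kind: str                                  # "Shopping center", "Shop" or "Shelf"
    parent: Optional["ITShopNode"] = None      # shelf -> shop -> shopping center
    policies: List[str] = field(default_factory=list)


@dataclass
class ServiceItem:
    name: str
    policies: List[str] = field(default_factory=list)


def effective_policies(item: ServiceItem, shelf: ITShopNode) -> Tuple[Optional[str], List[str]]:
    """Return (level, policies): the service item's own policies win; otherwise
    the first IT Shop structure from the shelf upwards that has policies assigned."""
    if item.policies:
        return ("Service item", list(item.policies))
    node: Optional[ITShopNode] = shelf
    while node is not None:
        if node.policies:
            return (node.kind, list(node.policies))
        node = node.parent
    return (None, [])        # nothing assigned anywhere: no policy in effect


def build_sample_shop() -> Tuple[ITShopNode, ITShopNode, ITShopNode]:
    """Constructed tree: one shopping center with a shop and a shelf, policies only at the top."""
    center = ITShopNode("Sample Center", "Shopping center", policies=["Center-Policy"])
    shop = ITShopNode("Sample Shop", "Shop", parent=center)
    shelf = ITShopNode("Sample Shelf", "Shelf", parent=shop)
    return center, shop, shelf
```

Walking the tree this way makes the practical consequence visible: assigning a policy to a shop or shelf silently stops the shopping center's policy from applying to requests from that branch, which is why the effective policy shown in the structure overview should be checked after every assignment change.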

To assign an IT Shop structure to an approval policy.

1. In the Manager, select the IT Shop > IT Shop or the IT Shop > IT Shop > <IT
Shop Structure> category.
2. Select the IT Shop structure in the result list.
3. Select the Assign approval policies task.
In the Add assignments pane, assign the approval policies.
TIP: In the Remove assignments pane, you can remove approval policy
assignments.

To remove an assignment
l Select the approval policy and double-click.
4. Save the changes.

Related topics
l Approval processes for IT Shop requests on page 81

Assigning requestable products to shelves


Assign a shelf those company resources that the shop customers are permitted to request
as products. These company resources are added as product nodes below the shelf. You
can only select those company resources that are labeled with the IT Shop option and to
which a service item is assigned.
To assign company resources, select one of the tasks in the task view. The tasks are only
shown if the Assignments permitted and Direct assignment permitted options are
enabled for the IT Shop structure role class.

To assign company resources as products to a shelf

1. In Manager, select the IT Shop > IT Shop > <shop> category or the IT Shop >
IT Shop > <shopping center> > <shop> category.
2. Select the shelf in the result list.
3. Select the Assign <company resource> task.
In the Add assignments pane, assign company resources.
TIP: In the Remove assignments pane, you can remove company resource assignments.

To remove an assignment
l Select the company resource and double-click.
4. Save the changes.

Related topics
l Preparing products for requesting on page 21
l Assigning and removing products on page 51
l Role classes for the IT Shop on page 198

Setting up a customer node


Set up only one customer node for each shop to facilitate customer administration. Add the
employees to this customer node who are permitted to request products from this shop.
IMPORTANT: If a shop contains a large number of customers, the calculations in the IT
Shop can cause a heavy load on the DBQueue Processor and therefore on the database
server, as well.

Ensure that no more than 30,000 employees are members in a customer node. If
necessary, set up your own shopping center with several shops and customer nodes.

Adding customer nodes


To set up a customer node

1. In Manager, select the IT Shop > IT Shop > <shop> category or the IT Shop >
IT Shop > <shopping center> > <shop> category.
2. Click in the result list.
3. Edit the customer node's main data.
4. Save the changes.

General main data of customer nodes


Enter the following main data of a customer node:

Table 71: General main data of a customer node

IT Shop node: IT Shop structure name.
Internal name: Internal IT Shop structure name.
IT Shop information: Labels the IT Shop structure as customer node. In the menu, select
    Customers. The menu is only displayed when you insert a new IT Shop structure.
Role type: Not relevant.
Shelf template: N/A.
Parent IT Shop node: Parent IT Shop nodes in the IT Shop hierarchy. Select the shop to
    which the customer node will be added. Only one customer node is allowed per shop.
Full name: Full identifier of the customer node.
Location: N/A.
Department: N/A.
Cost center: N/A.
Owner: N/A.
Deputy manager: N/A.
Attestors: N/A.
Description: Text field for additional explanation.
Dynamic roles not allowed: Specifies whether a dynamic role can be created for the
    customer node.

Related topics
l Assigning employees through dynamic roles on page 213

Custom main data of customer nodes


Additional company-specific information. Use the Designer to customize display names,
formats, and templates for the input fields.

Additional tasks for customer nodes


After you have entered the main data, you can run the following tasks.

The entitled customers overview


To obtain an overview of a customer node

1. In the Manager, select the IT Shop > IT Shop > <shop> > Customers or IT
Shop > IT Shop > <shopping center> > <shop> > Customers category.
2. Select the Entitled customers overview task.

Assigning employees directly


Add an employee who is authorized to make requests for the shop to the customer node.
You have two possible ways of doing this. Employees can be assigned to a customer node
either directly or through a dynamic role.

IMPORTANT: If a shop contains a large number of customers, the calculations in the IT
Shop can cause a heavy load on the DBQueue Processor and therefore on the database
server, as well.
Never assign more than 30,000 employees to a customer node.

To assign employees directly to a customer node

1. In the Manager, select the IT Shop > IT Shop > <shop> > Customers or IT
Shop > IT Shop > <shopping center> > <shop> > Customers category.
2. Select the Assign employees task.
In the Add assignments pane, assign the employees authorized to make requests.
TIP: In the Remove assignments pane, you can remove assigned employees.

To remove an assignment
l Select the employee and double-click.
3. Save the changes.

If an employee is removed from a customer node, all pending requests for this employee
are canceled.

Related topics
l Assigning employees through dynamic roles on page 213

Assigning employees through dynamic roles


Add an employee who is authorized to make requests for the shop to the customer node.
You have two possible ways of doing this. Employees can be assigned to a customer node
either directly or through a dynamic role.
NOTE: The Create dynamic role task is only available for customer nodes that do not
have Dynamic roles not allowed set.
IMPORTANT: If a shop contains a large number of customers, the calculations in the IT
Shop can cause a heavy load on the DBQueue Processor and therefore on the database
server, as well.
Formulate the condition for the dynamic role so that no more than 30,000
employees are found.

To create a dynamic role

1. In the Manager, select the IT Shop > IT Shop > <shop> > Customers or IT
Shop > IT Shop > <shopping center> > <shop> > Customers category.
2. Select the Create dynamic role task.
3. Enter the required main data.
4. Save the changes.

To edit a dynamic role

1. In the Manager, select the IT Shop > IT Shop > <shop> > Customers or IT
Shop > IT Shop > <shopping center> > <shop> > Customers category.
2. Select the Entitled customers overview task.
3. Select the Dynamic roles form element and click on the dynamic role.
4. Select the Change main data task and edit the dynamic role's main data.
5. Save the changes.

For more information about dynamic roles, see the One Identity Manager Identity
Management Base Module Administration Guide. The following features apply to dynamic
roles for customer nodes:

Table 72: Properties of a customer node dynamic role

IT Shop node: This data is initialized with the selected customer node. If the employee
    objects meet the dynamic role conditions, they are added to this customer node.
Object class: Employee
Dynamic role: The dynamic role name is made up of the object class and the full name of
    the IT Shop node by default.
Calculation schedule: Schedule for calculating dynamic roles. Employees with request
    permissions for the shop are determined regularly at the times specified in the
    schedule.
    In the default installation of One Identity Manager, the Dynamic roles check
    schedule is already defined. All dynamic role memberships are checked using this
    schedule and recalculation operations are sent to the DBQueue Processor if
    necessary. Use the Designer to customize schedules or set up new ones to meet
    your requirements. For more information, see the One Identity Manager
    Operational Guide.

To delete a dynamic role

1. In the Manager, select the IT Shop > IT Shop > <shop> > Customers or IT
Shop > IT Shop > <shopping center> > <shop> > Customers category.
2. Select the Entitled customers overview task.
3. Select the Dynamic roles form element and click on the dynamic role.
4. In the Manager's toolbar, click .
5. Confirm the security prompt with Yes.

Related topics
l Assigning employees directly on page 212

Deleting IT Shop structures
In order to delete IT Shop structures, you have to remove all the child IT Shop structures.
This applies to manually added IT Shop structures in the same way as it does for shelves
and products created from shelf templates.

Detailed information about this topic


l Deleting customer nodes on page 215
l Deleting shelves on page 215
l Deleting shops on page 216
l Deleting shopping centers on page 216

Deleting customer nodes


To delete a customer node

1. In Manager, select the IT Shop > IT Shop > <shop> category or the IT Shop >
IT Shop > <shopping center> > <shop> category.
2. Select the customer node in the result list.
3. Remove all assigned employees.
l If the customer node was filled using a dynamic role, delete the
dynamic role first.
4. Click in the result list.
5. Confirm the security prompt with Yes.

Detailed information about this topic


l Additional tasks for customer nodes on page 212

Deleting shelves
If a shelf is going to be completely dissolved, you need to remove all the product
assignments from the shelf first.

To delete a shelf

1. In Manager, select the IT Shop > IT Shop > <shop> category or the IT Shop >
IT Shop > <shopping center> > <shop> category.
2. Select the shelf in the result list.

3. Remove all product assignments to the shelf.
The next time the DBQueue Processor runs, all pending requests for the products are
closed and approved requests are canceled. Then you can delete the shelf.
4. Click in the result list.
5. Confirm the security prompt with Yes.

To delete a shelf that resulted from a special shelf template

1. Cancel approved requests from this shelf.


2. Cancel pending requests.
3. Remove shelf template assignments to the shop.

NOTE: Shelves that have been created from a global shelf template or a shopping center
template cannot be deleted.

Detailed information about this topic


l Removing products from shelves on page 53
l Assigning shelf templates to shops and shopping center templates on page 224

Deleting shops
If you want to delete a shop, delete the customer node and existing shelves beforehand.

To delete a shop

1. In the Manager, select the IT Shop > IT Shop or the IT Shop > IT Shop >
<shopping center> category.
2. Select the shop in the result list.
3. Delete the customer node.
4. Delete all shelves.
5. Click in the result list.
6. Confirm the security prompt with Yes.

Detailed information about this topic


l Deleting customer nodes on page 215
l Deleting shelves on page 215

Deleting shopping centers


If you want to delete a shopping center, delete all shops first.

To delete a shopping center

1. In the Manager, select the IT Shop > IT Shop category.


2. Select the shopping center template in the result list.
3. Delete all shops.
4. Click in the result list.
5. Confirm the security prompt with Yes.

Detailed information about this topic


l Deleting shops on page 216

Templates for automatically filling the IT Shop
You can create templates for setting up shelves automatically. Use templates when you
want to set up shelves in several shops or shopping centers with the same products.

Table 73: Templates overview

Global shelf templates: A global shelf template is automatically distributed to all shops
    within the IT Shop solution. A corresponding shelf with products is added to each
    shop. If a new shop is created within the IT Shop solution, the global shelf
    template is immediately applied to the shop.
    NOTE: Global shelf templates are not distributed to default shops.
Special shelf templates: A special shelf template is manually assigned to one or more
    shops. A corresponding shelf with products is added in these shops. A special
    template can additionally be distributed to shopping center templates.
Shopping center templates: A shopping center template references one or more shopping
    centers. You can only assign shopping center templates to shopping centers. Once
    you assign a special shelf template to a shopping center template, a corresponding
    shelf is added to all the shops in the shopping center.

In order to simplify understanding, these templates are given the umbrella term shelf
templates in the following.

To use shelf templates
l In the Designer, set the QER | ITShop | Templates configuration parameter.
NOTE: If you disable the configuration parameter at a later date, model components
and scripts that are no longer required are disabled. SQL procedures and
triggers are still carried out. For more information about the behavior of
preprocessor-relevant configuration parameters and conditional compiling, see the One
Identity Manager Configuration Guide.

The following is valid for all shelf templates:


l If a template is modified, the changes are passed on to all shelves created from this
shelf template.
l If a shelf template is deleted, all the shelves that originated from it are deleted from
the shop. Outstanding requests are completed.
l Shelf templates can only be deleted when their assigned products and approval
policies have been removed.

The following diagram illustrates the shelf templates that can be set up, their assignments,
and the resulting IT Shop solution.

Figure 12: Assigning shelf templates

Using shelf templates in an IT Shop solution
To create the different shelf templates and implement them in an IT Shop solution, do the following:

Global shelf templates

1. Create a global shelf template.


2. Assign products and approval policies to global shelf template.

The global shelf template is automatically reproduced in all shops in the IT Shop. The shelves
that are created are linked to the global shelf template from which they originate. The
products are transferred from the template to the shelf that is created from the template.
NOTE: Global shelf templates are not distributed to default shops.

Special shelf template

1. Create a special shelf template.


2. Assign products and approval policies to the special shelf template.
3. Assign the special shelf template to one or more shops.

The special shelf template is automatically copied to all shops in the IT Shop. The shelves
that are created are linked to the special shelf template from which they originate. The
products are transferred from the template to the shelf that is created from the template.

Shopping center template

1. Create a shopping center template.


2. Create a special shelf template.
3. Assign products and approval policies to the special shelf template.
4. Assign the special shelf template to the shopping center template.
5. Assign the shopping center template to the desired shopping centers.

The special shelf template is automatically copied to the shopping center template.
Subsequently, the shelf created from the shopping center template is distributed to all the
shops in the shopping center. The shelves that are created obtain a link to the shelf that
they originated from.

Detailed information about this topic


l Editing shelf templates on page 221
l Additional tasks for shelf templates on page 222
l Assigning shelf templates to shops and shopping center templates on page 224
l General main data of IT Shop structures on page 206

Editing shelf templates
To edit a shelf template

1. In the Manager, select the IT Shop > Shelf templates category.


2. In the result list, select a shelf template and run the Change main data task.
- OR -
Click in the result list.
3. Edit the shelf template's main data.
4. Save the changes.

General main data of a shelf template


Enter the following properties for a shelf template.

Table 74: General main data of a shelf template

IT Shop node: Identifier of the IT Shop structure for creating the shelf template.
Internal name: Internal name of the shelf template.
IT Shop information: Type of shelf template. In the menu, select Shopping center
    template, Global shelf template, or Shelf template.
Role type: Role types for classifying shops and shelves. In the menu, select a role
    type.
    l Shopping center template: N/A
    l Global and special templates: You can use role types to limit the
      approval policies in effect. The role type is applied to the new shelf.
Location: Location of the shelf. You can use this data in approval workflows for
    determining the approver responsible for requests from the shelves that have
    been created.
Department: Department the shelf belongs to. You can use this data in approval
    workflows for determining the approver responsible for requests from the
    shelves that have been created.
Cost center: Cost center of the shelf. You can use this data in approval workflows for
    determining the approver responsible for requests from the shelves that have
    been created.
Owner: Employee responsible for the shelf. You can use this data in approval
    workflows for determining the approver responsible for requests from the
    shelves that have been created.
Deputy manager: The owner's deputy. You can use this data in approval workflows for
    determining the approver responsible for requests from the shelves that have
    been created.
Attestors: Application role whose members are authorized to approve attestation
    cases for this business role.
    To create a new application role, click . Enter the application role name
    and assign a parent application role.
    NOTE: This property is available if the Attestation Module is installed.
Description: Text field for additional explanation.
Certification status: The shelf template's certification status. You can select the
    following certification statuses:
    l New: The shelf template was newly added to the One Identity Manager
      database.
    l Certified: A manager granted approval to the shelf template's main data.
    l Denied: A manager denied approval to the shelf template's main data.

Detailed information about this topic


l Role types for the IT Shop on page 199
l Attestors on page 204

Related topics
l Determining the effective approval policies on page 98

Custom main data of shelf templates


Additional company-specific information. Use the Designer to customize display names,
formats, and templates for the input fields.

Additional tasks for shelf templates


After you have entered the main data, you can run the following tasks.

Assigning approval policies
You can assign approval policies to global and special templates. These approval policies
are passed on to every new shelf.

To assign a shelf template to an approval policy

1. In the Manager, select the IT Shop > Shelf templates category.


2. Select the shelf template in the result list.
3. Select the Assign approval policies task.
In the Add assignments pane, assign the approval policies.
TIP: In the Remove assignments pane, you can remove approval policy
assignments.

To remove an assignment
l Select the approval policy and double-click.
4. Save the changes.

Related topics
l Approval processes for IT Shop requests on page 81

Assigning requestable products to shelf templates


Assign global and special shelf templates to company resources. These company
resources are added as product nodes to all the shelves that are created. You can only
select those company resources that are labeled with the IT Shop option and to which a
service item is assigned.
Select one of the tasks in the task view to assign company resources. The tasks are only
shown if the Assignments permitted and Direct assignment permitted options are
enabled for the IT Shop template role class.

To assign company resources as products to a shelf template

1. In the Manager, select the IT Shop > Shelf templates category.


2. Select the shelf template in the result list.
3. Select the Assign <company resource> task.
In the Add assignments pane, assign company resources.
TIP: In the Remove assignments pane, you can remove company resource assignments.

To remove an assignment
l Select the company resource and double-click.
4. Save the changes.

Related topics
l Preparing products for requesting on page 21
l Assigning and removing products on page 51
l Role classes for the IT Shop on page 198

Shelf-filling wizard
Use this task to assign special shelf templates to shops and shopping centers. For
more information, see Assigning shelf templates to shops and shopping center
templates on page 224.

Assigning shelf templates to shops and shopping center templates
Global shelf templates are immediately distributed to all shops. Assign special shelf
templates manually to shops and shopping center templates. You also need to assign
shopping center templates to the desired shopping center. This assignment takes place in
the shopping center.

To assign a special shelf template to shops and shopping center templates

1. In the Manager, select the IT Shop > Shelf templates category.


2. Select a shelf template in the result list.
3. Select Shelf Filling Wizard.
4. Select Create/remove shelves.
5. In the Shelf template list, select a special shelf template.
6. Enable the shops and shopping center template to which to assign this shelf
template.
7. Click Apply.

Table 75: Settings in the shelf filling wizard

Create/remove shelves tab: This shows shops and shopping centers to which shelf
    templates can be assigned and removed again.
Shelf template: This list displays all available special shelf templates. By default,
    the shelf template list is preset with the name of the shelf template from which
    the wizard is started.
Filter: This limits the number of shops and shopping center templates displayed. All
    entries that contain the strings entered in the filter condition are displayed.
    Uppercase and lowercase are not taken into account. The filter takes effect after
    the shelf template has been reselected in the Shelf templates list.
    The filter also affects the view on the Assignment by shopping center
    templates tab.
List of Shops and Shopping Center Templates:
    l To assign a shelf template, select the check box next to the desired shop or
      shopping center template.
    l Use Assign all to assign a template to all shops and shopping center templates.
    l To remove the assignments from all shops, click the Remove all button.
    l You can select several entries at one time (Ctrl + left mouse button or
      Shift + left mouse button) and change the assignments using the Invert
      selection button.
    l Click Apply to save the changes.
Assignment by shopping center templates tab: Once the DBQueue Processor has calculated
    the assignments, the shops in which a shelf was created from a shopping center
    template are displayed on this tab. This only provides an overview. You cannot
    edit the assignments.
    The shops displayed are limited through the filter.

Related topics
l General main data of IT Shop structures on page 206

Deleting shelf templates


If a shelf template is deleted, the QER | ITShop | Templates | DeleteRecursive
configuration parameter is taken into account. If the configuration parameter is set, you
can delete a shelf template without requiring any further steps. When this shelf template is
deleted, the shelves and products connected with this template are also deleted from the
shops. Pending requests in these shelves are closed; approved requests are canceled. If
the parameter is not set, templates cannot be deleted as long as shelves reference it.

To delete shelf templates recursively

1. In the Designer, set the QER | ITShop | Templates | DeleteRecursive


configuration parameter.
2. In the Manager, select the IT Shop > Shelf templates category.
3. Select a shelf template in the result list.
4. Click in the result list.
The next time the DBQueue Processor runs, the shelves and products connected with
this template are also deleted from the shops. Pending requests from these shelves
are closed; approved requests are canceled.

If the configuration parameter is not set, proceed as follows to delete the shelf template:

To delete a global shelf template

1. In the Manager, select the IT Shop > Shelf templates category.


2. Select the global shelf template in the result list.
3. Remove all assigned products.
4. Save the changes.
All assignments of these products to shelves are removed when the DBQueue
Processor runs the next time. Then, the shelf template can be deleted.
5. Click in the result list.
All shelves based on this template are deleted when the DBQueue Processor runs
the next time.

To delete a special shelf template

1. In the Manager, select the IT Shop > Shelf templates category.


2. Select the special shelf template in the result list.
3. Remove all assigned products.
4. Save the changes.
All assignments of these products to shelves are removed when the DBQueue
Processor runs the next time.
5. Remove all assignments of the shelf template to shops and shopping center
templates.
All shelves based on this template are deleted when the DBQueue Processor runs
the next time.
6. Click in the result list.

To delete a shopping center template

1. In the Manager, select the IT Shop > Shelf templates category.


2. Select the shopping center template in the result list.
3. Delete all shopping center assignments.

All shelves based on this template are deleted when the DBQueue Processor runs
the next time.
4. Delete all special shelf template assignments to the shopping center template.
5. Click in the result list.

Detailed information about this topic


l Assigning requestable products to shelf templates on page 223
l Assigning shelf templates to shops and shopping center templates on page 224
l General main data of IT Shop structures on page 206

Custom mail templates for notifications


Mail templates are used to send email messages to requesters and approvers.
For more information about creating and editing mail templates, see the One Identity
Manager Operational Guide.
A mail template consists of general main data such as target format, importance, or mail
notification confidentiality, and one or more mail definitions. Mail text is defined in several
languages in the mail template. This ensures that the language of the recipient is taken into
account when the email is generated.

Related topics
l Notifications in the request process on page 169

Creating and modifying IT Shop mail templates
To create and edit mail templates

1. In the Manager, select the IT Shop > Basic configuration data > Mail
templates category.
The result list shows all the mail templates that can be used for IT Shop requests.

2. Select a mail template in the result list and run the Change main data task.
- OR -
Click in the result list.
This opens the mail template editor.

3. Edit the mail template.
4. Save the changes.

Detailed information about this topic


l General properties of mail templates on page 228
l Creating and editing mail definitions on page 229

General properties of mail templates


The following general properties are displayed for a mail template.

Table 76: Mail template properties

Mail template: Name of the mail template. This name will be used to display the mail
    templates in the administration tools and in the Web Portal. Translate the given
    text using the button.
Base object: Mail template base object. A base object only needs to be entered if the
    mail definition properties of the base object are referenced.
    Use the PersonWantsOrg or PWOHelperPWO base object for notifications in the
    IT Shop.
Report (parameter set): Report, made available through the mail template.
Description: Mail template description. Translate the given text using the button.
Target format: Format in which to generate the email notification. Permitted values are:
    l HTML: The email notification is formatted in HTML. Text formats, for example,
      different fonts, colored fonts, or other text formatting, can be included in
      HTML format.
    l TXT: The email notification is formatted as text. Text format does not support
      bold, italics, colored font, or other text formatting. Images displayed
      directly in the message are not supported.
Design type: Design in which to generate the email notification. Permitted values are:
    l Mail template: The generated email notification contains the mail body in
      accordance with the mail definition.
    l Report: The generated email notification contains the report specified under
      Report (parameter set) as its mail body.
    l Mail template, report in attachment: The generated email notification
      contains the mail body in accordance with the mail definition. The report
      specified under Report (parameter set) is attached to the notification as a
      PDF file.
Importance: Importance of the email notification. Permitted values are Low, Normal,
    and High.
Confidentiality: Confidentiality of the email notification. Permitted values are
    Normal, Personal, Private, and Confidential.
Can unsubscribe: Specifies whether the recipient can unsubscribe from the email
    notification. If this option is set, the emails can be unsubscribed through the
    Web Portal.
Deactivated: Specifies whether this mail template is disabled.
Mail definition: Selects the mail definition in a specific language.
    NOTE: If the Common | MailNotification | DefaultCulture configuration parameter
    is set, the mail definition is loaded in the default language for email
    notifications when the template is opened.
Language: Language that applies to the mail template. The recipient's language
    preferences are taken into account when an email notification is generated.
Subject: Subject of the email message.
Mail body: Content of the email message.

Creating and editing mail definitions


Mail texts can be defined in different languages in a mail template. This ensures that
the language of the recipient is taken into account when the email is generated.

To create a new mail definition

1. In the Manager, select the IT Shop > Basic configuration data > Mail
templates category.
The result list shows all the mail templates that can be used for IT Shop requests.

2. Select a mail template in the result list and run the Change main data task.
3. In the result list, select the language for the mail definition in the Language menu.
All active languages are shown. To use another language, in the Designer, enable the
corresponding countries. For more information, see the One Identity Manager
Configuration Guide.
4. Enter the subject in Subject.

5. Edit the mail text in the Mail definition view with the help of the Mail Text Editor.
6. Save the changes.

To edit an existing mail definition

1. In the Manager, select the IT Shop > Basic configuration data > Mail templates category.
The result list shows all the mail templates that can be used for IT Shop requests.
2. Select a mail template in the result list and run the Change main data task.
3. In the Mail definition menu, select the language for the mail definition.
NOTE: If the Common | MailNotification | DefaultCulture configuration parameter is set, the mail definition is loaded in the default language for email notifications when the template is opened.
4. Edit the mail subject line and the body text.
5. Save the changes.

Using base object properties

In the subject line and body text of a mail definition, you can use all properties of the object entered under Base object. You can also use the object properties that are referenced by foreign key relation.
To access properties, use dollar notation. For more information, see the One Identity Manager Configuration Guide.

Example:

An IT Shop requester should receive email notification about the status of the request.

Table 77: Email notification properties

Property: Value

Base object: PersonWantsOrg

Subject: "$DisplayOrg[D]$" status change

Mail body:
Dear $FK(UID_PersonOrdered).Salutation[D]$ $FK(UID_PersonOrdered).FirstName$ $FK(UID_PersonOrdered).LastName$,
The status was changed on the following request on $DateHead:Date$.
Requested by: $DisplayPersonInserted$
Reason: $OrderReason$
Current status of your request:
Approval: granted
Approver: $DisplayPersonHead[D]$
Reason: $ReasonHead[D]$

The generated email notification could look like the following, for example, once it has been formatted.
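As an added illustration of how the dollar notation in Table 77 is resolved (this is example code written for this page, not One Identity code and not the product's own resolver), the following Python script expands the subject and mail body above against constructed sample rows. It assumes the four forms used in the example: $Prop$ for a raw column value, $Prop[D]$ for the display value, $FK(Column).Prop$ to follow a foreign key, and $Prop:Date$ as a date format shorthand; PERSONS, REQUEST and FK_TABLES are constructed stand-ins for database objects. The authoritative semantics are in the One Identity Manager Configuration Guide.

```python
import html
import re
from datetime import datetime

# Constructed sample rows standing in for database objects (not real data).
# Person rows: the raw Salutation column plus an assumed display value for [D].
PERSONS = {
    "P-1": {"Salutation": "MR", "FirstName": "Sam", "LastName": "Example",
            "_display": {"Salutation": "Mr."}},
    "P-2": {"Salutation": "MS", "FirstName": "Alex", "LastName": "Approver",
            "_display": {"Salutation": "Ms."}},
}

# Base object: one PersonWantsOrg row (the request) with two FK columns to Person.
REQUEST = {
    "UID_PersonOrdered": "P-1",
    "UID_PersonHead": "P-2",
    "DisplayOrg": "VPN access",
    "DisplayPersonInserted": "Sam Example",
    "OrderReason": "Remote work",
    "DateHead": datetime(2022, 3, 14, 9, 30),
    "DisplayPersonHead": "Alex Approver",
    "ReasonHead": "Approved by manager",
    "_display": {"DisplayOrg": "VPN access (shelf: Remote access)"},
}

# Assumption: which table each foreign-key column references.
FK_TABLES = {"UID_PersonOrdered": PERSONS, "UID_PersonHead": PERSONS}

TOKEN = re.compile(r"\$([^$]+)\$")  # one $...$ expression in the mail text


def resolve(obj, expr):
    """Resolve a single dollar expression against obj and return it as text."""
    # 1. Follow each FK(<column>). hop to the referenced object.
    while expr.startswith("FK("):
        column, sep, rest = expr[3:].partition(").")
        if not sep:
            raise ValueError(f"malformed FK expression: {expr}")
        obj = FK_TABLES[column][obj[column]]
        expr = rest
    # 2. Split off an optional ":<format>" suffix (assumed: only Date is known here).
    prop, _, fmt = expr.partition(":")
    # 3. [D] asks for the display value; fall back to the raw value if none exists.
    use_display = prop.endswith("[D]")
    if use_display:
        prop = prop[:-3]
    if prop not in obj:
        # Fail loudly: a silently empty field would mislead the recipient.
        raise KeyError(f"unknown property {prop!r} on base object")
    value = obj.get("_display", {}).get(prop, obj[prop]) if use_display else obj[prop]
    if fmt == "Date":
        value = value.strftime("%Y-%m-%d")
    elif fmt:
        raise ValueError(f"unsupported format {fmt!r}")
    return str(value)


def render(template, obj, as_html=False):
    """Expand every $...$ token; with as_html=True the values are HTML-escaped,
    which matters for requester-entered fields such as OrderReason."""
    def substitute(match):
        value = resolve(obj, match.group(1))
        return html.escape(value) if as_html else value
    return TOKEN.sub(substitute, template)


# Subject and mail body exactly as given in Table 77.
SUBJECT = '"$DisplayOrg[D]$" status change'
BODY = """Dear $FK(UID_PersonOrdered).Salutation[D]$ $FK(UID_PersonOrdered).FirstName$ $FK(UID_PersonOrdered).LastName$,
The status was changed on the following request on $DateHead:Date$.
Requested by: $DisplayPersonInserted$
Reason: $OrderReason$
Current status of your request:
Approval: granted
Approver: $DisplayPersonHead[D]$
Reason: $ReasonHead[D]$"""

if __name__ == "__main__":
    print(render(SUBJECT, REQUEST))
    print(render(BODY, REQUEST))
```

The as_html flag shows the check that matters when the Mail Text Editor produces HTML mail: OrderReason is typed by the requester, so it should be escaped before it is rendered as markup, and an unknown property raises instead of producing an empty field.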

Use of hyperlinks to the Web Portal


You can add hyperlinks to the Web Portal in the mail text of a mail definition. If the
recipient clicks on the hyperlink in the email, the Web Portal opens on that web page and
further actions can be carried out. In the default version, this method is implemented for
IT Shop requests.

Prerequisites for using this method

• The QER | WebPortal | BaseURL configuration parameter is enabled and contains the URL path to the Web Portal. You edit the configuration parameter in the Designer.
  http://<server name>/<application>
  with:
  <server name> = name of server
  <application> = path to the Web Portal installation directory

To add a hyperlink to the Web Portal in the mail text

1. Click the position in the mail text of the mail definition where you want to insert a hyperlink.
2. Open the Hyperlink context menu and enter the following information.
   • Display text: Enter a caption for the hyperlink.
   • Link to: Select the File or website option.
   • Address: Enter the address of the page in the Web Portal that you want to open.
   NOTE: One Identity Manager provides a number of default functions that you can use to create hyperlinks in the Web Portal.
3. To accept the input, click OK.

Default functions for creating hyperlinks

Several default functions are available to help you create hyperlinks. You can use the functions directly when you add a hyperlink in the mail body of a mail definition or in processes.

Direct function input

You can reference a function when you add a hyperlink in the Address field of the Hyperlink context menu.
$Script(<Function>)$
Example:
$Script(VI_BuildITShopLink_Show_for_Requester)$

Default functions for IT Shop requests

The VI_BuildITShopLinks script contains a collection of default functions for composing hyperlinks to directly grant or deny approval of IT Shop requests from email notifications.

Table 78: Functions of the VI_BuildITShopLinks script

Function: Usage

VI_BuildITShopLink_Show_for_Approver: Opens the overview page for request approval in the Web Portal.

VI_BuildITShopLink_Show_for_Requester: Opens the overview page for requests in the Web Portal.

VI_BuildITShopLink_Approve: Approves a request and opens the approvals page in the Web Portal.

VI_BuildITShopLink_Deny: Denies a request and opens the approvals page in the Web Portal.

VI_BuildITShopLink_AnswerQuestion: Opens the page for answering a question in the Web Portal.

VI_BuildITShopLink_Reject: Opens the page with denied requests in the Web Portal.

VI_BuildAttestationLink_Pending: Opens the page with pending requests in the Web Portal.

VI_BuildITShopLink_Unsubscribe: Creates the link for canceling email notification. This function is used in processes for unsubscribing email notifications.

Customize email signatures

Configure the email signature for mail templates using the following configuration parameters. Edit the configuration parameters in the Designer.

Table 79: Configuration parameters for email signatures

Configuration parameter: Description

Common | MailNotification | Signature: Data for the signature in email automatically generated from mail templates.

Common | MailNotification | Signature | Caption: Signature under the salutation.

Common | MailNotification | Signature | Company: Company name.

Common | MailNotification | Signature | Link: Link to the company's website.

Common | MailNotification | Signature | LinkDisplay: Display text for the link to the company's website.

VI_GetRichMailSignature combines the components of an email signature according to the configuration parameters for use in mail templates.

Copying IT Shop mail templates
To copy a mail template

1. In the Manager, select the IT Shop > Basic configuration data > Mail
templates category.
The result list shows all the mail templates that can be used for IT Shop requests.

2. Select the mail template that you want to copy in the result list and run the Change
main data task.
3. Select the Copy mail template task.
4. Enter the name of the new mail template in the Name of copy field.
5. Click OK.

Displaying IT Shop mail template previews


To display a mail template preview

1. In the Manager, select the IT Shop > Basic configuration data > Mail
templates category.
The result list shows all the mail templates that can be used for IT Shop requests.

2. Select a mail template in the result list and run the Change main data task.
3. Select the Preview task.
4. Select the base object.
5. Click OK.

Deleting IT Shop mail templates


To delete a mail template

1. In the Manager, select the IT Shop > Basic configuration data > Mail
templates category.
The result list shows all the mail templates that can be used for IT Shop requests.

2. Select the template in the result list.


3. Click in the result list.
4. Confirm the security prompt with Yes.

Custom notification processes

Set up customized processes to send more email notifications within a request. For detailed information, see the One Identity Manager Configuration Guide.
You can use the following events for generating processes.

Table 80: PWOHelperPWO object events

Event: Triggered by

DecisionRequired: Creating a new request.

Remind: Sequence of reminder intervals.

Request templates

If you want to request products in the Web Portal, select the products you want from a service catalog and place them in the cart. The products remain in the cart until you send the request. You can save all the products in your cart or just individual ones in a request template so that you can reuse the products in the cart for future requests. You can add products to or delete products from request templates at any time.

To use a request template

• In the Designer, set the QER | ITShop | ShoppingCartPattern configuration parameter.

You can create request templates in the Web Portal and in the Manager. In the following
you will learn how to set up request templates with the Manager. For more information
about how to set up request templates in the Web Portal, see the One Identity Manager
Web Designer Web Portal User Guide.

Creating and modifying request templates


To edit a request template

1. In the Manager, select the IT Shop > Request templates category.


2. In the result list, select a request template and run the Change main data task.
- OR -
Click in the result list.
3. Edit the request template's main data.
4. Save the changes.

Detailed information about this topic
• General main data of a request template on page 236
• Cart items on page 237

General main data of a request template

Enter the following properties on the General tab.

Table 81: General main data of a request template

Property: Description

Request template: Name of the request template.

Name: Any additional name for the request template.

Short name: Short name for the request template.

Voucher number: A combination of any characters to uniquely identify the request template. If you leave this field empty, One Identity Manager automatically allocates a number when you save.

Owner: Owner of the request template. The employee that created the template is automatically entered as the owner. This value can be changed at any time.

Description: Text field for additional explanation.

Public template: Specifies whether the request template is available to all One Identity Manager users.

Shared: Specifies whether the request template can be used by all One Identity Manager users. This option can only be changed in the Manager by a user with the Request & Fulfillment | IT Shop | Administrators application role.
If Public template is not set on a shared template, Shared is also disabled.

Request templates can be shared automatically once Public template has been set.

To automatically share request templates

• In the Designer, set the QER | ITShop | ShoppingCartPattern | AutoQualified configuration parameter.

Cart items

Use Cart items to assign the product.

To add a new request item to the request template

• Click .
The data fields for entering properties are shown.

Table 82: Cart items

Property: Description

Product: Products that can be requested with this request template. All service items are shown in the menu, whose products are assigned to at least one shelf in the IT Shop.
• To add other products to the request template, click .
• To delete a cart item, click .

Quantity: Number of products to request.
You need to customize your Web Portal in order to use these values. For detailed information, see the One Identity Manager Web Designer Reference Guide.

Additional request data: Additional information is required for the request.

Deleting request templates


To delete a request template

1. In the Manager, select the IT Shop > Request templates category.


2. Select a request template in the result list.
3. Click in the result list.

NOTE: Every owner can delete his own request templates in the Web Portal. One Identity
Manager users with the Request & Fulfillment | IT Shop | Administrators
application role can delete the request templates of all owners.

Recommendations and tips for transporting IT Shop components with the Database Transporter

For detailed information about working with change labels and about transporting changes with the Database Transporter, see the One Identity Manager Operational Guide.
To transport IT Shop components with the Database Transporter, take the following into account:
• In one transport package, only include a maximum of one shop with shelves and customer nodes including the dynamic roles and, if necessary, associated approval policies.
• You should not transport products that reference target system entitlements. Target system entitlements are loaded into the database by synchronization and obtain different UIDs in different databases. This means that references to these entitlements do not match up in the products.
• Approval policies, approval workflows, approval steps, and approval procedures should be transported together. If necessary, mail templates and mail definitions must be transported as well.
• If IT Shop components reference application or business roles, they must also be transported along with their child roles.
• Transport translations if required.
• If you want to group several objects and dependencies and other changes into a transport package, work with change labels where possible. In the Database Transporter, you can export change labels to a transport package. You can import the transport package with the Database Transporter.
• Alternatively, you can transport a single object with its dependencies by creating an export in transport format. Then you can import the export with the Database Transporter.

5

Troubleshooting errors in the IT Shop

Timeout on saving requests


If new requests are saved in bulk in the database a timeout may occur, after importing
data, for example.

Probable reason

By default, the approvers responsible are determined during saving. This delays the
saving process. No more actions can take place in One Identity Manager until all
requests are saved and, therefore, all approvers have been found. Depending on the
system configuration, this may cause a timeout to occur when large amounts of data are
being processed.

Solution
• In the Designer, disable the QER | ITShop | DecisionOnInsert configuration parameter.

Effect
• The requests are saved and a calculation task for determining approvers is queued in the DBQueue. Approvers responsible are determined outside the save process.
• If the requester is also the approver, the approval step is not automatically granted approval. Approvers must explicitly approve their own requests. For more information, see Automatically approving requests on page 136.
• Automatic approval decisions are also made if necessary, but are delayed. This affects requests with self-service, for example.

Bulk delegation errors

You have the option to delegate all your responsibilities to one person in the Web Portal. If you have a lot of responsibilities, it is possible that not all the delegations are carried out. A delegator can send a notification to themselves if an error occurs.

Probable reason

An error occurred processing delegations. VI_ITShop_Person Mass Delegate was stopped, although only a fraction of the delegations has been applied.

Solution

1. Configure the notification procedure.
2. Run all remaining delegations again in the Web Portal.

Related topics
• Bulk delegation notifications on page 179

Process monitoring for requests


For more information about process monitoring in One Identity Manager, see the One
Identity Manager Configuration Guide.

To configure process monitoring for requests

1. In the Designer, check whether the Common | ProcessState configuration parameter is set. If not, set the configuration parameter.
If this configuration parameter is set, a process monitoring entry (DialogProcess table) is created when the request is created.
2. In the Designer, check the Common | ProcessState | UseGenProcIDFromPWO configuration parameter.
If this configuration parameter is set, the GenProcID of an IT Shop request is retained for the entirety of the approval process.
If the configuration parameter is not set, a new GenProcID is used for each approval decision.
3. In the Designer, check the QER | ITShop | GenProcIDBehavior configuration parameter.
Set the configuration parameter and use the value to specify how many GenProcIDs should be generated for a shopping cart's requests.
   • MultiID: Generates a new GenProcID for each shopping cart request.
   • SingleID: Generates one GenProcID for the entire shopping cart. All requests created through the shopping cart are given the same GenProcID.
If the configuration parameter is not set, a separate GenProcID is generated for each shopping cart request.

Appendix A

Appendix: Configuration parameters for the IT Shop

Additional configuration parameters for the IT Shop are available in One Identity Manager. The following table contains a summary of all applicable configuration parameters for the IT Shop.

Table 83: Overview of configuration parameters

Configuration parameter: Description

QER | ITShop
Preprocessor relevant configuration parameter to control the component parts for the IT Shop. If the parameter is set, the IT Shop components are available. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoCloseInactivePerson
This configuration parameter defines whether employees are removed from all customer nodes when they are permanently disabled.

QER | ITShop | AutoDecision
This configuration parameter controls automatic approval of IT Shop requests over several approval levels.

QER | ITShop | AutoPublish
General configuration parameter that defines automatic assignment of system entitlements to the IT Shop.

QER | ITShop | AutoPublish | AADDeniedServicePlan
Preprocessor relevant configuration parameter for automatically adding Azure Active Directory service plans to the IT Shop. If the parameter is set, all service plans are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in module: Azure Active Directory Module

QER | ITShop | AutoPublish | AADDeniedServicePlan | ExcludeList
List of all Azure Active Directory service plans that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

QER | ITShop | AutoPublish | AADGroup
Preprocessor relevant configuration parameter for automatically adding Azure Active Directory groups to the IT Shop. If the parameter is set, all groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in module: Azure Active Directory Module

QER | ITShop | AutoPublish | AADGroup | ExcludeList
List of all Azure Active Directory groups that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.
Example:
.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

QER | ITShop | AutoPublish | AADSubSku
Preprocessor relevant configuration parameter for automatically adding Azure Active Directory subscriptions to the IT Shop. If the parameter is set, all subscriptions are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in module: Azure Active Directory Module

QER | ITShop | AutoPublish | AADSubSku | ExcludeList
List of all Azure Active Directory subscriptions that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

QER | ITShop | AutoPublish | ADSGroup
Preprocessor relevant configuration parameter for automatically adding Active Directory groups to the IT Shop. If the parameter is set, all groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in modules: Active Directory Module, Active Roles Module

QER | ITShop | AutoPublish | ADSGroup | ExcludeList
List of all Active Directory groups that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.
Example:
.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

QER | ITShop | AutoPublish | ADSGroup | AutoFillDisplayName
The configuration parameter specifies whether the template should be applied to the ADSGroup.DisplayName column.

QER | ITShop | AutoPublish | O3EDL
Preprocessor relevant configuration parameter for automatically adding Exchange Online mail-enabled distribution groups to the IT Shop. If the parameter is set, all distribution groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in module: Exchange Online Module

QER | ITShop | AutoPublish | O3EDL | ExcludeList
List of all Exchange Online mail-enabled distribution groups that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.
Example:
.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

QER | ITShop | AutoPublish | O3EUnifiedGroup
Preprocessor relevant configuration parameter for automatically adding Office 365 groups to the IT Shop. If the parameter is set, all groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in module: Exchange Online Module

QER | ITShop | AutoPublish | O3EUnifiedGroup | ExcludeList
List of all Office 365 groups that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

QER | ITShop | AutoPublish | O3TTeam
Preprocessor relevant configuration parameter for automatically adding Microsoft Teams teams to the IT Shop. If the parameter is set, all teams are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in module: Microsoft Teams Module

QER | ITShop | AutoPublish | O3TTeam | ExcludeList
List of all Microsoft Teams teams that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

QER | ITShop | AutoPublish | PAGUsrGroup
Preprocessor relevant configuration parameter for automatically adding PAM user groups to the IT Shop. If the parameter is set, all user groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in module: Privileged Account Governance Module

QER | ITShop | AutoPublish | PAGUsrGroup | ExcludeList
List of all PAM user groups that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.
Example:
.*Administrator.*|.*Admins|.*Operators

QER | ITShop | AutoPublish | SPSGroup
Preprocessor relevant configuration parameter for automatically adding SharePoint groups to the IT Shop. If the parameter is set, all groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
In effect in module: SharePoint Module

QER | ITShop | AutoPublish | SPSGroup | ExcludeList
List of all SharePoint groups that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.
Example:
.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS
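The ExcludeList parameters above (AADGroup, ADSGroup, O3EDL, SPSGroup, PAGUsrGroup and their siblings) all take one alternation pattern, and the guide's own example shows how privileged groups are kept out of self-service ordering. The following Python dry run is an added example written for this page, not One Identity code: it applies that exact pattern to constructed group names and compares search semantics (assumed here, following the guide's "regular search pattern" wording) with anchored full-match semantics, so an administrator can see which groups would be withheld under each reading before enabling AutoPublish. The group names in CANDIDATES are constructed and the is_excluded and partition_groups helpers are this example's own.

```python
import re

# Exclude list exactly as the guide shows it for ADSGroup | ExcludeList.
# Entries are joined with "|", so the whole value is one alternation pattern.
DEFAULT_EXCLUDE_LIST = ".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"


def is_excluded(name, exclude_list=DEFAULT_EXCLUDE_LIST, anchored=False, ignore_case=False):
    """True if the group name is caught by the exclude list.

    anchored=False uses re.search (assumed here to mirror the guide's wording
    "regular search pattern"); anchored=True uses re.fullmatch so that the two
    readings can be compared side by side. Matching is case sensitive unless
    ignore_case is set.
    """
    pattern = re.compile(exclude_list, re.IGNORECASE if ignore_case else 0)
    hit = pattern.fullmatch(name) if anchored else pattern.search(name)
    return hit is not None


def partition_groups(names, **kwargs):
    """Split candidate groups into (publish, withhold) lists for a dry run."""
    publish, withhold = [], []
    for name in names:
        (withhold if is_excluded(name, **kwargs) else publish).append(name)
    return publish, withhold


# Constructed group names for the dry run (not taken from any real directory).
CANDIDATES = [
    "Domain Admins",
    "Administrators",
    "Exchange Organization Management",
    "Backup Operators",
    "IIS_IUSRS",
    "Sales-Team",
    "Project-Phoenix-Readers",
    "Legacy-Exchange-Users",  # search and fullmatch disagree on this one...
    "AdminsOfNothing",        # ...and on this one
    "domain admins",          # only excluded with ignore_case=True
]

if __name__ == "__main__":
    for anchored in (False, True):
        publish, withhold = partition_groups(CANDIDATES, anchored=anchored)
        print(f"anchored={anchored}")
        print("  would be published:", publish)
        print("  withheld by exclude list:", withhold)
```

The two readings differ for names such as Legacy-Exchange-Users and AdminsOfNothing, and matching is case sensitive unless ignore_case is set; which behaviour the product applies is not stated on this page, so verify the pattern against a test database before relying on the exclude list to keep privileged groups out of the shop.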

QER | ITShop | General configuration parameter for dealing with


ChallengeRoleRemoval role assignments that are modified by data import.
Removal of role memberships can be challenged
with the help of temporary requests.

QER | ITShop | This configuration parameter contains the validity


ChallengeRoleRemoval | period (in days) of temporary requests for
DaysOfValidity challenged role memberships.

QER | ITShop | Temporary requests of department memberships


ChallengeRoleRemoval | are supported.
Department

QER | ITShop | Temporary membership of the previous department


ChallengeRoleRemoval | is requested if changes are made to the primary
Department | Primary membership in departments.

QER | ITShop | This configuration parameter contains the product


ChallengeRoleRemoval | node that is assigned to the requested assignment
ITShopOrg resource.

QER | ITShop | Temporary requests of location memberships are


ChallengeRoleRemoval | Locality supported.

QER | ITShop | Temporary membership of the previous location is


ChallengeRoleRemoval | Locality | requested if changes are made to the primary
Primary membership in locations.

QER | ITShop | Temporary requests of business role memberships


ChallengeRoleRemoval | Org are supported.

One Identity Manager 8.2.1 IT Shop Administration Guide


247
Appendix: Configuration parameters for the IT Shop
Configuration parameter Description

QER | ITShop | Temporary membership of the previous business


ChallengeRoleRemoval | Org | role is requested if changes are made to the primary
Primary membership in business roles.

QER | ITShop | Temporary requests of cost center memberships are


ChallengeRoleRemoval | supported.
ProfitCenter

QER | ITShop | Temporary membership of the previous cost center


ChallengeRoleRemoval | is requested if changes are made to the primary
ProfitCenter | Primary membership in cost centers.

QER | ITShop | DecisionOnInsert This configuration parameter controls approval of a


request the moment is it added.

QER | ITShop | Sender's default email address for sending automat-


DefaultSenderAddress ically generated notifications about requests.
Replace the default address with a valid email
address.
Syntax:
sender@example.com
Example:
NoReply@company.com
You can enter the sender's display name in addition
to the email address. In this case, ensure that the
email address is enclosed in chevrons (<>).
Example:
One Identity <NoReply@company.com>

QER | ITShop | Delegation Preprocessor relevant configuration parameter for


controlling model components for delegation and
role membership. Changes to the parameter require
recompiling the database. If the parameter is set,
delegation components are available.
If you disable the configuration parameter at a later
date, model components and scripts that are not
longer required, are disabled. SQL procedures and
triggers are still carried out. For more information
about the behavior of preprocessor relevant config-
uration parameters and conditional compiling, see
the One Identity Manager Configuration Guide.

QER | ITShop | DeleteClosed This configuration parameter specifies whether


closed requests are deleted.

One Identity Manager 8.2.1 IT Shop Administration Guide


248
Appendix: Configuration parameters for the IT Shop
Configuration parameter Description

QER | ITShop | DeleteClosed | Aborted
    This configuration parameter specifies the maximum retention time (in days) of canceled requests.

QER | ITShop | DeleteClosed | Dismissed
    This configuration parameter specifies the maximum retention time (in days) of denied requests.

QER | ITShop | DeleteClosed | Unsubscribed
    This configuration parameter specifies the maximum retention time (in days) of unsubscribed requests.

QER | ITShop | ExceededValidUntilUnsubscribe
    This configuration parameter specifies whether requests of limited validity are unsubscribed or canceled once their validity period has been exceeded. If the parameter is set and the request has the status Assigned or Renewal, the request is unsubscribed if no other request for the product is currently in effect. Expired requests with the status Unsubscription or Unsubscribed are no longer taken into account. Expired requests with the status Approved, Pending, or Request are canceled. If the parameter is not set, the request is canceled in any case.

QER | ITShop | GapBehavior
    Defines the behavior when checking the validity period of new requests.

QER | ITShop | GapBehavior | GapDefinition
    This configuration parameter specifies which requests are checked.

QER | ITShop | GapBehavior | GapFitting
    This configuration parameter specifies whether the validity periods of two or more pending requests can overlap.

QER | ITShop | GenProcIDBehavior
    This configuration parameter specifies how many GenProcIDs are generated for a shopping cart's requests. If the configuration parameter is not set, a separate GenProcID is generated for each shopping cart request.

QER | ITShop | LimitOfNodeCheck
    Maximum number of product nodes that can be generated or deleted by a DBQueue Processor run. Once this number is exceeded, a task for generating the rest of the nodes is queued in the DBQueue.

QER | ITShop | MailApproval | Account
    Name of the user account for authenticating the mailbox used for approval by mail.

QER | ITShop | MailApproval | AppID
    Exchange Online application ID for authentication with OAuth 2.0. If the value is not set, the Basic or the NTLM authentication method is used.


QER | ITShop | MailApproval | DeleteMode
    Specifies the way emails are deleted from the inbox.

QER | ITShop | MailApproval | Domain
    Domain of the user account for authenticating the mailbox used for approval by mail.

QER | ITShop | MailApproval | ExchangeURI
    URL of the Microsoft Exchange web service for accessing the mailbox. If this is not given, AutoDiscover mode is used to detect the URL.

QER | ITShop | MailApproval | Inbox
    Microsoft Exchange mailbox to which approvals by mail are sent.

QER | ITShop | MailApproval | Password
    Password of the user account for authenticating the mailbox used for approval by mail.

QER | ITShop | MailTemplateIdents | AnswerToApprover
    This mail template is used to send a notification with an answer to a question from an approver.

QER | ITShop | MailTemplateIdents | InformAddingPerson
    This mail template is used to notify approvers that an approval decision has been made for the step they added.

QER | ITShop | MailTemplateIdents | InformDelegatingPerson
    This mail template is used to notify approvers that an approval decision has been made for the step they delegated.

QER | ITShop | MailTemplateIdents | ITShopApproval
    Mail template used for requests made through "Approval by mail".

QER | ITShop | MailTemplateIdents | QueryFromApprover
    This mail template is used to send a notification with a question from an approver to an employee.

QER | ITShop | MailTemplateIdents | RequestApproverByCollection
    This mail template is used for generating an email when there are pending requests for an approver. If this configuration parameter is not set, a "Mail template demand" or "Mail template reminder" can be entered for single approval steps to send an email for each request. If this configuration parameter is set, single mails are not sent.

QER | ITShop | OnWorkflowAssign
    This configuration parameter specifies how pending requests are handled when an approval, change, or cancellation workflow is reassigned to the approval policy.

QER | ITShop | OnWorkflowUpdate
    This configuration parameter specifies how pending requests are handled when the approval workflow is changed.

QER | ITShop | PeerGroupAnalysis
    This configuration parameter allows automatic approval of requests by peer group analysis.

QER | ITShop | PeerGroupAnalysis | ApprovalThreshold
    This configuration parameter defines a threshold for peer group analysis between 0 and 1. The default value is 0.9.

QER | ITShop | PeerGroupAnalysis | CheckCrossfunctionalAssignment
    This configuration parameter specifies whether functional areas are taken into account in peer group analysis. If the parameter is set, the request is only approved if the request's recipient and the requested product belong to the same functional area.

QER | ITShop | PeerGroupAnalysis | IncludeManager
    This configuration parameter specifies whether employees who have the same manager as the request's recipient are added to the peer group.

QER | ITShop | PeerGroupAnalysis | IncludePrimaryDepartment
    This configuration parameter determines whether employees who are primary members of the primary department of the request's recipient are included in the peer group.

QER | ITShop | PeerGroupAnalysis | IncludeSecondaryDepartment
    This configuration parameter determines whether employees who are secondary members of the primary or secondary department of the request's recipient are included in the peer group.

QER | ITShop | PersonInsertedNoDecide
    This configuration parameter specifies whether the employee who triggered the request may approve it.

QER | ITShop | PersonOrderedNoDecide
    This configuration parameter specifies whether the employee for whom the request was triggered may approve it.

QER | ITShop | PersonInsertedNoDecideCompliance
    This configuration parameter specifies whether the employee who initiated the request can grant an exception if compliance rules are violated by the request.

QER | ITShop | PersonOrderedNoDecideCompliance
    This configuration parameter specifies whether the employee for whom the request was initiated can grant an exception if compliance rules are violated by the request.

QER | ITShop | ReducedApproverCalculation
    This configuration parameter specifies which approval steps are recalculated if the IT Shop approvers must be recalculated.


QER | ITShop | ReplaceAssignmentRequestOnLeaveCU
    If an employee leaves a customer node, all assigned requests are canceled and assignment requests are converted to direct assignments. If this parameter is set, assignment requests can instead be transferred to the manager or central approver group and, if necessary, to the employee given in UID_PersonFallback. (Note: These employees must have approval authorization for this assignment.)

QER | ITShop | ReplaceAssignmentRequestOnLeaveCU | UID_PersonFallback
    UID_Person of the employee who is set as the fallback if no other request recipient can be found for an assignment request. This employee must be a customer in all shops in which assignments can be requested.

QER | ITShop | ReuseDecision
    This configuration parameter specifies whether approval granted by one approver is transferred to all approval steps of an approval process. If the parameter is set, the current step is approved as soon as the approval process reaches an approval step for which an employee with approval authorization has already granted approval. If the parameter is not set, the approver must separately approve each step for which they have approval authorization. Decisions that did not grant approval are not transferred.

QER | ITShop | ShoppingCartPattern
    This configuration parameter specifies whether request templates can be used in the IT Shop.

QER | ITShop | ShoppingCartPattern | AutoQualified
    This configuration parameter specifies whether public request templates are automatically labeled as "shared" or whether they have to be shared manually by a manager.

QER | ITShop | ShowClosedAssignmentOrders
    This configuration parameter specifies whether the manager of an organization or business role can view completed assignment requests for their organization or business role. If this parameter is not set, the manager can only view open assignment requests for their organization or business role.

QER | ITShop | Templates
    Preprocessor-relevant configuration parameter for controlling the database model components for the Shelf Filling Wizard. If the parameter is set, shelf templates can be used. Changes to this parameter require the database to be recompiled.
    If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | Templates | DeleteRecursive
    This configuration parameter specifies whether recursive deletion is allowed from shelf templates. This configuration parameter is disabled by default.

QER | ComplianceCheck | DisableSelfExceptionGranting
    Excludes rule violators from becoming exception approvers. If this parameter is set, no one can approve their own rule violations.

QER | ComplianceCheck | EnableITSettingsForRule
    IT Shop properties for the compliance rule are visible and can be edited.

QER | Person | Defender
    This configuration parameter specifies whether classic Starling Two-Factor Authentication integration is supported.

QER | Person | Starling
    This configuration parameter specifies whether One Identity Starling Cloud is supported.
    Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to the One Identity Starling cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices that expand the capabilities of your One Identity on-prem solutions. New products and features are made available to One Identity Starling continuously. For a free trial of the One Identity Starling offerings and the latest product feature updates, visit cloud.oneidentity.com.

QER | Person | Starling | UseApprovalAnywhere
    This configuration parameter defines whether requests can be approved by the Starling 2FA app.

QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire
    This configuration parameter specifies the timeout in seconds after which approval by the Starling 2FA app expires.

QER | WebPortal
    General configuration parameter for Web Portal settings.

QER | WebPortal | BaseURL
    Web Portal URL. This address is used in mail templates to add hyperlinks to the Web Portal.

QER | WebPortal | DisplayName
    This configuration parameter contains the display name of the Web Portal. This name is used in mail templates.

QER | WebPortal | PasswordResetURL
    Password Reset Portal URL. This address is used to navigate within the Web Portal.

QER | WebPortal | PersonChangeWorkdesk
    This configuration parameter specifies whether Web Portal users can change their default workdesk. If the configuration parameter is set, users can relocate their workdesk through the Web Portal.

QER | WebPortal | ShowProductImages
    This configuration parameter specifies whether pictures of products are displayed in the Web Portal.

Hardware | Workdesk | WorkdeskAutoPerson
    If this configuration parameter is set, creating a workdesk automatically creates an associated employee object. This employee object can be used to make requests for this workstation.

Some general configuration parameters are also relevant for the IT Shop.

Table 84: Additional configuration parameters

Common | MailNotification | Signature
    Data for the signature in emails automatically generated from mail templates.

Common | MailNotification | Signature | Caption
    Signature under the salutation.

Common | MailNotification | Signature | Company
    Company name.

Common | MailNotification | Signature | Link
    Link to the company's website.

Common | MailNotification | Signature | LinkDisplay
    Display text for the link to the company's website.

Common | ProcessState
    If this configuration parameter is set, a process monitoring entry (DialogProcess table) is created when the request is created.

Common | ProcessState | PropertyLog
    When this configuration parameter is set, changes to individual values are logged and shown in the process view. Changes to the parameter require recompiling the database.
    If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

Common | ProcessState | UseGenProcIDFromPWO
    If this configuration parameter is set, the GenProcID of an IT Shop request is retained for the entirety of the approval process. If the configuration parameter is not set, a new GenProcID is used for each approval decision.

TargetSystem | ADS | ARS_SSM
    Preprocessor-relevant configuration parameter for controlling the database model components for Active Roles Self-Service Management in the One Identity Manager IT Shop. If the parameter is set, Self-Service Management components are available. Changes to this parameter require the database to be recompiled.
    If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
    In effect in module: Active Roles Module
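The peer group analysis parameters listed above (QER | ITShop | PeerGroupAnalysis and its sub-parameters) describe a decision rule only in prose. The following is an added example, not One Identity Manager code, that models that rule in Python so the effect of each parameter can be tried out. The Employee and Product records, the comparison of the peer share against ApprovalThreshold with ">=", the treatment of an empty peer group as "no automatic approval", and the sample employees are assumptions of this example, not documented product behavior.

```python
"""Model of the QER | ITShop | PeerGroupAnalysis parameters.

Added example, not One Identity Manager code. It implements the peer group
rules the appendix describes (IncludeManager, IncludePrimaryDepartment,
IncludeSecondaryDepartment, ApprovalThreshold, CheckCrossfunctionalAssignment).
The Employee / Product records, the ">= threshold" comparison, the handling
of an empty peer group and the sample data are assumptions of this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    uid: str
    manager: Optional[str]                          # UID of the manager
    primary_department: str
    secondary_departments: FrozenSet[str] = frozenset()
    functional_areas: FrozenSet[str] = frozenset()
    products: FrozenSet[str] = frozenset()          # products already assigned


@dataclass(frozen=True)
class Product:
    uid: str
    functional_areas: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class PeerGroupConfig:
    """One field per parameter under QER | ITShop | PeerGroupAnalysis."""
    approval_threshold: float = 0.9                 # ApprovalThreshold (0..1), default 0.9
    include_manager: bool = True                    # IncludeManager
    include_primary_department: bool = True         # IncludePrimaryDepartment
    include_secondary_department: bool = False      # IncludeSecondaryDepartment
    check_crossfunctional: bool = False             # CheckCrossfunctionalAssignment

    def __post_init__(self) -> None:
        if not 0.0 <= self.approval_threshold <= 1.0:
            raise ValueError("ApprovalThreshold must be between 0 and 1")


def peer_group(recipient: Employee, everyone: Iterable[Employee],
               cfg: PeerGroupConfig) -> Set[str]:
    """UIDs of the employees that form the recipient's peer group."""
    own_departments = {recipient.primary_department} | set(recipient.secondary_departments)
    peers: Set[str] = set()
    for e in everyone:
        if e.uid == recipient.uid:
            continue
        if cfg.include_manager and recipient.manager is not None and e.manager == recipient.manager:
            peers.add(e.uid)
        if cfg.include_primary_department and e.primary_department == recipient.primary_department:
            peers.add(e.uid)
        # Secondary members of the recipient's primary or secondary departments.
        if cfg.include_secondary_department and e.secondary_departments & own_departments:
            peers.add(e.uid)
    return peers


def peer_group_decision(recipient: Employee, product: Product,
                        everyone: Iterable[Employee],
                        cfg: PeerGroupConfig) -> Tuple[bool, float, str]:
    """Return (approve automatically?, share of peers holding the product, reason)."""
    everyone = list(everyone)
    if cfg.check_crossfunctional and not (recipient.functional_areas & product.functional_areas):
        return False, 0.0, "recipient and product are in different functional areas"
    peers = peer_group(recipient, everyone, cfg)
    if not peers:
        # Assumption: with no peers there is nothing to compare against, so no auto-approval.
        return False, 0.0, "empty peer group"
    by_uid = {e.uid: e for e in everyone}
    holders = sum(1 for uid in peers if product.uid in by_uid[uid].products)
    share = holders / len(peers)
    return share >= cfg.approval_threshold, share, f"{holders} of {len(peers)} peers hold {product.uid}"


# Constructed sample data (not from a real installation).
SAP_FI = Product("SAP_FI", frozenset({"Finance"}))
CRM = Product("CRM", frozenset({"Sales"}))
ALICE = Employee("alice", "m1", "Finance", functional_areas=frozenset({"Finance"}))
EMPLOYEES = [
    ALICE,
    Employee("bob", "m1", "Finance", products=frozenset({"SAP_FI"})),
    Employee("carol", "m1", "Finance", products=frozenset({"SAP_FI"})),
    Employee("dave", "m2", "Finance", products=frozenset({"SAP_FI"})),    # department peer only
    Employee("erin", "m1", "Sales", products=frozenset({"SAP_FI"})),      # manager peer only
    Employee("frank", "m1", "Finance"),                                   # peer without the product
    Employee("grace", "m3", "Sales", secondary_departments=frozenset({"Finance"}),
             products=frozenset({"SAP_FI"})),                            # secondary member only
]

if __name__ == "__main__":
    print(peer_group_decision(ALICE, SAP_FI, EMPLOYEES, PeerGroupConfig()))
    print(peer_group_decision(ALICE, SAP_FI, EMPLOYEES, PeerGroupConfig(approval_threshold=0.8)))
    print(peer_group_decision(ALICE, CRM, EMPLOYEES, PeerGroupConfig(check_crossfunctional=True)))
```

Running the block prints three decisions: with the default threshold of 0.9, four of five peers holding the product (a share of 0.8) is not enough for automatic approval; lowering ApprovalThreshold to 0.8 approves it; and with CheckCrossfunctionalAssignment set, a request for a product whose functional area differs from the recipient's is never approved automatically, whatever the peer share. Enabling IncludeSecondaryDepartment widens the peer group (grace joins it), which changes the share and therefore the outcome.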

Appendix B

Appendix: Request statuses

The following table gives an overview of all statuses a request can have.

Table 85: Request statuses

Status (technical name)
    Description

New (New)
    A product was requested. The request was added in the database.

Request (OrderProduct)
    The request is currently in the approval process. An approval decision has not yet been reached.

Approved (Granted)
    The approval process is complete. The request was granted approval.

Pending (Waiting)
    The request was granted approval. A valid-from date was given in the request and this date has not been reached yet.

Assigned (Assigned)
    The request was granted approval and assigned.

Renewal (OrderProlongate)
    The request with limited validity was assigned. A renewal has been applied for and is in the approval process. An approval decision has not yet been reached.

Unsubscription (OrderUnsubscribe)
    The product was unsubscribed. The cancellation is currently in the approval process. An approval decision has not yet been reached.

Unsubscribed (Unsubscribed)
    The approval process is complete. The cancellation was granted approval.

Denied (Dismissed)
    The approval process is complete. The request was denied.

Canceled (Aborted)
    The request was canceled by a user or for technical reasons.

The guide groups these statuses as follows. A request cannot be pending and closed at the same time, so the pending, approved, and assigned groups contain the Unsubscription status (cancellation still in the approval process), while only the closed group contains Canceled.

Pending requests: requests with the status Request, Renewal, or Unsubscription.
Approved requests: requests with the status Approved, Pending, Assigned, Renewal, or Unsubscription.
Assigned requests: requests with the status Assigned, Renewal, or Unsubscription.
Closed requests: requests with the status Unsubscribed, Denied, or Canceled.
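The status groups above, together with the expiry and retention rules from Appendix A (QER | ITShop | ExceededValidUntilUnsubscribe and QER | ITShop | DeleteClosed | Aborted / Dismissed / Unsubscribed), can be expressed directly in code. The following is an added example, not One Identity Manager code: it uses the technical status names from Table 85 and the groupings just listed, and applies the expiry and retention rules to a set of constructed requests. The Request record, the rule that an expired request is only canceled (not unsubscribed) when another request keeps the same product in effect, deletion once the age strictly exceeds the configured retention in days, and the sample data are assumptions of this example.

```python
"""Request status handling as described in Appendix A and Table 85.

Added example, not One Identity Manager code. The status names, the status
groups and the expiry / retention rules follow the guide's text; the Request
record shape, the function names, the comparison directions and the sample
data are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Display name -> technical name (Table 85).
ORDER_STATE = {
    "New": "New",
    "Request": "OrderProduct",
    "Approved": "Granted",
    "Pending": "Waiting",
    "Assigned": "Assigned",
    "Renewal": "OrderProlongate",
    "Unsubscription": "OrderUnsubscribe",
    "Unsubscribed": "Unsubscribed",
    "Denied": "Dismissed",
    "Canceled": "Aborted",
}

# Status groups used by the guide (technical names).
PENDING = {"OrderProduct", "OrderProlongate", "OrderUnsubscribe"}
APPROVED = {"Granted", "Waiting", "Assigned", "OrderProlongate", "OrderUnsubscribe"}
ASSIGNED = {"Assigned", "OrderProlongate", "OrderUnsubscribe"}
CLOSED = {"Unsubscribed", "Dismissed", "Aborted"}


@dataclass
class Request:
    uid: str
    product: str
    recipient: str
    state: str                            # technical name from ORDER_STATE
    valid_until: Optional[date] = None    # None: unlimited validity
    closed_on: Optional[date] = None      # set once the request is in CLOSED


def in_effect(req: Request, today: date) -> bool:
    """A request keeps its product in effect while it is assigned and not expired."""
    return req.state in ASSIGNED and (req.valid_until is None or req.valid_until >= today)


def expiry_action(req: Request, today: date, all_requests: List[Request],
                  exceeded_valid_until_unsubscribe: bool) -> str:
    """What QER | ITShop | ExceededValidUntilUnsubscribe does with one request.

    Returns "keep", "ignore", "unsubscribe" or "cancel".
    """
    if req.valid_until is None or req.valid_until >= today:
        return "keep"                        # not expired
    # Expired requests already being (or already) unsubscribed are not considered.
    if req.state in ("OrderUnsubscribe", "Unsubscribed"):
        return "ignore"
    if not exceeded_valid_until_unsubscribe:
        return "cancel"                      # parameter not set: cancel in any case
    if req.state in ("Assigned", "OrderProlongate"):
        # Unsubscribe only if no other request keeps the product in effect for the recipient.
        others = [r for r in all_requests
                  if r.uid != req.uid and r.product == req.product
                  and r.recipient == req.recipient and in_effect(r, today)]
        # Assumption: when another request is in effect, this one is only canceled,
        # because the product stays assigned through the other request.
        return "cancel" if others else "unsubscribe"
    if req.state in ("Granted", "Waiting", "OrderProduct"):
        return "cancel"
    return "keep"


def closed_requests_to_delete(requests: List[Request], today: date,
                              retention_days: Dict[str, int]) -> List[str]:
    """Apply QER | ITShop | DeleteClosed | {Aborted, Dismissed, Unsubscribed}.

    retention_days maps a closed technical state to its maximum retention in days.
    States without a configured retention are kept (assumption of this example).
    """
    due = []
    for r in requests:
        if r.state not in CLOSED or r.closed_on is None:
            continue
        limit = retention_days.get(r.state)
        if limit is not None and today - r.closed_on > timedelta(days=limit):
            due.append(r.uid)
    return due


# Constructed sample data (not from a real installation).
TODAY = date(2024, 6, 1)
REQUESTS = [
    Request("r1", "SAP_FI", "alice", "Assigned", valid_until=date(2024, 5, 31)),
    Request("r2", "VPN", "alice", "OrderProlongate", valid_until=date(2024, 5, 31)),
    Request("r3", "VPN", "alice", "Assigned"),                    # unlimited, keeps VPN in effect
    Request("r4", "CRM", "bob", "Waiting", valid_until=date(2024, 5, 1)),
    Request("r5", "CRM", "carol", "OrderUnsubscribe", valid_until=date(2024, 1, 1)),
    Request("r6", "SAP_FI", "bob", "Assigned", valid_until=date(2024, 12, 31)),
    Request("c1", "SAP_FI", "dave", "Aborted", closed_on=date(2024, 1, 1)),
    Request("c2", "VPN", "dave", "Dismissed", closed_on=date(2024, 5, 20)),
    Request("c3", "CRM", "erin", "Unsubscribed", closed_on=date(2023, 1, 1)),
]
RETENTION = {"Aborted": 30, "Dismissed": 30, "Unsubscribed": 365}

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.uid, r.state, expiry_action(r, TODAY, REQUESTS, True))
    print("delete:", closed_requests_to_delete(REQUESTS, TODAY, RETENTION))
```

With the parameter set, r1 (expired, Assigned, no other request for the product) is unsubscribed, while r2 is only canceled because r3 still keeps VPN in effect for the same recipient; r4 (Pending) is canceled and r5 (Unsubscription) is ignored. With the parameter unset, r1 is canceled as well. The retention pass deletes c1 and c3, whose age exceeds the configured days, and keeps c2.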

Appendix C

Appendix: Examples of request results

Request results differ depending on whether a single request resource, a multi-request resource, or an assignment is requested. The following figures illustrate the differences.

Figure 13: Request for a single request resource

Figure 14: Request for a multi-request resource

Figure 15: Request for a requestable/unsubscribable resource

Figure 16: Request for a department membership

Figure 17: Request for assignment of an Active Directory group to a department
About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.

Technical support resources


Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
- Submit and manage a Service Request
- View Knowledge Base articles
- Sign up for product notifications
- Download software and technical documentation
- View how-to videos at www.YouTube.com/OneIdentity
- Engage in community discussions
- Chat with support engineers online
- View services to assist you with your product

Index

A
adaptive card 183-184
    apply 186
    approver 185
    channel 185
    create 186, 189
    delete 186
    edit 186
    evaluate 189
    process QER_PWOHelperPWO approve anywhere 186
    request template 188
    script 189
    template 186
administrator 12
Application Governance Module 16
application role
    administrator 12
    attestors 204
    chief approval team 122, 202
    clean up 79
    delete 79
    delete obsolete product owner 79
    product owners 12, 203
approval 95
approval level
    connect 95
    edit 89
approval policies
    approval workflow 82-83
    assign 209, 223
    cancellation workflow 82
    create 81
    determine 98
    effective 98
    mail template 82
    overview form 83
    priority 82
    renewal workflow 82
    role type 82
    validity check 83
    verify 84
approval procedure 90, 100
    Active Directory group product owner and additional owner 108
    add 117
    additional owner of the Active Directory group 107
    application entitlement approver 109
    application owner 108
    approvals made externally 115
    attestor assigned service item 107
    calculated approval 114
    Complianceprüfung (vereinfacht) [simplified compliance check] 126
    condition 119
    copy 121
    custom 117
    delete 122
    escalation 143
    exception approver for worst rule violation 128
    manager of cost center provided in request 111
    manager of department in request 112
    manager of recipient's cost center 106
    manager of recipient's department 106
    manager of shelf's cost center 105
    manager of shelf's department 105
    manager of shop's cost center 105
    manager of shop's department 105
    manager of shopping center's cost center 105
    manager of shopping center's department 105
    manager of the requested business role or organization 112
    members of a certain role 106
    named approvers of cost center provided in request 109, 111
    named approvers of department provided in request 112
    named approvers of recipient's cost center 109
    named approvers of recipient's location 109
    named approvers of recipient's primary role 109
    named IT approvers of cost center provided in request 111
    named IT approvers of department provided in request 112
    named IT approvers of recipient's cost center 109
    named IT approvers of recipient's department 109
    named IT approvers of recipient's location 109
    named IT approvers of recipient's primary role 109
    owner of the requested privileged access request 108
    product owners 107
    query 119
    recipient's manager 106
    self-service 105
    shelf owner 105
    shop owner 105
    shopping center owner 105
    specific role Manager 106
    target system manager of the requested system entitlement 108
    violation rule exception approver 128
    waiting for further approval 112
approval process 81, 83, 98
approval reason 196
approval step
    approval procedure 90
    edit 90
    escalation 143
    mail template 90
    relevance for compliance 90
    reminder interval 90
    rule check 90
    timeout behavior 90
    timeout interval 90
approval workflow
    copy 97
    delete 97
    overview form 96
    renewal 99
    set up 85
    system halt 88
    timeout interval 88
    unsubscribe 100
approver
    adaptive card 183-185
    approval by email 179
    approving own request 134
    channel 185
    notification 170, 172, 176-177
    recalculate 122
    restrictions 134
    select 100
assignment request 57
    approver 61
    convert to direct assignment 62
    grant approval 61
    obtain 64
    prepare 57
    remove recipient from customer node 62
    service item 57
    unsubscribe 62
assignment resource 57
    add 61
    assign shelf 66
    for a business role 59
    for an application role 60
    overview form 66
    remove from shelf 67
    resource type 64
    risk index 64
    service item 64

B
business partner 199
business role
    assign service item 29

C
cancellation workflow 100, 162, 169
cart item 237
change of manager 166
chief approval team 122, 202
comparison value 124
connector
    on approval 95
    on escalation 95
    on rejection 95
    on reroute 95
cost center
    assign service item 28-29
create product nodes 53
cross-functional product 139-140
currency 25
customer
    delete 215
    dynamic assignments 213
    relocate 46, 62, 164
customer node
    delete 215
    direct employee assignment 212
    new 211
    overview form 212
    remove employee 62
    set up 210

D
decision
    by peer group 139-140
default approval policy 83
default approval workflow 98
default assignment resources 66
default mail template 178
default service category 37
default service item 26
delayed decision 112
delegation
    approval notification 173
    deputize 67
    error 179
    grant approval 70
    notification 177, 179
    prepare 69
    service item 69
    single delegation 67
deny 95
department
    assign service item 28-29
dynamic role
    customer node 213

E
email notification
    set up 169
employee
    assign to customer node 212
    transform existing assignment in request 72
escalation 95
exception approver 128
    approving own request 131
    limit 131
    on self-service 134
expiry date 160-162, 172
extended property
    assign service item 30

F
fallback approver 145
functional area 201
    assign service item 29

G
GenProcID 240
going live with an IT Shop 14

I
Identity Lifecycle 14
IT Shop
    approval process 81
    edit 193
IT Shop structure 205

L
location
    assign service item 28-29

M
mail template
    approval policies 82
    approval step 90
    base object 228, 230
    confidentiality 228
    design type 228
    edit 227
    hyperlink 231
    importance 228
    language 229
    mail definition 229
    report 228
    target format 228
    unsubscribe 228
manufacturer 199
Multi-factor authentication 55

N
notification
    approval 173, 177
    default mail template 178
    delegation 177
    deny 173, 177
    deny approval 176
    escalation 175
    expiry 172
    mail template 169
    on delegation 173
    product change 178
    query 176
    quit 175
    recipient 169
    refuse approval 176
    reject approval 176
    reminder 170
    renewal 178
    request 170, 175
    sender 169
    unsubscribe 177

P
peer group analysis
    configure for request 140
    for request 139
price 25
processing status 195
product 16
    assign 53, 210
    assign to template 223
    change 31, 55
    cross-functional 139-140
    dependent 26
    move 54
    multi requestable 19
    not available 47
    prepare 21
    relocate 46, 54, 164
    remove 53
    replace 31, 55
    report 33
    service item 21-22
    terms of use 48
    unsubscribe 169
    validity period 46
product owners 12, 77
    clean up 79
    delete 79
    delete unused application role 79

R
reason 196
renewal
    approver 99
renewal workflow 99, 161
request
    approval by mail 179
    approval by Starling Cloud Assistant 183-184
    approval history 158
    approval sequence 157
    approve automatically 136, 146
    approved 256
    assigned 256
    assignment request 57
        unsubscribe 62
    by approver 134
    cancel 168, 191
    change approval workflow 164
    close pending 164
    closed 191, 256
    copy existing assignment 71
    delete 191
    details 157
    escalate 143
    expiry date 160-162, 172
    extend 161
    for employees 166
    monitor 240
    multi-request 159
    new manager 166
    notification 169, 172
    open 256
    overview 157
    query 141
    quit 54, 147
    reject approval 164
    relocate 164
    role 57, 190
    sequence 155
    status 256
    timeout 143, 146-147
    unsubscribe 162, 169
    validity period 160, 162
    withdraw 168
request parameter 39
    settings 40
request procedure
    archiving 191
    record 191
request property
    copy 45
    log 39
    main data 40
request recipient
    accept terms of use 150
    notification 177-178
request status 256
request template 235
    administrator 236
    cart item 237
    create 235
    delete 237
    product 237
    public template 236
    share 236
reroute 95
resource
    multi requestable 19
risk assessment 124
    functional area 201
risk index 64, 124
role
    request membership automatically 190
    transform existing assignment in request 76
role classes 198
role type 199, 206, 221
rule check 125
    Complianceprüfung (vereinfacht) [simplified compliance check] 126
    find exception approver 128
    on self-service 134

S
security code 55
service catalog 26, 35, 37
service category
    approval policies 35
    attestors 35
    log 35
    object dependent xref 38
    process information 35
    product owners 35
    request property 35
service item
    approval policies 22
    assign business role 29
    assign cost center 28-29
    assign department 28-29
    assign extended properties 30
    assign function area 29
    assign hierarchical role 28
    assign location 28-29
    assign tag 31
    attestors 22
    cost center 22
    enter tag 49
    image 26
    log 22
    manufacturer 22
    multi-request 22
    object dependent xref 32
    open site 30
    overview form 33
    overview of all assignments 34
    parent 27
    product description 30
    product owners 22
    relocate 22, 46
    replace 31
    report 33
    request property 22
    risk assessment 28
    subordinate 27
    terms of use 48
    validity 22
    validity period 46
shelf
    administrator 206
    approval policies 209, 223
    assign product 210
    attestors 206
    cost center 206
    delete 215
    department 206
    deputy 206
    location 206
    overview form 209
    role type 206
    set up 206
shelf filling wizard 224
shelf template
    administrator 221
    assign 206, 224
    assign product 223
    attestors 221
    cost center 221
    create 220-221
    delete 225
    delete shelf 215
    department 221
    deputy 221
    global 217, 220
    location 221
    role type 221
    special 217, 220
shop
    administrator 206
    approval policies 209
    attestors 206
    cost center 206
    delete 216
    department 206
    deputy 206
    location 206
    overview form 209
    set up 206
shopping center
    administrator 206
    approval policies 209
    attestors 206
    cost center 206
    delete 216
    department 206
    deputy 206
    location 206
    overview form 209
    set up 206
    shelf template 206
shopping center template 217
    assign 224
    create 220
    delete 225
single delegation 69
standard reason 196
    usage type 197
Starling 2FA 55
Starling Cloud Assistant
    approver 185
    channel 185
Starling Two-Factor Authentication 55
status
    request 256
system entitlement
    add to IT Shop (automatic) 77

T
tag 49
    assign service item 31, 50
    create 31
    overview form 51
template
    request template 235
    shelf template 217
terms of use 48
    accept 150
    assign service item 49
    overview form 49

U
unsubscribe
    approver 100
user account
    transform existing assignment in request 74

V
valid from date 160
valid until date 160
validity period
    verify 162

W
workdesk
    transform existing assignment in request 75
Workflow Editor 85
