IT Shop 5.0

© 2011 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA
legal@quest.com

Refer to our Web site (www.quest.com) for regional and international office information.

Patents

This product includes patent pending technology.

Trademarks

Quest, Quest Software, the Quest Software logo and Quest One Identity Manager are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see Other trademarks and registered trademarks are property of their respective owners.

Third Party Contributions

Quest One Identity Manager contains some third party components (listed below). Copies of their licenses may be found at

COMPONENT: ExplorerCanvas Release 3
LICENSE OR ACKNOWLEDGEMENT: Copyright 2006 Google Inc. Apache 2.0 License.

COMPONENT: MochiKit
LICENSE OR ACKNOWLEDGEMENT: Copyright 2005 Bob Ippolito. All rights reserved. MIT License.

COMPONENT: Mono.Security
LICENSE OR ACKNOWLEDGEMENT: Copyright 2004 Novell, Inc. ( MIT License.

COMPONENT: Novell.Directory.LDAP
LICENSE OR ACKNOWLEDGEMENT: Copyright 2003 Novell, Inc. ( MIT License.

COMPONENT: PlotKit
LICENSE OR ACKNOWLEDGEMENT: Copyright 2006 Alastair Tse. BSD Simple License.

Quest One Identity Manager - IT Shop
Updated
Software Version


1 About this Guide

- Quest One Identity Manager
- Intended Audience
- Conventions
- About Quest Software, Inc.

Quest One Identity Manager

Quest One Identity Manager streamlines the process of managing user identities, access privileges and security enterprise wide. It empowers IAM to be driven by business needs, not IT capabilities. Quest One Identity Manager is based on an automation-optimized architecture that addresses major IAM challenges at a fraction of the complexity, time, or expense of traditional solutions.

Intended Audience

The IT Shop manual explains the IT Shop functionality. The job of the IT Shop is to allow employees to provide themselves with the company resources they require to complete their tasks. You will discover how to set up an IT Shop solution in the Identity Manager database. This includes shop and customer structures, requestable products, request instances and approval policies. You use approval policies to define different workflows for making requests or canceling them via authorized personnel.

This manual is intended for system administrators, consultants, analysts, and any other IT professionals using the product.

This manual describes the default user functionality of the Identity Manager. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.

Documentation Manuals

Identity Manager documentation includes the following manuals as well as the IT Shop Manual. They can be found on the distribution CD in the directory ...\quest One Identity Manager\Documentation.

Getting Started
The main components of the Getting Started Manual are:
- Installation prerequisites
- Installation and updates of Identity Manager administration tools
- Identity Manager database setup
- Configuration of administration workdesks
- Configuration of server for accessing the database
- Overview of Identity Manager administration and configuration tools
- User interface for the main Identity Manager tools

Identity Management
The main components of the Identity Management Manual are:
- Identity Management and User Provisioning with Identity Manager
- Complying with and monitoring regulatory requirements using Identity Audit

Process Orchestration
The main components of the Process Orchestration Manual are:
- Monitoring process handling
- Controlling process handling
- Troubleshooting

Configuration
The main components of the Configuration manual are:
- Identity Manager software architecture
- Configuration of Identity Manager data models
- System permissions configuration
- User interface configuration
- Script processing
- Creating reports
- Data transport
- System configuration parameters
- Identity Manager inheritance mechanism
- Service provisioning using Service Provisioning Markup Language (SPML)
- Provider mode

IT Shop
The main components of the IT Shop manual are:
- IT Shop for authorized employees to supply themselves with company resources
- Development of approval policies and workflows

Web Designer Reference
The main sections in the Web Designer Reference are:
- Web Portals
- Development and Configuration with the Web Designer

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: <>
CONVENTION: Identifies the user interface buttons and menu entries or keystrokes on the keyboard.

ELEMENT: Blue Text
CONVENTION: Indicates a cross-reference.

ELEMENT: (icon)
CONVENTION: Used to highlight additional information pertinent to the process being described.

ELEMENT: (icon)
CONVENTION: Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

ELEMENT: (icon)
CONVENTION: Used to highlight processes that should be performed with care.

ELEMENT: +
CONVENTION: A plus sign between two keystrokes means that you must press them at the same time.

About Quest Software, Inc.

Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to

Contacting Quest Software, Inc.

info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA, USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at

From SupportLink, you can do the following:
- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at Support Guide.pdf.


2 Setting Up an IT Shop Solution

- Introduction
- Setting Up the IT Shop
- Requestable Products
- Preparing Products for Requesting
- Assigning and Removing Products
- Request Templates
- Approval Procedures for IT Shop Requests
- Notifications in the Request Process
- Request Sequence
- Managing an IT Shop
- Templates for Automatically Filling the IT Shop
- Creating IT Shop Requests from Existing User Accounts, Group Assignments and Role Memberships
- Creating Custom Mail Templates for Notifications
- IT Shop Info System

Introduction

The IT Shop allows users to request company resources such as applications, system roles or group membership as well as non-IT resources such as mobile telephones or keys. Furthermore, membership in a role (department, location, cost center, business role) can be requested via the IT Shop. The requests are processed by a flexible policy based approval process. Introducing IT Shop avoids time consuming demands within the company and reduces the administration effort. The request history makes it possible to follow who requested which company resource or role and when it was requested, renewed or canceled.

Shops, shelves, customers and products all belong to an IT Shop solution. Several shops can be grouped together into shopping centers. The shelves are assigned company resources in the form of products. Products can be grouped into service categories. All service categories are summarized in a service catalog. Customers can select products from a service catalog in IT Shop, add them to a cart and send a purchase request.

The following visual shows an example of a service catalog with service categories.

Figure: Example of a Service Catalog

Requests follow a defined approval process which decides whether a product may be assigned or not. Products can be renewed or canceled. Approval processes can also be specified for renewals and cancellations. Approval policies are defined for an approval procedure. The approval policies are assigned to approval workflows for product requests, renewals or cancellations.

Figure: Example for a Simple Approval Workflow

The products are requested, renewed and canceled through the Web Portal. Refer to the Web Portal User Guide for more information.

Setting Up the IT Shop

The shop Identity Lifecycle is already included in the default installation of the Identity Manager. The shop contains an Identity Lifecycle shelf to which you can assign requestable products. There are already products on the shelf that you can use to request a role membership and to delegate responsibilities. All active employees automatically become members of this shop and can therefore make requests.

Figure: Structure of the Default Shop Identity Lifecycle

Use the Identity Lifecycle shop to complete the following steps:

STEP: Check and, if necessary, enable the configuration parameter QER\ITSHOP
INSTRUCTION: In the default installation, the configuration parameter is enabled and the IT Shop is available. If the configuration parameter is not enabled then enable it in the Designer and compile the database.

STEP: Prepare requestable products
INSTRUCTION: For information about this see section Preparing Products for Requesting on page 19.

STEP: Assign requestable products
INSTRUCTION: For information about this see section Assigning and Removing Products on page 37.

STEP: Set up an approval process
INSTRUCTION: The approval policy Default Selfservice is assigned to the shop Identity Lifecycle in the default installation. This allows requests from this shop to be automatically approved through the Identity Manager. Read section Approval Procedures for IT Shop Requests on page 41 on how to set up customized approval procedures.

STEP: Install and configure the Web Portal
INSTRUCTION: The products are requested, renewed and canceled with the Web Portal. Authorized employees have the option to approve requests and cancellations. For more information see the Web Portal Installation Guide and the Web Portal User Guide.

You can set up more shops, shopping centers and shelves. For more information see section Managing an IT Shop on page

Requestable Products

Requestable products in the IT Shop are company resources such as target system groups, applications as well as non-IT resources after they have been assigned to a shelf. The following company resources can be assigned to shelves as requestable products. Currently available products are:

- Unified Namespace system entitlements
  Read section System Entitlements in the Unified Namespace on page 166 in the Identity Management Manual about setting up groups.
- Active Directory groups
  Read the section Entering Master Data for Active Directory Groups on page 271 in the Identity Management Manual about setting up Windows 2000 ADS groups.
- Lotus Notes groups
  Read the section Notes Groups on page 430 in the Identity Management Manual to set up Lotus Notes groups.
- LDAP groups
  Read the section LDAP Groups on page 526 in the Identity Management Manual about setting up LDAP groups.
- SAP groups, SAP roles and SAP profiles
  Read the section Groups, Profiles and Roles Administration on page 491 in the Identity Management Manual about setting up SAP groups, SAP roles and SAP profiles.
- Structural profiles
  Read section Managing Structural Profiles on page 499 in the Identity Management Manual about setting up structural profiles.
- Applications
  Read the section Setting Up Applications on page 136 in the Identity Management Manual about setting up applications.
- Resources
  Read the section Editing Resources on page 120 in the Identity Management Manual about setting up resources and resource packages.
- User account resources
  Read section Creating User Accounts with User Account Resources on page 39 in the Identity Management Manual about creating user accounts through user account resources.
- System roles
  Read the section Editing System roles on page 127 about setting up system roles in the Identity Management manual.
- Assignment resources
  Roles like departments or business roles can be requested through the IT Shop with the Identity Manager. This allows any role assignments or delegations from managers to be made by IT Shop requests. You need special assignment resources to achieve this. For more information see section Assignment Requests and Delegating on page

Preparing Products for Requesting

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators>
- Manager

Company resources have to fulfill at least the following prerequisites before they can be assigned as requestable products to shelves:

- The company resource has to be labeled with the option <IT Shop>.
- The company resource must be assigned to a service item. This means that the company resource request can be booked internally.
- Label the company resource with the option <Only use in IT Shop> if it can only be assigned to employees via IT Shop requests. This means that the company resource cannot be directly assigned to roles outside the IT Shop.

You can prepare all system entitlements, applications and resources for making requests in the category <Entitlements> in Identity Manager or in the Manager in the category <Resources & Groups>. Set up target system entitlements for requesting in the Manager in the category <Resources & Groups>.

Figure: Preparing a Product to Request Based on the Example of a Resource

You can add new service items using the button next to the input field <Service item>. Enter the other data on the service item master data form. For more information see section Entering Service Items on page 20.

When a product is requested, the name of the service item is always displayed. If a service item requested from one and the same shelf is assigned to several products, only one of these products is assigned. The requester cannot choose between products. Add a separate service item for each product!

IT Shop products can only be requested once as a rule. Other preparations are necessary in order to request products more than once. For more information refer to section Multiple Request Products on page 31.

Customers retain their requested products until they cancel them themselves. Sometimes, however, products are required for a specific time period and can be automatically canceled once this period expires. There are other settings required to provide limited period products. Refer to section Products with a Limited Request Period on page 33.

If a product should not be available in the IT Shop at a later date, set the option <Not requestable> on the service item. Existing requests remain unaffected, however, no new request can be made for this product.

Entering Service Items

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators>
- Manager

A product must have a service item assigned to it so that it can be added to the IT Shop as a requestable product. This means that requests for this product can be put through accounting. You can edit service items in the category <IT Shop>/<Service catalog>.

General Master Data for a Service Item

Figure: General Master Data for a Service Item

Enter general data for a service item on the <General> tab.

Service item
Enter the service item's name.

Special service item
If a product is used for a specific purpose, for example, for product collection, then mark it as a special service item.

Service category
Group individual products into a collection of products. This process is described in the section Entering Service Categories on page 28. To add a new service category, use the button next to the input field.

Product owner
Assign a <IT Shop>\<Product owner> application role. Product owners can be used as approvers in a defined approval procedure within the IT Shop. They can decide on approval of the service item request. For more information read the section Selecting an Approver on page 50. If you do not enter an owner, the Identity Manager takes it from the assigned service category.

Attestor
Assign an application role <IT Shop>\<Attestor>. The members of this application role can be chosen as attestors in an attestation procedure. Read the section Attestation Approval Procedures on page 585 in the Identity Management Manual for more information.

Cost center
Cost center for booking the service item in the accounts. Cost center setup is in the Identity Management Manual in section Cost Centers on page 103.

Manufacturer
Manufacturer data. Read section Business Partners on page 79 about how to enter manufacturer data.

Request number, product code, product code (foreign)
Company specific service item properties.

Functional area
Company specific service item property. Find out how to set up functional areas in the section Functional Areas on page 95.

Approval policy
Approval policy used to determine the approver when the service item is requested from the IT Shop. Read section Determining Effective Approval Policies on page 50 for more information.

Calculation info
Enter the calculation mode as accounting information.

Request properties
Select the group for defining extended properties for a request. These request properties are displayed in the Web Portal depending on the configuration, requester or approver. Section Entering Product Specific Request Properties on page 30 describes how to set up extended request properties.

Availability
Company specific information about the service item's availability.

Web page
Web page with more information about the service item. This field allows you to link product descriptions in the internet or intranet to the service item. The web page is opened in the default browser when you select the task <View documentation>.

Validity period
Time period for limited assignments via the IT Shop. For more information read section Products with a Limited Request Period on page 33.

Description
Detailed description of the service item.

Retain service item assignment on relocation
Specifies whether the service item assignment remains intact when a customer changes to another shop or shopping center. For more information, read section Requesting Products when the Customer Changes Shop on page 34.

Multi-request possible
Specifies whether a service item can be requested on a multiple basis. See section Multiple Request Products on page

Multi-order can be canceled
Specifies whether a multi-request service item can be canceled by a customer. If a product labeled like this is ordered and approved in the IT Shop, then it is not immediately canceled internally. It has to be canceled by the customer through the IT Shop. See section Multiple Request Products on page 31 for more information.

Not available
Specifies whether the service item can still be requested in the IT Shop. If this option is enabled, no new requests can be placed for this item. Existing requests remain intact.

Extended Master Data for a Service Item

On the <Calculation> tab, you enter the required pricing information for booking the product to the accounts. This data includes the purchase price, sales price, internal booking price, currency and sales tax to be used. You can also enter the prices that apply if the product is rented.

On the <Picture> tab, import a picture of the product into the database. To do this, select the path where the picture is stored.

On the <User defined> tab you can enter additional customer specific information about a service item. You can customize the display names, formats and templates for the input fields (by default <spare fields 01-10>) to meet your requirements.

Additional Tasks for Managing Service Items

After you have set up the master data for the service item you can run different tasks on the product. You get the most important information by looking at the product overview. Different forms in the task view are available with which you can run the following tasks.

Edit Product Dependencies for Requests

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators> or <IT Shop>\<Product owner>
- Manager

Dependencies between products are taken into account by IT Shop requests. For more information read section Defining Dependencies between Products on page 24.

Assign to Functional Areas, Business Roles and Organizations

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators> (only for functional areas) or <IT Shop>\<Product owner>
- Manager

With the Identity Manager you can set up rules to analyze the risk of assignments. The analyses can be evaluated separately by roles and functional area. Prerequisite is that service items are assigned to a role or functional area. To do this, use the task <Assign to business roles and organizations> and <Assign functional area>.

Assign Extended Attributes

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators> or <IT Shop>\<Product owner>
- Manager

Extended properties are meta objects for which there is no direct mapping, such as accounting codes, controlling areas or cost center areas, in the Identity Manager data model. These extended properties are used to check rule conformity. For more information see section Setting Up Extended Properties on page 532 in the Identity Management Manual.

View Documentation

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators> or <IT Shop>\<Product owner>
- Manager

You can link product descriptions in internet or intranet with the service item. Use the task <View documentation> to open the web page entered in the field <Web page> on the master data form.

Change Product

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators>
- Manager

Use this task to replace one product with another product on a particular date. For more information read section Changing a Product on page 39.

Defining Dependencies between Products

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators> or <IT Shop>\<Product owner>
- Manager

You can define dependencies for products. For example, when a printer is requested, a flat-rate installation charge has to be requested at the same time and toner might be requested optionally.

Dependencies between requestable products are created using service items. Select the service item for the product you want and use the form <Edit product dependencies for request> to specify the dependencies.

Figure: Swap to Detailed Assignment Form

Specify the dependent products for the selected service item on the <Child service items> tab. Specify the service item that the selected service item depends on, on the <Parent service item> tab.

Dependent Products

PRODUCT DEPENDENCY     REQUESTED PRODUCT                  DEPENDENT PRODUCT
Child service item     Selected service item              All assigned child service items
Parent service item    An assigned parent service item    Selected service item

After saving the dependency, swap to the detailed form using the context menu item <Extended properties> and specify the condition for dependency. The following options are available:

- Product may not be requested at the same time
- Product must be requested at the same time
- Product can be optionally requested at the same time

When a product is requested it is tested for existing dependencies. If this is the case, the appropriate products are automatically added to the request. The option <Cannot request service items together> prevents dependent products from being obtained through the same request. The product can be assigned at any time with a separate, direct request.
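The dependency test described above, modelled as an added sketch (not code from the guide or from Quest One Identity Manager): a cart is expanded with "must" products, "optional" products are offered, and "may not" pairs block the request. The class and function names, the "Leased printer" product, and following mandatory dependencies transitively are assumptions of this example.

```python
"""Illustrative model of IT Shop product dependencies (added example)."""
from dataclasses import dataclass
from enum import Enum


class Condition(Enum):
    # The three dependency conditions listed in the guide.
    MUST = "must be requested at the same time"
    OPTIONAL = "can be optionally requested at the same time"
    MAY_NOT = "may not be requested at the same time"


@dataclass
class CartResult:
    items: list            # products in the final request, in order
    auto_added: list       # products added because of a MUST dependency
    optional_offers: list  # (parent, child) pairs the requester may still add
    conflicts: list        # (parent, child) pairs that may not share a request

    @property
    def ok(self):
        return not self.conflicts


def evaluate_request(requested, dependencies):
    """Test a cart against {parent: {child: Condition}} dependencies.

    Assumption of this sketch: MUST dependencies of an automatically
    added product are followed as well (the guide does not say).
    """
    items = list(dict.fromkeys(requested))  # de-duplicate, keep order
    auto_added = []
    queue = list(items)
    while queue:
        parent = queue.pop(0)
        for child, cond in dependencies.get(parent, {}).items():
            # "child not in items" also stops dependency cycles.
            if cond is Condition.MUST and child not in items:
                items.append(child)
                auto_added.append(child)
                queue.append(child)

    optional_offers, conflicts = [], []
    for parent in items:
        for child, cond in dependencies.get(parent, {}).items():
            if cond is Condition.OPTIONAL and child not in items:
                optional_offers.append((parent, child))
            elif cond is Condition.MAY_NOT and child in items:
                # Also catches a conflict caused by an auto-added product.
                conflicts.append((parent, child))
    return CartResult(items, auto_added, optional_offers, conflicts)


# Constructed sample data: the printer case is the guide's example,
# "Leased printer" is invented here to show a blocked combination.
SAMPLE_DEPENDENCIES = {
    "Printer": {
        "Installation charge": Condition.MUST,
        "Toner": Condition.OPTIONAL,
    },
    "Leased printer": {
        "Installation charge": Condition.MAY_NOT,
    },
}

if __name__ == "__main__":
    for cart in (["Printer"], ["Printer", "Leased printer"]):
        result = evaluate_request(cart, SAMPLE_DEPENDENCIES)
        print(cart, "->", result.items)
        print("  auto-added:", result.auto_added)
        print("  optional:  ", result.optional_offers)
        print("  conflicts: ", result.conflicts, "ok" if result.ok else "BLOCKED")
```

The second cart is blocked only because the installation charge was added automatically, which is the case worth checking when dependencies are maintained by several product owners.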

Reports about Service Items

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators> (only for functional areas) or <IT Shop>\<Product owner>
- Manager

Identity Manager makes various reports available containing information about the selected base object and its relations to other Identity Manager database objects. The following reports are available for resources.

Overview of all Assignments

This report shows all employees that the service item is assigned to. This includes service items that employees have requested as products in the IT Shop. The report shows which roles of a role class the employee belongs to. Employees that are not members of any role are not taken into account. What you get is an organigram of the different role classes for the selected service item.

Figure: Report Overview of all Assignments for Service items

Use the <Used by> button in the report toolbar to select the role class for displaying the employee assignment you want to see. A simple mouse click on the control element in the report displays all the employees that violate the role and are members of the selected role. The meaning of the various control elements is described in section Overview of All Assignments on page 176 of the Getting Started Manual.

Use the small arrow on the right margin of the control element to start a wizard that allows you to bookmark this list of employees for tracking.

Figure: Bookmark Employee for Tracking

To do this a new business role is added and the employees are assigned to it. The business role can only be added if you are logged onto the Manager.

Figure: Wizard for Tracking Employee Assignment

Enter the following data for the business role:

Business role
The name of the business role is made up automatically from the selected system entitlement and role. You can change the name as you wish.

Role class
Select a role class that is assigned to the business role. The drop-down menu shows all the custom defined role classes that can be used for the employee assignment. Role classes cannot be changed once they have been saved.

Parent business role
The new business role can be assigned to an existing business role as a child role.

Internal name
Additional internal name for the business role.

Description
Detailed description of the business role.

Use the <OK> button to save the business role and close the wizard. You are prompted by Identity Manager to decide whether you want to display the business role straight away or not. If you confirm the prompt with the <Yes> button you can add more master data to the new business role. Close the prompt with the <No> button if you want to edit the business role at a later date.

Entering Service Categories

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators>
- Manager

You can group individual products into service categories and thereby create a service catalog. Price information required or service category cost types and services types can be mapped to individual products using customized templates.

Figure: Example of a Service Catalog

Edit service categories in the category <IT Shop>\<Basic configuration data>\<service catalog> or <IT Shop>\<Service category>.

General Master Data for a Service Category

Enter the following master data for a service category:

Service category: Enter the service category's name.
Special service category: Specifies whether the service category has a special purpose.
Parent service category: If you want to have service categories in a hierarchical structure, select a parent service category from the list.
Product owner: Assign an IT Shop product owner application role. Owners can be used as approvers in an appropriately defined approval procedure within the IT Shop. They can decide on approval of the service item request. For more information read the section Selecting an Approver on page 50.
Attestor: Assign an application role <IT Shop>\<Product owner>. The members of this application role can be chosen as attestors in an attestation procedure. Read the section Attestation Approval Procedures on page 585 in the Identity Management Manual for more information.
Approval policy: Approval policy used to determine the approver when the service item is requested from the IT Shop. Read section Determining Effective Approval Policies on page 50 for more information.
Request properties: Select the group for defining extended properties for a request. These request properties are displayed in the Web Portal depending on the configuration, requester or approver. Section Entering Product Specific Request Properties on page 30 describes how to set up extended request properties.
Purchase price, sales price, internal price, currency: Enter the required price information for the service category accounting.
Sort order: Customer specific criteria for sorting assigned service items.
Description: Detailed description of the service item

Import a picture of the service item into the database on the <Picture> tab. To do this, select the directory path where the picture can be found.

Use the input field for user defined properties on the <User defined> tab to enter additional customer specific information about a service category. Use the Designer to customize the display names, formats and templates for the input fields (by default <spare fields 01-10>) to meet your requirements.

Additional Tasks for Managing Service Categories

After you have entered the service category master data you can apply various tasks to it. You can find the most important information in the overview form. Use the task <Assign service items> to assign any number of service items to the service category.

Entering Product Specific Request Properties

Tools: Identity Manager with the application role <IT Shop>\<Administrators>; Manager

When products are requested in the Web Portal, product specific request properties can be dynamically queried. Specify which properties are valid for which product in order to use these product specific request properties. You can assign request properties to service items and service categories. When a product is requested the request properties are displayed for the service item. If there are no extended request properties stored for the service item, the request properties from the service category are used. Read about how you assign a request property to a service item or a service category in the sections General Master Data for a Service Item on page 21 and Entering Service Items on page 20.

Edit extended request properties in the category <IT Shop>/<Basic configuration data>\<request properties>.

[Figure: Editing Request Properties]

Certain request properties are grouped together. Enter the following data for groups of this type:

- Identifier for the request property. Request properties for service items and service categories can be selected using this identifier.
- Detailed description

Use the <Insert> button to add single request properties. Enter the following master data for each request property:

Column: Select a column that needs to be given as an extended property to a request.
Display value: The request property is shown with this name in the Web Portal. If you want language dependent usage, translate the name using the button next to the input field.
Sort order: Specify the order in which the request properties are shown in the Web Portal.
Mandatory parameter: Set this option if it is mandatory to enter the request property when a product is requested.
Read only: If you set this option the request property is only displayed and cannot be edited.
Editable for approver: Set this option if both requester and approver can edit the request property. If this option is not set, only the requester can edit this request property.
Condition: The value selection in the Web Portal can be further restricted by a condition in the case of columns department and cost center.

Multiple Request Products

Tools: Identity Manager with the application role <IT Shop>\<Administrators>; Manager

IT Shop products can only be requested once as a rule. If a product is assigned to a customer, then it cannot be requested a second time. In certain circumstances, however, it is sometimes necessary to request a product more than once. Services such as requesting a memory extension may need to be multiply requested. To illustrate this, label the product's service item as multiple request. Edit the master data for the service item in the category <IT Shop>\<Service catalog>\<requestable service items> at the same time.

[Figure: Labeling the Service Item to Allow Multiple Requests]

For this there are two options available for the service item:

Multiple requests possible: If a multiple product in the IT Shop is requested and approved, the request is immediately canceled internally so that it can be requested again.
Can cancel multiple requests: If a product so labeled is requested in the IT Shop and approved, the request is not immediately canceled. The customer initiates the cancelation in the IT Shop.

Products with a Limited Request Period

Tools: Identity Manager with the application role <IT Shop>\<Administrators>; Manager

The customer keeps a requested product on the shelf up until a time when he cancels it himself. Sometimes products are only required for a specific period and after this time they can be canceled. In this way, a membership in a target system group, for example, may only be valid for the period of the project. Products that are intended to have a limited shelf life need to be marked with a validity period. Edit the service item master data for this in the category <IT Shop>\<Service catalog>\<requestable service items>. Enter the time period during which the product can be requested in the input field <Validity period>. If the product concerned is a multiple product, you should only enter a validity period when the product can also be canceled. The Identity Manager calculates the date that the product is automatically canceled from the current date and validity period at the time of request and approval.

[Figure: Labeling the Service Item to have a Limited Shelf Life]

Requesting Products when the Customer Changes Shop

Tools: Identity Manager with the application role <IT Shop>\<Administrators>; Manager

If a customer requests a product from one shop or shopping center and then changes to another at a later date, then the request is closed and the product is canceled. To obtain a product when the customer moves you can label the service item with the flag <Retain service item assignment on relocation>. Edit the service item master data in the category <IT Shop>\<Service category>\<requestable service items>.

[Figure: Labeling a Service Item for Request Relocation]

Assignment Requests and Delegating

Roles such as departments or business roles can be requested and assigned to employees with the Identity Manager. This allows any number of assignments to be made via IT Shop requests. The advantage of this method is that any assignments can be authorized using an approval process. Assignment renewals and assignment recall are also subject to an approval process in the same way. The request history makes it possible to trace who requested, renewed or canceled which assignments, where and why.

Delegation is a particular type of assignment request. This allows an employee to pass on any role assignment to another person for a limited period of time. Delegations are also subject to approval processes. The Identity Manager provides a shop Identity Lifecycle with special products in the default installation for these assignment requests.

Preparing Assignment Requests

Tools: Identity Manager with the application role <IT Shop>\<Administrators>; Manager

You require separate resources, so called assignment resources, for assignment requests. The assignment resources Business role membership and Business role entitlement assignments already exist as products in the shop Identity Lifecycle, on the shelf Identity Lifecycle in the standard installation. You can use these assignment resources to request business roles assignments and assignments to system entitlements or target system groups to business roles. You can also create your own assignment resources and allocate them to the Identity Lifecycle shop or any other shop.

Edit assignment resources in the Identity Manager in the category <Entitlements>\<Resources> or in the Manager in the category <Resources & Groups>\<Resources>. See section Editing Resources on page 120 in the Identity Management Manual on how to create assignment resources.

In order to use resources to request assignments in IT Shop, prepare the resources as follows:

- Enable the option <Assignment resource>.
- Enable the options <IT Shop> and <Only use in IT Shop>.
- Assign separate service items.
- Enable the option <Multi-request possible>. You can enable the option <Multi-request cancelable> as you need it. Refer to section Multiple Request Products on page 31 for more information.
If the assignment resource is assigned as a product to a shop, the shop customers can request this assignment using the assignment resource. Use the Web Portal to make requests. For more information see section Roles on page 40 in the Web Portal User Guide. This table provides you with an overview of the assignment resources that can be requested.

Assignment Request Objects
REQUEST | FOR
Company resources | Department, cost center, location, business role
Department, cost center, location, business role | Employee

Assignment Request Objects
REQUEST | FOR
Identity Manager application roles | Employee

Example: Ms. Sharp is the project X project leader. A business role Project X is added in the Identity Manager to ensure that all the project staff obtain the necessary entitlements. Ms. Sharp requests the product Membership in business roles from Web Portal so that she also becomes a member of the business role Project X. To do this, she selects the business role Project X as the object to be requested.

Furthermore, Ms. Sharp wants all project staff to be members of the Active Directory group Project X AD entitlements. She needs to request the product Business role entitlement assignment for the business role Project X in IT Shop for this. She selects the Active Directory group Project X AD entitlements as the object to be requested. This makes Ms. Sharp a member of the Active Directory group Project X AD entitlements through internal inheritance mechanisms.

Ms. Sharp requests the product Membership in business roles from Web Portal for all the project staff to ensure that they all receive this membership. She selects the business role Project X as the object to be requested. This makes all the project staff members in the Active Directory groups Project X AD entitlements through internal inheritance mechanisms.

Preparing for Delegation

Configuration Parameter for Delegation
CONFIGURATION PARAMETER | MEANING
QER\ITShop\Delegation | Preprocessor relevant configuration parameter for controlling the model components for delegation and role membership. If the parameter is enabled, the delegation components are available. Changes to the parameter require recompiling the database.

Delegation is a special type of assignment request. It allows an employee to temporarily pass on responsibilities or any role assignment to another person. Set the configuration parameter QER\ITShop\Delegation and compile the database if you want to run delegation in the Identity Manager. Delegations are also subject to a fixed approval process.

For delegations, you need a separate delegation assignment resource. This already exists in the standard installation as product in the shop Identity Lifecycle on the shelf Identity Lifecycle. The following objects in the standard installation can be delegated.

Delegable Objects
MEMBERSHIP IN: Departments; Cost centers; Locations; Business roles; Identity Manager application roles
RESPONSIBLE FOR: Departments; Cost centers; Locations; Business roles; Employees

Delegable Objects
MEMBERSHIP IN: IT Shop customer nodes
RESPONSIBLE FOR: IT Shop structures (owner)

Set the <Delegable> option on the associated role classes to specify which memberships can be delegated to meet company requirements. For more information read the section Role Classes on page 93 in the Identity Management Manual. Use Web Portal to delegate roles or responsibilities. You can find more information about delegation processes in section Delegation on page 42 of the Web Portal User Guide.

Assigning and Removing Products

Tools: Identity Manager with the application <IT Shop>\<Administrators>; Manager

Once you have prepared the product to be requested, assign it to a shelf or a shelf template. A shelf has several tasks available for assigning and removing products.

Tasks for Assigning and Removing Requestable Products
PRODUCT | TASK
Applications | Assign applications
Resources | Assign resources
System roles | Assign system roles
Unified Namespace system entitlements | Assign system entitlements
Active Directory group | Assign Active Directory groups
SharePoint permissions | Assign SharePoint groups; Assign SharePoint roles
LDAP groups | Assign LDAP groups
Lotus Notes group | Assign Notes groups
SAP R/3 authorization | Assign BI analysis authorizations; Assign SAP groups; Assign SAP profiles; Assign SAP roles; Assign structural profiles

Assigning a Product

Tools: Identity Manager with the application <IT Shop>\<Administrators>; Manager

Take the following steps to assign a product, for example a resource, to the Identity Lifecycle shelf:

1. Select the Identity Lifecycle shelf in the Identity Lifecycle shop.
2. Open the assignment form with the task <Assign resources>.
3. Select the resource in the Add assignments view and add it by double-clicking the icon or using the context menu <Assign>.
4. Save the assignment.

The inheritance mechanism of the DBScheduler and subsequent post-processing creates a separate product node for each product belonging to a shelf. The product node is named with the service item identifier.

Removing a Product

Take the following steps to remove a product, for example a resource, from the Identity Lifecycle shelf:

1. Select the Identity Lifecycle shelf in the Identity Lifecycle shop.
2. Open the assignment form with the task <Assign resources>.
3. Select the resource in the Remove assignments view and add it by double-clicking the icon or using the context menu <Assign>.
4. Save the changes.

If you delete a product from a shelf, the product node is deleted by the DBScheduler. When the product is deleted any open requests are closed and approved requests are canceled.

In order to remove a product from the shelf, you select the article, for example, from the resources and run the task <Remove from all shelves>. Assignments to manually set up shelves and to shelf templates are immediately removed by this action. Subsequently, product assignments to shelves are removed that came about using template definitions. Take into account the effects on performance of running this task.

Moving a Product to another Shelf

Tools: Identity Manager with the application <IT Shop>\<Administrators>; Manager

Take the following steps to move a product to another shelf:

1. Select the product in the IT Shop shelf.
2. Run the task <Move to another shelf...>.
3. Select the new shelf and confirm with <OK>.

Changing a Product

Tools: Identity Manager with the application <IT Shop>\<Administrators>; Manager

If it is necessary to replace one product with another at any time, take the following steps:

1. Select the service item of the product to be replaced in the category <IT Shop>/<Service catalog>.
2. Run the task <Change product...>.
3. Enter the following data and confirm with <OK>:

Expiry date: Date on which the product will be replaced by another one.
Alternative product: Service item that can be requested instead.

All employees that have requested this product are notified by e-mail. The notification configuration is described in section Limited Period Request Sequence on page 69.

Request Templates

When you want to order products in IT Shop, you select the products you want and place them in the cart. The products remain in the cart until you send the request. You can save all the products in your cart or just individual ones in a request template so that you can reuse the products in the cart for future requests. You can add products to or delete products from request templates at any time.

Use the Web Portal (see section Cart on page 58 in the Web Portal User Guide) or the Identity Manager to set up request templates. In the following you will find out how to set up request templates with the Identity Manager.

Editing Request Templates

Tools: Identity Manager with the application <IT Shop>\<Administrators>; Manager

Configuration Parameters for Using Request Templates
CONFIGURATION PARAMETERS | MEANING
QER\ITShop\ShoppingCartPattern | This configuration parameter specifies whether request templates can be used in IT Shop.
QER\ITShop\ShoppingCartPattern\AutoQualified | This configuration parameter specifies whether public request templates are automatically labeled as shared or whether they have to be manually shared by a manager.

Enable the configuration parameter QER\ITShop\ShoppingCartPattern in order to use request templates. Create request templates in the Identity Manager in the category <IT Shop>\<Request templates>. Enter general master data for the request templates on the <General> tab.

[Figure: Request Template General Master Data]

Enter the following data on the <General> tab:

Voucher number: A combination of any characters to uniquely identify the request template. If you leave this field empty, the Identity Manager automatically allocates a number.
Request template: Name for the request template
Short name, Name: Any additional names for the request template.
Owner: The employee that creates the template is entered automatically. This value can be changed as required.

Description: Detailed description of the request template
Public template: If this option is enabled, the owner makes the request template available to all Identity Manager users.
Shared: If this option is enabled, the request template can be used by all Identity Manager users. This option can only be changed in the Identity Manager by users in the application role <IT Shop>\<Administrators>. If a public template is shared and the option <Public template> is disabled then the option <Shared> is disabled as well. If the configuration parameter QER\ITShop\ShoppingCartPattern\AutoQualified is enabled, request templates are shared automatically the moment the option <Public template> is enabled.

Use the <Requested items> tab to assign the product. If there is no product click on the <Add> button. This displays a menu containing all the service items whose products are assigned to at least one shelf in the IT Shop. Select the service item you want and enter the number of products to request in the <Quantity> field. You need to customize your IT Shop in order to use these values (see Web Designer Reference). Add more products with the <Add> button next to the menu.

Deleting Request Templates

Use the appropriate icon in the Identity Manager or the Manager user interface to delete request templates. Every owner can delete his own request templates in the IT Shop. Identity Manager users with the application role <IT Shop>\<Administrators> can delete the templates from every owner.

Approval Procedures for IT Shop Requests

All IT Shop requests are subject to a defined approval process. During this process, authorized personnel decide either positively or negatively for the product assignment. You can configure this approval process in various ways and therefore customize it to meet your company policies. You define approval policies and approval workflows for approval processes.
Specify which approval workflows are going to be used for the request in the approval policies. Use approval workflows to specify which employee is authorized to grant or deny approval for the request at the time it was placed. An approval workflow can contain a number of approval levels and this can in turn contain several approval steps, for example, when several management hierarchy layers need to give approval for a request. A special approval procedure is used to determine the approvers in each approval procedure.

Approval policies are also used for attestation instances in the Identity Manager. By assigning approval workflows to approval policies you can specify whether these can only be used for IT Shop requests, only for attestation or for both.

In the default installation the approval policy Default self service is assigned to the Identity Lifecycle. This means that requests from this shop are automatically granted approval through the Identity Manager. If requests from this shop should run through a customized approval procedure, assign an approval policy to the shop, the shelf or the service item of the Identity Lifecycle shelf.

Editing Approval Policies

Tools: Identity Manager with the application <IT Shop>\<Administrators>; Manager

Set up approval policies in the category <IT Shop>\<Basic configuration data>\<approval policies>.

[Figure: Approval Policy Setup]

Enter the following master data for an approval policy.

Approval policy: Approval policy name
Role type: You can use role types in connection with IT Shop to specify approval policy inheritance within an IT Shop. For more information read the section Determining Effective Approval Policies on page 50. Add the necessary role types in the category <IT Shop>\<Basic configuration data>\<role types>. Refer to section Role type on page 78.
Priority: An integer with a maximum of one digit. A priority is used to decide which approval policy should be used if several approval policies are found to be valid following the given rules. The highest priority has the largest number.
Approval workflow: A workflow for determining request approvers in IT Shop. Select any approval workflow from the pop-up menu or add a new one using the button next to the input field. For more information read section Setting Up Approval Workflows on page

Renewal workflow: An approval workflow for determining approvers when a product should be renewed. Select any approval workflow from the pop-up menu or add a new approval workflow using the button next to the input field. For more information read section Setting Up Approval Workflows on page 45.
Cancellation workflow: An approval workflow for determining approvers when a requested product should be canceled. Select any approval workflow from the pop-up menu or add a new one using the button next to the input field. For more information read section Setting Up Approval Workflows on page 45.
Mail templates: Once the approval procedure for a request has been concluded, the requester can be notified by e-mail. Select a mail template that is used for notifications for granting or denying approval for a request and expired or canceled requests. Setting up notification procedures is described in section Notifications in the Request Process on page 68.
Shared by: Enter the function that the approval policy can be used for. Values are: IT Shop, Attestation, IT Shop + Attestation. The value is dependent on which approval workflows are assigned.
Detailed description of the approval policy.

Approval policies are also used for attestation instances in the Identity Manager. By assigning approval workflows to approval policies you can specify whether these can only be used for IT Shop requests, only for attestation or for both. Only approval policies that can be used for IT Shop are displayed in the result list.

Additional Tasks for Approval Policies

After you have entered the master data for the approval policy you can apply other tasks to it. You will find the most important information on the approval policy overview form. The task view provides you with various forms that you can use to run the following tasks.

Add to IT Shop

You can assign approval policies to shops, shopping centers or shelves. The approval policy is applied to the request from the respective IT Shop nodes if there are no approval policies assigned to child IT Shop nodes. For more information read the section Determining Effective Approval Policies on page 50.

Validity check

Once you have edited an approval policy you need to test it. Run the task <Validity check> to do this. This task checks whether the approval steps can be used in the approval policy in this combination. Non-valid approval steps are displayed in the error window.

Editing Approval Workflows

Use the tasks <1. Edit Approval workflow>, <2. Edit Renewal workflow> and <3. Edit cancellation workflow> to change to the Workflow Editor. You can edit approval workflows that are assigned to approval policies with the Workflow Editor. For more information read section Working with the Workflow Editor on page

Working with the Workflow Editor

Use the workflow editor in the category <IT Shop>\<Basic configuration data>\<Approval workflows> to create and edit approval workflows in the IT Shop. The workflow editor allows approval levels to be linked together. Multi-step approval processes are clearly displayed in a graphical form.

[Figure: Workflow Editor]

Approval levels and approval steps belonging to the approval workflow are edited in the workflow editor using special control elements. The workflow editor contains a toolbox. The toolbox methods are activated or deactivated depending on how they apply to the control element. You can move the layout position of the control elements in the workflow editor with the mouse.

When you add a new approval workflow, the first thing to be created is a new workflow element. Use <Approval levels>\<add> to add additional level elements. When you add a new level element, a properties window is opened where you can edit the method or approval step. Use the method <Approval step>\<add> to add more approval steps to an approval level.

Each of the elements has a properties window for editing the approval workflow, level or step data. Use the method <Edit...> to open the appropriate properties window.

[Figure: Properties Window for an Approval Workflow]

Use the <OK> button to save the changes and the <Cancel> button to discard all changes. In both cases the property window is closed.

Link individual elements to each other with a connector. The connection points are activated with the mouse. The mouse cursor changes into an arrow icon for this. Hold down the left mouse button and pull a connector from one connection point to the next.

By default, a connection between workflow elements and level elements is created immediately when a new element is added. If the hierarchy needs to be changed, you can create a new connector from a workflow element to a level element, therefore raising this level to the next level up. Alternatively, you can disconnect connectors between other level elements by using <Assignments>\<Remove positive>, <Assignments>\<Remove negative> or <Assignments>\<Remove reject> and then create a new connection.

Different icons are displayed on the level elements depending on the configuration of the approval steps.

Icons on the Level Elements
ICON | MEANING
(icon) | The approval decision is made by the system.
(icon) | The approval decision is made manually.
(icon) | The approval step contains a reminder function.
(icon) | The approval step contains a timeout.

Changes to individual elements in the workflow do not take place until the entire approval workflow is saved. The layout position in the workflow editor is saved in addition to the approval policies.

Setting Up Approval Workflows

Tools: Identity Manager with the application <IT Shop>\<Administrators>; Manager

An approval workflow consists of one or more approval levels. An approval level can contain one approval step or several parallel approval steps. All the approval steps in the approval process for one approval level have to be executed before the next approval level can be called upon.

Edit Approval workflows in the category <IT Shop>\<Basic configuration data>\<approval workflows>.

Approval Workflow

When you create a new approval workflow, a new workflow element is the first thing to be created. Enter the following data in the properties window for the approval workflow:

- Approval workflow identifier
- System abort (days): Enter the number of days before the approval workflow, and therefore the entire approval procedure, is automatically terminated by the system. For more information, read section Abort Request on Timeout on page 67.
- Description of the approval workflow

[Figure: Setting up an Approval Workflow]

Editing Approval Levels and Approval Steps

Insert approval levels in the approval workflow using the method <Approval levels>\<add>. An approval level provides a method of grouping individual approval steps. All the approval steps in one approval level are executed in parallel. All the approval steps for different approval levels are executed one after the other. You use the connectors to specify the order of execution.
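The level and step rules described above (levels one after the other, steps within a level in parallel, every step decided before the next level is called) can be modelled as follows. This is an added example, not Quest code: the class and field names, the sample workflow, and the rule that a step turns negative once its required number of approvals is out of reach are assumptions made for illustration.

```python
"""Simplified model of approval levels and steps (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# step name -> {approver: True = approve, False = deny}
Decisions = Dict[str, Dict[str, bool]]


@dataclass(frozen=True)
class ApprovalStep:
    name: str
    approvers: frozenset      # employees determined by the step's approval procedure
    required: int = 1         # "Number of approvers" that must approve

    def outcome(self, decisions: Decisions) -> Optional[bool]:
        """True = positive, False = negative, None = still waiting for decisions."""
        # Decisions from anyone outside the determined approver set are ignored.
        votes = {who: ok for who, ok in decisions.get(self.name, {}).items()
                 if who in self.approvers}
        approvals = sum(1 for ok in votes.values() if ok)
        denials = len(votes) - approvals
        if approvals >= self.required:
            return True
        # Assumption: negative once the required number can no longer be reached.
        if len(self.approvers) - denials < self.required:
            return False
        return None


@dataclass(frozen=True)
class ApprovalLevel:
    name: str
    steps: Tuple[ApprovalStep, ...]
    on_positive: Optional[str] = None   # connector followed after a positive result
    on_negative: Optional[str] = None   # connector followed after a negative result


def check_workflow(levels: List[ApprovalLevel]) -> None:
    """Structural checks: each level needs a step, connectors must point somewhere."""
    names = {lvl.name for lvl in levels}
    for lvl in levels:
        if not lvl.steps:
            raise ValueError(f"level {lvl.name!r} has no approval step")
        for step in lvl.steps:
            if not 1 <= step.required <= len(step.approvers):
                raise ValueError(f"step {step.name!r}: required approvals not reachable")
        for target in (lvl.on_positive, lvl.on_negative):
            if target is not None and target not in names:
                raise ValueError(f"level {lvl.name!r} points to unknown level {target!r}")


def evaluate(levels: List[ApprovalLevel], start: str, decisions: Decisions):
    """Return (state, trail); state is 'granted', 'denied' or 'pending'."""
    check_workflow(levels)
    by_name = {lvl.name: lvl for lvl in levels}
    trail, visited, current = [], set(), start
    while True:
        if current in visited:
            raise ValueError("connectors form a loop")
        visited.add(current)
        level = by_name[current]
        results = [step.outcome(decisions) for step in level.steps]
        # Every parallel step must be decided before the level itself is decided.
        if any(r is None for r in results):
            trail.append((current, "pending"))
            return "pending", trail
        positive = all(results)
        trail.append((current, "positive" if positive else "negative"))
        nxt = level.on_positive if positive else level.on_negative
        if nxt is None:  # assumption: no connector for this outcome ends the workflow
            return ("granted" if positive else "denied"), trail
        current = nxt


# Constructed sample workflow: manager first, then two parallel steps.
WORKFLOW = [
    ApprovalLevel("manager",
                  (ApprovalStep("line-manager", frozenset({"mgr1"})),),
                  on_positive="owners"),
    ApprovalLevel("owners", (
        ApprovalStep("product-owner", frozenset({"po1", "po2", "po3"}), required=2),
        ApprovalStep("security", frozenset({"sec1"})),
    )),
]

if __name__ == "__main__":
    sample = {"line-manager": {"mgr1": True},
              "product-owner": {"po1": True, "po2": False, "po3": True},
              "security": {"sec1": True}}
    print(evaluate(WORKFLOW, "manager", sample))
```
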

Specify the individual approval steps in the approval levels. At least one approval step is required per level. You can define more than one approval step for each level. In this case, the approval bodies for each step together make up the approvers for the whole level. All the approval steps in the approval process for one level have to be executed before the next approval level can be called upon. Enter the approval steps first before you add an approval level.

[Figure: Setting up an Approval Step]

Enter the following data for an approval step in the properties window:

Approval step: Approval step identifier
Approval procedure: Procedure to be used to determine the approvers. You will find the procedures to determine approvers listed in the pop-up menu <Decision rule> as described in section Selecting an Approver on page 50.
Processing status: You can store an edit status for each approval step for each of the two cases, success and failure. The edit status for the request is set corresponding to the decision and whether it has been made positively or negatively. Enter processing status in the category <IT Shop>\<Basic configuration data>\<processing status>. For more information read section Processing Status on page

- Mail templates: Once the approval step for a request has been concluded, the requester or approver can be notified by e-mail. Select a mail template that is used for notifications for granting or denying approval for a request, expired or escalated requests and reminders. Setting up notification procedures is described in section Notifications in the Request Process on page 68.
- Relevance for compliance: Specify whether the approver is notified when a rule violation is caused by a request. The following values are permitted:

Permitted Relevance Values
VALUE | DESCRIPTION
Not relevant | Information about rule violations is not relevant for approvers of this approval step. No additional information is displayed for the approver in the approval process.
Information | Approvers for this approval step receive information in this approval process when a compliance rule violation occurs. The approvers decide whether to grant or deny the request.
Necessary Action | The approvers for this approval step receive information in this approval process when a compliance rule violation occurs. The request is automatically denied.

- Number of approvers: If there are several people allocated as approvers, then this number specifies how many people from this group have to approve a request. A request can only be passed up to the next level when this has been done.
- Description of the approval step
- Reason: Enter a reason for approval or rejection of a request to make it easier to track decisions made automatically. These reasons are displayed in the approval flow of a request.
- Reminder interval (hours): Enter the number of working hours to elapse before an approver is sent a reminder by e-mail that there are still pending requests awaiting approval. For more information read section Remind Approver on page 69.
- Timeout (hours) and timeout behavior: Enter the number of working hours to elapse before the approval step is automatically closed.
Select which action is executed in the approval step in the case of a timeout from the <Timeout behavior> menu.

Possible Timeout Behavior
BEHAVIOR | DESCRIPTION
Approve | The request is approved in this approval step. The next approval step is called.
Deny | The request is denied in this approval step. The next approval step is called.
Escalate | The request process is escalated. The escalation approval step is called.
Abort | The approval step and therefore the entire approval procedure is aborted for this request.

You can find more information about timeout behavior in the sections Escalating an Approval Step on page 65, Automatic Approval on Timeout on page 67 and Abort Request on Timeout on page 67.

Ensure that a state or county is entered into the employee's master data for determining the correct working hours. For more information read section Determining an Employee's Language on page 56 in the Identity Management Manual.

Additional input fields, <Business role>, <Condition> or <Event>, are displayed depending on which approval procedure is chosen. These input fields are described in the respective approval procedure in section Selecting an Approver on page 50.

You can edit the properties of an approval level as soon as you have added an approval level with at least one approval step. Enter the display name for the approval level in the approval level property window.

When you set up an approval workflow with several approval levels, you have to connect each level with another. You may create the following links:

- Approval level consecutive to the current approval level when the request is positively decided.
- Approval level consecutive to the current approval level when the request is negatively decided.
- Previous approval level if approval for the request is denied. If there are insufficient grounds for approval, the request is presented to the approvers of the previous approval level again for reappraisal.

If there are no consecutive approval levels beyond the current one, then the request is considered fully approved when the last approval is positive. If the decision is negative, the request is denied. The approval procedure is completed.

Copying an Approval Workflow

Use the task <Copy approval workflow...> to create a copy of the selected approval workflow. Enter a name for the copy in the dialog window which opens. Start the copy action with the <Ok> button. Use the <Cancel> button to cancel the action. In both cases the dialog window is closed. You can then take the copy and continue editing.

Deleting Approval Workflows

Before you can delete an approval workflow, you need to remove all of its assignments to approval policies. Use the button on the toolbar to delete the approval workflow.

Determining Effective Approval Policies

You can apply approval policies to different IT Shop structures and service items. If you have several approval policies within your IT Shop, the rules specified here decide which policy is used. Effective approval policies are defined in the following way:

- The effective approval policy is the one that is assigned to the requested service item.
- If there is no approval policy assigned to the service item, the approval policy from the service category is used.
- If there is no approval policy assigned to the service item, the one that is assigned to the shelf that the product belongs to is used.
- If there is no approval policy assigned to the shelf, one that is assigned to the shop is used.
- If there is no approval method assigned to the shop, then one is taken from the shopping center.

An approval policy thus found can only be used if it does not contain a role type or contains a role type that is the same as the shelf's. If more than one effective approval policy is found that agrees with the rules described, the one that has the highest priority in alphanumeric sequence is used. If this is not clear, the approval policy that has the least number of steps is chosen. If this is still ambiguous, the first approval policy that is found is used.

If an effective approval policy is found for a requesting process, the approval step that corresponds to the approval level of the requesting process is used to select the approver.

A request cannot be processed if you have not assigned an approval policy. If an approver cannot be determined for one level of an approval policy, the request cannot be approved or denied. Open requests are rejected and closed. Cancelled products remain assigned.
Products for renewal remain assigned until the valid until date is reached.

Pending requests are reset if you change the approval policy during working hours. That means that the approval procedures for these requests start from the beginning again.

Selecting an Approver

An approver is an employee that can grant or deny approval for a request (renewal or cancellation) within an approval process. You may specify a different group of employees as approver in each approval step. The Identity Manager supports different ways of specifying approvers:

When you maintain managers and deputies for different roles in the Identity Manager (departments, cost center, IT Shop structure), the employees that are assigned here can be chosen as approvers. The same applies for employee managers and deputies.

At points where several employees should be able to issue an approval, the Identity Manager supports the specification of approvers using application roles. In these cases, all employees that are members of the given application role are named as approvers. The same applies for employees that are members of business roles.

If you want to choose employees to be approvers that are not in any of the named employee groups, you have to define custom conditions. All those employees that meet the condition become approvers.

If there are several people allocated as approvers, then the number given in the approval step specifies how many people from this group have to approve a request. A request can only be passed up to the next level when this has been done.

The following approval procedures are defined to select the responsible approvers. The identifiers are given as abbreviations that consist of two letters.

Approval Procedures for IT Shop Requests
ABBREVIATION | APPROVAL PROCEDURE NAME | RESPONSIBLE APPROVERS
SB | Self-service | -
OA | Product owner | All members of the assigned application role
OR | Role member | All members of a business role and its deputies
CP | Calculated employee group | -
CR | Compliance risk analysis | -
CC | Compliance rule check | -
OC | Supervisor authorizes rule violations exceptions | All members of the assigned application role
OH | Supervisor authorizes highest rule violation exceptions | All members of the assigned application role
PM | Customer cost center manager | Manager/deputy
DM | Customer department manager | Manager/deputy
PP | Request cost center manager | Manager/deputy
DP | Request's department manager | Manager/deputy
CM | Customer manager | Manager/deputy
RP | Customer primary cost center permissions structure | All members of the assigned application role
RD | Customer primary department permissions structure | All members of the assigned application role
PR | Request cost center permissions structure | All members of the assigned application role
DR | Request department permissions structure | All members of the assigned application role
IP | Customer primary cost center approver role (IT) | All members of the assigned application role
ID | Customer primary department approver role (IT) | All members of the assigned application role
PI | Request cost center permissions structure (IT) | All members of the assigned application role
DI | Request department permissions structure (IT) | All members of the assigned application role
CD | Approval calculated with SQL conditions | -
WC | Delayed approvals | -
EX | Approval to be made externally | -
RL | Customer primary location permissions structure | All members of the assigned application role
RO | Customer primary structure permissions structure | All members of the assigned application role
IL | Customer primary location approver role (IT) | All members of the assigned application role
IO | Customer primary role approver role (IT) | All members of the assigned application role
H0 | Shelf owner | Owner/deputy
H1 | Shop owner | Owner/deputy
H2 | Shopping center owner | Owner/deputy
P0 | Shelf cost center manager | Manager/deputy
P1 | Shop cost center manager | Manager/deputy
P2 | Shopping center cost center manager | Manager/deputy
D0 | Shelf department manager | Manager/deputy
D1 | Shop department manager | Manager/deputy
D2 | Shopping center department manager | Manager/deputy

Always define approval workflows with the approval procedure SB (Self-Service) as one-step workflows. This means that you cannot add any other approval steps to a self-service approval step. An approver is not necessary for this procedure. A self-service request is always granted approval automatically.

The DBScheduler calculates which person has the authority to grant approval at which level. Take into account the special cases for each workflow when setting up the approval procedure for determining the people who are authorized to grant approval.

Self-Service

The approval workflow and the approval policy Default self-service are both provided by default in the standard installation and assigned to the Identity Lifecycle shop.

Using IT Shop Structures to Find Approvers

Enter the owner and deputy in the appropriate IT Shop node to make it possible to determine the owners of a shelf (procedure H0), a shop (procedure H1) or a shopping center (procedure H2) as approvers.

The IT Shop structure requires a department to make it possible to determine department managers of a shelf (procedure D0), a shop (procedure D1) or a shopping center (procedure D2) as approvers. These department managers and deputies can then become approvers.

The IT Shop structure requires a cost center to make it possible to determine cost center managers of a shelf (procedure P0), a shop (procedure P1) or a shopping center (procedure P2) as approvers. These cost center managers and deputies can then become approvers.

Using Customers to Find Approvers

Enter a manager in the employee master data to make it possible to determine the customer's managers (procedure CM) as approvers.

You need to assign a primary department to the customer to make it possible to determine the customer's department managers (procedure DM) as approvers. These cost center managers and deputies can then become approvers.

Enter a primary cost center in the employee master data to make it possible to determine the customer's cost center managers (procedure PM) as approvers. These cost center managers and deputies can then become approvers.

Finding a Business Role Owner

Additionally enter a business role in the approval step to make it possible to determine the members of a business role (approval procedure OR) as approvers. In this case, all the employees that are members of this business role via secondary assignment can be approvers. If any employees have an IT Shop deputy entered in the employee master data, then this deputy is also authorized to make approvals.

Finding the Product Owner

Assign an application role to the product's service item in the <Owner> input field to make it possible to determine owners of a product (procedure OA) as approvers. In this case, all the employees that are assigned to the application role via secondary assignment are recognized as approvers. If the service item is not assigned a product owner, the owner from the service category is taken as approver.

Using an Application Role to Find Approvers

Assign an application role to the customer's primary department (or cost center, location or business role) in the <Approver> field to make it possible to determine the approvers of a role (procedures RD, RL, RO, RP) as approvers. In this case, all the employees that are assigned to the application role via secondary assignment are recognized as approvers.

Determining Approvers via an Approver Role

Approval flow, using the example of an approver role for the primary department of an employee and the approval procedure RD:

1. Ascertain the requester's primary department (UID_Department).
2. The application role (UID_AERole) is determined through the department's approver (UID_RulerContainer).
3. Ascertain the secondary employees assigned to these roles. These can issue approval.
4. If no approver role is given for the primary department, the approver role is determined for the parent department.
5. The request cannot be approved if no approver role is found up to the top department.
6. If there are no employees assigned to the application role, the employees are taken from the parent application roles.
7. If there are no employees assigned right up to the top level application role, then a decision cannot be made for the request.

The selection of approvers via IT approver roles (procedures ID, IL, IO, IP) is made based on the same principle. The customer's primary department (cost center, location and business role) must obtain a reference to an IT approver role. All secondary employees assigned to this permissions structure can issue approval.

Using a Purchase Request to Find Approvers

The requester has to enter a cost center for booking the request to make it possible to determine approvers via a request's cost center. If the approver should be determined via the request's department, the requester has to enter a department for booking at the time of request. The cost center managers (approval procedure PP) or the department managers (approval procedure DP) are approvers.

Assign an application role to the cost center or department via the <Approver> input field to make it possible to determine approvers of the given cost center or department (approval procedures PR, DR) as approvers. All members of the application role assigned here are approvers.

If it should be possible to determine approvers (IT) of the given cost center or department (approval procedures PI, DI) as approvers, you have to assign an application role to the cost center or department via the <Approver (IT)> input field. All the members of the application role assigned here are approvers.

Approvers are determined following the same method as described in the section Using an Application Role to Find Approvers on page
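
The seven-step lookup described above for procedure RD (and, by the same principle, for the other approver-role procedures) can be modelled as two upward walks, first over departments and then over application roles. The following Python sketch is an added illustration, not Identity Manager code; the class names, the sample hierarchy and the cycle guard are assumptions. It also returns which department and role actually supplied the approvers, because a silent fallback to a parent widens the set of people who can approve.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AppRole:
    """Application role; `members` are employees assigned via secondary assignment."""
    uid: str
    members: frozenset = frozenset()
    parent: Optional["AppRole"] = None


@dataclass
class Department:
    """Department; `approver_role` models the <Approver> reference (UID_RulerContainer)."""
    uid: str
    parent: Optional["Department"] = None
    approver_role: Optional[AppRole] = None


class NoApproverFound(Exception):
    """Raised when no decision can be made for the request (steps 5 and 7)."""


def _walk_up(node):
    """Yield node, its parent, and so on; stop on a cycle instead of looping forever."""
    seen = set()
    while node is not None and id(node) not in seen:
        seen.add(id(node))
        yield node
        node = node.parent


def resolve_rd_approvers(primary_department):
    """Return (approvers, supplying department uid, supplying role uid)."""
    # Steps 1, 2 and 4: first department in the chain that references an approver role.
    dept = next((d for d in _walk_up(primary_department)
                 if d.approver_role is not None), None)
    if dept is None:
        raise NoApproverFound("no approver role up to the top department")  # step 5
    # Steps 3 and 6: first application role in the chain that has members.
    role = next((r for r in _walk_up(dept.approver_role) if r.members), None)
    if role is None:
        raise NoApproverFound("no employees up to the top-level application role")  # step 7
    return set(role.members), dept.uid, role.uid


# Constructed sample hierarchy; every name below is hypothetical.
root_role = AppRole("AE-Approvers", members=frozenset({"alice"}))
corp_role = AppRole("AE-Approvers-Corp", parent=root_role)      # no members of its own
dev_role = AppRole("AE-Approvers-Dev", members=frozenset({"bob", "carol"}))
empty_role = AppRole("AE-Empty")                                 # no members, no parent

corp = Department("Corp", approver_role=corp_role)
eng = Department("Engineering", parent=corp)                     # no approver role
dev = Department("Development", parent=eng, approver_role=dev_role)
qa = Department("QA", parent=eng)                                # falls back twice
lab = Department("Lab")                                          # top level, no role
ops = Department("Ops", approver_role=empty_role)

if __name__ == "__main__":
    for department in (dev, qa, lab, ops):
        try:
            print(department.uid, "->", resolve_rd_approvers(department))
        except NoApproverFound as exc:
            print(department.uid, "-> cannot be decided:", exc)
```

In the sample, a request from QA is decided by a member of the top-level role because neither QA, Engineering nor the Corp role has anyone assigned directly; reviewing the returned department and role makes such inherited approval rights visible.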

Dynamically Calculated Employee Group

If the predefined approval procedures for determining approvers do not meet the requirements, you can create your own database queries for determining approvers (procedure CP). In the process, you can, for example, determine predefined approvers (example 1). You can also determine the approver dynamically in association with the request being approved. To do this you access the request awaiting approval in the database query via @UID_PersonWantsOrg (SQL) or v_uid_personwantsorg (Oracle) (example 2).

Enter the database query for calculating the employee group in the <Condition> field when configuring the approval step. The database query must be formulated as a select statement. Note that the column selected via the database query must return a UID_Person. The result of the query is one or more employees to whom the request is presented for approval. If the query does not produce a result, the request is aborted.

Example 1:
The request should be approved by a specified approver.

    select UID_Person from Person where InternalName='Rippington, Dr. Rudiger von'

Example 2:
Approval for requests should be granted or denied through the requester's parent department. All employees that are assigned this department as primary department have permission to approve. The approver should be determined from the requester's department, where the requester is the employee that started the request (UID_PersonInserted, for example, when requesting for employees). The approver is the cost center manager that is assigned to the requester's primary department.

    select pc.uid_personhead
    from PersonWantsOrg pwo
    join Person p on pwo.uid_personinserted = p.uid_person
    join Department d on p.uid_department = d.uid_department
    join ProfitCenter pc on d.uid_profitcenter = pc.uid_profitcenter
    where pwo.uid_personwantsorg = '@UID_PersonWantsOrg'

Deferred Request Approval

You can use deferred approval (approval procedure WC) to ensure, within an approval policy, that a defined prerequisite is fulfilled before the request is approved. Therefore the approval of a permissions group request should only take place if the corresponding user account exists.

Deferred approval is useful when a request should be tested with respect to rule conformity. If the user account does not exist when the requested permissions groups are tested, any rule violations that may occur due to the request will not be logged.

You can specify which prerequisites have to be fulfilled so that a request can be presented for approval by defining an appropriate condition. The condition is evaluated as a function call. To check whether the necessary user account exists when the permissions group is requested, you can use the function vi_f_pwogroupdecision which is supplied.

Function Call for Deferred Approval

The following actions are executed depending on the return value from the function.

- Return value > 0: the user account exists, the condition is fulfilled. The delayed approval is decided positively. The request is then passed on to the next approval step, which must determine approvers for the request.
- Return value = 0: the condition is not fulfilled, but there is an open request for a user account or the employee has a user account resource with which a user account could be created. Approval is therefore deferred and will be checked the next time the DBScheduler is run.
- Return value < 0: the condition is not fulfilled. The user account does not exist. There is no request for a user account and the employee does not have a user account resource with which a user account could be created. The delayed approval is decided negatively. The request will be passed on to the next approval step.

Functions for other cases can be custom implemented. The function must accept the request UID as parameter (PersonWantsOrg.UID_PersonWantsOrg). The result value must be an integer.

Calculated Approval

In certain circumstances it may be advisable to determine who should be presented with the request for approval, based on a defined condition. For example, if the price of the request is below a defined limit, then the department manager can grant approval. If this limit is exceeded, the request has to be presented to the cost center manager. In another case, requests from members of department XY can be granted immediate approval as long as the request does not exceed the defined price limit. If the limit is exceeded or if the employee belongs to another department, the approval has to be granted by the department manager.

Enter a condition when you set up the approval step if approval should be calculated (approval procedure CD). The condition is defined as a valid where clause for database queries. You can enter the SQL query directly or with a wizard. The condition is always checked for the current purchase request (table PersonWantsOrg) and the current requester (@UID_PersonWantsOrg (SQL) or v_uid_personwantsorg (Oracle)).

Example condition: Requests with a price of under 1000 euros can be approved by the customer's department manager. Requests over 1000 euros must be presented to the cost center manager.

    isnull(uid_org, '') in (Select UID_ITShopOrg From ITShopOrg Where isnull(uid_accproduct, '') In (Select UID_AccProduct From AccProduct Where isnull(purchaseprice, 0) < 1000))

Then the query is composed as:

    select 1 from Personwantsorg where (isnull(uid_org, '') in (Select UID_ITShopOrg From ITShopOrg Where isnull(uid_accproduct, '') In (Select UID_AccProduct From AccProduct Where isnull(purchaseprice, 0) < 1000))) and uid_personwantsorg

The following figure shows the possible structure of the decision method:

Visual of an Approval Step with Calculated Approval

Approval steps such as these are represented with a special element in the workflow editor. The functions described in the section Working with the Workflow Editor on page 44 are available for these level elements. The following diagram shows the possible composition of the approval policy.

External Approvals

Use external approvals (approval procedure EX) if a request needs to be approved once a defined event from outside the Identity Manager takes place. You can also use this procedure to allow requests from users with no access to the Identity Manager to be approved.

Specify an event in the approval step that triggers an external approval. A process is started by this event that initiates the external approval for the request and evaluates the approval result. The Identity Manager waits for the external decision to be passed to it. Define the subsequent approval steps depending on the result of the external approval.

Define your own process in order to use this approval procedure. This type of process has to trigger the external approval decision, evaluate its result and approve or deny the external approval step in the Identity Manager based on the result. Enter the PersonWantsOrg2 as base object for the process.

If the external event occurs, the approval step status in the Identity Manager has to be changed. Use the process task CallMethod for this together with the method MakeDecision. Pass the following parameters to the process function:

    MethodName: Value = "MakeDecision"
    ObjectType: Value = "PersonWantsOrg"
    Param1: Value = "sa"
    Param2: Value = <Approval> ("true" = approved; "false" = denied)
    Param3: Value = <Approval decision reason>
    WhereClause: Value = "UID_PersonWantsOrg ='"& $UID_PersonWantsOrg$ &"'"

By using these parameters you specify which request is approved by external approval (WhereClause). Parameter Param1 specifies the approver. The approver is always the system user sa.
Parameter Param2 is passed to the approval. If the request was granted approval, the value must be true. If the request was denied approval, the value must be false. Use parameter Param3 to supply a reason for the decision. To do this, pass the system user sa as parameter to the process task in the process definition.

Use the Process Editor to define and edit processes. The section Handling Processes in Identity Manager on page 37 in the Process Orchestration Manual describes how to use the Process Editor.

Example: All approved requests should be entered into an external ticketing system and started. If a request is completed in an external ticketing system, it must also be completed in the Identity Manager. Use the approval procedure for external approval and define:

- A process <P1> that creates a ticket with the information about the requested product in the external system and passes the ticket number to the Identity Manager in the request instance.
- An event <E1> that starts the process <P1>.
- A process <P2> that checks whether the ticket status is Closed and calls the task CallMethod with the method MakeDecision in the Identity Manager.
- An event <E2> that triggers the process <P2>.
- A schedule that starts the event <E2> on a regular basis.

Enter the event <E1> in the approval step in the input field <Event> as trigger for the external approval process. In the process <P1>, pass the product and the data of the customer that the product is being requested for to the external ticket system. In another parameter, pass the ticket number from the external ticketing system to the Identity Manager. Use the ticket number to check the ticket status in process <P2>. If the ticket is closed, call the task MakeDecision and pass the ticket status from the external system to the Identity Manager in a parameter (Param2). In another parameter, specify the system user that changes the approval step status in the Identity Manager (Param1). Pass sa as value for this parameter. Pass the reason for the approval decision in the parameter Param3.

Testing Requests for Rule Compliance

You can integrate rule conformity testing for IT Shop requests within an approval workflow. There are several procedures for this. These approval procedures test whether the customer causes a compliance rule violation with his or her request and log the test result in the request approval sequence. The Identity Manager has two approval procedures available for rule checking:

1. Compliance risk assessment (approval procedure CR)
This quickly checks the request for possible rule violations. It takes into account the requested product and all the company resources currently assigned to the customer. Recommended as default procedure for rule checking! For more information read section Request Risk Analysis on page
2. Compliance rule check (approval procedure CC)
This runs a complete check on the current request for possible rule violations. It takes into account all the company resources already assigned to the customer and all company resources that the customer will obtain in addition as a result of the request. This is a time consuming procedure! For more information read section Full Request Testing on page 61.

Prerequisite for testing requests is the definition of a regulatory body and the extension of the approval workflow with a rule check. Section Setting up a Rule Base on page 531 describes in detail how to set up compliance rules in the context of Identity Audit. In the following, we look at extending the approval workflow and the course of a request in the case of rule testing.

Request Risk Analysis

To retain an overview of potential rule violations, you can create a risk analysis of the requests. To do this, use the procedure CR. With this method you can make a quick pretest of possible rule violations. The requests are not fully tested. Nevertheless, all rule violations are detected in combination with a cyclical compliance rule test implemented through a scheduled task.

On grounds of performance, compliance risk analysis (approval procedure CR) is recommended as default for rule checking. A complete check of assignments is achieved with cyclical testing of compliance rules using schedules. This finds all the rule violations that result from the request. Read section Checking a Rule on page 557 in the Identity Management Manual for more information.

All of a customer's pending requests are included in the risk analysis. All the company resources that are assigned to the customer are taken into account in this test. Apart from this, all the customer's user accounts and all permissions groups that the customer has received through these user accounts are incorporated into the test.

Help tables for object assignment are regularly evaluated for risk analysis. The approval procedure, therefore, does not recognise objects that the customer may obtain via the request due to inheritance. Apart from this, the approval procedure only takes into account compliance rules that are created using the simplified definition. Therefore, this method supplies possible rule violations noticeably faster than a full compliance rule test. Another advantage is the detail of the logged rule violations. The log does not only specify the request that violates the rule, but also which product in the request caused the violation. This makes a detailed analysis of the rule violation possible.

The following restrictions apply for using an approval procedure within an approval policy:

- You can add one approval step per approval policy with the CR approval procedure.
- The subsequent approval levels only get one approval step to determine the exception approver if approval is denied. For more information see the section Finding an Exception Approver on page 63.
- If the next approval level contains another approval step if approval is granted, approved exceptions of the CR procedure should also run through this approval step.

Example for an Approval Workflow with Risk Analysis using Compliance Risk Analysis

If an approval step for risk analysis using the CR approval procedure is found in the request's approval procedure, all products in pending requests are assigned to the customer. It is assumed that all pending requests will be approved and therefore the customer will obtain all the products. The current request is then analyzed with respect to potential rule violations. If no rule violations are found, the approval step is automatically granted approval and the request is passed on to the approver at the next approval level above.
If a rule violation is detected, the request is automatically not granted approval. Depending on how much the rule violation definition permits, the request can still be approved by exception approval. You have already defined an exception approver for the rule violation in the rule. Connect an approval step with the procedure OC or OH to a connection point for approval denied so that exception approvers receive the approval request.

The IT Shop properties that are specified for each rule are taken into account in the rule testing. The following restrictions apply for testing rules with the CR approval procedure:

- The setting of the option <Only take current requests into account> is irrelevant. All the employee's pending requests are taken into account.
- Identification of a rule violation depends on the setting of the IT Shop property <Rule violation identified>.

See section IT Shop Properties for a Rule on page 544 in the Identity Management Manual about configuring rules.

Full Request Testing

Full testing of a request with the approval procedure CC can take a long time depending on the number of objects assigned and inherited! Use compliance risk assessment (approval procedure CR) in preference for testing requests for rule conformity (see section Request Risk Analysis on page 59).

Full testing of requests (CC approval procedure) means that the customer's current request is checked for compliance with the rules. All company resources that are assigned to the customer are taken into account in the test. Apart from this, this approval procedure accounts for all compliance rules, that is, even those that have been created using extended mode. All rule violations are therefore found that might occur in conjunction with the previously assigned company resources when this request is granted approval.

Example: A rule is defined that should discover whether an employee has two permissions A and B at the same time. Permission A was issued to the employee in an earlier request. If this employee now requests permission B, a rule violation will be detected.

The following limitations apply when using this method within an approval policy:

- You can add one approval step per approval policy with the CC approval procedure.
- The subsequent approval levels only get one approval step to determine the exception approver if approval is denied.
For more information see the section Finding an Exception Approver on page

[Figure: Example for an Approval Workflow with Rule Check and Full Request Testing]

If the request reaches an approval step that checks compliance with the CC procedure, the current request is simulated, including inheritance and the resulting permissions. The requested product is assigned to the customer, that is, it is assumed that the request will be approved. The current request is then analyzed with respect to potential rule violations.

If no rule violations caused by the request are found during the simulation, the request is automatically approved and then passed on to the approver at the next approval level above. If a rule violation is detected during the simulation, it can only be caused by this request. The approval step is automatically denied approval. Depending on what the rule definition permits, the request can still be approved by exception approval. You have already defined an exception approver for the rule violation in the method. Connect an approval step with the procedure OC or OH to the connection point for approval denied so that exception approvers receive the approval request.

If there are still requests for the customer that have already gone through compliance testing but have not been finally approved, the approval procedure for these requests has to be closed first. The testing of the actual request cannot start before that. This behavior can lead to delays in processing certain approvals. To speed up rule checking within the approval process, use the compliance risk analysis (approval procedure CR) (see section Request Risk Analysis on page 59).

The IT Shop properties for each rule are taken into account in the rule testing. The following limitations are valid for testing rules with the CC approval procedure:

- Only rules that do not have the option <Only take current requests into account> set are dealt with.
- Identification of a rule violation depends on the setting of the IT Shop property <Rule violation identified>.

See section IT Shop Properties for a Rule on page 544 about configuring rules.

Checking the Request with Self-Service

Self-service (procedure SB) is always defined as a one-step process, which means that you cannot add any more steps to a self-service approval step. To achieve a rule check for self-service, it is sufficient to create an approval policy containing one step for checking compliance rules, for example the procedure CC with full request testing. If the rule check is successful, the request is granted approval and self-service is accomplished implicitly.

Finding an Exception Approver

Requests that would cause a rule violation can still be approved by exception approval. Define the exception approver for a rule violation in the rule. To do this, define the exception approver responsible for the rule. Use the property <Explicit exception approver> to configure which rule violation can be presented to an exception approver. Read section IT Shop Properties for a Rule on page 544 in the Identity Management Manual for more information about configuring rules.

There are two approval procedures for determining which exception approvers should ultimately make the decision. You include them by adding more approval steps to the approval policy. These approval procedures are:

- Approval procedure OC (exception approver for rule violation)
  The approval decision is made by the exception approver for the violated rule. As several rules may be broken by one request, the request is presented to all the exception approvers in parallel. If one of the exception approvers rejects the exception, the request is rejected.
- Approval procedure OH (exception approver for the worst rule violation)
  The approval decision is made by the exception approver for the rule which poses the highest threat. In this way, the exception approval procedure can be shortened for a request that violates several rules. For this approval procedure you have to ensure that:
  1. The severity level in the evaluation criteria is specified for all compliance rules.
  2. The exception approver for the worst rule violation in all the affected rules is included in the application role <Identity Audit>\<Exception approvers>.

As opposed to the manager/deputy principle normally in place, an exception approver's deputy is not permitted to grant exception approval alone.
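The following added example (not code from the manual or from Identity Manager) models the full request test of the CC procedure and the difference between the OC and OH exception procedures described above. The class `Rule`, the function names, the approver names, and the convention that a higher severity number is worse are all assumptions made for the illustration.

```python
"""Conceptual model of CC rule testing with OC/OH exception approval.
Added illustration only: not Identity Manager code. All names and data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    name: str
    forbidden: FrozenSet[str]          # permissions that must not be held together
    severity: int                      # assumption: a higher number is a worse violation
    exception_approver: Optional[str]  # None: the rule permits no exception approval


# Constructed sample rules.
RULES = [
    Rule("A-with-B", frozenset({"A", "B"}), 3, "ciso"),
    Rule("B-with-C", frozenset({"B", "C"}), 1, "audit"),
    Rule("B-with-D", frozenset({"B", "D"}), 2, None),
]


def violated(rules: List[Rule], permissions: Set[str]) -> List[Rule]:
    """Rules whose forbidden combination is fully contained in the permission set."""
    return [r for r in rules if r.forbidden <= permissions]


def full_request_test(assigned: Set[str], requested: str, rules: List[Rule]) -> List[Rule]:
    """Simulate approval of the request and return the violations it would cause.

    Violations that already exist without the request are not reported, which
    models the statement that a detected violation can only be caused by this request.
    """
    already = {r.name for r in violated(rules, set(assigned))}
    simulated = set(assigned) | {requested}
    return [r for r in violated(rules, simulated) if r.name not in already]


def exception_approvers(violations: List[Rule], procedure: str) -> List[str]:
    """OC: every approver of a violated rule. OH: only the approver of the worst rule."""
    if not violations or any(r.exception_approver is None for r in violations):
        return []  # nothing to decide, or at least one rule allows no exception
    if procedure == "OC":
        return sorted({r.exception_approver for r in violations})
    if procedure == "OH":
        return [max(violations, key=lambda r: r.severity).exception_approver]
    raise ValueError("procedure must be 'OC' or 'OH'")


def decide(assigned: Set[str], requested: str, rules: List[Rule],
           procedure: str, decisions: Dict[str, bool]) -> str:
    """Outcome of the compliance step followed by the exception step."""
    violations = full_request_test(assigned, requested, rules)
    if not violations:
        return "approved"
    approvers = exception_approvers(violations, procedure)
    if not approvers:
        return "denied"
    # Fail closed: a missing decision counts as a rejection (assumption of this model).
    if all(decisions.get(a, False) for a in approvers):
        return "approved by exception"
    return "denied"


if __name__ == "__main__":
    votes = {"ciso": True, "audit": False}
    for proc in ("OC", "OH"):
        print(proc, decide({"A", "C"}, "B", RULES, proc, votes))
```

With the same votes, the request is denied under OC and approved by exception under OH, which is the trade-off to weigh when shortening exception approval.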

Approving a Request from an Approver

Configuration Parameters for Approving an Approver's Requests

CONFIGURATION PARAMETER | MEANING
QER\ITShop\PersonInsertedNoDecide | This configuration parameter specifies whether the employee that triggered the request may approve it.
QER\ITShop\PersonOrderedNoDecide | This configuration parameter specifies whether the employee that the request was triggered for may approve it.

There has to be a rule to determine whether approvers of requests for this shop are allowed to approve their own requests as customers. Because approvers can also start requests for other customers within their range of responsibility, it also has to be clarified how these requests should be handled within the approval procedure.

Once the configuration parameter QER\ITShop\PersonOrderedNoDecide has been set, it prevents approvers from granting approval for their own requests. The configuration parameter takes effect on the requests the approvers have made for themselves and on all the requests that other approvers have made for them. If the configuration parameter is not set, approvers can also grant approval for their own requests. Their requests are therefore presented to them for approval.

Set the configuration parameter QER\ITShop\PersonInsertedNoDecide to prevent approvers from granting approval for requests that they have made for themselves or for other customers. If the configuration parameter is not set, approvers can also approve these requests.

Example: A department manager places a request for his or her deputy. Both employees are found as approvers by the approval procedure. To prevent the department manager from approving the request, set the parameter QER\ITShop\PersonInsertedNoDecide. To prevent the deputy from approving the request, set the parameter QER\ITShop\PersonOrderedNoDecide.

Automatic Request Approval

Configuration Parameters for Automatic Request Approval

CONFIGURATION PARAMETER | MEANING
QER\ITShop\AutoDecision | This configuration parameter controls automatic approval of IT Shop requests over several approval levels.
QER\ITShop\DecisionOnInsert | This configuration parameter controls approval of a request the moment it is added.
QER\ITShop\ReuseDecision | This configuration parameter specifies whether the approval decision of an approver should be applied to all approval steps in the procedure which are made by him or her.

It may be the case that an approver is authorized to approve several levels of an approval policy. You can allow automatic approval so that the approver is not presented with a request more than once.

Use the configuration parameter QER\ITShop\AutoDecision to permit automatic approval by approvers on sequential approval levels. If the configuration parameter is set and has the value AllStepNoJump, the approval decision from the first approval level is passed on to the subsequent approval levels that the approver is permitted to grant approval for. If the configuration parameter is disabled, the approvers can only approve the current approval step. They will be presented with the request again at the next approval level.

Use the configuration parameter QER\ITShop\ReuseDecision to enable the approval decisions of approvers to be transferred automatically even if the approval levels are not sequential. If the configuration parameter is set, the current approval decision is taken from the previous approval step. If the configuration parameter is not set, approvers have to grant or deny the approval again. However, use this parameter carefully. If approvers can also grant exceptions for rule violations, requests that violate compliance rules will also be automatically approved without being presented for exception approval.

Approvers can also be customers in a shop and therefore place their own requests. Approvers also have the option to place requests for other customers. If an approver is also the first approver in the approval procedure for this request, the first approval should be granted immediately. You can do this by setting the configuration parameter QER\ITShop\DecisionOnInsert. If the configuration parameter is not enabled, the approver has to grant approval manually once the request has been placed.

To prevent approvers from making decisions about requests they have placed themselves, use the configuration parameter QER\ITShop\PersonInsertedNoDecide. Read more about this in the section Approving a Request from an Approver on page 64.

Obtaining other Information about Requests by an Approver

An approver can gather further information about a request. This ability does not, however, replace granting or denying approval for a request. No additional approval step is required in the approval workflow to obtain the information.

Approvers can request information from anybody. The request is placed on hold for the period of the request.
If the person in question supplies the necessary information, the request is taken off hold. The approver's request and the person's answer are recorded in the approval flow and are therefore available to the approver.

Escalating an Approval Step

Approval decisions can be automatically escalated if the specified timeout is exceeded. The requests are presented to another group of approvers. The requests can subsequently be processed again in the normal workflow.

To escalate a request, make the following modifications to the approval workflow:

1. Configure an additional approval level with one approval step for escalation.

2. Connect the approval step that is going to be escalated when the timeout expires with the new approval step. Use the escalation connector point in the Workflow Editor to do this.

[Figure: Example of an Approval Workflow with Escalation]

3. Configure the behavior for the approval step to be escalated when it times out. Use the following properties:

- Timeout (hours)
  Enter the number of working hours to elapse before the approval step is automatically escalated. Ensure that a state or county is entered into the employee's master data for determining the correct working hours. For more information read section Determining an Employee's Working Hours on page 57 in the Identity Management Manual.
- Timeout behavior
  Select which action is executed in the approval step in the case of a timeout.

Possible Methods for Automatic Approval on Timeout

METHOD | DESCRIPTION
Escalation | The request process is escalated. The escalation approval step is called.

Configure the notification method as described in section Prompting for Approval on page 69 to notify the approver by e-mail that new approvals are awaiting a decision. Requesters are notified by e-mail when a request is escalated. Configure the requester's notification as described in section Request Escalation on page

Automatic Approval on Timeout

Requests can be automatically approved once the timeout has expired. Enter the following data to configure this behavior:

- Timeout (hours)
  Enter the number of working hours to elapse before the approval step is automatically escalated. Ensure that a state or county is entered into the employee's master data for determining the correct working hours. For more information read section Entering Employee Master Data on page 48 in the Identity Management Manual. Furthermore, country information such as time zones, working hours, public holidays, daylight saving and UTC offset has to be stored for the state. For more information read section Displaying Country Information on page 264 in the Configuration Manual.
- Timeout behavior
  Select which action is executed in the approval step in the case of a timeout.

Possible Methods for Automatic Approval on Timeout

METHOD | DESCRIPTION
Approve | The request is approved in this approval step. The next approval step is called.
Deny | The request is denied in this approval step. The next approval step is called.

Requesters are notified by e-mail when a request is granted or denied approval. Configure the requester's notification as described in section Request Granting or Denying Approval on page 70.

Abort Request on Timeout

Requests can be automatically aborted once the specified time period has expired. The abort takes place when either a single approval step or the entire approval procedure has exceeded the timeout.

Enter the following data in the approval step to abort a single approval step on timeout:

- Timeout (hours)
  Enter the number of working hours to elapse before the approval step is automatically aborted. Ensure that a state or county is entered into the employee's master data for determining the correct working hours. For more information read section Entering Employee Master Data on page 48 in the Identity Management Manual. Furthermore, country information such as time zones, working hours, public holidays, daylight saving and UTC offset has to be stored for the state. For more information read section Displaying Country Information on page 264 in the Configuration Manual.

- Timeout behavior
  Select which action is executed in the approval step in the case of a timeout.

Method for Aborting a Request when Timeout Exceeded

METHOD | DESCRIPTION
Abort | The approval step and therefore the entire approval procedure is aborted for this request.

Enter the following in the approval workflow to abort the entire approval procedure on timeout:

- System abort (days)
  Enter the number of days before the approval workflow, and therefore the entire approval procedure, is automatically terminated by the system.

Requesters are notified by e-mail when a request is aborted. Configure notifications for the requester as described in section Request Abort on page 70.

Notifications in the Request Process

Configuration Parameters for Notifications

CONFIGURATION PARAMETER | MEANING
Common\MailNotification\DefaultCulture | This configuration parameter contains the default language culture for notifications if no language culture can be determined for the recipient.
Common\MailNotification\SMTPPort | Port for SMTP services on the SMTP server (default: 25).
Common\MailNotification\SMTPRelay | SMTP server for sending notifications.
QER\ITShop\DefaultSenderAddress | This configuration parameter contains the sender's address for automatically generated messages within the IT Shop.

Requesters and approvers are notified by e-mail if changes are made to a request during the request process. The notification procedure uses mail templates to create notifications. The mail text in a mail template is defined in several languages. This ensures that the language of the recipient is taken into account when the e-mail is generated. Mail templates that you can use to configure notification procedures are already included in the default installation. Read the section Creating Custom Mail Templates for Notifications on page 100 for more information about how to customize mail templates.

The following prerequisites must be fulfilled in order to use notifications in a request process:

- Enable the configuration parameter QER\ITShop\DefaultSenderAddress and enter the e-mail address for sending the notification.
- Ensure that all employees have a default e-mail address. The notification will be sent to this address. For more information see also section Miscellaneous Employee Master Data on page 54 in the Identity Management Manual.
- Ensure that a language culture can be determined for all employees. Only then can they receive notifications in their own language. For more information see section Determining an Employee's Language on page 56 in the Identity Management Manual.

- Configure the notification procedure as described in the following.

Prompting for Approval

When a customer requests a product, the approver is notified that new approvals are pending. Enter the following data in the approval step for the notification procedure:

- Approval required
  Select the mail template IT Shop request - approval required.

Remind Approver

If an approver has not made a decision by the time the timeout expires, a notification can be sent by e-mail as a reminder. Enter the following data in the approval step for this notification procedure:

- Reminder interval (hours)
  Enter the number of working hours to elapse before an approver is sent a reminder by e-mail that there are still pending requests awaiting approval. Ensure that a state or county is entered into the employee's master data for determining the correct working hours. For more information read section Determining an Employee's Language on page 56 in the Identity Management Manual.
- Mail template reminder
  Select the mail template IT Shop request - remind approver.

Limited Period Request Sequence

Configuration Parameter for Reminding Approvers

CONFIGURATION PARAMETER | MEANING
QER\ITShop\ValidityWarning | Warning period for expiring requests given in days. If the number of days has elapsed, the customer is informed that the request has expired.

The requester keeps a product on the shelf up to the point in time when the requester cancels the product again. Sometimes, however, products are only required for a certain length of time and can be canceled automatically. For more information read section Limited Period Request Sequence on page 69. The requester is notified by e-mail before the expiry date is reached and has the option to renew the request.

Proceed as follows to use this notification procedure:

- Activate the configuration parameter QER\ITShop\ValidityWarning and enter the warning period (in days) for expiring requests.
- Enable the schedule Reminder for IT Shop requests that expire soon. For more information read section Executing Processes Automatically on page 73 in the Process Orchestration Manual.

- Select the mail template that is going to be used as notification for the approval policy in the input field <Mail template expired>. The mail templates IT Shop request - product expires and IT Shop request - expired are available for this in the default installation.

Request Granting or Denying Approval

When a request is granted or denied approval, the requester is notified by e-mail. Notification may occur after approval or denial of a single approval step or once the entire approval process is complete. Requests can be automatically granted or denied approval once a specified time period has expired. The requester is notified in the same way in this case.

Enter the following data in the approval step when notification should follow approval of a single approval step:

- Mail template on approved
  Select the mail template IT Shop request - approval granted to approval step.
- Mail template on denied
  Select the mail template IT Shop request - approval not granted to approval step.

Enter the following data in the approval policy when notification should follow approval of the entire approval procedure:

- Mail template on approval
  Select the mail template IT Shop request - granted approval.
- Mail template on denied
  Select the mail template IT Shop request - not granted approval.

Request Abort

Requests are automatically aborted when a specified time period has expired. The requester is notified. Enter the following data in the approval policy for this notification procedure:

- Mail template on abort
  Select the mail template IT Shop request - aborted.

Request Escalation

Requests can be escalated if a specified time period has expired. The requester is notified. Enter the following data in the approval policy for this notification procedure:

- Mail template on escalation
  Select the mail template IT Shop request - escalate.

Request Sequence

Use the web-based application Web Portal to request or cancel products, to approve requests, or to get an overview of open and closed requests. Refer to the Web Portal User Guide for information about how to use the Web Portal. You can get an overview of open and closed requests in the Identity Manager and the Manager.

If an employee is a customer in a shop, he or she can request products from any of the shelves in the shop. If a customer requests a product, it needs to be approved by the approval procedure in order for the product to be assigned to the customer. This causes the customer to become a member in the product's role. The default inheritance mechanism is put into action once the membership exists. If the customer no longer requires the product and revokes the request, the customer's membership in the role is terminated. Requests that have a limited shelf-life are automatically revoked.

Requests Overview

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators>
- Manager

You can find an overview of all existing requests in the category <IT Shop>\<Requests> in Identity Manager. Detailed information for every request is displayed. In the case of open requests you get an overview of the current approval process status. The views only provide information. It is not possible to edit the request or change the approval sequence at this point.

Request Details

Detailed information about a request is shown on the task <Request details>. You see the general request data and the current status of the request.

[Figure: Details of a Request]

Sequence of Approval

If a request is not closed, you can see the actual approval procedure status on the form <Approval sequence>.

[Figure: Graphical Representation of an Approval Sequence]

Each level of the approval workflow is represented by a special control element. The approvers responsible for an approval step are shown in a tooltip. Requests pending for an approval step are also shown in a tooltip. Each control element is given a color. The color code reflects the current status of the approval level.

Meaning of Colors in the Approval Sequence (in decreasing priority)

COLOR | MEANING
Blue | The approval level is being processed.
Green | The approval level was approved.
Red | The approval level was not approved.
Yellow | The approval level was deferred due to a query.
Gray | The approval level was not reached (yet).

Approval History

Use the task <Approval history> to see all the completed approval steps. Here you can follow all the approvals in the approval process in sequence. In the approval workflow, you can see the approval history, the results of each approval step and the approver. The approval history is displayed for both pending and closed requests.

[Figure: Displaying Approval History]

The control elements are given colors. The color code reflects the current status of the approval step.

Meaning of Colors in the Approval History

COLOR: Yellow, Green, Red, Gray, Purple, Orange, Blue
MEANING: Request triggered. Approver has granted approval. Approver has denied approval or the request has been escalated. The product has been canceled. The request is aborted. Request renewed. Approver has a query. The query has been answered. Approver has rejected the request.

Multiple Product Requests

IT Shop products can only be requested once in the shelf. If a product is assigned to a customer, it cannot be requested a second time. In certain circumstances, however, it is necessary to request a product more than once.

To do this, the product's service item is labeled for multiple requests. Apart from this, once a multi-request product has been approved, it is immediately canceled internally so that it can be requested again, or it is canceled by the customer. To set up multiple products refer to the section Preparing Products for Requesting on page 19.

The customer does not become a member in the product's role after a multiple product has been approved. This means that the product is not assigned to the customer via internal inheritance. A customer-specific implementation of a process with the root object PersonWantsOrg for the result OrderGranted can be made in order to start a specified action when a multiple product is approved. For more information, read the section Handling Processes in Identity Manager on page 37 in the Process Orchestration Manual.

Requests with Limited Validity Period

The customer normally retains a product on the shelf until such time as she revokes the request herself. Sometimes, products are only required for a limited period and are automatically canceled after this time. Products that are intended to have a limited shelf-life need to be labeled with the validity period. You can read more about this in the section Products with a Limited Request Period on page 33.

When a product with limited shelf-life is requested, the Identity Manager calculates the date on which the product will be automatically canceled (valid thru) from the current date and the validity period supplied with the service item. This date can be modified by the requester if necessary when the request is made. A valid from date can also be entered at the time of request. This specifies the point at which an assignment starts to apply. If this date is given, the valid thru date is calculated from the valid from date and the validity period.

As soon as a request is approved by all approvers, the valid thru date is recalculated from the actual date and the validity period. This ensures that the validity period is valid from the day of assignment.

The customer receives a message before reaching the expiry date and has the possibility to extend the period. For more information read section Limited Period Request Sequence on page 69. Once the period is exceeded, the request is closed and deactivated.

The customer has the possibility to renew a request. If the customer uses this possibility, the extension (as in the original request) needs to be approved. If the extension is denied, the original request runs out at the given date.

Customer changes Shop

If a customer requests a product from one shop or shopping center and then changes to another at a later date, the request is closed and the product is canceled. That means that the membership in the product's role is removed.

You can label product service items with the option <Retain service item assignment on relocation> so that customers retain their requests when they relocate. For more information read section Requesting Products when the Customer Changes Shop on page 34. All open or approved requests in the shop being left are transferred to the first shop that is found in which the employee is a customer and can also obtain the products. In connection with this, open requests are reset, which means the requests have to go through the approval procedure from the beginning again.

Requests for Employees

Configuration Parameters for Employee Requests

CONFIGURATION PARAMETER | MEANING
QER\ITShop\PersonHead | If the parameter is set, additional menu items are displayed in the IT Shop user interface.
QER\ITShop\PersonHead\CancelForEmployee | This configuration parameter contains the name of the database view that determines who can cancel requests in the IT Shop and for whom.
QER\ITShop\PersonHead\EditEmployee | This configuration parameter contains the name of the database view that determines who can change personal data in the IT Shop and for whom.
QER\ITShop\PersonHead\OrderForEmployee | This configuration parameter contains the name of the database view that determines who can request in the IT Shop and for whom.

In the Web Portal default installation, approvers can request and cancel products for other users. Approvers can only request products for users from shops that they manage and where the user is a customer. Furthermore, department managers and their deputies may edit the data for employees in their department.

The following database views show the evaluation of responsibilities:

- vi_requestforemployee
  This view displays the approvers and the employees that can request the product.
- vi_cancelforemployee
  This view displays the approvers and employees that can cancel this product.
- vi_editemployee
  This view displays the department manager, his or her deputies and the employees whose data can be edited.

These views are used when the associated configuration parameters are enabled. If another employee group should be responsible as opposed to the default, define customized database views and enter these in the configuration parameters. The views always have to have a UID_PersonHead (manager) and a UID_Person (employee).

Example: The department manager and his or her deputy can modify the data of employees in their department.
    create view vi_editemployee as
        -- employees paired with the manager of their department
        select p.uid_person, d.uid_personhead
        from person p
        join department d on p.uid_department = d.uid_department
        where d.uid_personhead > ' '
        union
        -- employees paired with the deputy manager of their department
        select p.uid_person, d.uid_personheadsecond as uid_personhead
        from person p
        join department d on p.uid_department = d.uid_department
        where d.uid_personheadsecond > ' '
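Because approvers can place requests for other users, as this section describes, the parameters QER\ITShop\PersonInsertedNoDecide, QER\ITShop\PersonOrderedNoDecide and QER\ITShop\DecisionOnInsert from the section Approving a Request from an Approver determine whether a party to a request can also decide it. The following added example (not code from the manual or from Identity Manager) models the manager and deputy case from that section; the classes `Request` and `Config`, the function names and the sample data are assumptions made for the illustration.

```python
"""Model of who may decide a request under the two NoDecide parameters.
Added illustration only: not Identity Manager code. Names and data are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    item: str
    inserted_by: str   # employee who placed (triggered) the request
    ordered_for: str   # employee the request was placed for


@dataclass(frozen=True)
class Config:
    person_inserted_no_decide: bool = False  # QER\ITShop\PersonInsertedNoDecide
    person_ordered_no_decide: bool = False   # QER\ITShop\PersonOrderedNoDecide
    decision_on_insert: bool = False         # QER\ITShop\DecisionOnInsert


def eligible_approvers(found: List[str], req: Request, cfg: Config) -> List[str]:
    """Approvers found by the approval procedure, minus those the parameters exclude."""
    blocked = set()
    if cfg.person_inserted_no_decide:
        blocked.add(req.inserted_by)
    if cfg.person_ordered_no_decide:
        blocked.add(req.ordered_for)
    return [a for a in found if a not in blocked]


def first_step_state(found: List[str], req: Request, cfg: Config) -> str:
    """State of the first approval step directly after the request is placed."""
    eligible = eligible_approvers(found, req, cfg)
    if not eligible:
        # The manual does not say how the product handles this case; the model flags it.
        return "no eligible approver"
    if cfg.decision_on_insert and req.inserted_by in eligible:
        return "approved on insert by " + req.inserted_by
    return "pending: " + ", ".join(eligible)


def self_approval_findings(found: List[str], req: Request, cfg: Config) -> List[str]:
    """Review helper: list the ways a party to the request can decide it."""
    eligible = eligible_approvers(found, req, cfg)
    findings = []
    if req.inserted_by in eligible:
        findings.append(req.inserted_by + " can decide a request they placed")
    if req.ordered_for in eligible:
        findings.append(req.ordered_for + " can decide a request placed for them")
    return findings


def review_matrix(found: List[str], req: Request) -> Dict[Tuple[bool, bool], List[str]]:
    """Findings for every (PersonInsertedNoDecide, PersonOrderedNoDecide) combination."""
    return {
        (ins, ordered): self_approval_findings(found, req, Config(ins, ordered))
        for ins, ordered in product((False, True), repeat=2)
    }


# Constructed scenario from the manual's example: the manager requests for the deputy,
# and the approval procedure finds both of them as approvers.
FOUND = ["manager", "deputy"]
REQ = Request("ERP role", inserted_by="manager", ordered_for="deputy")

if __name__ == "__main__":
    for flags, findings in review_matrix(FOUND, REQ).items():
        print(flags, findings or "no self-approval path")
```

With both parameters set and only these two approvers found, no eligible approver remains, so an additional independent approver is needed for such requests.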

Managing an IT Shop

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators>
- Manager

Configuration Parameter for Setting Up an IT Shop

CONFIGURATION PARAMETER | MEANING
QER\ITShop | Preprocessor relevant configuration parameter to control the component parts for the IT Shop. You need to recompile the database after changes have been made. If the parameter is set, the IT Shop components are available.

The following sections describe how you can set up custom shops, shopping centers or shelves. You can expand on the default shop Identity Lifecycle or create your own IT Shop solution.

Set up your IT Shop with the help of the IT Shop Wizard. Start the wizard from the category <My Identity Manager>\<IT Shop Wizard>\<Create shop>. The wizard includes the most important configuration stages for setting up an IT Shop. If you use the IT Shop Wizard to set up an IT Shop, you are led through the procedure one step at a time. After the wizard has concluded, more configuration stages are required.

Shops, shopping centers and shelves are shown in the category <IT Shop>. The technical mapping of the IT Shop solution is based on the role management mechanism in the Identity Manager, as described in section Company Structures as Roles in the Identity Manager on page 81. All IT Shop objects are added as roles with the role class IT Shop structure. This allows an IT Shop to be represented hierarchically in the Identity Manager.

The following figure shows an IT Shop with a shopping center, shelves, products and customers.

[Figure: Hierarchical Representation of an IT Shop]

The following sections describe the procedure for manually setting up an IT Shop.

IT Shop Base Data

Role type

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators>
- Manager

Use role types to allocate roles. You can use role types to specify inheritance of approval policies within an IT Shop. To do this, assign role types to shelves and approval policies. Read section Determining Effective Approval Policies on page 50 for more information. You can also assign role types if you want to apply further criteria to distinguish between shops. However, role types that are assigned to shops have no influence over the inheritance of approval policies.

You set up role types in Identity Manager in the category <IT Shop>\<Basic configuration data>\<role types>. You also need to enter an identifier and a detailed description for a role type.

Approval Policies and Workflows

Approval policies and workflows are used to authorize requests. You can find out how to set up approval policies and workflows in the section Determining Effective Approval Policies on page 50.

Processing Status

Tools:
- Identity Manager with the application role <IT Shop>\<Administrators>
- Manager

Define your own processing status for requests. You can enter a processing status in the case of success and one in the case of error for each approval step in an approval workflow. The appropriate processing status is set for the request depending on whether the approval decision was negative or positive.

You set up processing statuses in Identity Manager in the category <IT Shop>\<Basic configuration data>\<processing status>. Enter the following data:

- Name for the processing status
  Enter a translation for the name using the button next to the input field if the data is multilingual.
- Detailed description of the processing status
- Additional properties for processing status
  You can label processing statuses with the options <Success>, <Closed> and <Manual postprocessing> for a more detailed customization. You can also specify the order of processing.

79

Application Roles

Attestors

Employees that are attestors for attestation instances can be assigned to IT Shop structures. To do this, assign an application role <Attestor> to an IT Shop structure (shopping center, shop, shelf, product) in the master data. Assign employees that are authorized to attest requests to this application role.

Edit attestors in the Manager in the category <IT Shop>\<Basic configuration data>\<attestor> or in the Identity Manager in the category <Identity Manager Administration>\<IT Shop>\<Attestor>. For detailed information about application roles see section The Identity Manager Roles Model on page 69. Read section Extended Master Data for an service item on page 23 on how to assign attestors.

Product Owners

Employees that are approvers in approval procedures for requesting service items can be assigned to these service items and service categories. To do this, assign an application role <Product owner> to a service item or category in the master data. Assign employees that are authorized to approve requests in the IT Shop to this application role.

Edit product owners in the Manager in the category <IT Shop>\<Basic configuration data>\<product owners> or in the Identity Manager in the category <Identity Manager administration>\<IT Shop>\<Product owner>. For detailed information about application roles see section The Identity Manager Roles Model on page 69. Read section Entering Service Items on page 20 about how to assign product owners.

Mail Templates

Mail templates are used to send messages to requesters and approvers. You can find more information about this in the sections Notifications in the Request Process on page 68 and Creating Custom Mail Templates for Notifications on page 100.

Business Partners

A manufacturer can be entered for a service item. Maintain the manufacturer's data in the category <IT Shop>\<Basic configuration data>\<business partners>. Here you can enter the data for external businesses that come into consideration as manufacturers, suppliers or partners. You can enter general address data and addresses for a business partner. If a business partner has a website, it can be displayed in the default web browser using the <Browser> button. You can label the business partner as a partner, leasing firm, supplier or manufacturer and store the customer number.

Service Categories

You can group individual service items into service categories to create a service catalog. Section Entering Service Categories on page 28 describes how to create and edit service categories.

Request Properties

When products are requested in the Web Portal, product specific request properties can be queried dynamically. These request properties are displayed in the Web Portal depending on the configuration, requester or approver. In order to use product specific request properties, define which properties are permitted for which product. For more information read section Entering Product Specific Request Properties on page

80

Setting Up a Shopping Center

Depending on the company structure, you can optionally define shopping centers for your IT Shop solution where several shops can be brought together under one roof. Always add the shopping center to the top level of the IT Shop. Shopping centers may not be represented in a hierarchy amongst themselves.

Setting Up a Shopping Center

Enter the following data for a shopping center:

IT Shop node, internal name: IT Shop node identifier for the shopping center and the internal name for the shopping center.

IT Shop information: This data defines the structure of the IT Shop. Specify the value Shopping center. The menu is only available when a new shopping center is added.

Role type: The role type has no relevance for shopping centers. Leave this field empty.

Parent IT Shop node: Shopping centers always take the uppermost node in an IT Shop. Therefore, leave this field empty.

Location, department, cost center: Assign a department, cost center or a location. You can use this input when creating approval policies for making requests from this shopping center.

Owner, deputy: Specify the person in charge of the shopping center (owner, deputy). You can also use this data in approval workflows.

81

Attestor: Specify an application role for determining those employees that are authorized to grant approvals in an attestation procedure. The members of this application role can attest shopping center assignments. Refer to section Attestation Approval Procedures on page 585 in the Identity Management Manual.

Detailed description for the shopping center

User Defined Master Data

You can enter additional custom data for a shopping center here. Use the Designer to customize display names, formats and templates for the input fields (by default <Spare field no >) to meet your requirements.

Assigning Shopping Center Template

Shopping center templates are used to fill the shops in a shopping center automatically. Read the section Templates for Automatically Filling the IT Shop on page 87 for a definition and functionality of shopping center templates. You can assign shopping center templates to shopping centers on the master data form in the field <Shelf template>.

Assign a Shopping Center Template

Additional Tasks for Shopping Centers

You can assign approval policies to a shopping center. These can be applied to all requests from this shopping center if a child IT Shop node has no approval policies assigned to it. Read the section Determining Effective Approval Policies on page 50 for more information.

82

Setting Up a Shop

Each shop contains a number of shelves that the customer can request products from. You can add a shop to the top level of the IT Shop or under a shopping center. Shops may not be hierarchical.

Setting Up a Shop

Enter the following master data for a shop:

IT Shop node, internal name: IT Shop node identifier for the shop and the shop's internal name.

IT Shop information: This data defines the structure of the IT Shop. Specify the value Shop. The menu is only available when a new shop is added.

Role type: You can use role types if you want to classify shops further. Role types assigned to shops have no influence over the inheritance of approval policies.

Parent IT Shop node: A parent shop node is necessary for the hierarchical design of the IT Shop. If the shop is at the top level of an IT Shop, this field stays empty. If the shop is below a shopping center, select the respective shopping center from the list. Shops can be added later to shopping centers using this field.

Location, department, cost center: Assign a department, cost center or a location. You can use this data in approval workflows for determining the approver responsible for requests from this IT Shop.

Owner, deputy: Specify the person in charge of the shop (owner, deputy). You can also use this data in approval workflows.

83

Attestor: Specify an application role for determining those employees that are authorized to grant approvals in an attestation procedure. The members of this application role can attest shop assignments. Refer to section Attestation Approval Procedures on page 585 in the Identity Management Manual.

Detailed description for the shop

User Defined Master Data

You can enter additional custom data for a shop here. Use the Designer to customize display names, formats and templates for the input fields (by default <Spare field no >) to meet your requirements.

Additional Tasks for Shops

You can assign approval policies to a shop. These can be applied to all requests from this shop if a child IT Shop node has no approval policies assigned to it. Read the section Determining Effective Approval Policies on page 50 for more information.

Setting Up a Customer Node

Set up just one customer node for each shop to facilitate customer administration. Add the employees to this customer node that are permitted to request products from this shop.

Customer Node Setup

Enter the following master data for a customer node:

IT Shop node, internal name: IT Shop identifier for the customer node and the internal name for the customer node.

84

IT Shop information: This data defines the structure of the IT Shop. Specify the value Customer. The menu is only available when a new customer is added.

Parent IT Shop node: A parent shop node is necessary for the hierarchical design of the IT Shop. Select the shop that the customer node will be added to. Only one shop is allowed per customer node.

Detailed description for the customer node

Shelf template, role type, location, department, cost center, owner, deputy and attestor do not have any relevance for customer nodes. Therefore, leave these fields empty.

User Defined Master Data

You can enter additional custom data for a customer node here. Use the Designer to customize display names, formats and templates for the input fields (by default <Spare field no >) to meet your requirements.

Additional Information about Customer Nodes

Add the employees who are authorized to make requests for the shop to the customer node. There are two ways of doing this.

Assign Employees

Assign employees directly to the customer node using this task.

Edit Dynamic Roles

Use this task to assign employees to customer nodes via dynamic roles. You need to supply the following data for a dynamic role customer node:

- The object class Employee.
- The IT Shop node that the dynamic role is linked to. This task is preset with the selected customer node.

If the objects meet the dynamic role conditions, they are added to this customer node. You can find all the other information about setting up a dynamic role in the section Setting Up Dynamic Roles on page 109 in the Identity Management Manual.

85

Setting Up a Shelf

There are various products available for request on shelves. Set up shelves under each shop.

Shelf Setup

Enter the following master data for a shelf:

IT Shop node, internal name: IT Shop node identifier for the shelf and the internal name for the shelf.

IT Shop information: This data defines the structure of the IT Shop. Specify the value Shelf. The menu is only available when a new shelf is added.

Role type: You can use role types in connection with the IT Shop to specify approval policy inheritance within an IT Shop. For more information read section Determining Effective Approval Policies on page 50. Add the necessary role types in the category <IT Shop>\<Basic configuration data>\<role types>. Refer to section Role type on page 78 for more information.

Parent IT Shop node: A parent shop node is necessary for the hierarchical design of the IT Shop. Select the shop that the shelf will be added to.

Location, department, cost center: Assign a department, cost center or a location. You can use this data in approval workflows for determining the approver responsible for requests from this shelf.

Owner, deputy: Specify the person in charge of the shelf (owner, deputy). You can also use this data in approval workflows.

86

Attestor: Specify an application role for determining those employees that are authorized to grant approvals in an attestation procedure. The members of this application role can attest shelf assignments. Refer to section Attestation Approval Procedures on page 585 in the Identity Management Manual.

Detailed description for the shelf

You can use shelf templates to fill shops automatically. If a shelf was created by automatically filling a shop, there is a link to the shelf template that was used in the field <Shelf template> on the existing shelf's master data form. Read the section Templates for Automatically Filling the IT Shop on page 87 for a definition and functionality of shelf templates.

User Defined Master Data

You can enter additional custom data for a shelf here. Use the Designer to customize display names, formats and templates for the input fields (by default <Spare field no >) to meet your requirements.

Additional Tasks for Shelves

You can apply several different tasks to shelves once you have entered their data. You will find the most important information on the shelf's overview form. Use the forms available on the task view to carry out any of the tasks.

Assign Approval Policies

You can assign approval policies to a shelf. These are applied to all requests made from these shelves if the requested service item does not have any approval policies assigned to it. Read the section Determining Effective Approval Policies on page 50 for more information. The approval policy that takes effect on the shelf is shown in the overview.

Assign Requestable Products

Assign to a shelf those company resources that the shop customers are permitted to request as products. These company resources are added as product nodes below the shelf. You can only select those company resources that are labeled with the option <IT Shop> and are assigned a service item. Select a task from the task view in order to make company resource assignments. How you prepare company resources for use in the IT Shop is described in more detail in section Preparing Products for Requesting on page 19.

Deleting IT Shop Structures

In order to delete IT Shop structures you have to remove all the child IT Shop structures. This applies to manually added IT Shop structures in the same way as it does for shelves and products created from shelf templates.

Deleting Customer Nodes

In order to delete a customer node, you need to delete all the employees assigned to it beforehand. If the customer node was filled using a dynamic role, delete the dynamic role first.

87

Deleting Shelves

If a shelf is going to be completely taken out, you need to remove all the product assignments from the shelf first. The next time the DBScheduler runs, all pending requests for the products are closed and approved requests are canceled. Then you can delete the shelf.

If you want to delete shelves that were created from a special shelf template, you have to:

- Cancel all approved requests from the shelves in question,
- Cancel pending requests,
- Remove the shelf template assignment to the shop.

Shelves that have been created from a global shelf template or a shopping center template cannot be deleted.

Deleting Shops

If you want to delete a shop, delete the customer node and existing shelves beforehand.

Deleting Shopping Centers

If you want to delete a shopping center, delete all shops beforehand.

Templates for Automatically Filling the IT Shop

You can create templates for setting up shelves automatically. Use templates when you want to set up shelves in several shops or shopping centers with the same products. You can define the following templates:

Global shelf templates: A global shelf template is automatically distributed to all shops within the IT Shop solution. The global shelf templates are reproduced in every shop. A corresponding shelf with products is created in each shop. If a new shop is created within the IT Shop solution, the global shelf template is also duplicated in this shop.

Special shelf templates: A special shelf template is manually assigned to one or more shops. The special shelf template is copied to these shops and a corresponding shelf with products is added. A special template can additionally be distributed to shopping center templates.

Shopping center templates: A shopping center template is linked to one or more shopping centers that it should be reproduced in. You can only assign shopping center templates to shopping centers. By assigning a special shelf template to a shopping center template you create a shelf from a template within that shopping center template. This shelf is subsequently set up in all the shops belonging to this shopping center.

88

To simplify matters, these templates are referred to collectively as shelf templates in the following. All shelf templates are represented as roles with the role class IT Shop template in the Identity Manager.

The following is valid for all shelf templates:

- If a template is modified, the changes are passed on to all shelves created from this shelf template.
- If a shelf template is deleted, all the shelves that originated from it are deleted from the shop. Outstanding requests are completed.
- Shelf templates can only be deleted when their assigned products and approval policies have been removed.

The following diagram illustrates the shelf templates that can be set up, their assignments and the resulting IT Shop solution.

89

[Figure: Assigning Shelf Templates]
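The distribution rules for global, special and shopping center templates can be modeled to see which shops are affected when a template is modified or deleted. The following is an added example, not code from the product; the class, function, shop and template names are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ITShopModel:
    # shop -> parent shopping center, or None if the shop is at the top level
    shops: dict
    global_templates: set = field(default_factory=set)
    # special shelf template -> shops it was assigned to manually
    special_to_shops: dict = field(default_factory=dict)
    # special shelf template -> shopping center templates it was assigned to
    special_to_center_templates: dict = field(default_factory=dict)
    # shopping center template -> shopping centers it was assigned to
    center_template_to_centers: dict = field(default_factory=dict)


def shelves_from_template(model, template):
    """Map every shop holding a shelf created from `template` to the reasons why.

    A change to the template is passed on to each of these shops, and deleting
    the template removes the shelf from each of them.
    """
    reach = {}
    if template in model.global_templates:
        # Global shelf templates are reproduced in every shop.
        for shop in model.shops:
            reach.setdefault(shop, set()).add("global")
        return reach
    # Special shelf template assigned manually to shops.
    for shop in model.special_to_shops.get(template, ()):
        reach.setdefault(shop, set()).add("assigned to shop")
    # Special shelf template assigned to a shopping center template: the shelf
    # is set up in all shops of every shopping center using that template.
    for center_template in model.special_to_center_templates.get(template, ()):
        for center in model.center_template_to_centers.get(center_template, ()):
            for shop, parent in model.shops.items():
                if parent == center:
                    reach.setdefault(shop, set()).add("via " + center_template)
    return reach


def templates_behind_shop(model, shop):
    """Inverse view: all shelf templates that put a shelf into `shop`."""
    names = (set(model.global_templates)
             | set(model.special_to_shops)
             | set(model.special_to_center_templates))
    return sorted(t for t in names if shop in shelves_from_template(model, t))


# Constructed sample structure (all names are made up for this example).
MODEL = ITShopModel(
    shops={
        "Shop HQ": None,
        "Shop Berlin": "Center Europe",
        "Shop Paris": "Center Europe",
        "Shop Austin": "Center US",
    },
    global_templates={"Standard software"},
    special_to_shops={"Developer tools": {"Shop HQ"},
                      "Finance access": {"Shop Paris"}},
    special_to_center_templates={"Finance access": {"EU template"}},
    center_template_to_centers={"EU template": {"Center Europe"}},
)

if __name__ == "__main__":
    for name in ("Standard software", "Developer tools", "Finance access"):
        print(name, "->", shelves_from_template(MODEL, name))
    print("Shop Berlin <-", templates_behind_shop(MODEL, "Shop Berlin"))
```

Running the same functions after adding a shop to the model shows the shelves a new shop receives without any manual assignment.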

90

Procedure for Creating Shelf Templates

The following steps are required to create a template:

Global Shelf Templates

- Set up global shelf templates
- Assign products and approval policies to the global shelf template

The global shelf template is automatically reproduced in all shops in the IT Shop. The shelves that are created are linked to the global shelf template from which they originate. The products are transferred to the shelf that has been created.

Special Shelf Template

- Set up the special shelf template
- Assign products and approval policies to the special shelf template
- Assign the special shelf template to one or more shops

The special shelf template is automatically copied to all shops in the IT Shop. The shelves that are created are linked to the special shelf template from which they originate. The products are transferred from the template to the shelf that is created from the template.

Shopping Center Template

- Add the shopping center template
- Add a special shelf template with products
- Assign the special shelf template to a shopping center template
- Assign the shopping center template to the desired shopping center

The special shelf template is automatically copied to the shopping center template. Subsequently, the shelf created from the shopping center template is distributed to all the shops in the shopping center. The shelves that are created obtain a link to the shelf that they originated from.

In the following sections the individual steps are explained for creating shelf templates.

91

Setting Up Shelf Templates

Parameters for using with Shelf Templates

| CONFIGURATION PARAMETER | MEANING |
|---|---|
| QER\ITShop\UseITShopTemplates | Preprocessor relevant configuration parameter for controlling the database model components for the IT Shop Shelf Filling Wizard. Changes to the parameter require recompiling the database. If the parameter is set, the Shelf Filling Wizard components are available. |

Set up shelf templates in the category <IT Shop>\<Shelf Templates> in Identity Manager. To do this, log in with a role based authentication module in the application role <IT Shop>\<Administrators>. You can also create shelf templates in the Manager.

Example of a special shelf template

Enter the following master data without taking the type of shelf template into account:

IT Shop node, internal name: IT Shop node identifier and internal name for the shelf template. These names are given to the shelves generated by the template.

Role type: You can use role types in connection with the IT Shop to specify approval policy inheritance within an IT Shop. For more information read section Determining Effective Approval Policies on page 50. Add the necessary role types in the category <IT Shop>\<Basic configuration data>\<role types>. Refer to section Role type on page 78 for more information. The role type is transferred to the new shelf.

IT Shop Information: Specifies which type of template is being dealt with, a global shelf template, a special template or a shopping center template based on the IT Shop information. Permitted values are:

92

- Global shelf template
- Special shelf template
- Shopping center template

The IT Shop data can only be specified when a shelf template is created. No changes can be made after saving.

Location, department, cost center: Assign a department, cost center or a location. You can use this data in approval workflows for determining the approver responsible for requests from this shelf.

Owner, deputy: Specify the person in charge of the shelf (owner, deputy). You can also use this data in approval workflows.

Attestor: Specify an application role for determining those employees that are authorized to grant approvals in an attestation procedure. The members of this application role can attest shelf assignments. Refer to section Attestation Approval Procedures on page 585 in the Identity Management Manual.

Detailed description of the template: The description is transferred to shelves created from this template.

User Defined Master Data

You can enter additional custom data for a shelf template here. Use the Designer to customize display names, formats and templates for the input fields (by default <Spare field no >) to meet your requirements. This input is not transferred to the created shelves by default.

Additional Tasks for Shelf Templates

Assign Approval Policies

You can assign approval policies to global and special templates. These approval policies are passed on to every new shelf. You can find more information about approval policies in section Determining Effective Approval Policies on page 50.

Assign Company Resources

Assign global and special shelf templates to company resources. These company resources are added as product nodes to all the shelves that are created. You can only select those company resources that are labeled with the option <IT Shop> and are assigned a service item. Select a task from the task view in order to make company resource assignments. How you prepare company resources for use in the IT Shop is described in more detail in section Requestable Products on page 18.

Shelf Filling Wizard

Use this task to assign special shelf templates to shops and shopping centers. Refer to section Assigning Shelf Templates to Shops and Shopping Center Templates on page 93 for more information.

93

Assigning Shelf Templates to Shops and Shopping Center Templates

Global shelf templates are immediately distributed to all shops belonging to an IT Shop. Assign special shelf templates manually to shops and shopping center templates. To do this, run the task <Shelf filling wizard> for special templates.

Shelf Filling Wizard

All shops and shopping center templates that can be assigned shelves (and have them removed again) are displayed on the tab <Assign/Remove shelves>. All the special shelf templates that are available are shown in the <Shelf templates> list. The template list is preset with the name of the shelf template that the form was initiated from.

You may limit the number of shops and shopping centers on display with a <Filter>. All entries containing the character string given in the filter condition are displayed. Upper and lower case is not taken into account. The filter takes effect after the shelf template has been reselected in the <Shelf templates> list.

To assign a shelf template, enable the control box next to the desired shop or shopping center. Use the button <Assign all> to assign a template to all shops. In order to remove the assignments from all shops, click the button <Remove all>. You can select several entries at one time (<Ctrl>+<left mouse button> or <Shift>+<left mouse button>) and change the assignments using the button <Invert selection>. Confirm the action in each case with the button <Apply>!

You also need to assign shopping center templates to the desired shopping center. This assignment takes place in the shopping center. Refer to the section Setting Up a Shopping Center on page 80 for more information.

The Shelf filling wizard tab <Assignment via shopping center templates> displays the shops which obtained the special template's shelf due to a shopping center template. This representation merely serves as an overview. The assignment cannot be edited. Please note that a filter affects how this tab is displayed.

94

Deleting Shelf Templates

Configuration Parameter for deleting Shelf Templates

| CONFIGURATION PARAMETER | MEANING |
|---|---|
| QER\ITShop\UseITShopTemplates\DeleteRecursive | This configuration parameter specifies whether the recursive deletion is allowed from shelf templates. |

The configuration parameter QER\ITShop\UseITShopTemplates\DeleteRecursive is taken into account when a shelf template is deleted. If the configuration parameter is set, you can delete a shelf template without requiring any further steps. When this shelf template is deleted, the shelves and their products in the shops that are connected with this template are also deleted. If the configuration parameter is not set, proceed as follows:

Delete Global Shelf Templates

1. Remove all products from the shelf template.
2. Delete global shelf templates.

Delete Special Shelf Templates

1. Remove all products from the shelf template.
2. Remove shop and shopping center assignments.
3. Delete special shelf templates.

Delete Shopping Center Templates

1. Remove shopping center assignments.
2. Remove special shelf template assignments from the shopping center template.
3. Delete the shopping center template.

Creating IT Shop Requests from Existing User Accounts, Group Assignments and Role Memberships

When the Identity Manager goes live, you can create IT Shop requests for existing user accounts, group assignments and roles. Several methods are provided by the Customizer to implement this. Using these methods, requests are created that are closed and approved. These requests can therefore be canceled at a later date. In addition to the initial request data, you can run a custom script from each method that sets other custom properties for a request.

95

User Account Requests

The following methods are available for creating requests for existing user accounts.

Methods for Creating IT Shop Requests from User Accounts

| BASE OBJECT | MEANING |
|---|---|
| ADSAccount | This method creates a request from an existing Active Directory user account. |
| UNSAccount | This method creates a request from an existing Unified Namespace user account. |
| ADSAccount | This method creates a request from an existing Microsoft Exchange mailbox. |
| LDAPAccount | This method creates a request from an existing LDAP user account. |
| NotesUser | This method creates a request from an existing Lotus Notes user account. |
| SAPUser | This method creates a request from an existing SAP R/3 user account. |

Customizer methods:

- public void CreateITShopAccountOrder (string CustomScriptName)
- public void CreateITShopMailOrder (string CustomScriptName)
- public void CreateITShopOrder (string CustomScriptName)

The following prerequisites must be met so that requests can be created for existing user accounts:

- There is a user account resource available for the target system (Active Directory, Lotus Notes, SAP R/3, LDAP).
- This user account resource is set up for use in the IT Shop (see Preparing Products for Requesting on page 19).
- The user account resource is assigned to an IT Shop shelf.
- Each of the user accounts that a request should be created for is linked to an employee.
- The employees are customers of the shop that the user account also belongs to.

Requests are created with the following steps:

1. Determine valid user account resources
2. Determine affected employees
3. Determine the IT Shop that the employees and user account resource are assigned to
4. Create request with initial data
5. Run custom scripts
6. Save requests (entry in table PersonWantsOrg)
7. Assign employee to product structure (entry in table PersonInITShopOrg)
8. Create indirect resource assignment (entry in table PersonHasRessourceTotal)
9. Delete any existing direct user account resource assignment (table PersonHasRessource)
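Before running the Customizer methods it is useful to know which existing accounts meet the prerequisites listed above and which do not, since accounts without a linked employee end up with no request that could later be canceled. The following is an added example that models those checks on constructed data; it is not the product's code, and all class, function, shop and account names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    target_system: str
    employee: Optional[str]  # None: the account is not linked to an employee


@dataclass(frozen=True)
class AccountResource:
    target_system: str
    it_shop_enabled: bool    # resource is set up for use in the IT Shop
    placements: tuple        # (shop, shelf) pairs the resource is assigned to


def check_account(account, resources, shop_customers):
    """Return (shop, shelf, None) when a request can be created, otherwise
    (None, None, reason) naming the first prerequisite that is not met."""
    candidates = [r for r in resources if r.target_system == account.target_system]
    if not candidates:
        return None, None, "no user account resource for the target system"
    enabled = [r for r in candidates if r.it_shop_enabled]
    if not enabled:
        return None, None, "user account resource not set up for the IT Shop"
    placements = sorted(p for r in enabled for p in r.placements)
    if not placements:
        return None, None, "user account resource not assigned to a shelf"
    if account.employee is None:
        return None, None, "user account not linked to an employee"
    for shop, shelf in placements:
        if account.employee in shop_customers.get(shop, set()):
            return shop, shelf, None
    return None, None, "employee is not a customer of the shop"


def plan_requests(accounts, resources, shop_customers):
    """Split accounts into requests that can be created and rejected accounts."""
    planned, rejected = [], {}
    for account in accounts:
        shop, shelf, reason = check_account(account, resources, shop_customers)
        if reason is None:
            planned.append({"account": account.name, "employee": account.employee,
                            "shop": shop, "shelf": shelf})
        else:
            rejected[account.name] = reason
    return planned, rejected


# Constructed sample data (not taken from a real system).
RESOURCES = [
    AccountResource("SAP R/3", True, (("Shop Berlin", "Accounts"),)),
    AccountResource("LDAP", False, (("Shop Berlin", "Accounts"),)),
    AccountResource("Lotus Notes", True, ()),
]
SHOP_CUSTOMERS = {"Shop Berlin": {"alice", "bob"}}
ACCOUNTS = [
    Account("SAP:ALICE", "SAP R/3", "alice"),
    Account("SAP:SVC_BATCH", "SAP R/3", None),
    Account("SAP:CAROL", "SAP R/3", "carol"),
    Account("LDAP:bob", "LDAP", "bob"),
    Account("NOTES:alice", "Lotus Notes", "alice"),
    Account("ADS:bob", "Active Directory", "bob"),
]

if __name__ == "__main__":
    planned, rejected = plan_requests(ACCOUNTS, RESOURCES, SHOP_CUSTOMERS)
    for request in planned:
        print("create request:", request)
    for name, reason in rejected.items():
        print("skip", name, "-", reason)
```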

96

Requests for Group Assignments

The following methods are available for creating requests for existing group assignments.

Methods for Creating IT Shop Requests from Group Assignments

| BASE OBJECT | CUSTOMIZER METHOD | MEANING |
|---|---|---|
| ADSAccountInADSGroup | public void CreateITShopOrder (string CustomScriptName) | This method creates a request from an existing Active Directory group assignment. |
| LDAPAccountInLDAPGroup | public void CreateITShopOrder (string CustomScriptName) | This method creates a request from an existing LDAP group assignment. |
| NotesUserInGroup | public void CreateITShopOrder (string CustomScriptName) | This method creates a request from an existing Lotus Notes group assignment. |
| SAPUserInSAPGroup | public void CreateITShopOrder (string CustomScriptName) | This method creates a request from an existing SAP R/3 group assignment. |
| UNSAccountBInUNSGroupB | public void CreateITShopOrder (string CustomScriptName) | This method creates a request from an existing Unified Namespace group membership. |

The following prerequisites must be met so that requests can be created for existing group assignments:

- The groups are prepared for use in IT Shop (see Preparing Products for Requesting on page 19).
- The groups are assigned to a shelf in IT Shop.
- Each user account that should have a valid request created for its group assignments is linked to an employee.
- The employees are customers of the shop that the groups belong to.

Requests are created with the following steps:

1. Determine user accounts and their group assignments
2. Determine affected employees
3. Determine the IT Shop that the employees and groups are assigned to
4. Create requests with initial data
5. Run custom scripts
6. Save requests (entry in table PersonWantsOrg)
7. Assign employee to product structure (entry in table PersonInITShopOrg)
8. Set up indirect group assignment for the affected user accounts
9. Delete possible direct group assignment for the affected user accounts

97

Request for Role Assignments

The following methods are available to create assignment requests from existing assignments of company resources or employees to roles.

Methods for Adding Existing Role Assignments to IT Shop Requests

| ROOT OBJECT | CUSTOMIZER METHOD | MEANING |
|---|---|---|
| <Role>HasADSGroup, <Role>HasApp, <Role>HasESet, <Role>HasLDAPGroup, <Role>HasNotesGroup, <Role>HasRessource, <Role>HasSAPGroup, <Role>HasUNSGroupB | public void CreateITShopOrder (string struid_orgproduct, string struid_personordered, string CustomScriptName) | This method creates a request from an existing company resource assignment to a role. Roles can be: department, cost center, location, business role. The Customizer methods are applied to the appropriate base object DepartmentHas..., ProfitCenterHas..., LocalityHas..., OrgHas... |
| PersonInDepartment, PersonInProfitCenter, PersonInLocality, PersonInOrg, PersonInAERole | public void CreateITShopOrder (string struid_orgproduct, string struid_personordered, string CustomScriptName) | This method creates a request from an existing role assignment to an employee. Roles can be: department, cost center, location, application role. |

The following prerequisites need to be met so that assignment requests can be created for existing role assignments:

- An assignment resource exists for the assignment request (see Preparing Assignment Requests on page 35).
- The assignment resource is prepared for use in IT Shop (see Preparing Products for Requesting on page 19).
- The assignment resource is assigned to a shelf as a product in the IT Shop. The UID_ITShopOrg for this product is passed to the method as parameter struid_orgproduct.
- An employee is selected as requester for the assignment request. The UID_Person for this employee is passed to the method as parameter struid_personordered.
- The selected employee is a customer in the shop that the assignment resource is assigned to as a product.

The following steps are carried out to create the assignment request:

1. Find roles and the company resources or employees that are assigned to them.
2. Find requester from struid_person.
3. Find product from struid_orgproduct.
4. Create request from the object found with initial data.
5. Run customized script.
6. Save request (entry in table PersonWantsOrg).

98

7. Add the UID_PersonWantsOrg from the created request in the column UID_PWOOrigin of the base table affected.

Creating Requests for Existing User Accounts: An Example

Valid requests should be created for existing SAP user accounts so that they can be canceled again at a later date. This should be implemented per SAP client via a task in Identity Manager. The SAP client's SAP system is entered in the column CustomProperty01 in every request, and the remark Created automatically is entered in the column CustomProperty02. The user that runs the task is entered as the request initiator in each request (column UID_PersonInserted).

These requirements can be implemented in the following way:

- Create a custom script to determine other properties for the request.
- Create a process for creating the request from existing SAP user accounts.
- Create a method definition to trigger the process from the Manager.

Custom Script Example

The SAP client's SAP system should be entered into the column CustomProperty01 for every request (PWO) that is created from an existing SAP user account (base object). Column CustomProperty02 is given the value created automatically. A custom script DOC_CustomScript is created for this which is passed to the process.
The custom script could look like this:

    Public Sub DOC_CustomScript(ByVal dbBaseObject As ISingleDbObject, ByVal dbPWO As ISingleDbObject)
        Dim f As ISqlFormatter = dbPWO.Connection.SqlFormatter
        Dim strWhere As String
        Dim strCPath As String
        Dim strDestinationname As String = String.Empty

        ' Create resource WhereClause and then determine the ConnectionPath
        strWhere = String.Format("UID_AccProduct in (select UID_AccProduct from ITShopOrg where {0})", _
            f.Comparison("UID_ITShopOrg", dbPWO.GetValue("UID_Org").String, _
                ValType.String, CompareOperator.Equal, FormatterOptions.None))

        ' The ConnectionPath contains the FK for the target system (in SAP UID_SAPMandant)
        strCPath = dbPWO.Connection.GetSingleProperty("Ressource", "ConnectionPath", strWhere).String

        ' Determine the Destination name from the SAP System
        If Not String.IsNullOrEmpty(strCPath) Then
            strWhere = String.Format("UID_SAPSystem in (select UID_SAPSystem from SAPMandant where {0})", _
                f.Comparison("UID_SAPMandant", strCPath, ValType.String, _
                    CompareOperator.Equal, FormatterOptions.None))
            ' .String added so that a string is assigned, as in the ConnectionPath lookup above
            strDestinationname = Connection.GetSingleProperty("SAPSystem", "Destinationname", strWhere).String
        End If

        ' If no Destinationname could be found, display an error message
        If String.IsNullOrEmpty(strDestinationname) Then
            Throw New Exception("Could not determine the destination name.")
        End If

        ' Set CustomProperties
        dbPWO.PutValue("CustomProperty01", strDestinationname)
        dbPWO.PutValue("CustomProperty02", "created automatically")
    End Sub

Process Example

A process is created that uses the process function CallMethod from the process component HandleObjectComponent. This process function permits customer scripts. The Customizer method CreateITShopOrder (parameter MethodName) is called for all SAP users (parameter ObjectType) of an SAP client (parameter WhereClause). The parameter Param1 passes the custom script DOC_CustomScript, which is used to define other properties for the request. To ensure that the request initiator can be found, the authentication data are determined by the parameter AuthenticationString.

Process: DOC_CreateITShopOrders
Event: CreateOrder
Base object type: SAPMandant
Process step: CallMethod CreateITShopOrder
Process function: CallMethod
Parameter:
    ConnectionProvider: Value = VID_GetValueOfDialogdatabases("ConnectionProvider")
    ConnectionString: Value = VID_GetValueOfDialogdatabases("ConnectionString")
    MethodName: Value = "CreateITShopOrder"
    ObjectType: Value = "SAPUser"
    Param1: Value = "DOC_CustomScript"
    WhereClause: Value = "uid_sapmandant ='" & $UID_SAPMandant$ & "'"
    AuthenticationString: Value = VID_BuildAuthString()

Method Definition Example

The process should be implemented per SAP client via a task in Identity Manager. To do this, a method definition is created in the Designer as described in section Task Definitions for the User Interface on page 201 in the Configuration Manual, and the permissions group vi_4_namespaceadmin_sapr3 is assigned. The object definition SAPClient is selected for the method Create IT Shop requests.
The method script could look like this:

    Try
        ' Event generated for creating IT Shop requests
        VI.DB.JobGeneration.JobGen.Generate(Base, "CreateOrder")
        MsgBox(#LD("Generating process for creating IT Shop request!")#, _
            MsgBoxStyle.OKOnly Or MsgBoxStyle.Information, "Information")
    ' Error message is displayed on method error
    Catch ex As Exception
        Throw New ViException(#LD("An error occurred in the method 'Create IT Shop requests'.")#, ex)
    End Try
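The custom script above builds its conditions through the formatter's Comparison call, while the WhereClause process parameter concatenates the key value between two quotes. The following VB.NET module is an added illustration and not code from the guide; QuotedCondition and IsSingleLiteral are hypothetical helpers, the sample values are constructed, and no Identity Manager API is used. It shows that the concatenated form stays a valid condition only as long as the value contains no apostrophe.

```vbnet
Imports System

Module WhereClauseQuoting

    ' Concatenation as in the WhereClause process parameter:
    ' the value is placed between two quotes unchanged.
    Function ConcatCondition(ByVal column As String, ByVal value As String) As String
        Return column & " ='" & value & "'"
    End Function

    ' Hypothetical helper (not the Identity Manager formatter): builds the
    ' same condition but doubles embedded single quotes, the standard SQL
    ' way of keeping them inside the string literal.
    Function QuotedCondition(ByVal column As String, ByVal value As String) As String
        If String.IsNullOrEmpty(column) Then
            Throw New ArgumentException("A column name is required.", "column")
        End If
        If value Is Nothing Then
            Return column & " is null"
        End If
        Return column & " = '" & value.Replace("'", "''") & "'"
    End Function

    ' Returns True when the text after the first quote is exactly one
    ' string literal that closes on the last character of the condition.
    Function IsSingleLiteral(ByVal condition As String) As Boolean
        Dim i As Integer = condition.IndexOf("'"c) + 1
        If i = 0 Then Return False
        While i < condition.Length
            If condition(i) = "'"c Then
                If i + 1 < condition.Length AndAlso condition(i + 1) = "'"c Then
                    i += 2 ' doubled quote: still inside the literal
                    Continue While
                End If
                ' A lone quote ends the literal; it must be the last character.
                Return i = condition.Length - 1
            End If
            i += 1
        End While
        Return False ' the literal was never closed
    End Function

    Sub Main()
        ' Constructed sample values: a UID-like key and a text with an apostrophe.
        Dim samples() As String = {"f3a1c0de-0000-4000-8000-000000000001", "Client 'East'"}
        For Each value As String In samples
            Dim concat As String = ConcatCondition("UID_SAPMandant", value)
            Dim quoted As String = QuotedCondition("UID_SAPMandant", value)
            Console.WriteLine("{0} -> single literal: {1}", concat, IsSingleLiteral(concat))
            Console.WriteLine("{0} -> single literal: {1}", quoted, IsSingleLiteral(quoted))
        Next
    End Sub

End Module
```

Key columns that hold generated UIDs pass either way; the difference appears as soon as a condition is built from a free-text column.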

Creating Custom Mail Templates for Notifications

Tools:
Identity Manager with application role <IT Shop>\<Administrators>
Manager

There is a mail template editor integrated into the Identity Manager, which simplifies making notifications. Mail text can be created and edited with the Mail Template Editor. This means that the recipient's language is taken into account when the notification is generated. Edit mail templates in the category <IT Shop>\<Basic configuration data>\<mail templates>.

Creating a Mail Template

Copying Mail Templates

Select the mail template that you want to copy in the navigation and copy it with the task <Copy mail template...>. Enter a name to save the copy with. The new mail template is opened for editing in the Mail Template Editor.

General Properties of a Mail Template

The following general properties are displayed for a mail template:

Mail template
Enter the name of the mail template. This name will be used to display the mail templates in the administration tools and in the Web Portal. Enter a translation for the name using the button next to the input field for language dependent usage.

Base object
Select the base object for the mail template. Use the base object Request procedures (table PersonWantsOrg) and Request procedures auxiliary table (table PWOHelperPWO). Only mail templates for this base object are shown in the category <IT Shop>\<Basic configuration data>\<mail templates>. Edit the mail templates for other objects in the Designer. For more information read section Maintaining Mail Templates on page 217 in the Configuration Manual.

Report
Select a report that you want to link to the mail template.

Description
Enter the description of the mail template. Enter a translation for the description using the button next to the input field for language dependent usage.

Target format
Select the format for generating the notification.

Target Formats for Mail Templates

TARGET FORMAT | MEANING
HTML | The notification is formatted in HTML. HTML format can contain formatting.
TXT | The notification is formatted in text format. Text format cannot contain any formatting.

Design type
Enter the design for generating the notification.

Design Types for Mail Templates

DESIGN TYPE | MEANING
Mail template | The notification is generated with a mail body corresponding to the mail definition.
Report | The notification is generated with the report contained under <Report> as mail body.
Mail template, report as attachment | The notification is generated with a mail body corresponding to the mail definition. The report entered in the <Report> field is attached to the mail as PDF file.

Importance
Enter the importance for the notification. Permitted values are Low, Normal and High.

Sensitivity
Enter the sensitivity setting for the notification. Permitted values are Normal, Personal, Private and Confidential.

Can unsubscribe
With this option you can specify whether the recipient can unsubscribe the e-mail. If this option is set, the e-mails can be unsubscribed through the Web Portal.

Creating and Editing an E-mail Definition

Mail texts can be defined in different languages in a mail template. This allows the notification to take the recipient's language into account when it is generated.

Create a new mail definition as follows:

1. Click on the add button next to the <Mail definition> menu. Select the language culture you want the mail definition to apply to from the <Language culture> menu. All the language cultures that are enabled are shown in the list. To use other languages, enable the corresponding countries in the category <Basic configuration data>\<country information>. Refer to section Displaying Country Information on page 264 for further information.
2. Enter the subject in the <Subject> field.

A mail text editor with formatting and editing functions in Microsoft Word style is integrated for editing the mail body.

To edit an existing mail definition, select the language culture in the <Mail definition> menu.

Using Base Object Properties

You can use all the properties of the object entered under <Base object> in the subject line and in the mail body. You can also use the object properties that are referenced by foreign key relation. To access properties, use dollar notation. Section Using Dollar ($) Notation on page 358 in the Configuration Manual explains the usage of dollar notation and provides other syntax examples.

Example:
An IT Shop requester should receive notification about the status of the request.

Base object: PersonWantsOrg
Subject: $DisplayOrg[D]$ status change
Mail body:
    Dear $FK(UID_PersonOrdered).Salutation[D]$ $FK(UID_PersonOrdered).FirstName$ $FK(UID_PersonOrdered).LastName$,
    The status was changed on the following request on $DateHead:Date$.
    Product: $DisplayOrg[D]$
    Requested by: $DisplayPersonInserted$
    Reason: $OrderReason$
    Current status of your request:
    Approval: granted
    Approver: $DisplayPersonHead[D]$
    Reason: $ReasonHead[D]$

The generated notification could look like the following, for example, once it has been formatted appropriately:

Use of Hyperlinks in the Web Portal

You can insert hyperlinks to the Web Portal in the mail body. If the recipient clicks on the hyperlink in the e-mail, the Web Portal is opened on that webpage and further actions can be carried out. This method is implemented for IT Shop requests and attestation in the default version.

Prerequisites for using this method:

- The configuration parameter QER\ITShop\WebShop\BaseURL is set and contains the URL path to the Web Portal.
  with:
  <Server> = server name
  <App> = installation path for Web Portals

Proceed as follows to insert a hyperlink to the Web Portal into the mail body:

1. Click in the mail body at the point where you want to add the hyperlink.
2. Insert a new hyperlink using <Hyperlink> in the context menu.
3. Enter the text for the hypertext in the <Show text> input field.
4. Set the option <File or website>.
5. Enter the address of the page to be opened in the Web Portal in the <Address> field. In this case you can revert to using default functions or parameters from processes. For more information read the section Default Functions for Creating Hyperlinks on page
6. Accept the data with the <OK> button.

Figure: Creating a Hyperlink

Default Functions for Creating Hyperlinks

Several default functions are available to help you create hyperlinks. You can use these functions directly to insert a hyperlink in a mail body or in processes.

Default Functions for IT Shop Requests

The script VI_BuildITShopLinks contains a collection of default functions for composing hyperlinks to directly grant or deny approval of IT Shop requests from notifications.

Function in Script VI_BuildITShopLinks

FUNCTION | USAGE
VI_BuildITShopLink_Show_for_Approver | Opens the overview page for request approval in the Web Portal.
VI_BuildITShopLink_Show_for_Requester | Opens the overview page for requests in the Web Portal.
VI_BuildITShopLink_Approve | Approves a request and opens the approvals page in the Web Portal.
VI_BuildITShopLink_Deny | Denies a request and opens the approvals page in the Web Portal.
VI_BuildITShopLink_Unsubscribe | Opens the notification configuration page in the Web Portal. This function is used in processes for unsubscribing notifications.

Direct Function Input

A function is referenced in the <Address> field when a hyperlink is inserted:

    $Script(<Function>)$

Example:

    $Script(VI_BuildITShopLink_Show_for_Requester)$

Figure: Direct Function Input

Figure: Example of a Hyperlink in the Generated Notification

Using in Processes

Use this method to pass additional parameters to a function. E-mail notifications are generated during the process handling. The process function SendRichMail is provided for this through the process component MailComponent. To compose a hyperlink within a process, for example, to unsubscribe notifications, use the spare process parameters [ParamName 1-n] and [ParamValue 1-n] from the process component.

Example for filling the process parameter:

    ParamName1: Value = "NoSubscription"
    ParamValue1: Value = VI_BuildITShopLink_Unsubscribe(values("UID_RichMail").ToString())

UID_RichMail is determined by the pre-script for generating within the process and passed to the function. Take implementation examples from base object PersonWantsOrg processes that are triggered by changes to IT Shop requests. How to configure processes is described in the Process Orchestration Manual in section Defining Processes on page 47.

The process parameter is referenced when a hyperlink is entered in the <Address> field:

    $PC(<ParamName>)$

Example:

    $PC(NoSubscription)$

Figure: Usage of Process Parameter in a Hyperlink

Figure: Example of a Hyperlink in the Generated Notification

Custom Processes for Notifications

In order to send further notifications within the request process, set up custom processes. How to create processes is described in detail in the section Defining Processes on page 47 in the Process Orchestration Manual. You can use the following events for generating processes.

Events on Object PWOHelperPWO

EVENT | TRIGGERED BY
DecisionRequired | Creating a new request.
Remind | Sequence of reminder intervals.

Events on Object PersonWantsOrg

EVENT | TRIGGERED BY
Granted | Approval granted to an approval step.
Dismissed | Approval not granted to an approval step.
OrderGranted | Approval granted to entire approval procedure.
OrderRefused | Approval not granted to entire approval procedure.
Escalate | Escalation of the approval procedure.
Canceled | Pending request is canceled.
Unsubscribe | Product is canceled by the requester.
UnsubscribeGranted | Product canceled by another employee.


More information

How to Deploy Models using Statistica SVB Nodes

How to Deploy Models using Statistica SVB Nodes How to Deploy Models using Statistica SVB Nodes Abstract Dell Statistica is an analytics software package that offers data preparation, statistics, data mining and predictive analytics, machine learning,

More information

2010 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Third Party Contributions

2010 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Third Party Contributions 6.7 Feature Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license

More information

Dell One Identity Manager Scalability and Performance

Dell One Identity Manager Scalability and Performance Dell One Identity Manager Scalability and Performance Scale up and out to ensure simple, effective governance for users. Abstract For years, organizations have had to be able to support user communities

More information

Dell NetVault Backup Plug-in for SQL Server 6.1

Dell NetVault Backup Plug-in for SQL Server 6.1 Dell NetVault Backup Plug-in for SQL Server 6.1 April 2014 These release notes provide information about the Dell NetVault Backup Plug-in for SQL Server release. About Enhancements Resolved issues Known

More information

Quest InTrust for Active Directory. Product Overview Version 2.5

Quest InTrust for Active Directory. Product Overview Version 2.5 Quest InTrust for Active Directory Product Overview Version 2.5 Copyright Quest Software, Inc. 2006. All rights reserved. This guide contains proprietary information, which is protected by copyright. The

More information

Dell InTrust 11.0. Preparing for Auditing Microsoft SQL Server

Dell InTrust 11.0. Preparing for Auditing Microsoft SQL Server 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information

Using Self Certified SSL Certificates. Paul Fisher. Quest Software. Systems Consultant. Desktop Virtualisation Group

Using Self Certified SSL Certificates. Paul Fisher. Quest Software. Systems Consultant. Desktop Virtualisation Group Using Self Certified SSL Certificates Paul Fisher Systems Consultant paul.fisher@quest.com Quest Software Desktop Virtualisation Group Quest Software (UK) Limited Ascot House Maidenhead Office Park Westacott

More information

Dell Statistica Document Management System (SDMS) Installation Instructions

Dell Statistica Document Management System (SDMS) Installation Instructions Dell Statistica Document Management System (SDMS) Installation Instructions 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

NetVault LiteSpeed for SQL Server version 7.5.0. Integration with TSM

NetVault LiteSpeed for SQL Server version 7.5.0. Integration with TSM NetVault LiteSpeed for SQL Server version 7.5.0 Integration with TSM 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0 Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0 May 2015 About this guide Prerequisites and requirements NetWeaver configuration Legal notices About

More information

6.9. Administrator Guide

6.9. Administrator Guide 6.9 Administrator Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

6.7. Administrator Guide

6.7. Administrator Guide 6.7 Administrator Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365 Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365 May 2015 This guide describes how to configure Microsoft Office 365 for use with Dell One Identity Cloud Access Manager

More information

8.3. Competitive Comparison vs. Microsoft ADMT 3.1

8.3. Competitive Comparison vs. Microsoft ADMT 3.1 8.3 Competitive Comparison vs. Microsoft ADMT 3.1 Copyright Quest Software, Inc. 2009. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described

More information

ActiveRoles 6.8. Web Interface Administrator Guide

ActiveRoles 6.8. Web Interface Administrator Guide ActiveRoles 6.8 Web Interface Administrator Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

10.6. Auditing and Monitoring Quest ActiveRoles Server

10.6. Auditing and Monitoring Quest ActiveRoles Server 10.6 Auditing and Monitoring Quest ActiveRoles Server 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Dell Statistica. Statistica Document Management System (SDMS) Requirements

Dell Statistica. Statistica Document Management System (SDMS) Requirements Dell Statistica Statistica Document Management System (SDMS) Requirements 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Dell InTrust 11.0. Preparing for Auditing CheckPoint Firewall

Dell InTrust 11.0. Preparing for Auditing CheckPoint Firewall 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information

Troubleshooting Guide 5.1. Quest Workspace ChangeBASE

Troubleshooting Guide 5.1. Quest Workspace ChangeBASE Troubleshooting Guide 5.1 Quest Workspace ChangeBASE [Type text] 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Dell NetVault Backup Plug-in for SQL Server 10.0.1

Dell NetVault Backup Plug-in for SQL Server 10.0.1 Dell NetVault Backup Plug-in for SQL Server 10.0.1, Revision 1 February 2015 These release notes provide information about the Dell NetVault Backup Plug-in for SQL Server release. About Dell NetVault Backup

More information

Dell NetVault Backup Plug-in for Advanced Encryption 2.2. User s Guide

Dell NetVault Backup Plug-in for Advanced Encryption 2.2. User s Guide Dell Backup Plug-in for Advanced Encryption 2.2 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

New Features and Enhancements

New Features and Enhancements Dell Migration Manager for SharePoint 4.7 Build number: 4.7.20141207 December 9, 2014 These release notes provide information about the Dell Migration Manager for SharePoint release. New Features and Enhancements

More information

Foglight. Foglight for Virtualization, Free Edition 6.5.2. Installation and Configuration Guide

Foglight. Foglight for Virtualization, Free Edition 6.5.2. Installation and Configuration Guide Foglight Foglight for Virtualization, Free Edition 6.5.2 Installation and Configuration Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

10.2. Auditing Cisco PIX Firewall with Quest InTrust

10.2. Auditing Cisco PIX Firewall with Quest InTrust 10.2 Auditing Cisco PIX Firewall with Quest InTrust 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

formerly Help Desk Authority 9.1.2 Quick Start Guide

formerly Help Desk Authority 9.1.2 Quick Start Guide formerly Help Desk Authority 9.1.2 Quick Start Guide 2 Contacting Quest Software Email: Mail: Web site: info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com

More information

About Recovery Manager for Active

About Recovery Manager for Active Dell Recovery Manager for Active Directory 8.6.1 May 30, 2014 These release notes provide information about the Dell Recovery Manager for Active Directory release. About Resolved issues Known issues System

More information

Built-in Plug-ins User s Guide

Built-in Plug-ins User s Guide Quest NetVault Backup version 9.1 Built-in Plug-ins User s Guide Version: Product Number: NVG-129-9.1-EN-01 NVG-129-9.1-EN-01 05/10/13 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains

More information

Dell One Identity Cloud Access Manager 7.0.2. Installation Guide

Dell One Identity Cloud Access Manager 7.0.2. Installation Guide Dell One Identity Cloud Access Manager 7.0.2 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Dell One Identity Cloud Access Manager 8.0 - How To Deploy Cloud Access Manager in a Virtual Private Cloud

Dell One Identity Cloud Access Manager 8.0 - How To Deploy Cloud Access Manager in a Virtual Private Cloud Dell One Identity Cloud Access Manager 8.0 - How To Deploy Cloud Access Manager in a Virtual Private Cloud February 2015 This guide describes how to deploy Dell One Identity Cloud Access Manager within

More information

System Requirements and Platform Support Guide

System Requirements and Platform Support Guide Foglight 5.6.7 System Requirements and Platform Support Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

Governed Migration using Dell One Identity Manager

Governed Migration using Dell One Identity Manager Governed Migration using Dell One Identity Manager How Dell Identity Manager not only reduces migration costs and improves migration outcomes, but delivers ongoing value Abstract Sooner or later, your

More information

8.10. Required Ports

8.10. Required Ports 8.10 Required Ports 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

ActiveRoles 6.9. Replication: Best Practices and Troubleshooting

ActiveRoles 6.9. Replication: Best Practices and Troubleshooting ActiveRoles 6.9 Replication: Best Practices and Troubleshooting 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

2011 Quest Software, Inc. ALL RIGHTS RESERVED. TRADEMARKS DISCLAIMER

2011 Quest Software, Inc. ALL RIGHTS RESERVED. TRADEMARKS DISCLAIMER 8.8 Upgrade Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. The software described in this document is furnished under a software

More information

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide Dell NetVault Backup Plug-in for 1.3 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

Dell InTrust 11.0 Best Practices Report Pack

Dell InTrust 11.0 Best Practices Report Pack Complete Product Name with Trademarks Version Dell InTrust 11.0 Best Practices Report Pack November 2014 Contents About this Document Auditing Domain Controllers Auditing Exchange Servers Auditing File

More information

Desktop Authority vs. Group Policy Preferences

Desktop Authority vs. Group Policy Preferences Desktop Authority vs. Group Policy Preferences A Comparison of Desktop Lifecycle Management Features Introduction Group Policy Preferences In Windows Server 2008 and Windows Vista Service Pack 1, Microsoft

More information