Identity Audit. Compliance Rule. Set Exception Approval by User’s Manager

Product Version: One Identity Manager v9.2.1. Classic web portal.

Dear Team,

I am currently working on configuring an Identity Audit compliance rule and would like to request your guidance on a specific use case.

Objective:
I would like to designate the user’s manager as the Exception Approver whenever a rule violation is detected for that user.

Use Case:
Within our ITShop, products are organized by Service Categories, which correspond to various Job Categories. Additionally, each identity (record in the Person table) is associated with a specific Job Category.
We intend to utilize the Identity Audit module to notify both the user and their manager when a user requests a product from a Service Category that does not correspond to their assigned Job Category.

For example, if a user from the Purchasing department requests a product outside of the Purchasing Service category, an alert (e.g. message in the webportal) should be displayed for the user previous to request submission (when 'checking shopping cart'), and then a similar notification should be displayed to the user's manager when it comes to his/her approval.

Could you please advise on how this can be implemented within One Identity Manager? I would also appreciate any alternative approaches you might recommend to address this scenario effectively.

Thank you in advance for your support.

Top Replies

Markus Weiss-Ehlers 6 days ago in reply to rodrigo.penades +1

You need to calculate the recommendations in the approval workflow first. Explained here https://docs.oneidentity.com/bundle/one-identity-manager_it-shop-administration_9.2.1/page/sources/itshop/itsapprovalbyrecommendationconfigure…

Parents

0 Markus Weiss-Ehlers 10 days ago

For a cross-functional test, you do not need a compliance rule. The check in the shopping cart also detects cross-functional assignments. You can assign those functional areas to service items and roles. Described here https://docs.oneidentity.com/bundle/one-identity-manager_business-roles_9.2.2/page/sources/roles/rmb/orgfunctionalarea.html

The functional areas are also checked by the recommendation engine (https://docs.oneidentity.com/bundle/one-identity-manager_it-shop-administration_9.2.2/page/sources/itshop/itsapprovalbyrecommendationcriteria.htm)

You might want to give it a try.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 rodrigo.penades 8 days ago in reply to Markus Weiss-Ehlers

Thank you very much, Markus. I tested your suggestion, and it works well. The requester is now notified by a warning banner during the Shopping Cart check. The banner states: 'The product "XXXX" does not belong to the same functional area as the identity "YYYY".'
But would there be a way to display the same warning banner to approvers—such as the user's manager—when they are making the approval decision?

Thanks.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 rodrigo.penades 8 days ago in reply to Markus Weiss-Ehlers

Thank you very much, Markus. I tested your suggestion, and it works well. The requester is now notified by a warning banner during the Shopping Cart check. The banner states: 'The product "XXXX" does not belong to the same functional area as the identity "YYYY".'
But would there be a way to display the same warning banner to approvers—such as the user's manager—when they are making the approval decision?

Thanks.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 Markus Weiss-Ehlers 8 days ago in reply to rodrigo.penades

There is no banner just for the cross-functional check, as far as I remember. You can either add an approval step PeerGroupAnalysis or "Recommendation to your workflow at the beginning. The approver can then either check the recommendation or the result of the Peer Group Analysis, including the Cross-Functional Flag.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 rodrigo.penades 7 days ago in reply to Markus Weiss-Ehlers

Hello again,
I've successfully added the approval step, and now the result of the recommendation is visible under the 'Workflow' tab.

(For example:

Deny - Approval recommendation -

45 minutes ago

Reason for decision

No reason entered

Approval procedure

EX - Approvals to be made externally)

However, I'm still unable to display the 'Recommendation' column in the 'Pending Requests' screen, where the manager makes their decision.

Do you have any suggestions on how to enable this? I noticed that such a column appears in the following video at timestamp 20:32:

www.oneidentity.com/.../

Thanks in advance!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Markus Weiss-Ehlers 6 days ago in reply to rodrigo.penades

You need to calculate the recommendations in the approval workflow first. Explained here https://docs.oneidentity.com/bundle/one-identity-manager_it-shop-administration_9.2.1/page/sources/itshop/itsapprovalbyrecommendationconfigure.htm
Cancel
Up +1 Down

Reply

Verify Answer

Cancel
0 juancarlos camargo 6 days ago in reply to Markus Weiss-Ehlers

Markus Weiss-Ehlers , the Recommendation value is updated in the PWO record but the Recommendation column is not shown on the pending requests page (web designer portal).
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 rodrigo.penades 2 days ago in reply to juancarlos camargo

Exactly. Thank you juancarlos.

Markus Weiss-Ehlers I would appreciate any further recommendations you might have. Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel