19.3 Managing Provisioning Team Request Rights

Before configuring a provisioning team requests object, you need to select the Identity Manager User Application driver that contains the definition. After selecting the driver, you can create a new team requests definition, edit an existing definition, or delete an existing definition.

19.3.1 Selecting the Driver

To select an Identity Manager User Application driver:

  1. Select the Identity Manager category in iManager.

  2. Open the Provisioning Configuration role.

  3. Click the Provisioning Team Requests task.

    iManager displays the User Application Driver panel.

  4. Specify the driver name in the User Application Driver field, then click OK.

    iManager displays the Provisioning Team Requests panel. The Provisioning Team Requests panel displays a list of existing team requests objects.

Changing the driver. When you have selected a driver, the driver selection remains in effect for the duration of your iManager session, unless you select a new driver. To select a new driver, click the Actions command, then choose Select User Application Driver from the Actions menu.

19.3.2 Creating or Editing a Provisioning Team Requests Object

To create a new provisioning team requests object:

  1. Click the New command in the Provisioning Team Requests panel.

    The first page of the Create New Provisioning Team Request wizard displays.

  2. Type a common name for the new object in the Name (CN) field.

  3. For each description you want to add for the team requests object, type the description text in the Description fields under Provisioning Team Request Descriptions. This text is used to identify the provisioning team requests object in iManager.

  4. To add a new description for the team requests object, click Add, type the description text, then click OK.

    The text is then added to the Description field under Provisioning Team Request Descriptions. This text is used to describe the team requests object on the Provisioning Team Requests panel.

  5. Click Next.

  6. Select the team definition to which this team requests object applies, as described in Selecting the Team Definition for the Team Requests Object.

  7. Specify the task scope and permission options for the team requests object, as described in Specifying the Team Requests Options.

  8. Review your settings, then click Finish.

Selecting the Team Definition for the Team Requests Object

To select the team definition:

  1. Use the Object Selector to pick a team.

    After you have made your selection, the team is displayed in the Provisioning Team field, and the team options settings for the team are displayed under Provisioning Team Options.

  2. Click Next.

Specifying the Team Requests Options

To specify the team requests options:

  1. Define the scope for the team requests object:

    • If the scope for the team is Provisioned Resource Categories, select one or more categories for this team requests object by moving them from the Available Categories list into the Selected Categories list.

    • If the scope for the team is Individual Provisioning Request, use the Object Selector to choose the provisioning request for this team requests object.

    • If the scope for the team is All Provisioning Requests, you do not need to take any additional action in the team requests object.

  2. Define the task scope options, as follows:

    Setting: Allow managers to act on tasks where the team member is an addressee

    Description: When this setting is enabled, the team managers can use the Team Tasks action within the User Application to take actions on tasks for which the team members are addressees. These actions include approving and denying requests. If you do not permit team managers to act on tasks for which the team member is an addressee, the managers can view these tasks, but they cannot see details about them or take actions on them.

    Setting: Allow managers to act on tasks where the team member is a recipient

    Description: When this setting is enabled, the team managers can use the Team Tasks action within the User Application to take actions on tasks for which the team members are recipients. These actions include approving and denying requests. If you do not permit team managers to act on tasks for which the team member is a recipient, the managers can view these tasks, but they cannot see details about them or take actions on them.

    NOTE: For security reasons, the recipient task scope option is disabled by default. Giving a team manager the ability to act on tasks where the recipient of the request is a team member can raise several security issues. First, the manager is then able to view data included on any of the forms that are displayed during the course of workflow execution, regardless of his or her trustee rights. Second, depending on the permission options (see below), a team manager could circumvent the approval process by claiming or approving the task or reassigning it to someone else.

  3. Define the permission options, as follows:

    Setting: Allow managers to initiate a Provisioning Request on behalf of a team member

    Description: When this setting is enabled, the list of resources on the Request Team Resources page of the User Application includes resources that are within the scope of this team. When this setting is disabled, these resources are not included.

    Setting: Allow managers to retract a Provisioning Request on behalf of a team member

    Description: When this setting is enabled, the Retract button is displayed on the Team Requests page for requests that are within the scope of this team. When this setting is disabled, the Retract button is not displayed.

    Setting: Allow managers to make a team member a delegatee for other team member’s Provisioning Requests

    Description: When this option is enabled, the manager can use the Team Delegate Assignments action to designate a team member as a delegate for another team member’s provisioning requests. If this option is disabled, the manager can still view delegate settings defined for the team members by the administrator or by a manager of another team to which these users belong. However, the team manager cannot edit or delete these settings, view details for these settings, or create new delegate assignments.

    Setting: Allow managers to claim a task for team members who are a recipient and/or addressee based on the task scope

    Description: When this setting is enabled, the Claim button is enabled on the Team Tasks page for requests that are within the scope of this team. When this setting is disabled, the Claim button is greyed out.

    Setting: Allow managers to reassign a task for team members who are a recipient and/or addressee based on the task scope

    Description: When this setting is enabled, the Reassign button is enabled on the Team Tasks page for requests that are within the scope of this team. When this setting is disabled, the Reassign button is greyed out.

  4. Click Next.

NOTE: The Provisioning Team Requests plug-in allows you to configure two different team requests objects that use the same provisioning request or category with different sets of permissions for the same team. This might lead to conflicts that make the permissions associated with a team unclear. To avoid these sorts of conflicts, make sure you do not define two different team requests objects that specify different sets of permissions for the same provisioning request or category.
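Both NOTEs in this section describe conditions that can be checked against a list of the team requests objects: conflicting permission sets for the same team and request or category, and the recipient task scope combined with the claim or reassign permissions. The following Python audit is an added example, not part of the product or of this guide; the record layout, field names, and sample objects are assumptions constructed for illustration and do not represent the product's schema or any export format.

```python
from itertools import combinations

# Constructed sample inventory of team requests objects for one driver.
# The record layout is an assumption for this example, not the product's schema.
# "perms" holds short names for the permission options described above;
# the scope value "*" stands for the All Provisioning Requests scope.
SAMPLE = [
    {"cn": "HR-Requests-A", "team": "HR", "scope": {"category:accounts"},
     "addressee": True, "recipient": False, "perms": {"initiate", "retract"}},
    {"cn": "HR-Requests-B", "team": "HR",
     "scope": {"category:accounts", "category:building"},
     "addressee": True, "recipient": True,
     "perms": {"initiate", "claim", "reassign"}},
    {"cn": "IT-Requests", "team": "IT", "scope": {"*"},
     "addressee": True, "recipient": False, "perms": {"initiate"}},
]

def overlap(a, b):
    """Scope targets two objects share; '*' overlaps with every target."""
    if "*" in a or "*" in b:
        return ((a | b) - {"*"}) or {"*"}
    return a & b

def find_conflicts(objs):
    """Pairs of objects for the same team that cover the same provisioning
    request or category but specify different sets of permissions."""
    out = []
    for a, b in combinations(objs, 2):
        if a["team"] != b["team"] or a["perms"] == b["perms"]:
            continue
        shared = overlap(a["scope"], b["scope"])
        if shared:
            out.append((a["cn"], b["cn"], sorted(shared)))
    return out

def find_recipient_risk(objs):
    """Objects where the recipient task scope is enabled together with claim
    or reassign, the combination that lets a manager bypass approval."""
    risky = {"claim", "reassign"}
    return [(o["cn"], sorted(o["perms"] & risky))
            for o in objs if o["recipient"] and o["perms"] & risky]

if __name__ == "__main__":
    for a, b, shared in find_conflicts(SAMPLE):
        print(f"CONFLICT {a} vs {b} on {', '.join(shared)}")
    for cn, perms in find_recipient_risk(SAMPLE):
        print(f"REVIEW   {cn}: recipient scope with {', '.join(perms)}")
```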

19.3.3 Deleting a Provisioning Team Requests Object

To delete a provisioning team requests object:

  1. Select the provisioning team requests object you want to delete by clicking the check box next to the name.

  2. Click the Delete command in the Provisioning Team Requests panel.