Mapping multiple employee identities
Table 30: Configuration parameters for representing multiple identities

Table | Column | Description
Person | MasterIdentity | Main identity assigned to a subidentity (Main identity on the employee's main data form).
Person | UseMasterForAuthentication | Specifies whether the main identity is used to log in to One Identity Manager tools through an employee-linked authentication module. If this parameter is set, the main identity is used for employee-linked authentication; if it is not set, the subidentity itself is used. For more information about One Identity Manager authentication modules and about editing system users, see the One Identity Manager Authorization and Authentication Guide.
Under certain circumstances, employees need different identities for their work, for example, identities that result from different contracts at different branches. These identities can differ in their affiliation to departments or cost centers, or in their access permissions. External employees working at different locations can likewise be represented with different identities in the system. In One Identity Manager, you define a main identity and subidentities for such an employee so that each identity is represented and all of them are grouped in one central place.
Target systems provide different types of user accounts to give employees different permissions. An employee can have different identities in order to use several user accounts of different types. To simplify assigning permissions in the target systems, an employee's subidentities are split into identity types. This classification corresponds to the user account types.
Main identity
- A main identity represents a real person.
- A main identity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
- The employee main data of a main identity is shown in One Identity Manager.
- A main identity can have several subidentities.
Subidentity
- A subidentity is a virtual employee.
- A subidentity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
- A subidentity is always assigned to a main identity.
- Employee main data of a subidentity is displayed in One Identity Manager. It can be copied from the main identity's data using the appropriate templates.
- Enter a main identity for the subidentity using Main identity on the employee's main data form.
TIP: If an employee works with several identities, but only one of them is currently known in One Identity Manager, then you should:
- Create a main identity for this employee
- Assign the identity known until now as a subidentity
- Create new subidentities for the additional identities
This makes it possible, within an identity audit, to check the permissions granted to the employee per subidentity or per main identity including all of its subidentities.
Employee identity types
To distinguish between the different identities of an employee, use the following identity types.
Table 31: Identity types

Identity type | Description
Primary identity | Employee's default identity. The employee has a default user account.
Organizational identity | Virtual employee (subidentity) for mapping different roles of an employee in the organization. The subidentity has a user account of the Organizational identity type. Also enter a main identity.
Personalized admin identity | Virtual employee (subidentity) that belongs to a user account of the Personalized administrator identity type. Also enter a main identity.
Sponsored identity | Pseudo employee associated with a user account of the Sponsored identity type. Assign a manager to the employee.
Shared identity | Pseudo employee associated with an administrative user account of the Shared identity type. Assign a manager to the employee.
Service identity | Pseudo employee associated with a user account of the Service identity type. Assign a manager to the employee.
Machine identity | Pseudo employee for mapping machine identities.
The primary identity, the organizational identity, and the personalized admin identity are different identities under which the same real employee carries out their different tasks within the company.
Employees with a personalized admin identity or an organizational identity are set up as subidentities. These subidentities are then linked to user accounts, which lets you assign the required permissions to each user account separately.
The sponsored identity, the shared identity, and the service identity represent pseudo employees that are used to provide the linked user accounts with permissions in the respective target systems. Assigning pseudo employees to hierarchical roles, or adding them as customers in the IT Shop, is what enables permissions to be assigned to their user accounts. IT Shop requests for these pseudo employees can be triggered only by their manager. When evaluating reports, attestations, or compliance checks, check whether pseudo employees need to be considered separately.
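The following is an added example, not One Identity Manager code, that models the rules stated in the two sections above (main identities and subidentities, and the identity types of Table 31): which identity an employee-linked authentication module logs in as, the structural checks a practitioner would run over the records (every subidentity has a main identity that is itself not a subidentity, every pseudo employee has a manager), the per-identity and combined permission view for an identity audit, and the IT Shop rule that only a manager can request for a pseudo employee. The record layout, the permission strings and the sample employees are constructed for this example; the field names follow Person.MasterIdentity and Person.UseMasterForAuthentication from Table 30 but the class is not the One Identity Manager schema.

```python
"""Added example, not One Identity Manager code: a small model of the rules
above for main identities, subidentities and pseudo employees. The record
layout, the identity type names and the permission strings are constructed
for this example (assumption); they are not the One Identity Manager schema,
although the field names follow Person.MasterIdentity and
Person.UseMasterForAuthentication from Table 30.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Identity types from Table 31, grouped by the rule that applies to them.
SUB_TYPES = {"Organizational", "PersonalizedAdmin"}   # subidentities: need a main identity
PSEUDO_TYPES = {"Sponsored", "Shared", "Service"}      # pseudo employees: need a manager


@dataclass
class Person:
    uid: str
    identity_type: str                        # one of the Table 31 types
    master_identity: Optional[str] = None     # models Person.MasterIdentity
    use_master_for_auth: bool = False         # models Person.UseMasterForAuthentication
    manager: Optional[str] = None
    permissions: Set[str] = field(default_factory=set)


def authenticating_identity(p: Person, people: Dict[str, Person]) -> Person:
    """Identity an employee-linked authentication module logs in as (Table 30)."""
    if p.master_identity and p.use_master_for_auth:
        return people[p.master_identity]
    return p


def check_identity_rules(people: Dict[str, Person]) -> List[str]:
    """Violations of the structural rules stated for Tables 30 and 31."""
    errors = []
    for p in people.values():
        if p.identity_type in SUB_TYPES:
            master = people.get(p.master_identity) if p.master_identity else None
            if p.master_identity is None:
                errors.append(f"{p.uid}: subidentity without main identity")
            elif master is None:
                errors.append(f"{p.uid}: main identity {p.master_identity} does not exist")
            elif master.master_identity is not None:
                # Only one level: a main identity represents a real person.
                errors.append(f"{p.uid}: main identity {master.uid} is itself a subidentity")
        elif p.master_identity is not None:
            errors.append(f"{p.uid}: only subidentities carry a main identity")
        if p.identity_type in PSEUDO_TYPES and p.manager is None:
            errors.append(f"{p.uid}: pseudo employee without manager")
    return errors


def subidentities(master_uid: str, people: Dict[str, Person]) -> List[Person]:
    return [p for p in people.values() if p.master_identity == master_uid]


def audit_permissions(master_uid: str, people: Dict[str, Person]) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Permissions per identity, plus the union over the main identity and all subidentities."""
    per_identity = {master_uid: set(people[master_uid].permissions)}
    for s in subidentities(master_uid, people):
        per_identity[s.uid] = set(s.permissions)
    return per_identity, set().union(*per_identity.values())


def may_request_for(requester_uid: str, for_uid: str, people: Dict[str, Person]) -> bool:
    """IT Shop rule from the text: a pseudo employee cannot request; only its manager can.
    Other identities may request for themselves (further delegation is out of scope here)."""
    target = people[for_uid]
    if target.identity_type in PSEUDO_TYPES:
        return requester_uid == target.manager
    return requester_uid == for_uid


# Constructed sample data: one real person with two subidentities, plus pseudo employees.
SAMPLE: Dict[str, Person] = {p.uid: p for p in [
    Person("JDOE", "Primary", permissions={"Mail", "VPN"}),
    Person("JDOE_ORG", "Organizational", master_identity="JDOE",
           use_master_for_auth=True, permissions={"Finance-Read"}),
    Person("JDOE_ADM", "PersonalizedAdmin", master_identity="JDOE",
           permissions={"Domain-Admin"}),
    Person("SVC_BACKUP", "Service", manager="JDOE", permissions={"Backup-Operator"}),
    Person("SHARED_HELPDESK", "Shared"),                              # missing manager
    Person("BADSUB", "Organizational", master_identity="JDOE_ORG"),   # chained subidentity
]}

if __name__ == "__main__":
    for err in check_identity_rules(SAMPLE):
        print("rule violation:", err)
    print("JDOE_ORG authenticates as", authenticating_identity(SAMPLE["JDOE_ORG"], SAMPLE).uid)
    per_identity, combined = audit_permissions("JDOE", SAMPLE)
    print(per_identity, sorted(combined))
```

Running the sample reports two violations (the shared identity without a manager and the subidentity chained under another subidentity), shows that JDOE_ORG logs in as JDOE because UseMasterForAuthentication is set while JDOE_ADM logs in as itself, and lists the Domain-Admin permission next to the mail and VPN permissions in the combined view, which is exactly the separation an identity audit per main identity is meant to surface.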
Password policies for employees
One Identity Manager provides support for creating complex password policies, for example, for system user passwords, the employees' central password, and passwords for individual target systems. Password policies apply not only when a user enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can use or customize if required. You can also define your own password policies.
Predefined password policies
You can customize predefined password policies to meet your own requirements if necessary.
Password for logging in to One Identity Manager
The One Identity Manager password policy is applied for logging in to One Identity Manager. This password policy defines the settings for the system user passwords (DialogUser.Password and Person.DialogUserPassword) as well as the passcode for a one-time login to the Web Portal (Person.Passcode).
NOTE: The One Identity Manager password policy is marked as the default policy. This password policy is applied if no other password policy can be found for employees, user accounts, or system users.
Password policy for forming employees' central passwords
Depending on the configuration, an employee's central password is passed on to the employee's target system-specific user accounts. The Employee central password policy defines the settings for the central password (Person.CentralPassword). Members of the Identity Management | Employees | Administrators application role can adjust this password policy.
IMPORTANT: Ensure that the Employee central password policy does not violate the target system-specific requirements for passwords; otherwise a central password that complies with the central policy can be rejected by a target system it is passed on to.
Password policies for user accounts
Predefined password policies are provided, which you can apply to the user account password columns of the user accounts. You can define password policies for user accounts for various base objects, for example, for account definitions, manage levels, or target systems.
For detailed information about password policies for user accounts, see the administration guides of the target systems.
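The following is an added example, not One Identity Manager code, covering the two points of this section that are easy to get wrong in practice: which policy applies to a given password column, with the One Identity Manager password policy as the fallback when no other policy is found, and the IMPORTANT note above, turned into a check that the Employee central password policy is at least as strict as every target system policy the central password is passed on to. The policy parameters (length bounds, required character classes), the target system policies and the column name ADSAccount.UserPassword are assumptions made for this example; real One Identity Manager policies carry more settings than these.

```python
"""Added example, not One Identity Manager code: which password policy applies
to a password column (with the default policy as fallback), and a check that
the Employee central password policy does not violate target system-specific
requirements. The policy parameters (length bounds, required character
classes) and the target system policies are assumptions made for this
example; real policies carry more settings.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

CLASS_PATTERNS = {"upper": r"[A-Z]", "lower": r"[a-z]",
                  "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    required_classes: FrozenSet[str]

    def violations(self, password: str) -> List[str]:
        """Rules the given password breaks; an empty list means it complies."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        for cls in sorted(self.required_classes):
            if not re.search(CLASS_PATTERNS[cls], password):
                problems.append(f"missing {cls} character")
        return problems


# Default policy: DialogUser.Password, Person.DialogUserPassword, Person.Passcode,
# and any column for which no other policy is found (values are assumptions).
DEFAULT_POLICY = PasswordPolicy("One Identity Manager password policy", 8, 128,
                                frozenset({"upper", "lower", "digit"}))
CENTRAL_POLICY = PasswordPolicy("Employee central password policy", 12, 64,
                                frozenset({"upper", "lower", "digit", "special"}))
# Assumed target system policies, keyed by the user account base object.
TARGET_POLICIES: Dict[str, PasswordPolicy] = {
    "ADSAccount": PasswordPolicy("AD domain policy", 10, 127, frozenset({"upper", "lower", "digit"})),
    "SAPUser": PasswordPolicy("SAP policy", 8, 40, frozenset({"digit"})),
}
COLUMN_POLICIES: Dict[str, PasswordPolicy] = {
    "DialogUser.Password": DEFAULT_POLICY,
    "Person.DialogUserPassword": DEFAULT_POLICY,
    "Person.Passcode": DEFAULT_POLICY,
    "Person.CentralPassword": CENTRAL_POLICY,
}


def policy_for(column: str, base_object: Optional[str] = None) -> PasswordPolicy:
    """Column-specific policy first, then the target system's policy, then the default."""
    if column in COLUMN_POLICIES:
        return COLUMN_POLICIES[column]
    if base_object in TARGET_POLICIES:
        return TARGET_POLICIES[base_object]
    return DEFAULT_POLICY


def central_policy_conflicts(central: PasswordPolicy,
                             targets: Dict[str, PasswordPolicy]) -> Dict[str, List[str]]:
    """Target systems whose rules a central-policy-compliant password could still break.

    Passing the central password on to a target system is safe only if the central
    policy is at least as strict there: a minimum length no lower, a maximum length
    no higher, and at least the same required character classes."""
    conflicts = {}
    for system, t in targets.items():
        problems = []
        if central.min_length < t.min_length:
            problems.append(f"min_length {central.min_length} < {t.min_length}")
        if central.max_length > t.max_length:
            problems.append(f"max_length {central.max_length} > {t.max_length}")
        missing = t.required_classes - central.required_classes
        if missing:
            problems.append("does not require " + ", ".join(sorted(missing)))
        if problems:
            conflicts[system] = problems
    return conflicts


if __name__ == "__main__":
    print(policy_for("ADSAccount.UserPassword", "ADSAccount").name)
    print(CENTRAL_POLICY.violations("Sh0rt!"))
    print(central_policy_conflicts(CENTRAL_POLICY, TARGET_POLICIES))
```

With the assumed values, the check flags SAPUser: the central policy allows up to 64 characters while the SAP policy caps passwords at 40, so a perfectly compliant central password would be rejected there. Tightening the central maximum to 40 removes the conflict; adding a stricter target system later should be paired with re-running this comparison.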