Chat now with support

Live-Hilfe anfordern
Registrierung abschließen

Anmelden

Preisinformationen anfragen

Vertrieb kontaktieren

Identity Manager 9.0 LTS - Authorization and Authentication Guide

Inhaltsnavigation

About this guide One Identity Manager application roles

Application roles overview

Application roles for basic functions Application role for the Operations Support Web Portal Application role for Compliance & Security Officers Application role for auditors Application roles for identity audit Application roles for company policies Application roles for attestation Application roles for subscribable reports Application roles for management levels Application roles for business roles Application roles for organizations Application role for application roles Application for employee administrators Application roles for the IT Shop Application roles for target systems Application roles for Universal Cloud Interface Application role for Privileged Account Governance Application roles for Application Governance Application roles for custom tasks

Implementing the application roles Creating and editing application roles

Main data of application roles Assigning employees to application roles Custom extension of application role permissions Creating and editing dynamic roles for application roles Specifying mutually exclusive application roles Assigning subscribable reports to application roles Assigning extended properties to application roles Generating assignment resources for application roles Reports about application roles

Granting One Identity Manager schema permissions through permissions groups

Predefined permissions groups and system users Rules for determining the valid permissions for tables and columns Editing permissions groups

Dependencies between permissions groups Permissions group dependencies Copying permissions groups Creating permissions groups Permissions group properties

Editing system users

Creating system users System users’ passwords System user properties Adding system users to permission groups Which employees use the system user? Dynamic system user

Permissions for tables and columns

Displaying permissions of a permissions group Displaying permissions for tables Editing table permissions Editing column permissions Copying table permissions and column permissions Simulating permissions for system users

Displaying permissions for objects Displaying permissions for the current user Assigning role-based permissions groups to an applications

Managing permissions to program functions

Displaying the current user's program functions Assigning program functions to permissions groups Permissions for running scripts Permissions for running methods Permissions for triggering processes Modifying permissions for running actions in the Launchpad

One Identity Manager authentication modules

System users Generic single sign-on (role-based) Employee Employee (role-based) Employee (dynamic) User account User account (role-based) User account (manual input/role-based) Account based system user Active Directory user account Active Directory user account (role-based) Active Directory user account (manual input) Active Directory user account (manual input/role-based) Active Directory user account (dynamic) LDAP user account (role-based) LDAP user account (dynamic) HTTP header HTTP header (role-based) OAuth 2.0/OpenID Connect OAuth 2.0/OpenID Connect (role-based) Synchronization authentication module Web agent authentication module Component authentication module Crawler Password reset Password reset (role-based) Decentralized identity Decentralized Identity (role-based) Editing authentication modules

Enabling authentication modules Assigning authentication modules to applications Disabling or enabling authentication modules for applications Authentication module properties Initial data for authentication modules Configuration data for system user dynamic authentication

Example of a simple system user assignment Example of a system user assignment using a selection criterion Example of a function group assignment

Checking authentication

OAuth 2.0/OpenID Connect authentication

Expiry of the OAuth 2.0/OpenID Connect authentication Creating the OAuth 2.0/OpenID Connect configuration Assigning OAuth 2.0/OpenID Connect configuration to web applications Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications Specifying enabled and disabled columns for logging in Logging information about OAuth 2.0/OpenID Connect authentication Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API

Setting up OAuth 2.0/OpenID Connect authentication for accessing the REST API Authentication module for using OAuth 2.0/OpenID Connect for authentication access to the REST API Authenticating external applications using OAuth 2.0/OpenID Connect

Multi-factor authentication in One Identity Manager

Multi-factor authentication with One Identity Defender

Configuring RSTS for multi-factor authentication Configuring authentication with OAuth 2.0/OpenID Connect in the Web Portal Configuring authentication with OAuth 2.0/OpenID Connect

Granular permissions for the SQL Server and database

Displaying database server logins Displaying users' access levels Displaying server roles and database roles permissions

Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Example of a function group assignment

To assign function groups to permissions groups you have to define two database views. The first database view shows the assignment of employees to function groups. The database view contains two columns, UID_Person and FunctionGroup.

Example:

create view custom_Person2Fu as

select uid_personHead as UID_Person, 'Cost center manager' as FunctionGroup

from Profitcenter

where isnull(uid_personHead, '') > ' '

union all

select uid_personHead, 'Department manager' as FunctionGroup

from Department

where isnull(uid_personHead, '') > ' '

The second database view assigns function groups to permissions groups. This database view contains two columns, FunctionGroup and DialogGroup.

Example:

create view custom_Fu2D as

select 'Cost center manager' as FunctionGroup, '<UID_Custom_Dialoggroup_ChefP>' as DialogGroup

union all select 'Department manager', '<UID_Custom_Dialoggroup_ChefD>'as DialogGroup

Set up role-based permissions groups with the required permissions.

TIP: A role-based permissions group can inherit from a non role-based permissions group. This allows you to build up an inheritance hierarchy to making it easier to grant permissions.

Change the configuration data for assigning function groups to permissions groups as follows:

<DialogUserDetect>

<FunctionGroupMapping

PersonToFunction = "custom_Person2Fu"

FunctionToGroup = "custom_Fu2D"

/>

</DialogUserDetect>

Related topics

Checking authentication

When a user logs in, a validity check is run. Use the settings to configure additional options.

The system runs additional validity checks to prevent users from working with established connections, if they were deactivated after they logged in. The check takes place with next action on the connection after a fixed interval of 20 minutes.

You can adjust the interval in the Common | Authentication | CheckInterval configuration parameter. In the Designer, edit the configuration parameter.
The number of session that a user can open within a short time is limited to 10 session a minute.

If this number is exceeded, the user is sent an error message.

You have logged in too often in the last minute. Please wait a moment before you log in again.

This check is done for each front-end if the login is local. If the login is on the application server, it is checked for each application server.

You can modify the number of sessions in the Common | Authentication | SessionsPerUserAndMinute configuration parameter. In the Designer, edit the configuration parameter.
Use the QBM | AppServer | SessionTimeout configuration parameter to add the timeout in hours, after which inactive application server sessions are closed. The default value is 24 hours. In the Designer, edit the configuration parameter.

OAuth 2.0/OpenID Connect authentication

The OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules support the authorization code flow for OAuth 2.0 and OpenID Connect. For more information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.

To use OAuth2.0/OpenID Connect authentication

In the Designer, create the identity provider and the OAuth2.0/OpenID Connect applications for the identity provider. A wizard is available in the Designer to assist in this process.
Assign the OAuth2.0/OpenID Connect application to the web applications.

Related topics

Expiry of the OAuth 2.0/OpenID Connect authentication

The web application (or client application) requests the authorization code at the authorization endpoint. The login endpoint is used to call an advanced login window, which serves to determine the authorization code. The authentication module requires an access token from the token endpoint and the certificate is required to check the security token.

In the process, an attempt is made to find the certificate from the web application configuration. If this is not possible, the settings of the identity provider are used. To find the certificate for testing the token, the certificate stores are queries in the following order:

Configuration of the OAuth 2.0/OpenID Connect application (QBMIdentityClient table)
1. Certificate text (QBMIdentityClient.CertificateText).
2. Subject or thumbprint from the local memory (QBMIdentityClient.CertificateSubject and QBMIdentityClient.CertificateThumbPrint).
3. Certificate endpoint (QBMIdentityClient.CertificateEndpoint).
  
  In addition, the subject or thumbprint is used to check certificates from the server if they are specified and do not exist locally on the server.
Configuration of the identity provider (QBMIdentityProvider table)
1. Certificate text ((QBMIdentityProvider.CertificateText).
2. Subject or thumbprint from the local memory (QBMIdentityProvider.CertificateSubject and QBMIdentityProvider.CertificateThumbPrint).
3. Certificate endpoint (QBMIdentityProvider.CertificateEndpoint)).
  
  In addition, the subject or thumbprint is used to check certificates from the server if they are specified and do not exist locally on the server.
4. JSON-Web-Key endpoint (QBMIdentityProvider.JsonWebKeyEndpoint).

To identify the user account, the system determines which claim type is used to find the user information and which information from the One Identity Manager schema is used to find the user account.

Authentication through OpenID is built on OAuth 2.0. The OpenID Connect authentication uses the same mechanisms, but makes the claims available either in an ID token or with a UserInfo endpoint. Other configuration settings are required for using OpenID Connect. If the Scope contains the openid value, the authentication module uses OpenID Connect for authentication.

Related topics

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen

© ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz Cookie Preference Center