In order for SharePoint user accounts to obtain permissions for individual websites, assign SharePoint roles to the groups. SharePoint roles and groups must belong to the same site collection.
NOTE: SharePoint roles with the Hidden option that reference permission levels cannot be assigned to groups.
To assign SharePoint roles to a group
- Select the SharePoint > Groups category.
- Select the group in the result list.
- Select the Assign SharePoint roles task.
- In the Add assignments pane, assign roles.
- OR -
In the Remove assignments pane, remove the roles.
- Save the changes.
NOTE: This function is only available if the System Roles Module is installed.
Use this task to add a group to system roles.
If you assign a system role to identities, all user authenticated accounts owned by these identities inherit the group.
NOTE: Groups with Only use in IT Shop set can only be assigned to system roles that also have this option set. For more information, see the One Identity Manager System Roles Administration Guide.
To assign a group to system roles
- In the Manager, select the SharePoint > Groups category.
- Select the group in the result list.
- Select the Assign system roles task.
- In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.
To remove an assignment
- Save the changes.
When you assign a group to an IT Shop shelf, shop customers can request it. For the group to be requestable, the following prerequisites must also be met:
- The group must be labeled with the IT Shop option.
- The group must be assigned a service item.
  TIP: In the Web Portal, all products that can be requested are grouped together by service category. To make the group easier to find in the Web Portal, assign a service category to the service item.
- If you only want the group to be assigned to identities through IT Shop requests, the group must also be labeled with the Use only in IT Shop option. Direct assignment to hierarchical roles or user accounts is no longer permitted.
NOTE: With role-based login, the IT Shop administrators can assign groups to IT Shop shelves. Target system administrators are not authorized to add groups to IT Shop.
To add a group to the IT Shop
- In the Manager, select the SharePoint > Groups (non role-based login) category.
  - OR -
  In the Manager, select the Entitlements > SharePoint groups (role-based login) category.
- In the result list, select the group.
- Select the Add to IT Shop task.
- Select the IT Shop structures tab.
- In the Add assignments pane, assign the group to the IT Shop shelves.
- Save the changes.
To remove a group from individual shelves of the IT Shop
- In the Manager, select the SharePoint > Groups (non role-based login) category.
  - OR -
  In the Manager, select the Entitlements > SharePoint groups (role-based login) category.
- In the result list, select the group.
- Select the Add to IT Shop task.
- Select the IT Shop structures tab.
- In the Remove assignments pane, remove the group from the IT Shop shelves.
- Save the changes.
To remove a group from all shelves of the IT Shop
- In the Manager, select the SharePoint > Groups (non role-based login) category.
  - OR -
  In the Manager, select the Entitlements > SharePoint groups (role-based login) category.
- In the result list, select the group.
- Select the Remove from all shelves (IT Shop) task.
- Confirm the security prompt with Yes.
- Click OK.
The group is removed from all shelves by the One Identity Manager Service. All requests and assignment requests with this group are canceled.
For more information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.
The following steps can be used to automatically add SharePoint groups to the IT Shop. Synchronization ensures that the SharePoint groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor. New SharePoint groups created in One Identity Manager are also added automatically to the IT Shop.
To add SharePoint groups automatically to the IT Shop
- In the Designer, set the QER | ITShop | AutoPublish | SPSGroup configuration parameter.
- To prevent specific SharePoint groups from being added to the IT Shop automatically, in the Designer, set the QER | ITShop | AutoPublish | SPSGroup | ExcludeList configuration parameter.
  This configuration parameter contains a list of all SharePoint groups that should not be allocated to the IT Shop automatically. You can extend this list if required. To do this, enter the names of the groups in the configuration parameter. Names are listed in a pipe (|) delimited list. Regular expressions are supported.
- Compile the database.
The SharePoint groups are added automatically to the IT Shop from now on.
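An added example, not part of the One Identity documentation: a Python pre-check that lists which group names an ExcludeList value would keep out of the IT Shop, and flags names whose result depends on whether an entry has to match the whole name or only part of it. The sample value, the group names and the function names are constructed, and Python's `re` module stands in for the product's matcher, whose exact semantics (anchoring, case sensitivity) the page does not state.

```python
import re

# Constructed sample value for QER | ITShop | AutoPublish | SPSGroup | ExcludeList
EXCLUDE_LIST = r"Site Owners|.*Admin.*|^Finance Approvers$"

# Constructed SharePoint group names
GROUPS = [
    "Site Owners",
    "Old Site Owners",
    "Farm Administrators",
    "Finance Approvers",
    "Finance Members",
    "Project Visitors",
]

def split_entries(value):
    """Split the pipe-delimited value into entries. Because | is the
    delimiter, an entry cannot itself contain regex alternation."""
    return [e.strip() for e in value.split("|") if e.strip()]

def invalid_entries(value):
    """Return entries that do not compile as regular expressions."""
    bad = []
    for entry in split_entries(value):
        try:
            re.compile(entry)
        except re.error:
            bad.append(entry)
    return bad

def excluded(groups, value, whole_name):
    """Groups matched by any entry. whole_name=True requires the entry to
    match the entire group name; False accepts a match anywhere in it.
    Both modes are assumptions used to compare outcomes."""
    patterns = [re.compile(e) for e in split_entries(value)]
    if whole_name:
        hit = lambda p, g: p.fullmatch(g) is not None
    else:
        hit = lambda p, g: p.search(g) is not None
    return [g for g in groups if any(hit(p, g) for p in patterns)]

def ambiguous(groups, value):
    """Groups excluded only under partial matching. Anchor such entries
    with ^...$ or wrap them in .* so the intent is explicit."""
    strict = set(excluded(groups, value, whole_name=True))
    return [g for g in excluded(groups, value, whole_name=False)
            if g not in strict]
```

Any name returned by `ambiguous` is a group that might be published automatically contrary to intent; confirm the behavior in a test environment before relying on an unanchored entry to keep a sensitive group out of the IT Shop.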
The following steps are run to add a SharePoint group to the IT Shop.
- A service item is determined for the SharePoint group.
  The service item is tested for each SharePoint group and modified if necessary. The name of the service item corresponds to the name of the SharePoint group.
- The service item is assigned to the SharePoint groups default service category.
- An application role for product owners is determined and assigned to the service item.
  Product owners can approve requests for membership in these SharePoint groups. The default product owner is the SharePoint group's owner.
  NOTE: The application role for the product owner must be added under the Request & Fulfillment | IT Shop | Product owner application role.
  - If the owner of the SharePoint group is already a member of an application role for product owners, this application role is assigned to the service item. Therefore, all members of this application role become product owners of the SharePoint group.
  - If the owner of the SharePoint group is not yet a member of an application role for product owners, a new application role is created. The name of the application role corresponds to the name of the owner.
    - If the owner is a user account, the user account's identity is added to the application role.
    - If it is a group of owners, the identities of all this group's user accounts are added to the application role.
  - If the SharePoint group does not have an owner, the Request & Fulfillment | IT Shop | Product owner | Without owner in SharePoint default application role is used.
- The SharePoint group is labeled with the IT Shop option and assigned to the SharePoint groups IT Shop shelf in the Identity & Access Lifecycle shop.
Then the shop customers can use the Web Portal to request memberships in SharePoint groups.
NOTE: If a SharePoint group is irrevocably deleted from the One Identity Manager database, the associated service item is also deleted.
For more information about configuring the IT Shop, see the One Identity Manager IT Shop Administration Guide. For more information about making access requests in the Web Portal, see the One Identity Manager Web Portal User Guide.