The following steps can be used to automatically add Azure Active Directory groups to the IT Shop. Synchronization ensures that the Azure Active Directory groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor. New Azure Active Directory groups created in One Identity Manager also are added automatically to the IT Shop.
To add Azure Active Directory groups automatically to the IT Shop
-
In the Designer, set the QER | ITShop | AutoPublish | AADGroup configuration parameter.
-
In order not to add Azure Active Directory groups to the IT Shop automatically, in the Designer, set the QER | ITShop | AutoPublish | AADGroup | ExcludeList configuration parameter.
This configuration parameter contains a listing of all Azure Active Directory groups that should not be allocated to the IT Shop automatically. You can extend this list if required. To do this, enter the names of the groups in the configuration parameter. Names are listed in a pipe (|) delimited list. Regular expressions are supported.
-
Compile the database.
The Azure Active Directory groups are added automatically to the IT Shop from now on.
The following steps are run to add an Azure Active Directory group to the IT Shop.
-
A service item is determined for the Azure Active Directory group.
The service item is tested for each Azure Active Directory group and modified if necessary. The name of the service item corresponds to the name of the Azure Active Directory group.
-
The service item is assigned to either the Azure Active Directory groups | Security groups default service category or the Azure Active Directory groups | Distribution groups default service category.
-
An application role for product owners is determined and assigned to the service item.
Product owners can approve requests for membership in these Azure Active Directory groups. The default product owner is the Azure Active Directory group's owner.
NOTE: The application role for the product owner must be added under the Request & Fulfillment | IT Shop | Product owner application role.
-
If the owner of the Azure Active Directory group is already a member of an application role for product owners, this application role is assigned to the service item. Therefore, all members of this application role become product owners of the Azure Active Directory group.
-
If the owner of the Azure Active Directory group is not yet a member of an application role for product owners, a new application role is created. The name of the application corresponds to the name of the owner.
-
If the owner is a user account, the user account's identity is added to the application role.
-
If it is a group of owners, the identities of all this group's user accounts are added to the application role.
-
The Azure Active Directory group is labeled with the IT Shop option and assigned to the Azure Active Directory groups IT Shop shelf in the Identity & Access Lifecycle shop.
Then the shop customers can use the Azure Active Directory to request memberships in Web Portal groups.
NOTE: If an Azure Active Directory group is irrevocably deleted from the One Identity Manager database, the associated service item is also deleted.
For more information about configuring the One Identity Manager IT Shop Administration Guide, see the IT Shop. For more information about requesting access requests in the Web Portal, see the One Identity Manager Web Portal User Guide.
Related topics
To react quickly to special requests, you can assign groups directly to user accounts. You cannot directly assign groups that have the Only use in IT Shop option.
NOTE: User accounts cannot be manually added to dynamic groups.
To assign user accounts directly to a group
-
In the Manager, select the Azure Active Directory > Groups category.
-
Select the group in the result list.
-
Select the Assign user accounts task.
-
In the Add assignments pane, assign the user accounts.
TIP: In the Remove assignments pane, you can remove assigned user accounts.
To remove an assignment
- Save the changes.
Related topics
To react quickly to special requests, you can assign groups directly to user accounts. You cannot directly assign groups that have the Only use in IT Shop option.
NOTE: User accounts cannot be manually added to dynamic groups.
To assign groups directly to user accounts
-
In the Manager, select the Azure Active Directory > User accounts category.
-
Select the user account in the result list.
-
Select the Assign groups task.
-
In the Add assignments pane, assign the groups.
TIP: In the Remove assignments pane, you can remove the assignment of groups.
To remove an assignment
- Save the changes.
Related topics
When groups are assigned to user accounts an identity may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.
It is possible to assign an excluded group at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.
NOTE:
- You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
- You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
- One Identity Manager does not check if membership of an excluded group is permitted in another group ( table).
The effectiveness of the assignments is mapped in the AADUserInGroup and AADBaseTreeHasGroup tables by the XIsInEffect column.
Example: The effect of group memberships
- Group A is defined with permissions for triggering requests in a tenant. A group B is authorized to make payments. A group C is authorized to check invoices.
- Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.
Jo User1 has a user account in this tenant. They primarily belong to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to them secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.
By using suitable controls, you want to prevent an identity from being able to trigger a request and to pay invoices. That means, groups A, B, and C are mutually exclusive. An identity that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.
Table 14: Specifying excluded groups (AADGroupExclusion table)
Group A |
|
Group B |
Group A |
Group C |
Group B |
Table 15: Effective assignments
Pat Identity1 |
Marketing |
Group A |
Jan User3 |
Marketing, finance |
Group B |
Jo User1 |
Marketing, finance, control group |
Group C |
Chris User2 |
Marketing, control group |
Group A, Group C |
Only the group C assignment is in effect for Jo User1. It is published in the target system. If Jo User1 leaves the "control group" business role at a later date, group B also takes effect.
The groups A and C are in effect for Chris User2 because the groups are not defined as mutually exclusive. That means that the identity is authorized to trigger requests and to check invoices. If this should not be allowed, define further exclusion for group C.
Table 16: Excluded groups and effective assignments
Chris User2
|
Marketing |
Group A |
|
Group C
|
Control group |
Group C |
Group B
Group A |
Prerequisites
-
The QER | Structures | Inherite | GroupExclusion configuration parameter is set.
In the Designer, set the configuration parameter and compile the database.
NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
-
Mutually exclusive groups belong to the same tenant.
To exclude a group
-
In the Manager, select the Azure Active Directory > Groups category.
-
Select a group in the result list.
-
Select the Exclude groups task.
-
In the Add assignments pane, assign the groups that are mutually exclusive to the selected group.
- OR -
In the Remove assignments pane, remove the groups that are no longer mutually exclusive.
- Save the changes.