Chat now with support
Chat mit Support

Identity Manager 8.1.3 - Administration Guide for Connecting to LDAP

Managing LDAP environments Synchronizing LDAP directories
Setting up initial LDAP directory synchronization Customizing the synchronization configuration Executing synchronization Tasks after a synchronization Troubleshooting
Basic configuration data LDAP domains LDAP user accounts LDAP groups LDAP container structures LDAP computers Reports about LDAP objects Configuration parameters for managing an LDAP environment Default project template for LDAP Generic LDAP connector settings

Adding LDAP groups to the IT Shop

When you assign a group to an IT Shop shelf, it can be requested by the shop customers. To ensure it can be requested, further prerequisites need to be guaranteed:

  • The group is not a dynamic group.

  • The group must be labeled with the IT Shop option.

  • The group must be assigned a service item.

    TIP: In the Web Portal, all products that can be requested are grouped together by service category. To make the group easier to find in the Web Portal, assign a service category to the service item.

  • If you only want the group to be assigned to employees through IT Shop requests, the group must also be labeled with the Use only in IT Shop option. Direct assignment to hierarchical roles or user accounts is no longer permitted.

NOTE: With role-based login, the IT Shop administrators can assign groups to IT Shop shelves. Target system administrators are not authorized to add groups to IT Shop.

To add a group to the IT Shop.

  1. In the Manager select the LDAP | Groups category (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements | LDAP groups (role-based login) category.

  2. In the result list, select the group.
  3. Select the Add to IT Shop task.
  4. In the Add assignments pane, assign the group to the IT Shop shelves.
  5. Save the changes.

To remove a group from individual shelves of the IT Shop

  1. In the Manager select the LDAP | Groups category (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements | LDAP groups (role-based login) category.

  2. In the result list, select the group.
  3. Select the Add to IT Shop task.
  4. In the Remove assignments pane, remove the group from the IT Shop shelves.
  5. Save the changes.

To remove a group from all shelves of the IT Shop

  1. In the Manager, select the LDAP | Groups category (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements | LDAP groups (role-based login) category.

  2. In the result list, select the group.
  3. Select the Remove from all shelves (IT Shop) task.
  4. Confirm the security prompt with Yes.
  5. Click OK.

    The group is removed from all shelves by the One Identity Manager Service. All requests and assignment requests with this group, are canceled.

For more detailed information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Related topics

Additional tasks for managing LDAP groups

After you have entered the master data, you can run the following tasks.

Overview of LDAP groups

Use this task to obtain an overview of the most important information about a group.

To obtain an overview of a group

  1. In the Manager, select the LDAP | Groups category.

  2. Select the group in the result list.

  3. Select the LDAP group overview task.

Effectiveness of group memberships

Table 34: Configuration parameters for conditional inheritance
Configuration parameter Effect when set

QER | Structures | Inherite | GroupExclusion

Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to this parameter require the database to be recompiled.

When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
  • One Identity Manager does not check if membership of an excluded group is permitted in another group ( table).

The effectiveness of the assignments is mapped in the LDAPAccountInLDAPGroup and BaseTreeHasLDAPGroup tables by the XIsInEffect column.

Example of the effect of group memberships
  • Group A is defined with permissions for triggering requests in a domain A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.

Clara Harris has a user account in this domain. She primarily belongs to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.

By using suitable controls, you want to prevent an employee from being able to trigger a request and to pay invoices. That means, groups A, B, and C are mutually exclusive. An employee that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.

Table 35: Specifying excluded groups (LDAPGroupExclusion table)

Effective group

Excluded group

Group A

Group B

Group A

Group C

Group B

Table 36: Effective assignments

Employee

Member in role

Effective group

Ben King

Marketing

Group A

Jan Bloggs

Marketing, finance

Group B

Clara Harris

Marketing, finance, control group

Group C

Jenny Basset

Marketing, control group

Group A, Group C

Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the "control group" business role at a later date, group B also takes effect.

The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. That means that the employee is authorized to trigger requests and to check invoices. If this should not be allowed, define further exclusion for group C.

Table 37: Excluded groups and effective assignments

Employee

Member in role

Assigned group

Excluded group

Effective group

Jenny Basset

 

Marketing

Group A

 

Group C

 

Control group

Group C

Group B

Group A

Prerequisites
  • The QER | Structures | Inherite | GroupExclusion configuration parameter is set.

  • Mutually exclusive groups belong to the same domain

To exclude a group

  1. In the Manager, select the LDAP | Groups category.

  2. Select a group in the result list.
  3. Select the Exclude groups task.

  4. In the Add assignments pane, assign the groups that are mutually exclusive to the selected group.

    - OR -

    In the Remove assignments pane, remove the groups that are not longer mutually exclusive.

  5. Save the changes.
Verwandte Dokumente