
Identity Manager 8.1.4 - Authorization and Authentication Guide


Generating assignment resources for application roles

It is possible to create assignment resources for individual application roles. This means you can limit assignment resources to individual application roles in the Web Portal. When the assignment resource is requested, it is no longer necessary to select the application role as well. The application role is automatically a part of the assignment request. For detailed information about assignment requests, see the One Identity Manager IT Shop Administration Guide.

To limit an assignment resource to one application role

  1. In the Manager, in the One Identity Manager Administration category, select the application role.
  2. Select the Create assignment resource task.

    This starts a wizard, which takes you through adding an assignment resource.

Reports about application roles

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for application roles.

Table 14: Reports about application roles

Overview of all assignments

This report identifies all departments, cost centers, locations, business roles, or IT Shop structures in which employees from the selected application role are also members. For detailed information about analyzing role memberships, see the One Identity Manager Identity Management Base Module Administration Guide.

Show historical memberships

This report lists all members of the selected application role and the length of their membership.

Granting One Identity Manager schema permissions through permissions groups

Permissions for accessing tables and columns of the One Identity Manager schema are themselves mapped in the schema through permissions groups. You can assign permissions groups to system users and to application roles.

Permissions groups are also used to control access to parts of the user interface, such as menu items, forms, tasks, and program functions. When a user logs in to One Identity Manager tools, the menus, forms, and methods available to the system user's permissions groups are loaded, so the user interface is tailored to that system user. For more detailed information about editing the user interface, see the One Identity Manager Configuration Guide.

One Identity Manager provides permissions groups and system users with a predefined user interface and edit permissions to the One Identity Manager schema's tables and columns. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties.


Predefined permissions groups and system users

One Identity Manager provides permissions groups and system users with a predefined user interface and special edit permissions for One Identity Manager schema's tables and columns. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties.

Table 15: Predefined permissions groups

Permissions group QBM_BaseRights

The QBM_BaseRights permissions group defines the base rights that are required for a system user to log in to the One Identity Manager tools. This permissions group is always assigned implicitly.

Permissions group VID_Features

The VID_Features permissions group covers all program functions required for starting the One Identity Manager tools. The permissions group covers additional program functions for executing special functions in One Identity Manager.

Permissions group VI_View

The VI_View permissions group has viewing permissions for all tables and columns of the One Identity Manager application data model.

NOTE: Assign viewing permissions for custom schema extensions to this permissions group.
Permissions group VI_Everyone

The VI_Everyone permissions group is assigned to form elements of the overview forms that use links to the corresponding menu items. This permissions group also provides functions for Web Portal users.

NOTE: Assign the permissions group to your custom system users such that the overview form is fully displayed to the users.

Permissions groups for the One Identity Manager application data model

These permissions groups have edit permissions for One Identity Manager application data model tables and columns. They are equipped with menu items, forms, tasks, and program functions that allow the application data to be edited with the Manager.

Permissions groups for the One Identity Manager system data model

These permissions groups have permissions for One Identity Manager system data model tables and columns. They are equipped with menu items, forms, tasks, and program functionality that allow the system data to be edited, for example, with the Designer editors.

The vid permissions group has all edit permissions for the system configuration with the Designer.

Role-based permissions group VI_4_ALLUSER

The VI_4_ALLUSER permissions group provides the base rights as well as menu items, forms, tasks, and program functions that enable the application data to be edited with the Manager and the Web Portal. This permissions group is always assigned implicitly.

Role-based permissions group vi_4_ADMIN_LOOKUP

The vi_4_ADMIN_LOOKUP permissions group has the viewing permissions for all tables and columns of the One Identity Manager application data model.

NOTE: Assign viewing permissions for custom schema extensions to this permissions group. Also assign viewing permissions for a module's own tables and columns to this permissions group.

Role-based permissions group QER_OperationsSupport

The QER_OperationsSupport permissions group has special permissions for working with the Operations Support Web Portal. The permissions group is assigned to the OperationsSupportWebPortal application. The permissions of the permissions group apply only in the Operations Support Web Portal.

Role-based permissions groups

Role-based permissions groups have edit permissions for One Identity Manager application data model tables and columns. These permissions groups are equipped with menu items, forms, tasks, and program functionality which allow the application data to be edited with the Manager and Web Portal. These permissions groups are linked to the One Identity Manager application roles and simplify administration of access permissions in the One Identity Manager role model.

Table 16: Predefined system users

Dynamic system user

Dynamic system users are used for logging in to One Identity Manager tools with role-based authentication modules. During login, the employee's memberships in One Identity Manager application roles are determined first. The assignments of permissions groups to those application roles then determine which permissions groups apply to the employee. A dynamic system user is derived from this set of permissions groups and used for the employee's login.

System user sa

The sa system user is used exclusively by the One Identity Manager Service. This system user is not allocated any permissions groups but has all access permissions, tasks, and program functionality.

System user viadmin

The viadmin system user is the default system user in One Identity Manager. This system user can be used to compile and initialize the One Identity Manager database and for the first user login to the administration tools.

IMPORTANT: Do not use the viadmin system user in a live environment. Create your own system user with the appropriate permissions.

The viadmin system user has all of the specified permissions and the complete user interface. It implicitly receives the permissions and user interface parts of the custom permissions groups. It also has permission to set up an employee as a One Identity Manager administrator for role-based login, but it is not itself a member of any application role.

System user Synchronization

The Synchronization system user has the necessary permissions to set up and run target system synchronizations using an application server.

System user viHelpdesk

The viHelpdesk system user has the necessary permissions and the user interface to use the Manager to access One Identity Manager helpdesk resources.
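The login sequence for dynamic system users in Table 16 (application role memberships, then the permissions groups assigned to those roles, then a system user derived from that set of groups), modeled as an added Python example. This is not One Identity Manager code: the application role names, the role-to-group assignments, the table rights per group, and the naming scheme for the derived dynamic system user are all constructed assumptions used to illustrate the resolution; only the two implicitly assigned groups (QBM_BaseRights and VI_4_ALLUSER) are taken from Table 15.

```python
"""Model of role-based login: employee -> application roles -> permissions
groups -> dynamic system user.  Added illustration, not One Identity Manager
code.  Role names, group assignments and table rights are constructed."""
from typing import Dict, FrozenSet, Iterable, Mapping, Set

# Table 15 states these two groups are always assigned implicitly.
IMPLICIT_GROUPS: FrozenSet[str] = frozenset({"QBM_BaseRights", "VI_4_ALLUSER"})

# Ordering used to pick the strongest right a set of groups grants.
RIGHT_RANK = {"none": 0, "view": 1, "edit": 2}

# Constructed mapping of application roles to permissions groups (assumption).
ROLE_TO_GROUPS: Dict[str, Set[str]] = {
    "Identity Management\\Administrators": {"vi_4_PERSONADMIN", "vi_4_ADMIN_LOOKUP"},
    "IT Shop\\Administrators": {"vi_4_ITSHOPADMIN", "vi_4_ADMIN_LOOKUP"},
}

# Constructed table rights per permissions group (assumption).  A real
# deployment stores these at table and column granularity in the schema.
GROUP_TABLE_RIGHTS: Dict[str, Dict[str, str]] = {
    "QBM_BaseRights": {},
    "VI_4_ALLUSER": {"Person": "view"},
    "vi_4_ADMIN_LOOKUP": {"Person": "view", "Department": "view", "ITShopOrg": "view"},
    "vi_4_PERSONADMIN": {"Person": "edit", "Department": "edit"},
    "vi_4_ITSHOPADMIN": {"ITShopOrg": "edit"},
}


def effective_groups(role_memberships: Iterable[str],
                     role_to_groups: Mapping[str, Set[str]] = ROLE_TO_GROUPS) -> FrozenSet[str]:
    """Steps 1 and 2 of the login: the groups assigned to every role the
    employee holds, plus the implicit groups.  Unknown roles contribute nothing."""
    groups: Set[str] = set(IMPLICIT_GROUPS)
    for role in role_memberships:
        groups |= role_to_groups.get(role, set())
    return frozenset(groups)


def dynamic_system_user(groups: FrozenSet[str]) -> str:
    """Step 3: one dynamic system user per distinct combination of groups.
    The name format is an assumption of this model."""
    return "DYN_" + "+".join(sorted(groups))


def effective_right(groups: Iterable[str], table: str,
                    rights: Mapping[str, Mapping[str, str]] = GROUP_TABLE_RIGHTS) -> str:
    """Strongest right any of the user's groups grants on the table.
    Rights accumulate across groups; nothing here takes a right away."""
    best = "none"
    for group in groups:
        right = rights.get(group, {}).get(table, "none")
        if RIGHT_RANK[right] > RIGHT_RANK[best]:
            best = right
    return best


def login(role_memberships: Iterable[str]) -> dict:
    """Resolve what an employee with the given role memberships ends up with."""
    groups = effective_groups(role_memberships)
    return {
        "groups": groups,
        "system_user": dynamic_system_user(groups),
        "Person": effective_right(groups, "Person"),
        "ITShopOrg": effective_right(groups, "ITShopOrg"),
    }


if __name__ == "__main__":
    for roles in ([], ["Identity Management\\Administrators"], ["IT Shop\\Administrators"]):
        print(roles, login(roles))
```

Two things the model makes visible: every employee, even one with no application role at all, already lands on a dynamic system user carrying the implicit groups, and rights only accumulate across groups, so adding a broad group such as vi_4_ADMIN_LOOKUP to one application role widens the dynamic system user of everyone in that role.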