
Identity Manager 8.1 - Administration Guide for Connecting to SharePoint


Managing SharePoint Environments

Components and access rights from SharePoint 2010, SharePoint 2013 and SharePoint 2016 can be mapped in One Identity Manager. The aim is to provide company employees with access to SharePoint sites. To achieve this, information about the following SharePoint components is loaded into the One Identity Manager database.

  • The farm, as the top level of the logical architecture in the SharePoint environment

    The SharePoint farm is set up as the base object for synchronization in the One Identity Manager database.

  • All web applications set up inside the farm with their user policies and permitted permissions
  • All site collections for these web applications with their user accounts and groups
  • All sites added in site collections in a hierarchical structure (but not their content)
  • All permission levels and SharePoint roles that define permissions for individual sites

SharePoint roles, groups and user accounts are mapped in the context of the SharePoint components for which they are set up. In One Identity Manager, these objects give SharePoint users access permissions to the different websites. For this, you can use the various One Identity Manager mechanisms for linking employees with their SharePoint user accounts. The following objects are provisioned:

  • SharePoint user accounts and their relations to SharePoint roles and groups
  • SharePoint groups and their assignments to user accounts and roles
  • SharePoint roles and their site permissions

To log in to the SharePoint server, One Identity Manager supports classic Windows authentication as well as claims-based authentication. Every SharePoint user account that can log in with classic Windows authentication is assigned either an Active Directory or LDAP user account, or an Active Directory or LDAP group, in One Identity Manager. Login requires that the associated Active Directory or LDAP systems are also mapped in the One Identity Manager database. You can maintain information in One Identity Manager about the authentication systems used by the SharePoint environment.

For every SharePoint user account connected to an Active Directory or LDAP user account, an employee defined in the One Identity Manager database can additionally be assigned. This makes it possible to maintain employee memberships in SharePoint roles and groups. Employees can inherit SharePoint permissions when SharePoint roles and groups are assigned to organizational units. It is also possible to request permissions through the IT Shop. Permissions assigned to an employee can be monitored with compliance rules.

The SharePoint Module is based on the SharePoint Foundation 2010, 2013 and 2016 Class Libraries respectively.

Architecture overview

The SharePoint connector is used for synchronization and provisioning SharePoint. The connector communicates directly with a SharePoint farm's SharePoint servers.

Figure 1: Connector Paths for Communicating with SharePoint

The One Identity Manager Service, the SharePoint connector, and the Synchronization Editor must be installed on one of the SharePoint farm's servers. In the following, this server is referred to as the synchronization server. All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.


One Identity Manager users for managing a SharePoint environment

The following users are used in SharePoint system administration with One Identity Manager.

Table 1: Users

Users | Task

Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administrate application roles for individual target system types.
  • Specify the target system manager.
  • Set up other application roles for target system managers if required.
  • Specify which application roles are conflicting for target system managers.
  • Authorize other employees to be target system administrators.
  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | SharePoint application role or a sub-application role.

Users with this application role:

  • Assume administrative tasks for the target system.
  • Create, change or delete target system objects, like user accounts or groups.
  • Edit password policies for the target system.
  • Prepare system entitlements for adding to the IT Shop.
  • Can create employees with an identity that differs from the Primary identity.
  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
  • Edit the synchronization's target system types and outstanding objects.
  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in Designer as required.
  • Create system users and permissions groups for non-role-based login to administration tools in Designer as required.
  • Enable or disable additional configuration parameters in Designer as required.
  • Create custom processes in Designer as required.
  • Create and configure schedules as required.
  • Create and configure password policies as required.

Administrators for the IT Shop

Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Assign system entitlements to IT Shop structures.

Product owners for the IT Shop

Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owner application role or a child application role.

Users with this application role:

  • Approve requests.
  • Edit service items and service categories under their management.

Administrators for organizations

Administrators must be assigned to the Identity Management | Organizations | Administrators application role.

Users with this application role:

  • Assign system entitlements to departments, cost centers and locations.

Business roles administrators

Administrators must be assigned to the Identity Management | Business roles | Administrators application role.

Users with this application role:

  • Assign system entitlements to business roles.

Claims-Based Authentication

One Identity Manager supports claims-based authentication as well as classic Windows authentication for logging on to the SharePoint server. Information about the SharePoint providers and authentication modes is stored in the database for this purpose. Existing SharePoint providers for claims-based authentication are loaded into the database during synchronization. Registered providers are stored for each web application.

Each user account records the authentication mode its user logs in with. The default authentication mode depends on whether claims-based authentication is permitted for the associated web application.

The authentication mode is required to add user accounts to One Identity Manager. The user account login name for claims-based authentication contains a prefix that depends on which authentication mode is used. These prefixes are maintained with the authentication modes.
