
Identity Manager 8.1 - Authorization and Authentication Guide


About this guide

You can use the One Identity Manager roles and permissions model to control the edit permissions for users of the One Identity Manager. Permissions for accessing tables and columns of the One Identity Manager schema are defined by permissions groups. Permissions groups can be linked to application roles. The users are assigned to application roles and therefore receive the permissions they require. The valid permissions for a user are determined when the user logs into One Identity Manager. One Identity Manager provides different authentication modules for the login.

The One Identity Manager Authorization and Authentication Guide describes the basics and features of the internal One Identity Manager roles and permission model.

You will find an overview of the default application roles, default permissions groups and system users of the One Identity Manager. You will learn how to get the application roles up and running. The guide also explains how you grant permissions for the tables and columns of the One Identity Manager schema. In addition, you will find an overview of the various One Identity Manager authentication modules.

This guide is intended for end users, system administrators, consultants, analysts, and any other IT professionals using the product.

NOTE: This guide describes One Identity Manager functionality available to the default user. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.

Available documentation

You can access the One Identity Manager documentation in Manager and in Designer by selecting Help | Search. The online version of the One Identity Manager documentation is available in the Support-Portal under Online-Documentation. You will find videos with additional information at www.YouTube.com/OneIdentity.

One Identity Manager Application roles

You can use the One Identity Manager role model to control edit permissions for One Identity Manager users. This role model takes into account technical aspects, for example, administrative rights in the One Identity Manager tools, as well as functional aspects, which result from the tasks of One Identity Manager users within the company structure (for example, permissions for approving requests). For this purpose, One Identity Manager provides so-called application roles.

Application roles have the following aims:

  • Program functions, employees, company resources, approval workflows and approval policies are assigned to fixed application roles. Write permissions for these application roles do not need to be defined specifically for the company. This simplifies administration of access permissions.
  • Enables audit-secure internal administration of One Identity Manager users and their write permissions. Permissions can be granted through assignment, through request and approval, or by calculation on the basis of specific properties. Furthermore, issuing permissions with the attestation function is integrated into the attestation process.
  • Users are provided with the initial permissions they require for carrying out their tasks. This is a way, for example, to create initially required user accounts.

Application roles are linked to permissions groups whose write permissions are predefined by One Identity Manager. These write permissions control:

  • Navigation configuration in administration tools
  • Access to objects and their properties
  • Which interface forms and tasks are displayed
  • Availability of special program functionality

To use application roles, users must log in to One Identity Manager with a role-based authentication module. The role-based authentication module determines the valid write permissions from all of the user's application roles. When users log in to the One Identity Manager tools, they therefore receive the permissions for One Identity Manager functions that correspond to their application roles.


Application roles overview

One Identity Manager supplies default application roles whose permissions are matched to the different tasks and functions. Assign employees who take on individual tasks and functions to the default application roles. You can also create your own application roles for custom-defined tasks.

NOTE: Default application roles are defined in One Identity Manager modules and are not available until the modules are installed. You cannot delete default application roles.

The following default application roles are defined:

Application roles for basic functions

NOTE: These application roles are available if the Identity Management Base Module is installed.

The following application roles are available to you for the basic functionality in One Identity Manager.

Table 1: Application Roles for Basic Functions

Application role: Administrators

Description: Administrators must be assigned to Base roles | Administrators.

Users with this application role:

  • Administer application roles for administrators.
  • Assign employees to administrator application roles.
  • Can assign other employees to Base roles | Administrators and edit conflicting application roles.
  • See the master data for the other application roles.
  • Can use the Password Reset Portal to set passwords for selected system users.

Application role: Everyone (change)

Description: Base roles | Everyone (change) is automatically assigned to every user.

Users with this application role:

  • Can edit certain employee master data in the Web Portal.

If every user should be automatically assigned to a custom permissions group when they log in, this permissions group can be added to the application role.

Members of this application role are determined through a dynamic role.

Application role: Everyone (lookup)

Description: Base roles | Everyone (lookup) is automatically assigned to every user.

Users with this application role:

  • Obtain read access to objects in the Web Portal.

If every user should be automatically assigned to a custom permissions group when they log in, this permissions group can be added to the application role.

Members of this application role are determined through a dynamic role.

Application role: Employee managers

Description: Base roles | Employee managers is automatically assigned to a user if the user is a manager or supervisor of employees, departments, locations, cost centers, business roles, or IT Shops.

Users with this application role:

  • Can edit master data for the objects they are responsible for and assign company resources to them.
  • Can edit master data for their employees in the Web Portal.
  • Can add their staff members to the IT Shop.
  • Employee and department managers can add new employees in the Web Portal.
  • Can view their staff's compliance rule violations in the Web Portal.

Members of this application role are determined through a dynamic role.

Application role: Birthright assignments

Description: Base roles | Birthright assignments is used to provide employees with the birthrights that establish their working environment. This application role is allocated all the resources marked for automatic assignment to all employees. All internal employees are assigned to this application role and obtain these resources. Internal employees are found through a dynamic role.

Application role: Operations support

Description: Employees who use the Operations Support Web Portal must be assigned the application role Base roles | Operations support.

Users with this application role:

  • Monitor handling of Job queue processes
  • Monitor handling of the DBQueue
  • Create access codes to enable employees to log on to the Password Reset Portal
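The following added example (not product code, and not the actual One Identity Manager implementation) models how the role-based login described earlier resolves a user's effective permissions, and how the dynamic roles in Table 1 fill their membership automatically. Permissions group names, column names and the dynamic-role conditions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set
# Constructed model (added example, not product code): permissions groups hold
# table/column permissions, application roles link to permissions groups, some
# roles are filled by a dynamic role, and login takes the union over all roles.
@dataclass(frozen=True)
class Employee:
    name: str
    is_internal: bool = True
    manages: FrozenSet[str] = frozenset()         # employees this person manages
    assigned_roles: FrozenSet[str] = frozenset()  # explicit role assignments
# Hypothetical permissions groups: "Table.Column" -> "r" (read) or "rw" (edit)
PERMISSIONS_GROUPS: Dict[str, Dict[str, str]] = {
    "GROUP_LOOKUP":  {"Person.FirstName": "r", "Person.LastName": "r"},
    "GROUP_CHANGE":  {"Person.Phone": "rw"},
    "GROUP_MANAGER": {"Person.LastName": "rw", "Person.Department": "rw"},
    "GROUP_ADMIN":   {"ApplicationRole.Description": "rw"},
}
# Application roles from Table 1 and the permissions groups linked to them
# (Birthright assignments hands out resources, so it links to no group here)
ROLE_GROUPS: Dict[str, Set[str]] = {
    "Base roles | Everyone (lookup)": {"GROUP_LOOKUP"},
    "Base roles | Everyone (change)": {"GROUP_CHANGE"},
    "Base roles | Employee managers": {"GROUP_MANAGER"},
    "Base roles | Administrators":    {"GROUP_ADMIN"},
}
# Dynamic roles: membership is calculated from employee properties, not assigned
DYNAMIC_ROLES: Dict[str, Callable[[Employee], bool]] = {
    "Base roles | Everyone (lookup)": lambda e: True,
    "Base roles | Everyone (change)": lambda e: True,
    "Base roles | Employee managers": lambda e: bool(e.manages),
    "Base roles | Birthright assignments": lambda e: e.is_internal,
}
def roles_at_login(emp: Employee) -> Set[str]:
    """Explicit assignments plus every dynamic role whose condition holds."""
    return set(emp.assigned_roles) | {r for r, ok in DYNAMIC_ROLES.items() if ok(emp)}
def effective_permissions(emp: Employee) -> Dict[str, str]:
    """Union of all linked permissions groups; 'rw' from any role beats 'r'."""
    rank = {"": 0, "r": 1, "rw": 2}
    result: Dict[str, str] = {}
    for role in roles_at_login(emp):
        for group in ROLE_GROUPS.get(role, set()):
            for col, perm in PERMISSIONS_GROUPS[group].items():
                if rank[perm] > rank[result.get(col, "")]:
                    result[col] = perm
    return result
```

A manager therefore gains "rw" on Person.LastName from Employee managers even though Everyone (lookup) only grants "r" on it, while an external user never picks up Birthright assignments.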
