
Identity Manager 9.0 LTS - Authorization and Authentication Guide


Main data of application roles

Table 17: Application role properties



Application role

Application role name.

Internal name

Empty text field for an internal company identifier.

Full name

Full name of the application role. It is made up automatically from the application role name and the parent application role.

Parent application role

Application role to which the application role being edited is subordinate.

Department, location, cost center

Additional information for the application role definition. These input fields are only used for information. They do not indicate for which department, cost center or location the application roles are responsible.

Manager
Manager responsible for the application role.

Deputy manager

Deputy manager for the application role.

Additional manager

Application role for a group of managers and deputies who manage this application role.

To create a new application role, click . Enter the application role name and assign a parent application role.

Permissions group

Permissions group for determining permissions for role-based login. The application role is given the permissions of the associated permissions group. If no permissions group is assigned, the application role obtains the permissions from the parent application role.

Administrators can assign the rest of the application roles to custom defined permissions groups.

NOTE: Permissions groups for default administrator application roles cannot be edited.


Text field for additional explanation.


Text field for additional explanation.

Certification status

Status of the application role's certification. The following values can be selected.

  • New: The application role was newly created in the One Identity Manager database.

  • Certified: The main data of the application role is approved by a manager.

  • Denied: The application role main data was not approved by a manager.

Block inheritance

Specifies whether inheritance for this application role can be discontinued. Set this option to prevent company resources being inherited by child application roles.

NOTE: Inheritance of application roles can only be discontinued if they are custom application roles.

Dynamic roles not allowed

Specifies whether a dynamic role can be created for the application role.

Spare field no. 01 ... Spare field no. 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.


Assigning employees to application roles

Assigned employees obtain all the permissions of the permissions group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role.

If there are no employees directly assigned to an application role, the employees of the parent application role inherit the permissions.

NOTE: The application roles Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers, and Base roles | Birthright Assignments are automatically assigned to employees. Do not make any manual assignments to these application roles.

To assign employees to an application role

  1. In the Manager, select an application role in the One Identity Manager Administration category.

  2. Select the Assign employees task.

  3. In the Add assignments pane, add employees.

    TIP: In the Remove assignments pane, you can remove assigned employees.

    To remove an assignment

    • Select the employee and double-click .

  4. Save the changes.

Custom extension of application role permissions

For role-based login, application roles must link to a permissions group in which permissions for One Identity Manager are defined. The application role is given the permissions of the associated permissions group. If no permissions group is assigned, the application role obtains the permissions from the parent application role.

Some of the default application roles are already assigned permissions groups. These permissions groups have the permissions for the tables and columns and are equipped with menu items, forms, tasks, and program functions, which allow the application data to be edited in the Manager and in the Web Portal.

You can assign customized permissions groups to application roles so that the permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.

NOTE: You can simplify grouping of permissions by using hierarchical linking of permissions groups. Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging to its parent permissions groups.

Proceed as follows:

  1. In the Designer, create a new permissions group.

    NOTE: Set the Only use for role-based authentication option for the permissions group.

  2. In the Designer, make the new permissions group dependent on the default permissions group of the application role. Assign the default permissions group as a parent permissions group. This means the newly defined permissions group inherits the properties of the default permissions group.

  3. In the Designer, grant additional edit permissions for menu items, forms, tables, or columns.

  4. In the Manager, assign the new permissions group to the application role.

A user who logs in to the Manager or to the Web Portal with an application role changed in this way receives the custom permissions in addition to the default permissions of this application role.
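The two inheritance rules this section relies on (a role without a permissions group falls back to its parent role's group, and a permissions group holds all permissions of its parent groups) are easy to get wrong when reviewing a customized configuration. The following is an added, constructed model of those rules, not One Identity Manager code; the class names, the (table, access) permission tuples and the sample groups and roles are hypothetical, and the last function performs the check the guide asks for: that a custom permissions group still contains every write permission of the default permissions group it extends.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the permission rules described in this guide.
# A permission is represented as a (table, access) tuple, e.g. ("Person", "write").


@dataclass
class PermissionsGroup:
    name: str
    parent: Optional["PermissionsGroup"] = None
    own: set = field(default_factory=set)  # permissions granted directly on this group

    def effective(self) -> set:
        """Hierarchical groups inherit top down: a group holds the permissions
        of all its parent groups plus its own."""
        inherited = self.parent.effective() if self.parent else set()
        return inherited | self.own


@dataclass
class ApplicationRole:
    name: str
    parent: Optional["ApplicationRole"] = None
    permissions_group: Optional[PermissionsGroup] = None

    def resolved_group(self) -> Optional[PermissionsGroup]:
        """A role without a permissions group uses the parent role's group."""
        if self.permissions_group is not None:
            return self.permissions_group
        return self.parent.resolved_group() if self.parent else None


def effective_permissions(role: ApplicationRole) -> set:
    """Permissions a user logged in with this role receives (role-based login)."""
    group = role.resolved_group()
    return group.effective() if group else set()


def missing_write_permissions(default: PermissionsGroup, custom: PermissionsGroup) -> set:
    """Write permissions of the default group that the custom group lacks.
    An empty result means the custom group satisfies the guide's requirement."""
    writes = {p for p in default.effective() if p[1] == "write"}
    return writes - custom.effective()


# Constructed sample configuration (not real One Identity Manager objects).
default_group = PermissionsGroup("DefaultRoleGroup", own={("Person", "read"), ("Person", "write")})
custom_group = PermissionsGroup("CustomRoleGroup", parent=default_group, own={("Department", "write")})
standalone_group = PermissionsGroup("StandaloneGroup", own={("Person", "read")})  # no parent: loses writes
parent_role = ApplicationRole("Parent role", permissions_group=default_group)
child_role = ApplicationRole("Child role", parent=parent_role)  # no group: inherits from parent role
custom_role = ApplicationRole("Custom role", parent=parent_role, permissions_group=custom_group)
```

Running `missing_write_permissions(default_group, standalone_group)` reports the write permission that a group created without the default group as parent would silently drop.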


Creating and editing dynamic roles for application roles

Use this task to assign employees to an application role through dynamic roles. For more information about using dynamic roles, see the One Identity Manager Identity Management Base Module Administration Guide.

NOTE: The task Create dynamic role is only available for application roles that do not have the option Dynamic roles not allowed set.

To create a dynamic role for the application role

  1. In the Manager in the One Identity Manager Administration category, select the application role.

  2. Select the Create dynamic role task.

  3. Enter the required main data. The following applies to dynamic roles for application roles:

    • Object class: Select Employee.

    • Application role: This data is preset with the selected application role. If these objects fulfill the dynamic role conditions, they become members in the application role.

    • Dynamic role: The dynamic role name is made up of the object class and the full name of the application role by default.

  4. Save the changes.

To edit a dynamic role

  1. In the Manager in the One Identity Manager Administration category, select the application role.

  2. Select the Application role overview task.

  3. In the overview form, click the dynamic role name in the Dynamic roles form element.

  4. Select the Change main data task.

  5. Edit the dynamic role.

  6. Save the changes.