
Identity Manager 9.1 - Identity Management Base Module Administration Guide


Limited access to One Identity Manager

NOTE: This function is only available if the Attestation Module is installed.

Users who only have temporary or limited access to One Identity Manager can log in through the Web Portal. This functionality can be used, for example, if external employees, such as contract workers, are to be given temporary access to One Identity Manager. These employees can log in to the Web Portal as new workers. New employee objects are added for them in the One Identity Manager database.

If you make use of this functionality, take note of the following:

  • In One Identity Manager, an employee with the following properties is created:

    • Certification status: New

    • Permanently deactivated: Set

    • No inheritance: Set

  • If the QER | Attestation | UserApproval configuration parameter is set, the new employee is attested automatically.

  • To assign company resources to the employee or to ensure permissions in One Identity Manager, implement custom processes.

For more information about attestation, see the One Identity Manager Attestation Administration Guide.


Changing the certification status of employees

NOTE: This function is only available if the Attestation Module is installed.

Employee's certification status is set by default through certification and recertification procedures. For more information, see the One Identity Manager Attestation Administration Guide.

You can manually change an employee's certification status if it is necessary to do so outside the regular recertification schedule.

Prerequisite
  • The QER | Attestation | UserApproval configuration parameter is set.

To change an employee's certification status manually

  1. To change the certification status of an active employee, in the Manager, select the Employees > Employees category.

    - OR -

    To change the certification status of a permanently deactivated employee, in the Manager, select the Employees > Inactive employees category.

  2. Select the employee in the result list.

  3. Select the Change certification status task.

  4. Select the certification status you want from the Certification status menu.

  5. Click OK to accept the changes.

    The new certification status for the employee is displayed on the form.

    NOTE: The Permanently deactivated option is updated depending on the certification status. If an employee's certification status is set to Denied manually or as a result of attestation, the employee is immediately deactivated permanently. If the employee's certification status is changed to Certified, the employee is activated again.


Assigning company resources to employees

One Identity Manager uses different assignment types to assign company resources.

  • Indirect assignment

    In the case of indirect assignment of company resources, employees, devices, and workdesks are arranged in departments, cost centers, locations, business roles, or application roles. The total of assigned company resources for an employee, device, or workdesk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up), and the company resources assigned to these roles. Indirect assignment distinguishes between primary and secondary assignment.

  • Direct assignment

    Direct assignment of company resources results from the assignment of a company resource to an employee, device, or workdesk, for example. Direct assignment of company resources makes it easier to react to special requirements.

  • Assignment by dynamic roles

    Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices, and workdesks are not permanently assigned to a role, but only while they fulfill certain conditions. A check is performed regularly to assess which employees, devices, or workdesks fulfill these conditions. This means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees in a department in this way; if an employee leaves the department, they immediately lose the resources assigned to them.

  • Assigning through IT Shop requests

    Assignment through the IT Shop is a special case of indirect assignment. Add employees to a shop as customers so that company resources can be assigned through IT Shop requests. All company resources assigned as products to this shop can be requested by the customers. Requested company resources are assigned to the employees after approval is granted. Role memberships can be requested through the IT Shop as well as company resources.

The following table shows the possible company resources assignments to employees.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.

Table 39: Possible assignments of company resources to employees

Company resource | Direct assignment permitted | Indirect assignment permitted | Comment
Resources | + | + |
System roles | + | + |
Subscribable reports | + | + |
Software | + | + |
Account definitions | + | + |
Groups of custom target systems | - | + | All the employee's user accounts in the custom target systems that permit group inheritance are assigned to the groups.
System entitlements of custom target systems | - | + | All the employee's custom target system user accounts that permit system entitlement inheritance are assigned to the system entitlements of the custom target system.
Active Directory groups | - | + | All the employee's Active Directory user accounts and Active Directory contacts that permit group inheritance are assigned to the Active Directory groups.
SharePoint groups | - | + | All the employee's SharePoint user accounts that permit group inheritance are assigned to the SharePoint groups.
SharePoint roles | - | + | All the employee's SharePoint user accounts that permit group inheritance are assigned to the SharePoint roles.
LDAP groups | - | + | All the employee's LDAP user accounts that permit group inheritance are assigned to the LDAP groups.
Notes groups | - | + | All the employee's Notes user accounts that permit group inheritance are assigned to the Notes groups.
SAP groups | + | + | All the employee's SAP user accounts that are in the same SAP client and permit group inheritance are assigned to the SAP groups.
SAP profiles | + | + | All the employee's SAP user accounts that are in the same SAP client and permit group inheritance are assigned to the SAP profiles.
SAP roles | + | + | All the employee's SAP user accounts that are in the same SAP client and permit group inheritance are assigned to the SAP roles.
Structural profiles | - | + | All the employee's SAP user accounts that are in the same SAP client and permit group inheritance are assigned to the structural profiles.
BI analysis authorizations | - | + | All the employee's BI user accounts that permit group inheritance are assigned to the BI analysis authorizations.
E-Business Suite permissions | - | + | All the employee's E-Business Suite user accounts that are in the same E-Business Suite system and permit group inheritance are assigned to the E-Business Suite groups.
Azure Active Directory groups | - | + | All the employee's Azure Active Directory user accounts that permit group inheritance are assigned to the Azure Active Directory groups.
Azure Active Directory administrator roles | - | + | All the employee's Azure Active Directory user accounts that permit group inheritance are assigned to the Azure Active Directory administrator roles.
Azure Active Directory subscriptions | - | + | All the employee's Azure Active Directory user accounts that permit group inheritance are assigned to the Azure Active Directory subscriptions.
Disabled Azure Active Directory service plans | - | + | All the employee's Azure Active Directory user accounts that permit group inheritance are assigned to the disabled Azure Active Directory service plans.
Unix groups | - | + | All the employee's Unix user accounts that permit group inheritance are assigned to the Unix groups.
PAM user groups | - | + | All the employee's PAM user accounts that permit group inheritance are assigned to the PAM user groups.
SharePoint Online groups | - | + | All the employee's SharePoint Online user accounts that permit group inheritance are assigned to the SharePoint Online groups.
SharePoint Online roles | - | + | All the employee's SharePoint Online user accounts that permit group inheritance are assigned to the SharePoint Online roles.
Google Workspace products and SKUs | - | + | All the employee's Google Workspace user accounts that permit group inheritance are assigned to the Google Workspace products and SKUs.
Google Workspace groups | - | + | All the employee's Google Workspace user accounts that permit group inheritance are assigned to the Google Workspace groups.
Cloud groups | - | + | All the employee's cloud user accounts that permit group inheritance are assigned to the cloud groups.
Cloud system entitlements | - | + | All the employee's cloud user accounts that permit system entitlement inheritance are assigned to the cloud system entitlements.
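As an added illustration (example code, not part of the One Identity Manager documentation or product), the following Python model applies the rules of Table 39 to a constructed employee: direct assignment is refused for kinds the table marks with "-", resources assigned to a role are inherited by its members, and a target-system group reaches only those of the employee's user accounts in that system that permit group inheritance (for SAP, only accounts in the same client). All class names, resource kinds, and sample data are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Subset of Table 39: kinds that may be assigned directly (the rest are
# indirect only); kinds in KIND_SYSTEM are pushed down to user accounts.
DIRECT_ALLOWED = {"Resource", "SAP group"}
KIND_SYSTEM = {"AD group": "AD", "LDAP group": "LDAP", "SAP group": "SAP"}

@dataclass(frozen=True)
class Resource:
    kind: str
    name: str
    client: str | None = None     # SAP client the group lives in
@dataclass
class UserAccount:
    system: str
    name: str
    inherit_groups: bool          # the account's "permits group inheritance" flag
    client: str | None = None     # SAP client of the account
@dataclass
class Employee:
    accounts: list[UserAccount]
    roles: set[str] = field(default_factory=set)        # e.g. departments
    direct: set[Resource] = field(default_factory=set)

# Constructed: resources assigned to a department, inherited by its members.
ROLE_RESOURCES = {"Dept-IT": {Resource("AD group", "GG-IT-Staff"),
                              Resource("SAP group", "Z_BASIS", client="100"),
                              Resource("Resource", "Building badge")}}

def assign_direct(emp: Employee, res: Resource) -> None:
    # Direct assignment is refused for kinds Table 39 marks with '-'.
    if res.kind not in DIRECT_ALLOWED:
        raise ValueError(f"{res.kind} cannot be assigned directly")
    emp.direct.add(res)

def effective_resources(emp: Employee) -> set[Resource]:
    # Direct assignments plus everything inherited through role membership.
    return set(emp.direct).union(*(ROLE_RESOURCES.get(r, set()) for r in emp.roles))

def account_memberships(emp: Employee) -> dict[str, set[str]]:
    # A group reaches only accounts of its system that permit inheritance (SAP: same client).
    result: dict[str, set[str]] = {}
    for res in effective_resources(emp):
        for acct in emp.accounts:
            if acct.system != KIND_SYSTEM.get(res.kind) or not acct.inherit_groups:
                continue          # other system, employee-level resource, or no inheritance
            if acct.system == "SAP" and acct.client != res.client:
                continue
            result.setdefault(res.name, set()).add(acct.name)
    return result
```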


Assigning employees to departments, cost centers, and locations

Assign the employee to departments, cost centers, and locations so employees obtain their company resources through these organizations. To assign company resources to departments, cost centers, and locations, use the appropriate organization tasks.

To assign an employee to departments, cost centers, and locations (secondary assignment; default method)

  1. In the Manager, select the Employees > Employees category.

  2. Select the employee in the result list.

  3. Select the Assign organizations task.

  4. In the Add assignments pane, assign the organizations:

    • On the Departments tab, assign departments.

    • On the Locations tab, assign locations.

    • On the Cost centers tab, assign cost centers.

    TIP: In the Remove assignments pane, you can remove assigned organizations.

    To remove an assignment

    • Select the organization and double-click .

  5. Save the changes.

To assign an employee to departments, cost centers, and locations (primary assignment)

  1. In the Manager, select the Employees > Employees category.

  2. Select the employee in the result list.

  3. Select the Change main data task.

  4. Adjust the following main data on the Organizational tab.

    • Primary department

    • Primary cost center

    • Primary location

  5. Save the changes.