Assigning permissions
You can assign One Identity Manager permission levels in SharePoint. Only permissions that are valid for the web application can be assigned. User accounts obtain these site permissions through SharePoint's internal inheritance procedure.
Permissions may depend on other permissions. SharePoint assigns these dependent permissions automatically. For example, the permissions "view pages", "browse user information", and "open" are always passed down with the permission "create groups".
NOTE: Dependent permissions cannot be automatically assigned in the One Identity Manager.
To assign permissions to permission levels
- Select the SharePoint > Permission levels category.
- Select the permission level in the result list.
- Select the Assign permission task.
- In the Add assignments pane, assign the permission, or in the Remove assignments pane, remove the permission.
- Save the changes.
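Because One Identity Manager does not add dependent permissions on its own (see the note above), a permission level defined there can be missing permissions that SharePoint would pass down implicitly. The following check is an added example, not part of the One Identity Manager documentation: it computes the transitive set of dependent permissions for a permission level and reports which ones are absent, and which cannot be assigned because they are not valid for the web application. The dependency map is a constructed subset built around the example in the text; the real SharePoint dependency graph is larger.

```python
"""Find dependent permissions that SharePoint adds implicitly but that a
One Identity Manager permission level does not contain explicitly."""
from collections import deque

# Constructed subset of SharePoint permission dependencies (assumption for
# this example): each permission maps to the permissions it implies.
# "create groups" -> view pages, browse user information, open is the
# example given in the documentation; the other edges are illustrative.
DEPENDS_ON = {
    "create groups": {"view pages", "browse user information", "open"},
    "view pages": {"open"},
    "browse user information": {"open"},
    "open": set(),
}


def required_permissions(assigned):
    """Return the explicit permissions plus everything they imply,
    following dependencies transitively (breadth-first)."""
    needed = set(assigned)
    queue = deque(assigned)
    while queue:
        perm = queue.popleft()
        for dep in DEPENDS_ON.get(perm, ()):
            if dep not in needed:
                needed.add(dep)
                queue.append(dep)
    return needed


def missing_dependencies(assigned, valid_for_web_app):
    """Return (missing, invalid): dependent permissions not present in the
    permission level, and dependencies that are not valid for the web
    application and therefore cannot be assigned to the level at all."""
    needed = required_permissions(assigned)
    missing = needed - set(assigned)
    invalid = {p for p in needed if p not in valid_for_web_app}
    return missing, invalid


if __name__ == "__main__":
    # Constructed sample: a level with only "create groups" assigned.
    level = {"create groups"}
    valid = {"create groups", "view pages", "browse user information", "open"}
    missing, invalid = missing_dependencies(level, valid)
    print("missing dependent permissions:", sorted(missing))
    print("not valid for web application:", sorted(invalid))
```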
Special synchronization cases for valid permissions
If you remove permissions from the list of valid permissions for a web application in SharePoint, those permissions can no longer be assigned to permission levels within that web application. Existing assignments of these permissions to permission levels remain intact but are no longer active. During synchronization, the permissions are deleted from the SPSWebAppHasPermission table, while the existing permission level assignments are left unchanged. Inactive permissions are displayed in the permission level's overview.
Entering main data of SharePoint roles
Table 37: Configuration parameters for setting up SharePoint roles

| Configuration parameter | Meaning |
|---|---|
| QER \| CalculateRiskIndex | Preprocessor-relevant configuration parameter that controls the system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is enabled, values for the risk index can be entered and calculated. |
To edit SharePoint role main data
- Select the SharePoint > Roles category.
- Select the SharePoint role in the result list.
- Select the Change main data task.
- Enter the required data on the main data form.
- Save the changes.
The following properties are displayed for SharePoint roles.
Table 38: SharePoint role properties

| Property | Description |
|---|---|
| Display name | SharePoint role display name. |
| Permission level | Unique identifier for the permission level on which the SharePoint role is based. |
| Site | Unique identifier for the site that inherits its permissions from the SharePoint role. |
| Risk index | Value for evaluating the risk of assigning the SharePoint role to user accounts. Enter a value between 0 and 1. The field is only visible if the "QER \| CalculateRiskIndex" configuration parameter is set. |
| Description | Text field for additional explanation. |
| Service item | Service item data for requesting the group through the IT Shop. |
| IT Shop | Specifies whether the SharePoint role can be requested through the IT Shop. This SharePoint role can be requested by staff through the Web Portal and granted through a defined approval procedure. The SharePoint role can still be assigned directly to employees and hierarchical roles. |
| Only for use in IT Shop | Specifies whether the SharePoint role can only be requested through the IT Shop. This SharePoint role can be requested by staff through the Web Portal and granted through a defined approval procedure. The SharePoint role may not be assigned directly to hierarchical roles. |
NOTE: If the SharePoint role references a permission level for which the Hidden option is set, the IT Shop and Only for use in IT Shop options cannot be set. You cannot assign these SharePoint roles to user accounts or groups.
Assigning SharePoint roles to SharePoint user accounts
SharePoint roles can be assigned directly or indirectly to user accounts. In the case of indirect assignment, employees and SharePoint roles are arranged in hierarchical roles. The set of SharePoint roles assigned to an employee is calculated from the employee's position in the hierarchy and the direction of inheritance. If you add an employee to hierarchical roles and the employee has a user-authenticated user account, that user account is added to the SharePoint role. Prerequisites for indirect assignment of employees to user accounts:
- Assignment of employees and groups is permitted for role classes (departments, cost centers, locations, or business roles).
- The Group authenticated option is not set in the user accounts.
- User accounts are labeled with the Roles can be inherited option.
- User accounts and SharePoint groups belong to the same site collection.
Furthermore, SharePoint roles can be assigned to employees through IT Shop requests. Add employees to a shop as customers so that SharePoint roles can be assigned to them through IT Shop requests. All SharePoint roles that are assigned to this shop as products can be requested by its customers. Requested SharePoint roles are assigned to the employees after approval is granted.
NOTE: SharePoint roles that reference permission levels with the Hidden option set cannot be assigned to business roles and organizations. These SharePoint roles can be neither directly nor indirectly assigned to user accounts or groups.