Groups and system entitlements represent the objects used in the cloud application to control access to the cloud resources. A user account obtains the necessary permissions to access cloud resources by assigning it to groups and system entitlements.
Many cloud applications use different entitlement types to manage user entitlements. In addition to groups, these can also be roles or permissions sets, for example. Using synchronization projects created with the Synchronization of a One Identity Starling Connect environment project template, the different types are mapped in the One Identity Manager as follows.
Table 22: Mapping system entitlements in the One Identity Manager

| Entitlement type in the cloud application | Table in the One Identity Manager schema | Display name in the Manager |
| --- | --- | --- |
| Group | UCIGroup | Groups |
| Role | UCIGroup1 | System entitlements 1 |
| Profiles | UCIGroup2 | System entitlements 2 |
| Entitlement | UCIGroup3 | System entitlements 3 |
| Permissionset | UCIItem | Permissions controls |
NOTE: In synchronization projects created with a One Identity Manager version older than 8.2, objects of type Profile are also mapped in the UCIItem table.
A user account obtains the required entitlements for accessing target system resources through its assignments to groups or system entitlements. Depending on the target system, assignments are maintained either on user accounts (user-based assignment) or on system entitlements (entitlement-based assignment). When setting up synchronization using the One Identity Starling Connect synchronization project template, the SCIM connector determines the object type that stores the assignments. Memberships are mapped in the following tables:
Table 23: User-based assignment

| Table | Meaning |
| --- | --- |
| UCIUserHasGroup | Groups: Assignments to user accounts |
| UCIUserHasGroup1 | System entitlement 1: Assignments to user accounts |
| UCIUserHasGroup2 | System entitlement 2: Assignments to user accounts |
| UCIUserHasGroup3 | System entitlement 3: Assignments to user accounts |
| UCIUserHasItem | User accounts: Permission control assignments |
Table 24: Entitlement-based assignment

| Table | Meaning |
| --- | --- |
| UCIUserInGroup | User accounts: Assignment to groups |
| UCIUserInGroup1 | User accounts: Assignment to system entitlements 1 |
| UCIUserInGroup2 | User accounts: Assignment to system entitlements 2 |
| UCIUserInGroup3 | User accounts: Assignment to system entitlements 3 |

Assignments for the Permissionset type are always user-based.
By default, only groups are mapped by synchronization projects created with the SCIM Synchronization project template. The SCIM connector determines which object type stores the assignments and maps them accordingly either in the UCIUserHasGroup table or in the UCIUserInGroup table.
The types of system entitlements used, and whether the assignments are saved with the user accounts or with the system entitlements, are stored with the cloud application.

To display the types of system entitlements used
- In the Manager, select the Universal Cloud Interface > Basic configuration data > Cloud applications category.
- In the result list, select a cloud application and select the Change main data task.
- System entitlement types used: List of types of system entitlements used in the cloud application.
- User account has memberships: List of system entitlement types with user-based assignments. For types not listed here, the assignments are stored with the system entitlements.
TIP: If the cloud application schema cannot be adequately represented by any default project template, customize the synchronization configuration. At the same time, define how the system entitlements are mapped in the One Identity Manager schema. When you are setting up synchronization, ensure that the base object for the cloud application (CSMRoot) is created in the database and that the System entitlement types used (GroupUsageMask) and User account has memberships (UserContainsGroupList) properties are set correctly.
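The following Python example is added here and is not part of One Identity Manager or this documentation. It encodes the mapping from Tables 22 to 24: given the entitlement types a cloud application uses and the types with user-based assignments, it returns the table that holds each type's objects and the table that holds its memberships, enforcing that Permissionset is always user-based. The type names and the representation of the two cloud application properties as plain sets of strings are assumptions for illustration.

```python
# Added example: resolve which One Identity Manager tables hold a cloud
# application's system entitlements and their membership assignments.
# Type names and representing GroupUsageMask / UserContainsGroupList as
# string sets are assumptions; they are not the product's actual API.

# entitlement type -> (entitlement table,
#                      user-based assignment table,
#                      entitlement-based assignment table)
ENTITLEMENT_TABLES = {
    "Group":         ("UCIGroup",  "UCIUserHasGroup",  "UCIUserInGroup"),
    "Role":          ("UCIGroup1", "UCIUserHasGroup1", "UCIUserInGroup1"),
    "Profile":       ("UCIGroup2", "UCIUserHasGroup2", "UCIUserInGroup2"),
    "Entitlement":   ("UCIGroup3", "UCIUserHasGroup3", "UCIUserInGroup3"),
    # Permissionset assignments are always user-based: no UCIUserIn* table.
    "Permissionset": ("UCIItem",   "UCIUserHasItem",   None),
}


def assignment_tables(types_used, user_based_types):
    """For each entitlement type the cloud application uses, return
    (table holding the objects, table holding the memberships).

    types_used       -- "System entitlement types used" (GroupUsageMask)
    user_based_types -- "User account has memberships" (UserContainsGroupList)
    Types not listed as user-based store assignments with the entitlement
    (UCIUserIn* tables), except Permissionset, which is always user-based.
    """
    unknown = set(user_based_types) - set(types_used)
    if unknown:
        raise ValueError(f"user-based types not in types used: {sorted(unknown)}")
    result = {}
    for t in types_used:
        if t not in ENTITLEMENT_TABLES:
            raise ValueError(f"unsupported entitlement type: {t!r}")
        obj_table, has_table, in_table = ENTITLEMENT_TABLES[t]
        user_based = t == "Permissionset" or t in user_based_types
        result[t] = (obj_table, has_table if user_based else in_table)
    return result


def membership_tables(types_used, user_based_types):
    """Sorted list of every assignment table that must be read to see all
    memberships of a user account in this cloud application."""
    tables = assignment_tables(types_used, user_based_types)
    return sorted(assign for _, assign in tables.values())
```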
To display a group's main data
- In the Manager, select the Universal Cloud Interface > <cloud application> > Groups category.
- Select the group in the result list.
- Select the Show main data task.
To display a system entitlement's main data
- In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 1 category.
  - OR -
  In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 2 category.
  - OR -
  In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 3 category.
- Select the system entitlement in the result list.
- Select the Show main data task.
You are provided with the following general main data of a group.
Table 25: Entering main data of a group

| Property | Description |
| --- | --- |
| Name | Name of the group. |
| Container | The group's container. |
| Cloud application | The group's cloud application. |
| Distinguished name | Distinguished name of the group. |
| Display name | Name for displaying the group in the user interface of One Identity Manager tools. |
| Group name | Additional name for the group. |
| Email address | Group's email address. |
| Account manager | Manager responsible for the group. |
| Description | Text field for additional explanation. |
| Group type | Unique group type ID, for example, if groups of different types are supplied through one and the same SCIM endpoint. |
| Resource type | Resource type identifier. The resource type corresponds to a SCIM endpoint, /Groups for example. |