System connector for connecting to an Active Directory system.
Program for analyzing data correlations in the database.
The API Server provides an API. It also provides the Web Portal, the Password Reset Portal, the Operations Support Web Portal, and your HTML web applications.
Functional roles that issue permissions to One Identity Manager functions that are the result of One Identity Manager user tasks within the company. Application roles take into account administrative tasks and approval processes. Application roles are predefined by One Identity Manager, but can be changed and extended.
The application server provides a connection pool for accessing the One Identity Manager database and ensures a secure connection to the database. Clients send their queries to the application server, which processes the objects, for example, by determining values using templates and sending the results back to the clients. The data from the application is sent to the database when an object is saved.
Determines which approval workflow is applied to an attestation case or to a request, renewal, or unsubscription in the IT Shop.
Determines the attestors for the current attestation case as well as the approvers for the current request, renewal, or unsubscription in the IT Shop.
Process of granting or denying approval for IT Shop requests. An approval process starts with a product request and ends with the request being finally granted or denied approval. Details of approval processes are specified in approval policies and approval workflows.
Determines which approval procedures are applied, and in which order, in attestation cases or in requests, renewals, or unsubscriptions in the IT Shop. An approval workflow contains at least one approval level with at least one approval step. A different approval procedure can be used in every approval step to determine the approver or attestor.
Requests with the status Approved (Granted), Pending (Waiting), Assigned (Assigned), Renewal (OrderProlongate), or Unsubscription (OrderUnsubscribe).
Identity that can grant or deny a request, renewal, or unsubscription within an approval process.
Requests memberships in hierarchical roles or assignment of company resources to hierarchical roles. For example, this allows a business role manager to request in the IT Shop which identities become members of the business role and which company resources are assigned. These requests undergo a defined approval process.
Table in which relationships between two tables are established. Both tables' objects are assigned to each other as a many-to-many relationship. For example, assignment tables are PersonInDepartment or ADSAccountInADSGroup.
Identity who performs an attestation. Attestors grant or deny approval to data submitted in an attestation case.
Specify how users log in to the One Identity Manager tools. For example, users can log in with their Active Directory user account or directly as an identity. The authentication module determines the system user assigned to the logged-in user. This assigns the user edit permissions to the user interface of the launched tool and to the database objects.
Base objects contain data about the target system to be synchronized, its system connection, and the synchronization server.
Management and administration of access to IT systems based on usage behavior. Unused entitlements are identified and can be deactivated or deleted after further checks.
Object for mapping custom functions in One Identity Manager. Business roles map company structures with similar functionality that exist in addition to departments, cost centers, and locations. These might be project groups, for example.
Approval workflow used to cancel IT Shop requests.
Product assigned to a shopping cart. A cart item shows which product is requested by whom, for whom.
Requests with the status Unsubscribed (Unsubscribed), Denied (Dismissed), Canceled (Aborted).
Umbrella term for all objects that can be assigned to identities or hierarchical roles or requested through the IT Shop and that are not roles themselves. For example, company resources are software, target system permissions, resources, system roles, devices.
Parameters for configuring the basic settings of One Identity Manager's system behavior. Preprocessor relevant configuration parameters are parameters that are linked to preprocessor conditions. If a preprocessor relevant configuration is changed, the database must be compiled.
Program for installing and updating a One Identity Manager database.
The system connector extends the target system schema with additional information which is required for mapping in the Synchronization Editor.
Program for encrypting database contents of a One Identity Manager database.
System connector that allows data to be imported from CSV files.
Identity that is entitled to request products in the IT Shop. An identity becomes a customer by being assigned to a shop.
Runs processing logic which would normally be implemented in the object code, such as mutual exclusion of properties. The Customizer contains special methods and has side effects on the table columns. Several customizers can be defined for one table.
Program for importing data into a One Identity Manager database.
Controls processing of DBQueue Processor tasks. The Database Agent Service is deployed through the One Identity Manager Service plug-in. Alternatively, the Database Agent Service can be started from the command line.
Program for compiling the One Identity Manager database after relevant changes. All VB.NET and C# program parts that are in the One Identity Manager database are compiled. The resulting assemblies are then available to One Identity Manager services and application programs.
Program for exporting objects and custom changes from a One Identity Manager database and importing them into a One Identity Manager database.
List of tasks processed by the DBQueue Processor. The tasks queued in the DBQueue are the result of triggering, modifications to configuration parameters (for example, changes to a configuration parameter concerning inheritance) or running scheduled tasks.
Component for asynchronous calculation of processing tasks in the DBQueue. The DBQueue Processor also controls cyclically recurring tasks, such as the daily maintenance tasks for calculating statistics or indexing the database.
Tool for configuring the One Identity Manager.
Dynamic roles are used to dynamically assign memberships to departments, cost centers, location, business roles, application roles, and IT Shop nodes.
Permissions are bound to objects. Permissions are used to grant users and groups access to the objects and object properties. Examples are permissions to display and edit objects, permissions to display UI elements in One Identity Manager tools, or permissions to approve requests. see system authorization; see user permissions
Identity that can approve rule violations. Exception approvers belong to the Exception approver role and are assigned to at least one compliance rule through this role.
A schema can be customized in the Synchronization Editor, for example, to allow or simplify mapping of complex schema properties. The modified schema is labeled "extended schema".
see revision filter; see object filter; see system filter; see object selection
A module GUID (module Globally Unique Identifier) identifies objects as system configuration components. For example, to transport predefined reports, processes, workflows, or mail definitions with a complete system configuration transport, the objects require a primary key with a module GUID.
System connector for connecting to an HCL Domino system.
A collection of departments, cost centers, locations, and business roles. Through membership in hierarchical roles, company resources can be inherited by identities.
Used to limit the number of objects to be loaded directly into the target system. It is built on the basis of the real structural objects of the target system. This filter can be used for defining the scope.
System for archiving data changes.
An identity usually represents a real person. In addition, identities that do not represent real people, such as machine identities or service identities, can be mapped in One Identity Manager. (see also virtual identity; see also main identity/subidentity)
Objects that occur in both of the connected systems.
One Identity Manager components for supplying identities with company resources through defined approval processes. IT Shop solutions are set up in the Manager and can then be used in the Web Portal.
Role class that groups together the components (shopping center, shop, shelf, product, customer) of an IT Shop solution.
Central store for generating and running process component actions.
Server with the One Identity Manager Service installed.
Tool for controlling services running in the One Identity Manager network. It enables a detailed and comprehensive overview of the requests in the Job queue and the process history. The tool provides on-the-fly status information and makes fast error detection possible.
Program for configuring the One Identity Manager Service.
Program for updating the One Identity Manager Service on Job servers.
One Identity Manager Service component. The Job destination component handles the process steps and returns a result to the Job provider.
One Identity Manager Service component. A Job provider provides a Job destination with a process step and evaluates the result.
System connector for connecting to an LDAP system.
Program for maintaining and tracking One Identity Manager database licenses.
Describes the role that a computer or server plays in One Identity Manager. You can give each computer or server several roles. This means one or more machine roles can be assigned. You select machine roles when One Identity Manager components are installed. The installation packages and files to be installed on the computer or server are specified in a machine role.
Describes how an identity is associated to another identity. Here, the main identity is the parent identity and the subidentity is the child identity. A main identity is a primary identity and always represents a real person. A subidentity is a virtual identity that is set up for a specific purpose.
The user account's manage level specifies the extent to which the identity's properties are inherited by the user account. One Identity Manager provides a default configuration for the "Unmanaged" and "Full managed" manage levels. You can define further manage levels.
Administration tool for setting up all the information about identities. It displays and maintains all the data required for the administration of identities, their user accounts, permissions, and company-specific roles in a One Identity Manager network. Company resources that identities require can be entered and assigned to them. Manager functionality can be provided by web applications.
Identity that supervises or is responsible for identities or hierarchical roles.
List of object matching rules and property mapping rules which map the schema properties of two connected systems to one another.
System connector for connecting to a Microsoft Exchange system.
Measures to be taken to prevent a compliance rule from being violated, for example. Mitigating controls reduce risk by a fixed value (significance reduction). Mitigating controls are independent of One Identity Manager's functionality. For example, by frequent manual checking for irregular permissions, mitigating controls can reduce the risk posed by a rule violation.
A module is a closed unit with a defined functionality. A module includes descriptive information, the binaries (exe, DLL), the documentation, and information about the database (see also One Identity Manager schema).
View of database objects that allows them to be distinguished by specific properties and thus provide additional control.
Filter for limiting the number of objects to synchronize. For example, the system objects of an Active Directory domain are limited to one container. You can also filter single objects.
The One Identity Manager data model. The data model is grouped logically in modules. The modules are linked through predecessor relationships. A module can have one or more predecessors. Each module extends the schema by its own tables and columns and installs its own default objects, such as, templates, scripts, or processes. The functions of a module are not available until the module is installed in the database.
System service on servers that handle One Identity Manager processes.
System connector that connects to a One Identity Safeguard appliance.
System connector for connecting to a OneLogin system.
Web application for help desk staff. The Operations Support Web Portal can be used to control handling of processes and DBQueue processing. In addition, passcodes can be generated for employees.
System connector for connecting to an Oracle E-Business Suite.
Groups hierarchical roles department, cost center, and location together.
Web application that allows users to reset passwords for the user accounts they manage.
Requests with the status Request (OrderProduct), Renewal (OrderProlongate), Unsubscribe (OrderUnsubscribe).
Different permissions of One Identity Manager functions are grouped together in permissions groups. Permissions groups are allocated to system users and application roles. Thus, users of One Identity Manager tools obtain their permissions to One Identity Manager functions. Some permissions groups are part of the One Identity Manager installation. Other permissions groups can be custom defined in the Designer.
Condition that limits compilation of program code. Conditional compilation allows parts of the program code to be parsed whereas other parts remain untouched. Possible preprocessor conditions are defined by configuration parameters and their options.
Sequence of process steps for mapping an operational workflow. The process steps are connected to one another by predecessor/successor relationships. This functionality allows flexibility when linking up actions and sequences on object events.
Component available for use in process steps.
Parameter that is permitted for a single task of a process component.
Contains the basic configuration for automatically running a process.
Represents one processing task in a process.
Task to be run by a process.
Method used to process objects within a synchronization step. Examples: add object (insert), update object (update), delete object (delete). Processing methods and their mandatory parameters are defined with the schema type.
Company resource that is assigned to an IT Shop shelf and can therefore be requested. Only company resources assigned to service items can be added to the IT Shop as products.
Template for a shopping cart which groups together cart items that are frequently requested together. Public product bundles are available to all users as soon as they are released. Non-public product bundles can be used only by the owners of the product bundle.
Wizard which aids configuration of synchronization projects.
Used to resolve references between objects of different systems. The reference scope specifies the system in which objects for resolving references may be found.
Objects that occur in only one of the two systems involved in synchronization.
Job server on which the RemoteConnectPlugin and the target system connector are installed. If direct access to the target system is not possible, a remote connection can be set up. Communication between the Synchronization Editor and the target system is done through a remote connection server.
Approval workflow that can be used to extend a temporary request. If approved, the new expiration date will be applied to the existing request.
Request for products in the IT Shop. Products can be company resources, such as system roles or system entitlements, or membership in hierarchical roles. Requests follow a defined approval process that determines whether a product may be assigned or not.
Parameters describing additional features such as color, size, or equipment of the product to be requested. Requesters specify the required parameter value when they make the request.
Collection of request parameters that can be additionally specified for a product. Request properties are assigned to service items or service categories.
Equipment that is necessary for an identity's work efficiency, for example, mobile phones, desks, company cars, or keys. Resources can be any equipment that is not system entitlements, devices, or software.
Customer-specific criteria for grouping resources.
Security risk for the company if a company resource is assigned to an identity or a compliance rule, company policy, or attestation policy is violated. A risk index can be entered for any company resource, SAP function, attestation policy, company policy, or compliance rule. An identity's risk index is determined by the risk indexes of their directly and indirectly assigned company resources. It is given as a value between 0 (no risk) and 1 (problem).
Method used to calculate risk indexes. The risk index function defines the data sources, the objects to be included, the calculation type, and the table column of the function's target object.
Criteria for grouping similar hierarchical roles together, such as departments or cost centers. To differentiate between different business roles, define company-specific role classes. Role classes are used to specify which company resource assignments are possible through roles in a role class.
Customer-specific criteria for classifying hierarchical roles. Role types are mainly used to regulate approval policy inheritance within an IT Shop structure. Furthermore, role types can be used to structure hierarchical roles or shops in the IT Shop by customer-specific criteria.
System connector for connecting to an SAP R/3 system.
Task to run on a cyclical basis. Schedules control regular running of processes, calculation tasks, and other scheduled tasks. You define the start and interval times for the scheduled tasks. The activation time can be given in local time or Universal Time Code. A schedule can be in control of several tasks.
Data model of a connected system. The schema describes all the main data from the connected system. see target system schema; see One Identity Manager schema; see connector schema; see extended schema
Subset of a schema type. The result list of a schema type is filtered by defined criteria. Example: Active Directory contacts are Active Directory user accounts with the property objectclass = "CONTACT".
Property of a schema type. Refers to exactly one column of a table or view of the database based schema or exactly one object type property of the non-database based schema.
Defines an object type within a schema. Refers to exactly one table or view of the database based schema or exactly one object type of the non-database based schema.
Program for extending the One Identity Manager schema with custom tables, columns, database views, and indexes.
Section of a connected system which should be synchronized. The scope is defined with a filter.
Defines the function of a server in One Identity Manager. Depending on the server function, processes are handled. When installing a server, the possible server functions are predefined based on the selected machine role.
Criteria for grouping service items. For a product from the service catalog to be selectable, its service item must be assigned to a service category.
Objects that are required for requesting company resources as products in the IT Shop and for internal invoicing.
System connector for connecting to a SharePoint farm.
IT Shop structure that is part of a shop and can have products assigned to it. Shelves make up a hierarchically structured IT Shop solution together with shops, shopping centers, and products.
Templates for automatically setting up shelves in the IT Shop and adding company resources to them. Shelf templates can be used if shelves with the same products are set up in more than one shop. One Identity Manager distinguishes between global shelf templates, special shelf templates and shopping center templates.
IT Shop structure to which shelves and customers are assigned. Together with shelves, products, and shopping centers, shops form a hierarchically structured IT Shop solution.
IT Shop structure under which you can group shops together. Together with shelves, shops, and products, shopping centers form a hierarchically structured IT Shop solution.
Value by which the risk index of a compliance rule, SAP function, attestation policy, or company policy is reduced when a mitigating control is assigned. The risk index (reduced) is calculated from the risk index and the significance reduction.
Snapshot of an object at a certain point in time, optionally with dependent objects.
Program for loading new or modified files into the One Identity Manager database in order to distribute them in the One Identity Manager network using automatic software update.
Job server that handles SQL processes.
Specifies which synchronization configuration components are used for a specific synchronization. Specifies the synchronization schedule.
A subidentity is a virtual identity that is set up for a specific purpose, such as for an administrative user account or to map different roles in the company. A subidentity is always connected to a main identity.
One Identity Manager table with information about referenced objects which could not be assigned by synchronization.
Direction in which synchronization is run. The primary system is defined by the direction of synchronization.
Job server installed with the target system connector. All One Identity Manager actions are run against the target system environment on the synchronization server.
One Identity Manager tool for configuring target system synchronization.
Used to limit the number of objects to synchronize in the connected system. The connector only loads the objects found through this filter.
Object from the target system. A system object always belongs to a schema class.
User ID with which a user logs in to the One Identity Manager tools. The system user ID depends on the selected authentication module. For example, it can be a central user account, a login name for an Active Directory domain, or a system user.
Grouping similar target systems. Examples: Active Directory, LDAP, SharePoint.
Rule for mapping object properties. Templates can be applied to an object and also have a cross-object effect.
One Identity Manager function you can use to track changes to an object that were made up to any point in the past. In its analysis, the TimeTrace function includes the data changes saved to the One Identity Manager database as well as the records stored in a History Database. You can use this to find out who had which permissions at which point in time. You can apply historical data to the current object and restore the object to the status prior to the change.
Artificial primary key generated by One Identity Manager as soon as the object is inserted into the One Identity Manager database. The UID is a unique value, which does not change even if the properties of an object change. An object is identified by a UID and can be uniquely referenced by it.
System connector that connects to a Unix host.
Job server that provides automatic software update of the other servers.
A user account represents access to a target system. A user account has permissions to perform actions in a target system. A user account is usually linked to an identity.
Permit users to perform an operation that affects an entire computer rather than a specific object on the computer. Examples are logging in as a service or changing the system time. see permissions
Used to configure the synchronization configuration for different systems. Each variable set contains at least the variables for the system connection parameters. The values of the variables are redefined for different uses.
Schema class property added by the system connector or the user.
Program for simplifying installation and configuration of web-based applications.
Web-based application that provides various workflows. In the Web Portal, users can change their own main data, edit employee data, request company resources in the IT Shop, delegate their own responsibilities, edit approvals, attestations, or rule violations.
see decision workflow; see provisioning workflow; see synchronization workflow
Wizard which aids configuration of synchronization workflows.