Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager 8.2 - Identity Management Base Module Administration Guide

Basics for mapping company structures in One Identity Manager Dynamic roles Departments, cost centers, and locations
One Identity Manager users for managing departments, cost centers, and locations Basic information for departments, cost centers, and locations Creating and editing departments Creating and editing cost centers Creating and editing locations Setting up IT operating data for departments, cost centers, and locations Assigning employees, devices, and workdesks to departments, cost centers, and locations Assigning company resources to departments, cost centers, and locations Creating dynamic roles for departments, cost centers, and locations Dynamic roles with incorrectly excluded employees Assign organizations Specifying inheritance exclusion for departments, cost centers, and locations Assigning extended properties to departments, cost centers, and locations Reports about departments, cost centers, and locations
Employee administration
One Identity Manager users for employee administration Basic data for employee main data Employee's central user account Employee's default email address Employee's central password Mapping multiple employee identities Password policies for employees Creating and editing employees Disabling and deleting employees Deleting all employee related data Limited access to One Identity Manager Changing the certification status of employees Assigning company resources to employees Displaying the origin of employees' roles and entitlements Analyzing role memberships and employee assignments Displaying the employees overview Displaying and deleting employees' Webauthn security keys Determining the language for employees Determining employees working hours Manually assigning user accounts to employees Entering calls for employees Assigning extended properties to employees Employee reports
Managing devices and workdesks Managing resources Setting up extended properties Configuration parameters for managing departments, cost centers, and locations Effective configuration parameters for setting up employees Configuration parameters for managing devices and workdesks

Testing dynamic role conditions

You should test which objects fulfill the given condition before you save a dynamic role.

NOTE: This task is only visible when the dynamic role condition is displayed as an SQL query.

To test the SQL condition for a dynamic role

  1. In the Manager, select the role for which the dynamic role was created.

  2. Open the role's overview form.

  3. Select Dynamic roles and click on the dynamic role.

  4. Select Change main data.

  5. Click (Edit SQL) on the form.

    This displays the condition as SQL query.

  6. Select the Test condition task.

    On the main data form, in the Test result field, all objects determined by the condition are displayed.

Calculating role memberships for dynamic roles

Table 5: Configuration parameters for calculating dynamic roles
Configuration parameter Meaning

QER | Structures | DynamicGroupCheck

Controls generation of calculation tasks for dynamic roles. If the configuration parameter is not set, the subparameters do not apply.

QER | Structures | DynamicGroupCheck |
CalculateImmediatelyPerson

If the parameter is set, a calculation task for modifications to employees or employee level objects is queued immediately in the DBQueue Processor. If the configuration parameter is not set, the calculation tasks are queued the next time the schedule is planned to run.

QER | Structures | DynamicGroupCheck |
CalculateImmediatelyHardware

If the parameter is set, a calculation task for modifications to employees or employee level objects is queued immediately in the DBQueue Processor. If the configuration parameter is not set, the calculation tasks are queued the next time the schedule is run.

QER | Structures | DynamicGroupCheck |
CalculateImmediatelyWorkdesk

If the parameter is set, a calculation task for modifications to workdesks or workdesk level objects is queued immediately in the DBQueue Processor. If the configuration parameter is not set, the calculation tasks are queued the next time the schedule is run.

In order to calculate role memberships, One Identity Manager tests every dynamic role to ensure that:

  • There is at least one object that satisfies the condition but is not assigned to the role

  • There is at least one object that does not satisfy the condition but is assigned to the role

  • The exclusion list was changed

If one of the conditions is fulfilled, a request to add or delete memberships is sent to the DBQueue Processor. When the dynamic roles are tested, employee objects that are marked for deletion are:

  • Not added to roles through dynamic roles even if the miscellaneous condition is fulfilled.

  • Removed from the role even if the miscellaneous condition should be fulfilled

Tasks for recalculating memberships are set up depending on the configuration parameter settings by:

  • Cyclical checking using a schedule

    In the default installation of One Identity Manager, the Dynamic roles check schedule is already defined. All dynamic role memberships are checked using this schedule and recalculation requests are sent to the DBQueue Processor if necessary. Checks are made at predefined intervals.

    Use the Designer to customize schedules or set up new ones to meet your requirements. For more information, see the One Identity Manager Operational Guide.

  • Immediately an object has changed

    Memberships are immediately checked by the DBQueue Processor and changed as necessary when object properties are changed. To use this function, in the Designer, set the QER | Structures | DynamicGroupCheck | CalculateImmediatelyPerson, QER | Structures | DynamicGroupCheck | CalculateImmediatelyHardware, and QER | Structures | DynamicGroupCheck | CalculateImmediatelyWorkdesk configuration parameters.

Related topics

Calculating role memberships for dynamic roles instantly

By default, calculation of role membership is controlled by schedules. You can also run the calculation for a single dynamic role immediately and independently of the scheduled calculation.

To calculate role membership immediately

  1. In the Manager, select the role for which the dynamic role was created.

  2. Open the role's overview form.

  3. Select Dynamic roles and click on the dynamic role.

  4. Select the Change main data task.

  5. Select the Start recalculation immediately task and close the prompt with OK.

    A processing task for the DBQueue Processor is set in the DBQueue.

Detailed information about this topic

Displaying the dynamic role overview

You can see the most important information about a dynamic role on the overview form.

To obtain an overview of a dynamic role

  1. In the Manager, select the role for which the dynamic role was created. The department, for example.

  2. Open the role's overview form.

  3. Select Dynamic roles and click on the dynamic role.

  4. Select the Dynamic role overview task.

  5. Select the report Show overview.

    The report provides a summary of key information about a dynamic role, including the schedule, excluded employees, and recalculation properties.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation