
Identity Manager 9.0 LTS - Authorization and Authentication Guide


Initial data for authentication modules

Authentication data consists of the authentication module and its parameters with their values. You can specify initial data for these parameters and values; by default, initial data is preset for each authentication process.

Syntax for authentication data:

Module=<authentication module>;<property1>=<value1>;<property2>=<value2>;…

Example:

Module=DialogUser;User=<user name>;Password=<password>

Table 34: Authentication data for authentication modules

Authentication module | Display name
  Parameters and meaning

DialogUser | System users
  User: User name
  Password: The user's password

ADSAccount | Active Directory user account
  No parameters required

DynamicADSAccount | Active Directory user account (dynamic)
  Product: Usage. The system user is determined through the use case configuration data.

DynamicManualADS | Active Directory user account (manual input)
  Product: Usage. The system user is determined through the use case configuration data.
  User: User name. The user's identity is determined from a predefined list of permitted Active Directory domains. Enter the permitted Active Directory domains in the TargetSystem | ADS | AuthenticationDomains configuration parameter.
  Password: The user's password

RoleBasedADSAccount | Active Directory user account (role-based)
  No parameters required

RoleBasedManualADS | Active Directory user account (manual input/role-based)
  User: User name. The user's identity is determined from a predefined list of permitted Active Directory domains. Enter the permitted Active Directory domains in the TargetSystem | ADS | AuthenticationDomains configuration parameter.
  Password: The user's password

Employee | Employee
  User: Employee's central user account
  Password: The user's password

DynamicPerson | Employee (dynamic)
  Product: Usage. The system user is determined through the use case configuration data.
  User: User name
  Password: The user's password

RoleBasedPerson | Employee (role-based)
  User: User name
  Password: The user's password

HTTPHeader | HTTP header
  Header: The HTTP header to use.
  KeyColumn: Comma-delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber

RoleBasedHTTPHeader | HTTP header (role-based)
  Header: The HTTP header to use.
  KeyColumn: Comma-delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber

DynamicLdap | LDAP user account (dynamic)
  User: User name. Default: CN, DistinguishedName, UserID, UIDLDAP
  Password: The user's password

RoleBasedLdap | LDAP user account (role-based)
  User: User name. Default: CN, DistinguishedName, UserID, UIDLDAP
  Password: The user's password

RoleBasedGeneric | Generic single sign-on (role-based)
  SearchTable: Table in which to search for the user name of the logged-in user. This table must contain a foreign key named UID_Person that points to the Person table.
  SearchColumn: Column of the SearchTable in which to search for the user name of the logged-in user.
  DisabledBy: Pipe (|) delimited list of Boolean columns that block a user account from logging in.
  EnabledBy: Pipe (|) delimited list of Boolean columns that release a user account for logging in.

OAuth | OAuth 2.0/OpenID Connect
  Dependent on the authentication method of the secure token service.

OAuthRoleBased | OAuth 2.0/OpenID Connect (role-based)
  Dependent on the authentication method of the secure token service.

DialogUserAccountBased | Account based system user
  No parameters required

QERAccount | User account
  No parameters required

RoleBasedQERAccount | User account (role-based)
  No parameters required

RoleBasedManualQERAccount | User account (manual input/role-based)
  User: User name. The user's identity is determined from a predefined list of permitted Active Directory domains. Enter the permitted Active Directory domains in the TargetSystem | ADS | AuthenticationDomains configuration parameter.
  Password: The user's password

PasswordReset | Password reset
  No parameters required

RoleBasedPasswordReset | Password reset (role-based)
  No parameters required

DecentralizedId | Decentralized identity
  Email: Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail)
  Identifier: Decentralized identity of the employee (Person.DecentralizedIdentifier)

RoleBasedDecentralizedId | Decentralized identity (role-based)
  Email: Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail)
  Identifier: Decentralized identity of the employee (Person.DecentralizedIdentifier)

Token | (internal)
  Internal authentication module in the application server for authentication using OAuth 2.0/OpenID Connect access tokens. For more information, see Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API.
  URL: URL of the application server.
  ClientId: ID of the application on the identity provider.
  ClientSecret: Secret value for authentication at the token endpoint.
  TokenEndpoint: URL of the token endpoint of the authorization server that returns the access token to the client for logging in.
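The following is an added example, not code from One Identity or from this guide: a small parser for the Module=<module>;<key>=<value>;… syntax above that checks a string against the parameters Table 34 lists for each module and masks secrets before the string is logged. Treating the listed parameters as mandatory is this example's assumption (KeyColumn, DisabledBy and EnabledBy have defaults or are optional on the page, and the OAuth modules have no fixed parameters, so they are not checked). The user names and URLs in the samples are constructed.

```python
# Parameters listed per module in Table 34 of this page. Requiring them is an
# assumption of this example; parameters with defaults are left out.
MODULE_PARAMS = {
    "DialogUser": {"User", "Password"},
    "ADSAccount": set(),
    "DynamicADSAccount": {"Product"},
    "DynamicManualADS": {"Product", "User", "Password"},
    "RoleBasedADSAccount": set(),
    "RoleBasedManualADS": {"User", "Password"},
    "Employee": {"User", "Password"},
    "DynamicPerson": {"Product", "User", "Password"},
    "RoleBasedPerson": {"User", "Password"},
    "HTTPHeader": {"Header"},
    "RoleBasedHTTPHeader": {"Header"},
    "DynamicLdap": {"User", "Password"},
    "RoleBasedLdap": {"User", "Password"},
    "RoleBasedGeneric": {"SearchTable", "SearchColumn"},
    "OAuth": set(),                 # parameters depend on the STS (not checked)
    "OAuthRoleBased": set(),        # parameters depend on the STS (not checked)
    "DialogUserAccountBased": set(),
    "QERAccount": set(),
    "RoleBasedQERAccount": set(),
    "RoleBasedManualQERAccount": {"User", "Password"},
    "PasswordReset": set(),
    "RoleBasedPasswordReset": set(),
    "DecentralizedId": {"Email", "Identifier"},
    "RoleBasedDecentralizedId": {"Email", "Identifier"},
    "Token": {"URL", "ClientId", "ClientSecret", "TokenEndpoint"},
}

# Values that must never reach a log file.
SECRET_PARAMS = {"Password", "ClientSecret"}


def parse_authentication_data(data):
    """Split 'Module=<module>;<key>=<value>;...' into (module, {key: value}).
    Values keep any '=' after the first one; the page defines no escaping for
    ';', so a value cannot contain it. Raises ValueError for malformed input."""
    parts = [p.strip() for p in data.strip().split(";") if p.strip()]
    if not parts or not parts[0].startswith("Module="):
        raise ValueError("authentication data must start with Module=<module>")
    module = parts[0][len("Module="):]
    if module not in MODULE_PARAMS:
        raise ValueError(f"unknown authentication module: {module}")
    params = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"malformed parameter: {part!r}")
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value
    return module, params


def validate(data):
    """Return a list of problems with the string; an empty list means usable."""
    try:
        module, params = parse_authentication_data(data)
    except ValueError as exc:
        return [str(exc)]
    return [f"missing parameter: {name}"
            for name in sorted(MODULE_PARAMS[module] - params.keys())]


def redact(data):
    """The same string with secret values masked, for logging or diagnostics."""
    module, params = parse_authentication_data(data)
    return "Module=" + module + "".join(
        f";{k}={'***' if k in SECRET_PARAMS else v}" for k, v in params.items())


if __name__ == "__main__":
    # Constructed samples: a complete DialogUser string, one with a missing
    # parameter, and a Token string whose ClientSecret must not be printed.
    for sample in ("Module=DialogUser;User=viadmin;Password=s3cret",
                   "Module=DialogUser;User=viadmin",
                   "Module=Token;URL=https://appserver.example/;ClientId=oim-web"
                   ";ClientSecret=abc;TokenEndpoint=https://idp.example/oauth/token"):
        problems = validate(sample)
        print(problems if problems else redact(sample))
```

Run validate() on a string before storing it as initial data; the Password and ClientSecret values are cleartext in this syntax, so anything that echoes the string into a log or ticket should go through redact() first.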


Configuration data for system user dynamic authentication

In the case of dynamic authentication modules, the system user assigned to the employee is not used for login. Instead, the system user is determined from the configuration data of the application (program) that the user logs in with.

TIP: For system users used for dynamic authentication modules, enable the Disabled for direct login option. This prevents direct login to One Identity Manager tools with these system users.

To specify configuration data

  1. In the Designer, select the Base data > Security settings > Programs category.

  2. Select the application and adjust the Configuration data.

Use XML syntax for entering the configuration data:

<DialogUserDetect>
  <Usermappings>
    <Usermapping
      DialogUser = "System user name"
      Selection = "Selection criterion"
    />
    <Usermapping
      DialogUser = "System user name"
    />
    ...
  </Usermappings>
</DialogUserDetect>

Enter the system users (DialogUser) in the Usermappings section, and use the selection criterion (Selection) to specify which employees log in with a given system user. A selection criterion is optional. The entries are evaluated in order: the first Usermapping whose selection criterion is met, or which has no selection criterion, supplies the system user for the login.

To deal with complex permissions and user interface structures, you can assign function groups to permissions groups. Function groups allow you to map the functions an employee has in the company, for example IT controller or branch manager. Assign the function groups to the permissions groups. A function group can refer to several permissions groups, and several function groups can refer to one permissions group.

If the configuration data contains a FunctionGroupMapping section, it is evaluated first and the system user that is found is used: the authentication module logs in with the system user that is an exact member of the permissions group that was found. Only if no system user is found this way is the Usermapping section evaluated.

<DialogUserDetect>
  <FunctionGroupMapping
    PersonToFunction = "View mapping employee to function group"
    FunctionToGroup = "View mapping function group to permissions group"
  />
  <Usermappings>
    <Usermapping
      DialogUser = "System user name"
      Selection = "Selection criterion"
    />
    ...
  </Usermappings>
</DialogUserDetect>


Example of a simple system user assignment

All employees should be able to see the user interface for an IT Shop in a web front-end, without taking table and column permissions into account.

To do this, set up a new application, for example WebShop_Customer_Prd, and adapt the configuration data as follows:

<DialogUserDetect>
  <Usermappings>
    <Usermapping
      DialogUser = "dlg_all"
    />
  </Usermappings>
</DialogUserDetect>

Create a new WebShop_Customer_Grp permissions group, which receives the user interface for the application comprising the menu items, interface forms and task definitions. The user interface could consist of the following menu items:

  • Employee contact data

  • Requesting a product

  • Unsubscribing a product

Define a new dlg_all system user and include it in the vi_DE-CentralPwd, the vi_DE-ITShopOrder, and the WebShop_Customer_Grp permissions groups.


Example of a system user assignment using a selection criterion

The scenario described in the previous example is extended such that only the cost center manager can see an employee’s leaving date. You need to add the input field LeavingDate to the contact data form to do this.

Permissions are used for controlling viewing and editing. Set up a new dlg_kst system user and include the system user in the vi_DE-CentralPwd, vi_DE-ITShopOrder and WebShop_Customer_Grp permissions groups. You should also give the system user read and write permissions to the Person.Exitdate column.

Extend the application configuration data in such a way that the cost center managers use the dlg_kst system user to log in. All other employees use the dlg_all system user to log in.

Change the configuration data as follows:

<DialogUserDetect>
  <Usermappings>
    <Usermapping
      DialogUser = "dlg_kst"
      Selection = "select 1 where %uid% in (select uid_personhead from profitcenter)"
    />
    <Usermapping
      DialogUser = "dlg_all"
    />
  </Usermappings>
</DialogUserDetect>
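The following is an added example, not code from One Identity or from this guide. It models the Usermappings evaluation described above (first matching entry wins, an entry without a selection criterion always matches) using the cost center configuration from this example, and runs the selection criterion against a constructed in-memory stand-in for the profitcenter table. How One Identity Manager itself substitutes %uid% is not described on this page; the example binds it as a SQL parameter, which also keeps an employee's UID from being pasted into the query text. The FunctionGroupMapping section is not modelled, and the employee UIDs and cost centers are constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed configuration data: the cost center example from this page, with
# the conditional mapping first and the unconditional fallback last.
CONFIG_XML = """
<DialogUserDetect>
  <Usermappings>
    <Usermapping DialogUser="dlg_kst"
                 Selection="select 1 where %uid% in (select uid_personhead from profitcenter)" />
    <Usermapping DialogUser="dlg_all" />
  </Usermappings>
</DialogUserDetect>
"""


def load_usermappings(xml_text):
    """Return [(dialog_user, selection_or_None), ...] in document order.
    A FunctionGroupMapping section, if present, is ignored by this example."""
    root = ET.fromstring(xml_text)
    return [(m.get("DialogUser"), m.get("Selection"))
            for m in root.iterfind("./Usermappings/Usermapping")]


def build_sample_db():
    """Constructed stand-in for the profitcenter table: employee P-ALICE heads
    two cost centers, P-BOB heads none."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table profitcenter(uid_profitcenter text, uid_personhead text)")
    conn.executemany("insert into profitcenter values (?, ?)",
                     [("PC-1000", "P-ALICE"), ("PC-2000", "P-ALICE")])
    return conn


def selection_matches(conn, selection, uid_person):
    """A criterion is met when its query returns at least one row. Every %uid%
    placeholder is bound as a parameter (assumption of this example; the page
    does not say how the product substitutes it)."""
    sql = selection.replace("%uid%", "?")
    params = (uid_person,) * selection.count("%uid%")
    return conn.execute(sql, params).fetchone() is not None


def detect_dialog_user(conn, mappings, uid_person):
    """The first Usermapping whose criterion is met, or that has no criterion,
    supplies the system user. None means no mapping applies to this employee."""
    for dialog_user, selection in mappings:
        if selection is None or selection_matches(conn, selection, uid_person):
            return dialog_user
    return None


def unreachable_mappings(mappings):
    """System users listed after an unconditional entry. They can never be
    selected, so a more privileged system user placed there is silently skipped
    and every employee logs in with the fallback instead."""
    unreachable, seen_unconditional = [], False
    for dialog_user, selection in mappings:
        if seen_unconditional:
            unreachable.append(dialog_user)
        elif selection is None:
            seen_unconditional = True
    return unreachable


if __name__ == "__main__":
    conn = build_sample_db()
    mappings = load_usermappings(CONFIG_XML)
    for uid in ("P-ALICE", "P-BOB"):
        print(uid, "->", detect_dialog_user(conn, mappings, uid))
    print("skipped if the order is reversed:",
          unreachable_mappings(list(reversed(mappings))))
```

The order of the Usermapping entries is part of the authorization decision: if the unconditional dlg_all entry were listed before dlg_kst, cost center managers would also log in as dlg_all and never see the leaving date, with no error to indicate it. unreachable_mappings() is the check to run on the configuration data whenever an entry without a Selection is added.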
