Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager 8.2.1 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing Active Directory user accounts and employees
Account definitions for Active Directory user accounts and Active Directory contacts Assigning employees automatically to Active Directory user accounts Supported user account types Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login information for Active Directory user accounts Mapping of Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Displaying Azure Active Directory user accounts for Active Directory user accounts

NOTE: This function is only available if the Azure Active Directory Module is installed.

You can see the Azure Active Directory user account for an Active Directory user account on the overview form.

To display the Azure Active Directory user account for an Active Directory user account

  1. In the Manager, select the Active Directory > User accounts category.

  2. Select the user account in the result list.

  3. Select the Active Directory user account overview task.

    The Azure Active Directory user account form element shows which user account is linked to it.

For more information about Azure Active Directory, see the One Identity Manager Administration Guide for Connecting to Azure Active Directory.

Active Directory contacts

A contact is a non-security principal. That means a contact cannot log into a domain. A contact, for example, represents a user outside the company and is mainly used for distribution and email purposes.

Related topics

Creating and editing Active Directory contacts

A contact can be connected to an employee in One Identity Manager. You can also manage contacts separately from employees.

NOTE:

  • It is recommended to use account definitions to set up contacts for company employees. If an account definition is used to set up a contact, some of the main data described in the following is composed of the employee’s main data using templates. The amount of data, in this case, is based on the default manage level of the account definitions. The templates supplied should be customized as required.

  • If employees receive their contacts through account definitions, the employees must have a central user account and obtain their IT operating data through assignment to a primary department, primary location or a primary cost center.

To create and edit a contact

  1. In the Manager, select the Active Directory > Contacts category.

  2. Select the contact in the result list and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the contact's main data.

  4. Save the changes.

To manually assign or create a contact for an employee

  1. In the Manager, select the Employees > Employees category.

  2. Select the employee from the result list and run the Assign Active Directory contacts task.

  3. Assign a contact.

  4. Save the changes.
Detailed information about this topic

General main data for Active Directory contacts

Enter the following data on the General tab.

Table 43: General main data
Property Description

Employee

Employee who uses the contact. An employee is already entered if the contact was generated by an account definition. If you are using automatic employee assignment, an associated employee is created when you save the contact and added to the contact. If you create the contact manually, you can select an employee in the menu.

No link to an employee required

Specifies whether the contact is intentionally not assigned an employee. The option is automatically set if a contact is included in the exclusion list for automatic employee assignment or a corresponding attestation is carried out. You can set the option manually. Enable the option if the contact does not need to be linked with an employee (for example, if several employees use the contact).

If attestation approves these contacts, these contacts will not be submitted for attestation in the future. In the Web Portal, contact that are not linked to an employee can be filtered according to various criteria.

Not linked to an employee

Indicates why the No link to an employee required option is enabled for this contact. Possible values:

  • By administrator: The option was set manually by the administrator.

  • By attestation: The contact was attested.

  • By exclusion criterion: The contact is not associated with an employee due to an exclusion criterion. For example, the contact is included in the exclude list for automatic employee assignment (configuration parameter PersonExcludeList).

Account definition

Account definition through which the contact was created.

Use the account definition to automatically populate contact main data and to specify a manage level for the contact. One Identity Manager finds the IT operating data of the assigned employee and uses it to populate the corresponding fields in the contact.

NOTE: The account definition cannot be changed once the contact has been saved.

To create the contact manually through an account definition, enter an employee in the Employee field. You can select all the account definitions assigned to this employee and through which no contact has been created for this employee.

Manage level

Contact's manage level. Select a manage level from the menu. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.

First name

The contact’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name

The contact's last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Initials

The contact’s initials. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Title

Contact’s academic title. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Display name

The contact’s display name. The display name is made up of the contact’s first and last names.

Structural object class

Structural object class representing the object type. Normally you set up contacts in One Identity Manager using the CONTACT object class.

Name

The contact’s identifier. The identifier is made up of the contact’s first and last names.

Distinguished name

Contact's distinguished name. The distinguished name is formatted from the contact's identifier and the container and cannot be changed.

Domain

Domain in which to create the contact.

Container

Container in which to create the contact. If you have assigned an account definition, the container is determined from the company IT data for the assigned employee depending on the manage level of the user account. The distinguished name for the contact is determined by a template when the container is selected.

Email address

Contact's email address. If you assigned an account definition, the email address is made up of the employee’s default email address depending on the manage level of the user account.

Risk index (calculated)

Maximum risk index value of all assigned groups. The property is only visible if the QER | CalculateRiskIndex configuration parameter is set. For detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Category for the contact to inherit groups. Groups and be selectively inherited by contacts. To do this, the groups and contacts are divided into categories. Select one or more categories from the menu.

Description

Text field for additional explanation.

Identity

Contact's type of identity.

Groups can be inherited

Specifies whether the employee's groups are inherited. If this option is set, contacts inherit groups through hierarchical roles.

If you add an employee with a contact to an apartment, for example, and you have assigned groups to this department, the contact inherits the groups.

Protected from accidental deletion

Specifies whether to protect the contact against accidental deletion. If the option is set, the permissions for deleting the contact are removed in Active Directory. The contact cannot be deleted or moved.

Related topics
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation