Identity Manager 9.0 LTS - Authorization and Authentication Guide

NOTE: This authentication module is available if the Identity Management Base Module is installed.

Credentials	The authentication module uses the login data of the user currently logged in on the workstation.
Prerequisites	The employee exists in the One Identity Manager database. The employee is assigned at least one application role. The user account exists in the One Identity Manager database and the employee is entered in the user account's main data.
Set as default	No
Single sign-on	Yes
Front-end login allowed	Yes
Web Portal login allowed	Yes
Remarks	One Identity Manager searches for the user account according to the configuration and finds the employee assigned to the user account. If an employee has more than one identity, the QER \| Person \| MasterIdentity \| UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication. If this configuration parameter is set, the employee’s main identity is used for authentication. If this configuration parameter is set, the employee’s subidentity is used for authentication. A dynamic system user is determined from the employee's application roles. The user interface and the permissions are loaded through this system user. Changes to the data are assigned to the logged in employee.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 28: Configuration parameters for the authentication module
Configuration parameter	Meaning
QER \| Person \| GenericAuthenticator	Specifies whether authentication through single sign-on is supported.
QER \| Person \| GenericAuthenticator \| SearchTable	Table in the One Identity Manager schema which stores the user information. The table must contain a foreign key with the name UID_Person (or CCC_UID_Person) that references the Person table. Example: ADSAccount
QER \| Person \| GenericAuthenticator \| SearchColumn	Column from the One Identity Manager table (SearchTable) that is used to search for user name of the current user. Example: CN
QER \| Person \| GenericAuthenticator \| EnabledBy	Pipe (\|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) enabled by the user account for the login.
QER \| Person \| GenericAuthenticator \| DisabledBy	Pipe (\|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) disabled by the user account for the login. Example: AccountDisabled

Employee

NOTE: This authentication module is available if the Identity Management Base Module is installed.

Credentials	Employee's central user account and password.
Prerequisites	The system user with permissions exists in the One Identity Manager database. The employee exists in the One Identity Manager database. The central user account is entered in the employee's main data. The system user is entered in the employee's main data. The system user password is entered in the employee's main data.
Set as default	Yes
Single sign-on	No
Front-end login allowed	Yes
Web Portal login allowed	Yes
Remarks	If an employee has more than one identity, the QER \| Person \| MasterIdentity \| UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication. If this configuration parameter is set, the employee’s main identity is used for authentication. If this configuration parameter is set, the employee’s subidentity is used for authentication. The user interface and permissions are loaded through the system user that is directly assigned to the logged in employee. Changes to the data are assigned to the logged in employee.

Employee (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

Credentials	Employee's central user account and password.
Prerequisites	The employee exists in the One Identity Manager database. The central user account is entered in the employee's main data. The system user password is entered in the employee's main data. The employee is assigned at least one application role.
Set as default	Yes
Single sign-on	No
Front-end login allowed	Yes
Web Portal login allowed	Yes
Remarks	If an employee has more than one identity, the QER \| Person \| MasterIdentity \| UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication. If this configuration parameter is set, the employee’s main identity is used for authentication. If this configuration parameter is set, the employee’s subidentity is used for authentication. A dynamic system user is determined from the employee's application roles. The user interface and the permissions are loaded through this system user. Changes to the data are assigned to the logged in employee.

Employee (dynamic)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

Credentials	Employee's central user account and password.
Prerequisites	The employee exists in the One Identity Manager database. The central user account is entered in the employee's main data. The system user password is entered in the employee's main data. The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.
Set as default	Yes
Single sign-on	No
Front-end login allowed	Yes
Web Portal login allowed	Yes
Remarks	If an employee has more than one identity, the QER \| Person \| MasterIdentity \| UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication. If this configuration parameter is set, the employee’s main identity is used for authentication. If this configuration parameter is set, the employee’s subidentity is used for authentication. The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and permissions are loaded through the system user that is dynamically assigned to the logged in employee. Changes to the data are assigned to the logged in employee.

Configuration parameter	Meaning
QER \| Person \| GenericAuthenticator	Specifies whether authentication through single sign-on is supported.
QER \| Person \| GenericAuthenticator \| SearchTable	Table in the One Identity Manager schema which stores the user information. The table must contain a foreign key with the name UID_Person (or CCC_UID_Person) that references the Person table. Example: ADSAccount
QER \| Person \| GenericAuthenticator \| SearchColumn	Column from the One Identity Manager table (SearchTable) that is used to search for user name of the current user. Example: CN
QER \| Person \| GenericAuthenticator \| EnabledBy	Pipe (\|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) enabled by the user account for the login.
QER \| Person \| GenericAuthenticator \| DisabledBy	Pipe (\|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) disabled by the user account for the login. Example: AccountDisabled