|
Property |
Meaning |
|---|---|
|
Application role |
Application role name. |
|
Internal name |
Empty text field for a internal company identifier |
|
Full name |
Full name of application role. Is made up automatically from the application role name and the parent application role. |
|
Parent application role |
Application role to which the application role being edited is subordinate. |
|
Department, location, cost center |
Additional information for the application role definition. These input fields are only used for information. They do not indicate for which department, cost center or location the application roles are responsible. |
|
Manager |
Manager responsible for the application role. |
|
Deputy manager |
Deputy manager for the application role. |
|
Additional manager |
Application role for a group of managers and deputies who manage this application role. To create a new application role, click |
|
Permissions group |
Permissions group for determining permissions for role-based login. The application role is given the permissions of the associated permissions group. If no permissions group assigned, the application role is obtains the permissions from the parent application role. Administrators can assign the rest of the application roles to custom defined permissions groups. NOTE: Permissions groups for default administrator application roles for cannot be edited. |
|
Description |
Text field for additional explanation. |
|
Comment |
Text field for additional explanation. |
|
Certification status |
Status of the application role's certification. The following values can be selected.
|
|
Block inheritance |
Specifies whether inheritance for this application role can be discontinued. Set this option to prevent company resources being inherited by child application roles. NOTE: Inheritance of application roles can only be discontinued if they are custom application roles. |
|
Dynamic roles not allowed |
Specifies whether a dynamic role can be created for the application role. |
|
Spare field no. 01 ... Spare field no. 10 |
Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields. |
About this guide
One Identity Manager application roles
Application roles overview
Granting One Identity Manager schema permissions through permissions groups
Application roles for basic functions
Application role for the Operations Support Web Portal
Application role for Compliance & Security Officers
Application role for auditors
Application roles for identity audit
Application roles for company policies
Application roles for attestation
Application roles for subscribable reports
Application roles for management levels
Application roles for business roles
Application roles for organizations
Application role for application roles
Application for employee administrators
Application roles for the IT Shop
Application roles for target systems
Application roles for Universal Cloud Interface
Application role for Privileged Account Governance
Application roles for Application Governance
Application roles for custom tasks
Implementing the application roles
Creating and editing application roles
Main data of application roles
Assigning employees to application roles
Custom extension of application role permissions
Creating and editing dynamic roles for application roles
Specifying mutually exclusive application roles
Assigning subscribable reports to application roles
Assigning extended properties to application roles
Generating assignment resources for application roles
Reports about application roles
Predefined permissions groups and system users
Rules for determining the valid permissions for tables and columns
Editing permissions groups
Managing permissions to program functions
Dependencies between permissions groups
Permissions group dependencies
Copying permissions groups
Creating permissions groups
Permissions group properties
Editing system users
Creating system users
System users’ passwords
System user properties
Adding system users to permission groups
Which employees use the system user?
Dynamic system user
Permissions for tables and columns
Displaying permissions of a permissions group
Displaying permissions for tables
Editing table permissions
Editing column permissions
Copying table permissions and column permissions
Simulating permissions for system users
Displaying permissions for objects
Displaying permissions for the current user
Assigning role-based permissions groups to an applications
Displaying the current user's program functions
Assigning program functions to permissions groups
Permissions for running scripts
Permissions for running methods
Permissions for triggering processes
Modifying permissions for running actions in the Launchpad
One Identity Manager authentication modules
System users
Generic single sign-on (role-based)
Employee
Employee (role-based)
Employee (dynamic)
User account
User account (role-based)
User account (manual input/role-based)
Account based system user
Active Directory user account
Active Directory user account (role-based)
Active Directory user account (manual input)
Active Directory user account (manual input/role-based)
Active Directory user account (dynamic)
LDAP user account (role-based)
LDAP user account (dynamic)
HTTP header
HTTP header (role-based)
OAuth 2.0/OpenID Connect
OAuth 2.0/OpenID Connect (role-based)
Synchronization authentication module
Web agent authentication module
Component authentication module
Crawler
Password reset
Password reset (role-based)
Decentralized identity
Decentralized Identity (role-based)
Editing authentication modules
OAuth 2.0/OpenID Connect authentication
Enabling authentication modules
Assigning authentication modules to applications
Disabling or enabling authentication modules for applications
Authentication module properties
Initial data for authentication modules
Configuration data for system user dynamic authentication
Checking authentication
Expiry of the OAuth 2.0/OpenID Connect authentication
Creating the OAuth 2.0/OpenID Connect configuration
Assigning OAuth 2.0/OpenID Connect configuration to web applications
Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications
Specifying enabled and disabled columns for logging in
Logging information about OAuth 2.0/OpenID Connect authentication
Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API
Multi-factor authentication in One Identity Manager
Granular permissions for the SQL Server and database
Displaying database server logins
Displaying users' access levels
Displaying server roles and database roles permissions
Installing One Identity Redistributable STS
Preventing blind SQL injection
Program functions for starting the One Identity Manager tools
Minimum access levels of One Identity Manager tools
Main data of application roles
. Enter the application role name and assign a parent application role.Assigning employees to application roles
Assigned employees obtain all the permissions of the permission group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role.
If there are no employees directly assigned to an application role, the employees of the parent application role inherit the permissions.
NOTE: The application roles for Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers, and Base roles | Birthright Assignments are automatically assigned to employees. Do not make any manually assignments to these application roles.
To assign employees to an application role
-
In the Manager, select an application role in the One Identity Manager Administration category.
-
Select the Assign employees task.
-
In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove assigned employees.
To remove an assignment
-
Select the employee and double-click
.
-
- Save the changes.
Related topics
Custom extension of application role permissions
For role-based login, application roles must link to a permissions group in which permissions for One Identity Manager are defined. The application role is given the permissions of the associated permissions group. If no permissions group assigned, the application role is obtains the permissions from the parent application role.
Some of the default application roles are already assigned permissions groups. These permissions groups have the permissions for the tables and columns and are equipped with menu items, forms, tasks, and program functions, which allow the application data to be edited in the Manager and in the Web Portal.
You can assign customized permissions groups to application roles so that the permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.
NOTE: You can simplify grouping of permissions by using hierarchical linking of permissions groups. Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging parent permissions groups.
Proceed as follows:
-
In the Designer, create a new permissions group .
NOTE: Set the Only use for role-based authentication option for the permissions group.
-
In the Designer, make the new permissions group dependent on the default permissions group of the application role. Assign the default permissions group as a parent permissions group. This means the newly defined permissions group inherits the properties of the default permissions group.
-
In the Designer, grant additional edit permissions for menu items, forms, tables, or columns.
-
In the Manager, assign the new permissions group to the application role.
A user who logs in to the Manager or to the Web Portal with an application role changed in this way receives – in addition to the default privileges of this application role – the custom permissions.
Related topics
Creating and editing dynamic roles for application roles
Use this task to assign employees to an application role through dynamic roles. For more information about using dynamic roles, see the One Identity Manager Identity Management Base Module Administration Guide.
NOTE: The task Create dynamic role is only available for application roles that do not have the option Dynamic roles not allowed set.
To create a dynamic role for the application role
-
In the Manager in the One Identity Manager Administration category, select the application role.
-
Select the Create dynamic role task.
-
Enter the required main data. The following applies to dynamic roles for application roles:
-
Object class: Select Employee.
-
Application role: This data is preset with the selected application role. If these objects fulfill the dynamic role conditions, they become members in the application role.
-
Dynamic role: The dynamic role name is made up of the object class and the full name of the application role by default.
-
- Save the changes.
To edit a dynamic role
-
In the Manager in the One Identity Manager Administration category, select the application role.
-
Select the Application role overview task.
-
In the overview form, click the dynamic role name in the Dynamic roles form element.
-
Select the Change main data task.
-
Edit the dynamic role.
- Save the changes.