Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager 9.0 LTS - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Specifying mutually exclusive application roles

It is possible that employees cannot own certain system roles at the same time. Thus, for example, exception approvers for rule violations may not be rule supervisors at the same time. To implement this behavior, you can specify mutually exclusive application roles. Then you cannot assign these application roles to the same person anymore.

NOTE: Only system roles, which are defined directly as conflicting application roles, cannot be assigned to the same employee. Definitions made on parent or child application roles do not effect the assignment.

To configure inheritance exclusion

  • In the Designer, set the QER | Structures | ExcludeStructures configuration parameter and compile the database.

To specify inheritance exclusion for application roles

  1. In the Manager in the One Identity Manager Administration category, select the application role for which you want to define an inheritance exclusion.

  2. Select the Edit conflicting application roles task.

  3. In the Add assignments pane, assign application roles that are mutually exclusive to the selected system role.

    - OR -

    In the Remove assignments pane, remove the application roles that are no longer mutually exclusive.

  4. Save the changes.

Assigning subscribable reports to application roles

Use this task to assign subscribable reports to an application role. All employee in this application role can subscribe to reports in the Web Portal. For more information about subscribable reports, see the One Identity Manager Report Subscriptions Administration Guide.

NOTE:

  • This function is only available if the Report Subscription Module is installed.

  • The task is only available if a permissions group is assigned to the application role (or a parent application role).

  • Subscribable reports cannot be assigned to the Base roles | Employee Managers, the Base roles | Everyone (Lookup), or the Base roles | Everyone (Change) application role.

To assign subscribable reports to an application role

  1. In the Manager, select an application role in the One Identity Manager Administration category.

  2. Select the Assign subscribable reports task.

  3. In the Add assignments pane, assign reports.

    TIP: In the Remove assignments pane, you can remove report assignments.

    To remove an assignment

    • Select the report and double-click .

  4. Save the changes.

Assigning extended properties to application roles

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager. For more information about using extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

To specify extended properties for an application role

  1. In the Manager, in the One Identity Manager Administration category, select the Application role.

  2. Select the Assign extended properties task.

  3. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click .

  4. Save the changes.

Generating assignment resources for application roles

It is possible to create assignment resources for individual application roles. This means you can limit assignment resources to individual application roles in the Web Portal. When the assignment resource is requested, it is no longer necessary to select the application role as well. The application role is automatically a part of the assignment request. For more information about assignment requests, see the One Identity Manager IT Shop Administration Guide.

To limit an assignment resource to one application role

  1. In the Manager in the One Identity Manager Administration category, select the Application role.

  2. Select the Create assignment resource task.

    This starts a wizard that takes you through the steps for adding an assignment resource.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation