Identity Manager 9.3 - Administration Guide for Connecting to Custom Target Systems

Deleting and restoring user accounts

As long as an account definition for an identity is valid, the identity retains the user account that was created by it. If the account definition assignment is removed, the user account that was created from this account definition is deleted. User accounts marked as Outstanding are only deleted if the QER | Person | User | DeleteOptions | DeleteOutstanding configuration parameter is set.

In the Manager, you can delete a user account that was not created using an account definition in the result list or from the menu bar. After you have confirmed the security alert, the user account is marked for deletion in One Identity Manager. The user account is locked in One Identity Manager and permanently deleted from the One Identity Manager database and the target system depending on the deferred deletion setting.

To delete a user account that is not managed using an account definition

  1. In the Manager, select the Custom Target Systems > <target system> > User accounts category.

  2. Select the user account in the result list.

  3. Click in the result list.
  4. Confirm the security prompt with Yes.

Deferred deletion is taken into account if a user account is being deleted. You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. You can reenable the user accounts up until deferred deletion runs.

If the QER | Person | User | DeleteOptions | ReapplyTemplatesOnRestore configuration parameter is set, the template is applied again when reenabling a user account marked for deletion that is managed through an account definition. This means that properties dependent on the IT operating data are automatically recreated according to the current configuration.

To restore a user account

  1. In the Manager, select the Custom Target Systems > <target system> > User accounts category.

  2. Select the user account in the result list.

  3. Click in the result list.

For more information about deactivating and deleting identities and user accounts, see the One Identity Manager Target System Base Module Administration Guide.

Displaying the user account overview

Use this task to obtain an overview of the most important information about a user account.

To obtain an overview of a user account

  1. In the Manager, select the Custom Target Systems > <target system> > User accounts category.

  2. Select the user account in the result list.

  3. Select the User account overview task.

Groups in custom target systems

Groups and system entitlements represent the objects used in the target system to control access to target system resources. A user account obtains the required permissions for accessing target system resources through its memberships in groups and system entitlements.

To create a group

  1. In the Manager, select the Custom Target Systems > <target system> > Groups category.

  2. Click in the result list.

  3. On the main data form, edit the main data of the group.

  4. Save the changes.

To edit group main data

  1. In the Manager, select the Custom Target Systems > <target system> > Groups category.

  2. Select the group in the result list.

  3. Select the Change main data task.

  4. On the main data form, edit the main data of the group.

  5. Save the changes.

Main data for groups

Enter the following main data of a group.

Table 26: Entering main data of a group

| Property | Description |
| --- | --- |
| Name | Name of the group. |
| Canonical name | The canonical name is generated automatically and should not be changed. |
| Group type | Detailed name of the group type. |
| Distinguished name | The distinguished name is determined using a template and must not be changed. |
| Object GUID | Unique ID used for managing the object in the target system. |
| Display name | Name for displaying the group in the user interface of One Identity Manager tools. |
| Target system | Name of the target system. |
| Container | Container in which to create the group. |
| Service item | Service item data for requesting the group through the IT Shop. |
| Risk index | Value for evaluating the risk of assigning the group to user accounts. Set a value in the range 0 to 1. This input field is only visible if the QER \| CalculateRiskIndex configuration parameter is activated. For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide. |
| Category | Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the drop-down. |
| Description | Text field for additional explanation. |
| IT Shop | Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested through the Web Portal and allocated by defined approval processes. The group can still be assigned directly to hierarchical roles. |
| Only for use in IT Shop | Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested through the Web Portal and allocated by defined approval processes. Direct assignment of the group to hierarchical roles or user accounts is not permitted. |
| Read-only memberships | Specifies whether memberships are read-only, for example, for dynamic groups. The memberships are regulated by the target system. Manual changes to memberships in One Identity Manager are not permitted. |
