Many cloud applications use different entitlement types to manage user entitlements. In addition to groups, these can also be roles or permissions sets, for example. Using synchronization projects created with the Synchronization of a One Identity Starling Connect environment project template, the different types are mapped in the One Identity Manager as follows.
Type | Table | Display name
---|---|---
Group | UCIGroup | Groups
Role | UCIGroup1 | System entitlements 1
Profiles | UCIGroup2 | System entitlements 2
Entitlement | UCIGroup3 | System entitlements 3
Permissionset | UCIItem | Permissions controls
NOTE: In synchronization projects created with a One Identity Manager version older than 8.2, objects of type Profile are also mapped in the UCIItem table.
A user account obtains the required entitlements for accessing target system resources through its memberships in groups and system entitlements. Depending on the target system, memberships are either maintained in the user accounts (user-based membership) or in the system entitlements (entitlement-based membership). When setting up synchronization using the One Identity Starling Connect synchronization project template, the SCIM connector determines the object type where the memberships are stored. Memberships are mapped in the following tables:
Table | Display name
---|---
UCIUserHasGroup | Groups: Assignments to user accounts
UCIUserHasGroup1 | System entitlement 1: Assignments to user accounts
UCIUserHasGroup2 | System entitlement 2: Assignments to user accounts
UCIUserHasGroup3 | System entitlement 3: Assignments to user accounts
UCIUserHasItem | User accounts: Permission control assignments
UCIUserInGroup | User accounts: Assignment to groups
UCIUserInGroup1 | User accounts: Assignment to system entitlements 1
UCIUserInGroup2 | User accounts: Assignment to system entitlements 2
UCIUserInGroup3 | User accounts: Assignment to system entitlements
Permissionset type memberships are always user-based.
By default, only groups are mapped by synchronization projects created with the SCIM Synchronization project template. The SCIM connector determines the object type where the memberships are stored and maps them accordingly either in the UCIUserHasGroup table or in the UCIUserInGroup table.
The cloud application stores which system entitlement types are used and whether the memberships are stored with user accounts or system entitlements.
To display the types of system entitlements used

- In the Manager, select the Universal Cloud Interface > Basic configuration data > Cloud applications category.
- In the result list, select a cloud application and select the Change main data task.
- System entitlement types used: List of types of system entitlements used in the cloud application.
- User account contains memberships: List of types of system entitlements for which memberships are stored with the user account. For types not listed here, the memberships are stored with the system entitlements.

TIP: If the cloud application schema cannot be adequately represented by any default project template, customize the synchronization configuration. At the same time, define how the system entitlements are mapped in the One Identity Manager schema. When you are setting up synchronization, ensure that the base object for the cloud application (CSMRoot) is created in the database and that the System entitlement types used (GroupUsageMask) and User account contains memberships (UserContainsGroupList) properties are set correctly.
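The following is an added example, not One Identity Manager code: it encodes the table mapping from this page and derives, for one cloud application, which Universal Cloud Interface tables hold its system entitlements and their memberships, rejecting an inconsistent combination of the two CSMRoot properties. It assumes that GroupUsageMask and UserContainsGroupList are modelled as sets of type names; their real encodings are not given on this page.

```python
# Added example, not One Identity Manager code. Assumption: the CSMRoot
# properties GroupUsageMask (types used) and UserContainsGroupList (types whose
# memberships live with the user account) are modelled as sets of type names.

# type -> (entitlement table, user-based membership table, entitlement-based membership table)
TYPE_TABLES = {
    "Group": ("UCIGroup", "UCIUserInGroup", "UCIUserHasGroup"),
    "Role": ("UCIGroup1", "UCIUserInGroup1", "UCIUserHasGroup1"),
    "Profiles": ("UCIGroup2", "UCIUserInGroup2", "UCIUserHasGroup2"),
    "Entitlement": ("UCIGroup3", "UCIUserInGroup3", "UCIUserHasGroup3"),
    # Permissionset memberships are always user-based: no entitlement-based table.
    "Permissionset": ("UCIItem", "UCIUserHasItem", None),
}


def resolve_membership_tables(types_used, user_based_types):
    """Return {type: (entitlement_table, membership_table)} for the types a cloud
    application uses, choosing the user-based or entitlement-based membership
    table per type as the two properties dictate.

    Raises ValueError for an unknown type or for a type listed as user-based
    that the application does not use at all (a misconfigured CSMRoot).
    """
    unknown = set(types_used) - TYPE_TABLES.keys()
    if unknown:
        raise ValueError(f"unknown system entitlement type(s): {sorted(unknown)}")
    stray = set(user_based_types) - set(types_used)
    if stray:
        raise ValueError(f"user-based membership listed for unused type(s): {sorted(stray)}")

    result = {}
    for entitlement_type in types_used:
        ent_table, user_based_table, ent_based_table = TYPE_TABLES[entitlement_type]
        # Types not in UserContainsGroupList store memberships with the system
        # entitlement; Permissionset has no such table and is forced user-based.
        if entitlement_type in user_based_types or ent_based_table is None:
            result[entitlement_type] = (ent_table, user_based_table)
        else:
            result[entitlement_type] = (ent_table, ent_based_table)
    return result


if __name__ == "__main__":
    # Constructed configuration: groups are user-based, roles entitlement-based.
    for t, tables in sorted(resolve_membership_tables(
            {"Group", "Role", "Permissionset"}, {"Group"}).items()):
        print(f"{t:14s} entitlements in {tables[0]:10s} memberships in {tables[1]}")
```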