
Identity Manager On Demand - Starling Edition Hosted - Identity Management Base Module Administration Guide


Dynamic roles with incorrectly excluded identities

In the Manager, you can obtain an overview of all the dynamic roles with conflicting entries in the exclude list. This means that for at least one item in the list the following applies:

  • The dynamic role condition does not apply.

    For example, this might occur if the dynamic role condition was changed after an identity was entered in the exclude list.

    - OR -

  • The excluded identity is also assigned to the role in another way, such as through inheritance or direct assignment.

Check these entries and correct the assignments.

To check conflicting entries of departments, locations, or cost centers in the exclusion list

  1. In the Manager, select the Organizations > Troubleshooting > Dynamic roles with potentially incorrect excluded identities category.

  2. Select the dynamic role in the result list.

  3. Select the Exclude identities task.

    In the exclusion list you can see which identities are affected by the given conditions.

Assign organizations

Use this task to map the relationships of a department, cost center, or location to other roles. This task has the same effect as assigning a department, cost center, or location on the role main data form. The assignment is entered in the respective foreign key column in the base table.

To assign a cost center or location to departments

  1. In the Manager, select the Organizations > Cost centers or the Organizations > Locations category.

  2. Select the role in the result list.

  3. Select the Assign organizations task.

  4. Select the Departments tab.

  5. In the Add assignments pane, assign departments.

    The selected role is primarily assigned to all departments as a cost center or location.

  6. Save the changes.

To assign a department or a location to cost centers

  1. In the Manager, select the Organizations > Departments or the Organizations > Locations category.

  2. Select the role in the result list.

  3. Select the Assign organizations task.

  4. Select the Cost centers tab.

  5. In the Add assignments pane, assign cost centers.

    The selected role is primarily assigned to all cost centers as a department or location.

  6. Save the changes.

To assign a department or a cost center to locations

  1. In the Manager, select the Organizations > Departments or the Organizations > Cost centers category.

  2. Select the role in the result list.

  3. Select the Assign organizations task.

  4. Select the Locations tab.

  5. In the Add assignments pane, assign locations.

    The selected role is primarily assigned to all locations as a department or cost center.

  6. Save the changes.

Specifying inheritance exclusion for departments, cost centers, and locations

By assigning identities, devices, or workdesks to roles and through the associated inheritance of company resources, an identity, device, or workdesk may obtain company resources that should not be assigned in this combination. To prevent this, you define inheritance exclusion. To do this, you specify which role of a pair of roles can inherit the company resources if an identity (device or workdesk) is a member in both. Inheritance through excluded roles cannot occur.

NOTE: It is possible to assign identities, devices, or workdesks to an excluded role directly or by assignment request. This can be done at any time. One Identity Manager determines whether the assignment takes effect when it calculates the role memberships.

Example: Inheritance exclusion
  • Group A is assigned through the department "Marketing", group B through the department "Finance", and group C through the department "Controlling".

Jo User1 has a user account in this target system. They belong to the "Marketing" department. The "Controlling" and "Finance" departments are assigned to them secondarily. The user account would normally, without inheritance exclusion, obtain all permissions of groups A, B, and C.

By using suitable controls, you want to prevent an identity from being able to trigger a request and to pay invoices. Inheritance exclusion is defined for the "Finance" department to do this. An identity that checks invoices may not be able to make invoice payments as well. Inheritance exclusion is defined for the "Controlling" department to do this.

Table 27: Definition of inheritance exclusion

| Department | Excluded department (UID_DepartmentExcluded) | Assigned group |
|---|---|---|
| Marketing | | Group A |
| Finance | Marketing | Group B |
| Controlling | Finance | Group C |

Table 28: Resulting assignments for user accounts

| Identity | Member in department | Effective department | Effective group |
|---|---|---|---|
| Pat Identity1 | Marketing | Marketing | Group A |
| Jan User3 | Marketing, Finance | Finance | Group B |
| Jo User1 | Marketing, Finance, Controlling | Controlling | Group C |
| Chris User2 | Marketing, Controlling | Marketing, Controlling | Group A, Group C |

Only the group C assignment is in effect for Jo User1 due to inheritance exclusion. If Jo User1 leaves the "Controlling" department at a later date, their membership in the department takes effect again and group B is reassigned to the user account.

NOTE: Only directly defined inheritance exclusions between the roles are taken into account.

For Chris User2, group assignments A and C remain because no direct inheritance exclusion was defined between the "Marketing" and "Controlling" departments. That means that the identity is authorized to trigger requests and to check invoices. If this should not be allowed either, define further inheritance exclusion for the "Controlling" department.

Table 29: Resulting assignments for the user account

| Identity | Member in department | Excluded department (UID_DepartmentExcluded) | Assigned group | Effective department | Effective group |
|---|---|---|---|---|---|
| Chris User2 | Marketing | | Group A | Controlling | Group C |
| | Controlling | Finance, Marketing | Group C | | |
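
A model of the rule illustrated by Tables 27 to 29, added here as an example; it is not One Identity Manager code. The suppression rule is an assumption inferred from the tables, and `sod_gaps` with its forbidden group pairs is a hypothetical helper for finding combinations that no direct exclusion covers, as in the Chris User2 case.

```python
# Model of direct inheritance exclusion, reproducing Tables 27-29 (added example).
# Assumption: a department is suppressed for an identity when another department
# the identity belongs to lists it directly as excluded.

# Table 27: department -> directly excluded departments (UID_DepartmentExcluded)
EXCLUDED = {"Marketing": set(), "Finance": {"Marketing"}, "Controlling": {"Finance"}}
GROUPS = {"Marketing": "Group A", "Finance": "Group B", "Controlling": "Group C"}

# Table 28: identity -> department memberships (primary and secondary)
MEMBERSHIPS = {
    "Pat Identity1": {"Marketing"},
    "Jan User3": {"Marketing", "Finance"},
    "Jo User1": {"Marketing", "Finance", "Controlling"},
    "Chris User2": {"Marketing", "Controlling"},
}


def effective_departments(member_of, excluded):
    """Return the departments that still pass resources on to the identity."""
    suppressed = set()
    for dept in member_of:
        # Only exclusions defined directly on a department are applied. A
        # suppressed department still suppresses its own excluded departments,
        # which is what Table 28 shows for Jo User1.
        suppressed |= excluded.get(dept, set()) & member_of
    return member_of - suppressed


def effective_groups(member_of, excluded, groups=GROUPS):
    """Return the groups inherited through the effective departments."""
    return {groups[d] for d in effective_departments(member_of, excluded)}


def sod_gaps(memberships, excluded, forbidden_pairs, groups=GROUPS):
    """List identities whose effective groups still contain a forbidden pair."""
    gaps = {}
    for identity, member_of in memberships.items():
        held = effective_groups(member_of, excluded, groups)
        hits = [pair for pair in forbidden_pairs if set(pair) <= held]
        if hits:
            gaps[identity] = hits
    return gaps


if __name__ == "__main__":
    for name, depts in MEMBERSHIPS.items():
        print(name, sorted(effective_groups(depts, EXCLUDED)))
    # Forbidden combinations named in the example text (A+B, B+C, A+C).
    pairs = [("Group A", "Group B"), ("Group B", "Group C"), ("Group A", "Group C")]
    print(sod_gaps(MEMBERSHIPS, EXCLUDED, pairs))
```

Adding "Marketing" to the exclusions of "Controlling", as in Table 29, empties the result of `sod_gaps` for this data.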

You can define conflicting roles to prevent identities, devices, or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. At the same time, specify which departments, cost centers, and locations are mutually exclusive. This means you may not assign these roles to one and the same identity (device, workdesk).

NOTE: Only roles that are defined directly as conflicting roles cannot be assigned to the same identity (device, workdesk). Definitions made on parent or child roles do not affect the assignment.

To configure inheritance exclusion

  • In the Designer, set the QER | Structures | ExcludeStructures configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

To define inheritance exclusion for a department

  1. In the Manager, select the Organizations > Departments category.

  2. Select the department in the result list.

  3. Select Edit conflicting departments.

  4. In the Add assignments pane, assign departments that are mutually exclusive to the selected department.

    - OR -

    In the Remove assignments pane, remove the departments that are no longer mutually exclusive.

  5. Save the changes.

To define inheritance exclusion for a cost center

  1. In the Manager, select the Organizations > Cost centers category.

  2. Select the cost center in the result list.

  3. Select Edit conflicting cost centers.

  4. In the Add assignments pane, assign cost centers that are mutually exclusive to the selected cost center.

    - OR -

    In the Remove assignments pane, remove the cost centers that are no longer mutually exclusive.

  5. Save the changes.

To define inheritance exclusion for a location

  1. In the Manager, select the Organizations > Locations category.

  2. Select the location in the result list.

  3. Select Edit conflicting locations.

  4. In the Add assignments pane, assign locations that are mutually exclusive to the selected location.

    - OR -

    In the Remove assignments pane, remove the locations that are no longer mutually exclusive.

  5. Save the changes.

Assigning extended properties to departments, cost centers, and locations

You can assign extended properties to departments, cost centers, and locations. Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.

To set extended properties

  1. In the Manager, select the Organizations > <role class> category.

  2. Select the role in the result list.

  3. Select Assign extended properties.

  4. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click .

  5. Save the changes.