The following terminology is used in connection with managing identities in One Identity Manager.
Table 26: Terms for managing identities
Term | Description
Identity | An identity usually represents a real person. Identities that do not represent real people, such as machine identities or service identities, can also be mapped in One Identity Manager.
Main identity/subidentity | Describes how one identity is associated with another. The main identity is the parent identity and the subidentity is the child identity. A main identity is a primary identity and always represents a real person. A subidentity is a virtual identity that is set up for a specific purpose.
Primary identity | A primary identity represents a real person. The identity can have user accounts and permissions assigned to it. Primary identities can be used as main identities.
Organizational identity | A virtual identity for mapping the different organizational roles of a person in the company, such as subcontracts with other functional areas. The identity can have user accounts and permissions assigned to it. An organizational identity must be assigned a main identity.
Personalized administrator identity | A virtual identity for mapping the administrative roles of a person in the company. This identity requires allocation of administrative user accounts and permissions. A personalized administrator identity must be assigned a main identity.
Sponsored identity | A virtual identity that represents an additional, functionally related identity. This identity requires allocation of user accounts and permissions that are tied to an additional function, such as permissions in a training or test environment. A sponsored identity must be assigned a manager.
Shared identity | A virtual identity for mapping function-related, cross-organizational roles in a company, such as the IT support group or the IT representatives of a company. A shared identity can be used as a subidentity of multiple main identities. A shared identity must be assigned a manager.
Service identity | A virtual identity that maps a system administrative role in an organization. Service accounts and permissions are assigned to service identities. A service identity must be assigned a manager.
Machine identity | A virtual identity that represents a machine or another non-human entity. A machine identity can have user accounts and permissions assigned to it. A machine identity must be assigned a manager.
Detailed information about this topic
In large companies, employees may need different identities for their work, for example ones that result from different contracts with different branches. These identities can differ in their affiliation to departments or cost centers, or in their access permissions. External employees working at different locations can also be represented in the system with different identities.
To map individual identities and group them at a central location, you can define main identities and subidentities in One Identity Manager. For example, if an identity has several user accounts in one target system that must be assigned to different groups, create a separate subidentity for each user account with a link to the main identity.
It is possible to test the identity’s permitted permissions per subidentity or for the main identity within the bounds of an identity audit by including all subidentities. For more information, see the One Identity Manager Compliance Rules Administration Guide.
Main identities and subidentities can be used to log in to One Identity Manager via various authentication modules. For more information, see the One Identity Manager Authorization and Authentication Guide.
Main identity
- A main identity can be assigned to one or more machine roles.
- A main identity is a primary identity and always represents a real person.
- A main identity is the central location where identities are brought together for different purposes.
- Main identities can be assigned user accounts and permissions and can initiate requests in the IT Shop.
Subidentity
- A subidentity is always connected to a main identity.
- A subidentity is a virtual identity that is set up for a specific purpose, such as for an administrative user account or to map different roles in the company.
- Enter a main identity for the subidentity using Main identity on the identity’s main data form.
- A subidentity can be assigned user accounts and permissions and can initiate requests in the IT Shop.
- In order to improve the assignment of authorizations to the target systems, the subidentities can be divided into different identity types.
The identity’s central user account is used to form the user account login name in the active target system. The central user account is also used for logging in to the One Identity Manager tools.
In the One Identity Manager default installation, the central user account is formed from the identity’s first name and last name, as Table 27 shows: the first name followed by the initial letter of the last name, in upper case. If only one of the two is known, that value alone is used for the central user account. There is always a check to see whether a central user account with that value already exists. If it does, an incremental number is appended to the value.
Table 27: Example of forming central user accounts
First name | Last name | Central user account
Alex | | ALEX
| Miller | MILLER
Alex | Miller | ALEXM
Alex | Meyer | ALEXM1
Use the QER | Person | CentralAccountGlobalUnique configuration parameter to define how to map the central user account.
- If this configuration parameter is set, the central user account for an identity is formed uniquely in relation to the central user accounts of all identities and the user account names of all permitted target systems.
- If the configuration parameter is not set, it is only formed uniquely in relation to the central user accounts of all identities. This is the default.
The identity’s default email address is shown for the mailboxes in the active target system. In the One Identity Manager default installation, the default email address is formed from the identity’s central user account and the default mail domain of the active target system.
The default mail domain is determined using the QER | Person | DefaultMailDomain configuration parameter.
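The following Python model, added here as an illustration and not code from One Identity Manager, reproduces the central user account formation described above and in Table 27, the two uniqueness modes selected by QER | Person | CentralAccountGlobalUnique, and the default email address built from the central user account and the QER | Person | DefaultMailDomain value. The formation rule (first name plus initial of the last name, upper case; one part alone if only one is known; incrementing suffix on collision) is inferred from Table 27; the function names, the sets that stand in for the identity table and the target-system account names, and the lower-casing of the email local part are assumptions of this example.

```python
"""Model of One Identity Manager central user account formation (added example, not product code)."""


def build_central_account(first_name, last_name):
    """Base value as in Table 27: first name + initial of the last name, upper case.
    If only one of the two names is known, that value is used alone."""
    first = (first_name or "").strip()
    last = (last_name or "").strip()
    if first and last:
        base = first + last[0]
    else:
        base = first or last
    if not base:
        raise ValueError("at least one of first name or last name is required")
    return base.upper()


def make_unique(base, taken):
    """Append an incrementing number (1, 2, ...) until the value no longer collides.
    Comparison is case-insensitive (assumption: login names are not case-sensitive)."""
    taken_upper = {t.upper() for t in taken}
    if base not in taken_upper:
        return base
    n = 1
    while f"{base}{n}" in taken_upper:
        n += 1
    return f"{base}{n}"


def central_account(first_name, last_name, existing_central_accounts,
                    target_system_accounts=(), global_unique=False):
    """Form the central user account for a new identity.

    existing_central_accounts: central user accounts of all identities (stand-in for the
        Person table).
    target_system_accounts: user account names in all permitted target systems; only
        consulted when global_unique is True, i.e. when
        QER | Person | CentralAccountGlobalUnique is set.
    """
    base = build_central_account(first_name, last_name)
    taken = set(existing_central_accounts)
    if global_unique:
        taken |= set(target_system_accounts)
    return make_unique(base, taken)


def default_email(central_account_value, default_mail_domain):
    """Default email address: central user account @ QER | Person | DefaultMailDomain.
    Lower-casing the local part is an assumption of this example."""
    return f"{central_account_value.lower()}@{default_mail_domain}"


def reproduce_table_27():
    """Create the four identities of Table 27 in order and return their central user accounts."""
    existing = set()
    rows = [("Alex", ""), ("", "Miller"), ("Alex", "Miller"), ("Alex", "Meyer")]
    result = []
    for first, last in rows:
        acct = central_account(first, last, existing)
        existing.add(acct)
        result.append(acct)
    return result  # ['ALEX', 'MILLER', 'ALEXM', 'ALEXM1']


if __name__ == "__main__":
    print(reproduce_table_27())
    # Constructed sample: a target system already holds an account named ALEX that belongs
    # to someone else. With the parameter off the central account still becomes ALEX; with
    # it on, the collision is avoided and ALEX1 is chosen.
    print(central_account("Alex", "", set(), {"ALEX"}, global_unique=False))
    print(central_account("Alex", "", set(), {"ALEX"}, global_unique=True))
    print(default_email("ALEXM1", "example.com"))
```

The second and third calls in the usage part show why the configuration parameter matters in practice: with it unset, a new identity's central user account is checked only against other identities, so the login name derived from it can coincide with an account that already exists in a target system (for example an unmanaged or orphaned account), and provisioning then targets that name rather than a fresh one. Setting QER | Person | CentralAccountGlobalUnique extends the uniqueness check to the account names of all permitted target systems.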
Related topics