
Identity Manager 8.1.5 - Administration Guide for Connecting to SharePoint


Editing search criteria for automatic employee assignment

The criteria for employee assignments are defined for the site collection. In this case, you specify which user account properties must match the employee’s properties such that the employee can be assigned to the user account. You can limit search criteria further by using format definitions. The search criterion is written in XML notation to the Search criteria for automatic employee assignment column (AccountToPersonMatchingRule) in the SPSSite table.

Search criteria are evaluated when employees are automatically assigned to user accounts. Furthermore, you can create a suggestion list for assignments of employees to user accounts based on the search criteria and make the assignment directly.

NOTE: When the employees are assigned to user accounts on the basis of search criteria, user accounts are given the default manage level of the account definition entered in the user account's target system. You can customize user account properties depending on how the behavior of the manage level is defined.

It is not recommended to make assignments to administrative user accounts based on search criteria. Use Change master data to assign employees to administrative user accounts for the respective user account.

NOTE: One Identity Manager supplies a default mapping for employee assignment. Only carry out the following steps when you want to customize the default mapping.

To specify criteria for employee assignment

  1. Select the SharePoint | Site collections category.
  2. Select the site collection in the result list.
  3. Select the Define search criteria for employee assignment task.
  4. Specify which user account properties must match with which employee so that the employee is linked to the user account.
    Table 27: Default search criteria for user accounts
    Apply to: User accounts (user authenticated)
    Column for employee: Central user account (CentralAccount)
    Column for user account: Login name (LoginName)
  5. Save the changes.
Direct assignment of employees to user accounts based on a suggestion list

In the Assignments pane, you can create a suggestion list for assignments of employees to user accounts based on the search criteria and make the assignment directly. User accounts are grouped in different views for this.

Table 28: Manual assignment view

View

Description

Suggested assignments

This view lists all user accounts to which One Identity Manager can assign an employee. All employees are shown who were found using the search criteria and can be assigned.

Assigned user accounts

This view lists all user accounts to which an employee is assigned.

Without employee assignment

This view lists all user accounts to which no employee is assigned and for which no employee was found using the search criteria.

TIP: By double-clicking on an entry in the view, you can view the user account and employee master data.

To apply search criteria to user accounts

  • Click Reload.

    All possible assignments based on the search criteria are found in the target system for all user accounts. The three views are updated.

To assign employees directly using a suggestion list

  1. Click Suggested assignments.
    1. Check the Selection box of all the user accounts to which you want to assign the suggested employees. Multi-select is possible.
    2. Click Assign selected.
    3. Confirm the security prompt with Yes.

      The employees found using the search criteria are assigned to the selected user accounts.

    – OR –

  2. Click No employee assignment.
    1. Click the Select employee option of the user account to which you want to assign an employee. Select an employee from the menu.
    2. Check the Selection box of all the user accounts to which you want to assign the selected employees. Multi-select is possible.
    3. Click Assign selected.
    4. Confirm the security prompt with Yes.

      The employees displayed in the Employee column are assigned to the selected user accounts.

To remove assignments

  1. Click Assigned user accounts.
    1. Click the Selection box of all user accounts you want to delete the employee assignment from. Multi-select is possible.
    2. Click Remove selected.
    3. Confirm the security prompt with Yes.

      The assigned employees are removed from the selected user accounts.
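The following added example is not One Identity Manager code; it models, in plain Python, how the default search criterion from Table 27 (CentralAccount must equal LoginName) sorts user accounts into the three views of the Assignments pane, and what Assign selected and Remove selected change. The class names, the case-insensitive comparison, and the rule that administrative accounts are never suggested (following the recommendation above) are choices made for this example, and all sample employees and accounts are constructed.

```python
# Added example (not One Identity Manager code): a model of how the default
# search criterion from Table 27 partitions SharePoint user accounts into the
# three views of the Assignments pane. Class and function names are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    uid: str              # UID_Person
    central_account: str  # Person.CentralAccount


@dataclass
class SPSUser:
    uid: str                             # UID_SPSUser
    login_name: str                      # SPSUser.LoginName
    is_admin: bool = False               # administrative account (assign manually)
    employee_uid: Optional[str] = None   # assigned employee, None if unassigned


def match_employee(account: SPSUser, employees: List[Employee]) -> Optional[Employee]:
    """Default criterion: CentralAccount must equal LoginName.
    A suggestion is only made when exactly one employee matches. The comparison
    is case-insensitive, a simplification chosen for this example."""
    hits = [e for e in employees
            if e.central_account.lower() == account.login_name.lower()]
    return hits[0] if len(hits) == 1 else None


def build_views(accounts: List[SPSUser],
                employees: List[Employee]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """What 'Reload' does: evaluate the search criteria for every account and
    sort the accounts into the three views. Administrative accounts are never
    suggested here, following the recommendation to assign them manually."""
    views: Dict[str, List[Tuple[str, Optional[str]]]] = {
        "suggested": [], "assigned": [], "without": []}
    for acc in accounts:
        if acc.employee_uid is not None:
            views["assigned"].append((acc.uid, acc.employee_uid))
            continue
        emp = None if acc.is_admin else match_employee(acc, employees)
        if emp is not None:
            views["suggested"].append((acc.uid, emp.uid))
        else:
            views["without"].append((acc.uid, None))
    return views


def assign_selected(accounts: List[SPSUser], views, selected: List[str]) -> List[SPSUser]:
    """'Assign selected' in the Suggested assignments view: give each selected
    account the employee that the search criteria suggested for it."""
    suggestion = dict(views["suggested"])
    by_uid = {a.uid: a for a in accounts}
    for uid in selected:
        if uid in suggestion:
            by_uid[uid].employee_uid = suggestion[uid]
    return accounts


def remove_selected(accounts: List[SPSUser], selected: List[str]) -> List[SPSUser]:
    """'Remove selected' in the Assigned user accounts view."""
    for acc in accounts:
        if acc.uid in selected:
            acc.employee_uid = None
    return accounts


def sample_data():
    """Constructed sample data for a demonstration run."""
    employees = [Employee("P1", "jdoe"), Employee("P2", "asmith"),
                 Employee("P3", "twin"), Employee("P4", "twin"),  # ambiguous match
                 Employee("P5", "spadmin")]
    accounts = [SPSUser("U1", "jdoe"),                               # suggested
                SPSUser("U2", "ASMITH", employee_uid="P2"),         # already assigned
                SPSUser("U3", "twin"),                               # two matches: no suggestion
                SPSUser("U4", "nobody"),                             # no match
                SPSUser("U5", "spadmin", is_admin=True)]             # admin: manual only
    return accounts, employees


if __name__ == "__main__":
    accounts, employees = sample_data()
    views = build_views(accounts, employees)
    for name, rows in views.items():
        print(name, rows)
    assign_selected(accounts, views, ["U1"])
    print("after assign:", build_views(accounts, employees)["assigned"])
```

An account with an ambiguous match (two employees share the same central user account) deliberately lands in the Without employee assignment view rather than being suggested, since an automatic guess there would give the wrong person a SharePoint identity.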

Deleting and restoring SharePoint user accounts

NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the assignment of an account definition is removed, the user account that was created from this account definition is deleted.

To delete a user account

  1. Select the SharePoint | User accounts (group authenticated) or the SharePoint | User accounts (user authenticated) category.
  2. Select the user account in the result list.
  3. Click to delete the user account.
  4. Confirm the security prompt with Yes.

To restore a user account

  1. Select the SharePoint | User accounts (group authenticated) or the SharePoint | User accounts (user authenticated) category.
  2. Select the user account in the result list.
  3. Click in the result list.

When an authentication object assigned to a SharePoint user account is deleted from the One Identity Manager database, the link to the authentication object is removed from the SharePoint user account. Define a custom process to delete these user accounts from the One Identity Manager database.

Configuring deferred deletion

By default, user accounts are finally deleted from the database after 30 days. The user accounts are initially locked. You can re-enable the user accounts until deferred deletion is run. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore. In the Designer, you can set an alternative delay on the SPSUser table.

NOTE: SharePoint user accounts cannot be locked. A user account marked for deletion remains enabled until deferred deletion has expired and the user account is finally deleted from the One Identity Manager database.

To prevent a user from logging in to a site while the SharePoint user account is marked for deletion, lock the user account that is linked to the SharePoint user account as its authentication object.

SharePoint roles and groups

User accounts inherit SharePoint permissions through SharePoint roles and SharePoint groups. SharePoint groups are always defined for one site collection. SharePoint roles are defined for sites. They are assigned to groups, and the user accounts that are members of these groups inherit SharePoint permissions through them. SharePoint roles can also be assigned directly to user accounts. A user account's permissions on an individual site in a site collection are restricted to the SharePoint roles assigned to it on that site.

Terms
  • A SharePoint Role is the permission level linked to a fixed site.
  • The assignment of SharePoint permissions to a permission level is called a role definition.
  • The assignment of user account or groups to a SharePoint role is called a role assignment.

Child sites can inherit the permissions that user accounts have on their parent site. The root site of a site collection, or any site that has a child site, acts as the parent (inheritance) site. This permits the following scenarios:

  1. The child site inherits role definitions and role assignments.

    The permission levels and role definitions of the parent (inheritance) site are valid, as are its role assignments. User accounts and groups cannot be explicitly authorized for the site. Only user accounts that have permissions for the parent (inheritance) site have access to the site.

  2. The child site inherits the role definitions but not the role assignments.

    You cannot define unique permission levels for the child site. The SharePoint roles for this site reference the permission levels of the parent (inheritance) site and its role definitions. User accounts and groups can be assigned to the SharePoint roles of the child site on this basis. If unique permission levels are defined for the child site, they are overwritten by the inherited permission levels.

  3. The child site does not inherit role definitions or role assignments.

    In this case, unique permission levels with their role definitions can be added in the same way as for the root site. The SharePoint roles based on these definitions are assigned to user accounts and groups.
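The three inheritance scenarios above, worked through as an added example in plain Python (not One Identity Manager code). A site carries its own role definitions (permission level to SharePoint permissions) and role assignments (principal to permission levels); the two resolver functions decide, per scenario, which of these come from the parent (inheritance) site. Site names, group names, principals and permission names are constructed for the example.

```python
# Added example (not One Identity Manager code): a model of the three
# permission-inheritance scenarios for child sites. Site, principal and
# permission names are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

INHERIT_ALL = "inherit definitions and assignments"   # scenario 1
INHERIT_DEFINITIONS = "inherit definitions only"       # scenario 2
UNIQUE = "unique"                                      # scenario 3 (and the root site)


@dataclass
class Site:
    name: str
    mode: str
    parent: Optional["Site"] = None
    # permission level -> set of SharePoint permissions (role definitions)
    role_definitions: Dict[str, Set[str]] = field(default_factory=dict)
    # principal ("user:..." or "group:...") -> permission levels (role assignments)
    role_assignments: Dict[str, Set[str]] = field(default_factory=dict)


def effective_definitions(site: Site) -> Dict[str, Set[str]]:
    """Scenarios 1 and 2 use the parent's permission levels; any levels defined
    on the child itself are overwritten by the inherited ones."""
    if site.mode in (INHERIT_ALL, INHERIT_DEFINITIONS) and site.parent is not None:
        return effective_definitions(site.parent)
    return site.role_definitions


def effective_assignments(site: Site) -> Dict[str, Set[str]]:
    """Only scenario 1 takes the role assignments from the parent; in that case
    nothing can be authorized explicitly on the child site."""
    if site.mode == INHERIT_ALL and site.parent is not None:
        return effective_assignments(site.parent)
    return site.role_assignments


def effective_permissions(site: Site, user: str, groups: Set[str]) -> Set[str]:
    """Permissions a user account holds on a site, through direct role
    assignments and through the site-collection groups it belongs to."""
    definitions = effective_definitions(site)
    assignments = effective_assignments(site)
    principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
    perms: Set[str] = set()
    for principal in principals:
        for level in assignments.get(principal, set()):
            perms |= definitions.get(level, set())
    return perms


def build_sample_collection() -> Dict[str, Site]:
    """Constructed site collection: a root site with one child per scenario."""
    root = Site("root", UNIQUE,
                role_definitions={
                    "Read": {"ViewListItems", "ViewPages"},
                    "Contribute": {"ViewListItems", "ViewPages",
                                   "AddListItems", "EditListItems"}},
                role_assignments={"group:Visitors": {"Read"},
                                  "group:Members": {"Contribute"}})
    # Scenario 1: everything comes from the root; the local assignment is ignored
    a = Site("a", INHERIT_ALL, parent=root,
             role_assignments={"user:jdoe": {"Contribute"}})
    # Scenario 2: levels come from the root (the local "Read" is overwritten),
    # but role assignments are made on the child site itself
    b = Site("b", INHERIT_DEFINITIONS, parent=root,
             role_definitions={"Read": {"EverythingElse"}},
             role_assignments={"group:Visitors": {"Contribute"}})
    # Scenario 3: unique permission levels and unique role assignments
    c = Site("c", UNIQUE, parent=root,
             role_definitions={"Read": {"ViewPages"}},
             role_assignments={"group:Visitors": {"Read"}})
    return {"root": root, "a": a, "b": b, "c": c}


if __name__ == "__main__":
    sites = build_sample_collection()
    for name, site in sites.items():
        print(name, site.mode, sorted(effective_permissions(site, "jdoe", {"Visitors"})))
```

Running it shows why scenario 2 deserves attention in a review: a site that inherits only definitions can grant a group more on the child (Contribute on site b) than the same group holds on the parent, while scenario 1 can never widen access beyond what the parent grants.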

Figure 2: SharePoint user accounts inheriting SharePoint permissions in One Identity Manager

SharePoint groups

You can use groups in SharePoint to provide users with the same permissions. Groups that you add for site collections are valid for all sites in that site collection. SharePoint roles that you define for a site are assigned directly to groups. All user accounts that are members of these groups obtain the permissions defined in the SharePoint roles for this site.

You can edit the following group data in the One Identity Manager:

  • Object properties like display name, owner, or visibility of memberships
  • Assigned SharePoint roles and user accounts
  • Usage in the IT Shop
  • Risk assessment
  • Inheritance through roles and inheritance restrictions

To edit group master data

  1. Select the SharePoint | Groups category.
  2. Select the group in the result list. Select the Change master data task.

    - OR -

    Click in the result list.

  3. Enter the required data on the master data form.
  4. Save the changes.