|
Property |
Meaning |
|---|---|
|
Application role |
Application role name. |
|
Internal name |
Empty text field for a internal company identifier |
|
Full name |
Full name of application role. Is made up automatically from the application role name and the parent application role. |
|
Parent application role |
Application role to which the application role being edited is subordinate. |
|
Department, location, cost center |
Additional information for the application role definition. These input fields are only used for information. They do not indicate for which department, cost center or location the application roles are responsible. |
|
Manager |
Manager responsible for the application role. |
|
Deputy manager |
Deputy manager for the application role. |
|
Permissions group |
Permissions group for determining write permissions on role-based login. The application role is given access permissions of the associated permissions group. If there is no permissions group assigned, the application role gets write permissions from the parent application role. Administrators can assign the rest of the application roles to custom defined permissions groups. For more information, see Customized extension of application role edit permissions. NOTE: Permissions groups for default administrator application roles for cannot be edited. |
|
Description |
Text field for additional explanation. |
|
Comment |
Text field for additional explanation. |
|
Certification status |
Status of the application role's certification. The following values can be selected.
|
|
Block inheritance |
Specifies whether inheritance for this application role can be discontinued. Set this option to prevent company resources being inherited by child application roles. |
|
Dynamic roles not allowed |
Specifies whether a dynamic role can be created for the application role. |
|
Spare field no. 01 ... Spare field no. 10 |
Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields. |
About this guide
One Identity Manager application roles
Application roles overview
Granting One Identity Manager schema permissions through permissions groups
Application roles for basic functions
Compliance and security officer
Auditors
Application roles for identity audit
Application roles for company policies
Application roles for attestation
Application roles for subscribable reports
Management level
Application roles for business roles
Application roles for organizations
Application roles for employees
Application roles for the IT Shop
Application roles for target systems
Application roles for Universal Cloud Interface
Application roles for custom tasks
Implementing the application roles
Creating and editing application roles
Master data of application roles
Assigning employees to application roles
Customized extension of application role edit permissions
Additional tasks for managing application roles
Creating and editing dynamic roles for application roles
Specifying mutually exclusive application roles
Assigning subscribable reports to application roles
Assigning extended properties to application roles
Generating assignment resources for application roles
Reports about application roles
Predefined permissions groups and system users
Rules for determining the valid permissions for tables and columns
Processing permissions groups
Managing permissions to program features
Permissions groups properties
Permissions group dependencies
Copying permissions groups
Creating permissions groups
Editing system users
Creating system users
System users’ passwords
System user properties
Adding system users to permission groups
Which employees use the system user?
Deleting dynamic system users
Editing table permissions and column permissions
Displaying the permissions of a permissions group
Displaying permissions for tables
Editing table properties
Editing column permissions
Copying table permissions and column permissions
Simulating permissions for system users
Displaying permissions for objects
Displaying permissions for the current user
Assigning permissions groups to applications
Program functions for starting the One Identity Manager tools
Displaying the current user's program functions
Assigning program function to permissions groups
Permissions for executing scripts
Permissions for executing methods
Permissions for triggering processes
Modifying permissions for executing actions in the Launchpad
One Identity Manager authentication modules
System users
Generic single sign-on (role-based)
Employee
Employee (role-based)
Employee (dynamic)
User account
User account (role-based)
Account based system user
Active Directory user account
Active Directory user account (role-based)
Active Directory user account (manual input)
Active Directory user account (manual input/role-based)
Active Directory user account (dynamic)
LDAP user account (role-based)
LDAP user account (dynamic)
HTTP header
HTTP header (role-based)
OAuth 2.0/OpenID Connect
OAuth 2.0/OpenID Connect (role-based)
Synchronization authentication module
Web agent authentication module
Component authentication module
Crawler
Password reset
Password reset (role-based)
Editing authentication modules
OAuth 2.0 / OpenID Connect configuration
Enabling authentication modules
Assigning authentication modules to applications
Disabling or enabling authentication modules for applications
Authentication module properties
Initial data for authentication modules
Configuration data for system user dynamic authentication
Checking authentication
Expiry of the OAuth 2.0/OpenID Connect authentication
Creating the OAuth 2.0/OpenID Connect configuration
Assigning OAuth 2.0/OpenID Connect configuration to web applications
Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications
Specifying enabled and disabled columns for logging in
Logging information about OAuth 2.0/OpenID Connect authentication
Multi-factor authentication in One Identity Manager
Editing table properties
Preparing the Starling 2FA token request
Requesting a security code
Allowing approval decisions using the Starling 2FA app
Granulated permissions for the SQL Server and database
Master data of application roles
Assigning employees to application roles
Assigned employees obtain all the write permissions of the permission group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role.
Employees of the parent application role are inherited if no employees are directly assigned to an application role.
NOTE: The application roles for Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers, and Base roles | Birthright Assignments are automatically assigned to employees. Do not make any manually assignments to these application roles.
To assign employees to an application role
- In the Manager, select an application role in the One Identity Manager Administration category.
- Select the Assign employees task.
-
In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove assigned employees.
To remove an assignment
- Select the employee and double-click
.
- Select the employee and double-click
- Save the changes.
Related topics
Customized extension of application role edit permissions
For role-based login, the application roles require a link to a permissions group in which write permissions for One Identity Manager are defined. The application role is given access permissions of the associated permissions group. If there is no permissions group assigned, the application role gets write permissions from the parent application role.
Some of the default application roles are already assigned permissions groups. These permissions groups have the edit permissions for the tables and columns and are equipped with menu items, forms, tasks, and program functions, which allow the application data to be edited in the Manager and in the Web Portal.
You can assign customized permissions groups to application roles so that the write permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.
NOTE: You can simplify grouping of permissions by using hierarchical linking of permissions groups. Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging parent permissions groups.
Proceed as follows:
-
Create a new permissions group in the Designer.
NOTE: Set the Only use for role-based authentication option for the permissions group. - In the Designer, make the new permissions group dependent on the default permissions group of the application role. Assign the default permissions group as a parent permissions group. As a result, the newly defined permissions group inherits the properties of the default permissions group.
- In the Designer, grant additional edit permissions for menu items, forms, tables, or columns.
- In the Manager, assign the new permissions group to the application role.
A user who logs in to the Manager or to the Web Portal with an application role changed in this way receives – in addition to the default privileges of this application role – the custom edit permissions.
Related topics
Additional tasks for managing application roles
After you have entered the master data, you can run the following tasks.