Account definitions are assigned to company identities.
Indirect assignment is the default method for assigning account definitions to identities. Account definitions are assigned to departments, cost centers, locations, or roles. The identities are categorized into these departments, cost centers, locations, or roles depending on their function in the company and thus obtain their account definitions. To react quickly to special requests, you can assign individual account definitions directly to identities.
You can automatically assign special account definitions to all company identities. It is possible to assign account definitions to the IT Shop as requestable products. Department managers can then request user accounts from the Web Portal for their staff. It is also possible to add account definitions to system roles. These system roles can be assigned to identities through hierarchical roles or added directly to the IT Shop as products.
In the One Identity Manager default installation, the processes are checked at the start to see if the identity already has a user account in the target system that has an account definition. If no user account exists, a new user account is created with the account definition’s default manage level.
NOTE: If a user account already exists and is disabled, then it is re-enabled. In this case, you must change the user account manage level afterward.
NOTE: As long as an account definition for an identity is valid, the identity retains the user account that was created by it. If the account definition assignment is removed, the user account that was created from this account definition, is deleted. User accounts marked as Outstanding are only deleted if the QER | Person | User | DeleteOptions | DeleteOutstanding configuration parameter is set.
Prerequisites for indirect assignment of account definitions to identities
-
Assignment of identities and account definitions is permitted for role classes (departments, cost centers, locations, or business roles).
To configure assignments to roles of a role class
-
In the Manager, select role classes in the Organizations > Basic configuration data > Role classes category.
- OR -
In the Manager, select role classes in the Business roles > Basic configuration data > Role classes category.
-
Select the Configure role assignments task and configure the permitted assignments.
-
To generally allow an assignment, enable the Assignments allowed column.
-
To allow direct assignment, enable the Direct assignments permitted column.
- Save the changes.
For more information about preparing role classes to be assigned, see the One Identity Manager Identity Management Base Module Administration Guide.
Detailed information about this topic
Assign account definitions to departments, cost centers, and locations in order to assign identities to them through these organizations.
To add account definitions to hierarchical roles
-
In the Manager, select the SAP R/3 > Basic configuration data > Account definitions > Account definitions category.
-
Select an account definition in the result list.
-
Select the Assign organizations task.
-
In the Add assignments pane, assign the organizations:
-
On the Departments tab, assign departments.
-
On the Locations tab, assign locations.
-
On the Cost centers tab, assign cost centers.
TIP: In the Remove assignments pane, you can remove assigned organizations.
To remove an assignment
- Save the changes.
NOTE: This function is only available if the Business Roles Module is installed.
You can assign account definitions to business roles in order to assign them to identities through business roles.
To add account definitions to hierarchical roles
-
In the Manager, select the SAP R/3 > Basic configuration data > Account definitions > Account definitions category.
-
Select an account definition in the result list.
-
Select the Assign business roles task.
-
In the Add assignments pane, select the role class and assign business roles.
TIP: In the Remove assignments pane, you can remove assigned business roles.
To remove an assignment
- Save the changes.
Use this task to assign the account definition to all internal identities. Identities that are marked as external do not obtain this account definition. Once a new internal identity is created, they automatically obtain this account definition. The assignment is calculated by the DBQueue Processor.
IMPORTANT: Only run this task if you can ensure that all current internal identities in the database and all pending newly added internal identities obtain a user account in this target system.
To assign an account definition to all identities
-
In the Manager, select the SAP R/3 > Basic configuration data > Account definitions > Account definitions category.
-
Select an account definition in the result list.
-
Select the Change main data task.
-
Select the Disable automatic assignment to identities task.
-
Confirm the security prompt with Yes.
- Save the changes.
NOTE: To automatically remove the account definition assignment from all identities, run the Disable automatic assignment to identities task. The account definition cannot be reassigned to identities from this point on. Existing assignments remain intact.