サポートと今すぐチャット
サポートとのチャット

Identity Manager 8.2.1 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing Active Directory user accounts and employees
Account definitions for Active Directory user accounts and Active Directory contacts Assigning employees automatically to Active Directory user accounts Supported user account types Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login information for Active Directory user accounts Mapping of Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Privileged user accounts

Privileged user accounts are used to provide employees with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are labeled with the Privileged user account property (IsPrivilegedAccount column).

NOTE: The criteria according to which user accounts are automatically identified as privileged are defined as extensions to the view definition (ViewAddOn) in the TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is done in the TSB_SetIsPrivilegedAccount script.

To create privileged users through account definitions

  1. Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.

  2. If you want to prevent the properties for privileged user accounts from being overwritten, set the IT operating data overwrites property for the manage level to Only initially. In this case, the properties are populated just once when the user accounts are created.

  3. Specify the effect of temporarily or permanently disabling or deleting, or the security risk of an employee on its user accounts and group memberships for each manage level.

  4. Create a formatting rule for the IT operating data.

    You use the mapping rule to define which rules are used to map IT operating data for user accounts and which default values are used if no IT operating data can be determined through a person's primary roles.

    The type of IT operating data required depends on the target system. The following settings are recommended for privileged user accounts:

    • In the mapping rule for the IsPrivilegedAccount column, use the default value 1 and set the Always use default value option.

    • You can also specify a mapping rule for the IdentityType column. The column owns different permitted values that represent user accounts.

    • To prevent privileged user accounts from inheriting the entitlements of the default user, define a mapping rule for the IsGroupAccount column with a default value of 0 and set the Always use default value option.

  5. Enter the effective IT operating data for the target system.

    Specify in the departments, cost centers, locations, or business roles which IT operating data should apply when you set up a user account.

  6. Assign the account definition directly to employees who work with privileged user accounts.

    When the account definition is assigned to an employee, a new user account is created through the inheritance mechanism and subsequent processing.

TIP: If customization requires that the login names of privileged user accounts follow a defined naming convention, specify how the login names are formatted in the template.

  • To use a prefix for the login name, in the Designer, set the TargetSystem | ADS | Accounts | PrivilegedAccount | SAMAccountName_PrefixTargetSystem configuration parameter.

  • To use a postfix for the login name, in the Designer, set the TargetSystem | ADS | Accounts | PrivilegedAccount | SAMAccountName_Postfix configuration parameter.

These configuration parameters are evaluated in the default installation, if a user account is marked with the Privileged user account property (IsPrivilegedAccount column). The user account login names are renamed according to the formatting rules. This also occurs if the user accounts are labeled as privileged using the Mark selected user accounts as privileged schedule. If necessary, modify the schedule in the Designer.

Related topics

Updating employees when Active Directory user account are modified

In One Identity Manager, modifications to employee properties are forwarded to the associated user accounts and subsequently provisioned in the target system. In certain circumstances, it may be necessary to forward user account modifications in the target system to employee properties in One Identity Manager.

Example:

During testing, user accounts from the target system are only read into One Identity Manager and employees created. User account administration (creating, modifying, and deleting) should be done later through One Identity Manager. During testing, user accounts are modified further in the target system, which can lead to drifts in user account properties and employee properties. Due to this, user account modifications loaded on resynchronization should be temporarily published to employees who are already created. This means data is not lost when user account administration is put into effect through One Identity Manager.

To update employees when user accounts are modified

  • In the Designer, set the TargetSystem | ADS | PersonUpdate configuration parameter.

Modifications to user accounts are loaded into One Identity Manager during synchronization. These modifications are forwarded to the associated employees through subsequent scripting and processing.

NOTE:

  • When making changes to user accounts, the employees are only updated for user accounts with the Unmanaged manage level and that are linked to an employee.

  • Only the employee created by the modified user account is updated. The data source from which the employee was created is shown in the Import data source property. If other user accounts are assigned to the employee, changes to these user accounts do not cause the employee to be update.

  • For employees who do not yet have the Import data source set, the user account's target system is entered as the data source for the import during the first update of the connected user account.

User account properties are mapped to employee properties using the ADS_PersonUpdate_ADSAccount script. Contact properties are mapped to employee properties using the ADS_PersonUpdate_ADSContact script. To make the mapping easier to customize, the scripts are overwritable.

To customize, create a copy of the script and start the script coding follows:

Public Overrides Function ADS_PersonUpdate_ADSAccount(ByVal UID_Account As String, OldAccountDN As String, ProcID As String)

Public Overrides Function ADS_PersonUpdate_ADSContact(ByVal UID_Account As String, OldAccountDN As String, ProcID As String)

This redefines the script and overwrites the original. The process does not have to be changed in this case.

Automatic creation of departments and locations based on user account information

You can create new departments and locations in One Identity Manager based on user account department and location data. Furthermore, departments, and locations are assigned to employees of the user accounts as primary department and primary location. These employees can obtain their company resources through these assignments if One Identity Manager is configured correspondingly.

Prerequisites for using this method

Employees must be created automatically when user accounts are added or modified. At least one of the following configuration parameters must be activated and the corresponding method implemented.

Table 14: Configuration Parameter for automatic employee assignment
Configuration parameter Effect when set

TargetSystem | ADS | PersonAutoDefault

Automatic employee assignment for user accounts added to the database outside synchronization based on the given mode.

TargetSystem | ADS | PersonAutoFullsync

Based on the given mode, automatic employee assignment is carried out on user accounts created or updated in the database by synchronization.

TargetSystem | ADS | PersonUpdate

Employee objects are updated continuously from linked user accounts.

To implement this method

  • In the Designer, set the TargetSystem | ADS | AutoCreateDepartment configuration parameter to generate departments from the user account information.

  • In the Designer, set the TargetSystem | ADS | AutoCreateLocality configuration parameter to generate locations from the user account information.

Related topics

Specifying deferred deletion for Active Directory user accounts and Active Directory contacts

You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or blocked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.

You have the following options for configuring deferred deletion.

  • Global deferred deletion: Deferred deletion applies to user accounts in all target system. The default value is 30 days.

    In the Designer, enter a different value for deferred deletion in the Deferred deletion [days] property of the ADSAccount and the ADSContact tables.

  • Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.

    To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the ADSAccount and ADContact tables.

    Example:

    Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.

    If Not $IsPrivilegedAccount:Bool$ Then

    Value = 10

    End If

For detailed information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択