サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.0 LTS - Identity Management Base Module Administration Guide

Basics for mapping company structures in One Identity Manager Dynamic roles Departments, cost centers, and locations
One Identity Manager users for managing departments, cost centers, and locations Basic information for departments, cost centers, and locations Creating and editing departments Creating and editing cost centers Creating and editing locations Setting up IT operating data for departments, cost centers, and locations Assigning employees, devices, and workdesks to departments, cost centers, and locations Assigning company resources to departments, cost centers, and locations Creating dynamic roles for departments, cost centers, and locations Dynamic roles with incorrectly excluded employees Assign organizations Specifying inheritance exclusion for departments, cost centers, and locations Assigning extended properties to departments, cost centers, and locations Reports about departments, cost centers, and locations
Employee administration
One Identity Manager users for employee administration Basic data for employee main data Employee's central user account Employee's default email address Employee's central password Mapping multiple employee identities Password policies for employees Creating and editing employees Disabling and deleting employees Deleting all employee related data Limited access to One Identity Manager Changing the certification status of employees Assigning company resources to employees Displaying the origin of employees' roles and entitlements Analyzing role memberships and employee assignments Displaying the employees overview Displaying and deleting employees' Webauthn security keys Determining the language for employees Determining employees working hours Manually assigning user accounts to employees Entering calls for employees Assigning extended properties to employees Employee reports
Managing devices and workdesks Managing resources Setting up extended properties Configuration parameters for managing departments, cost centers, and locations Configuration parameters for managing employees Configuration parameters for managing devices and workdesks

Permitting assignments of employees, devices, workdesks, and company resources to roles

The default method for assigning company resources is through secondary assignment. For this, employees, devices, and workdesks as well as company resources are added to roles through secondary assignment.

Use role classes to specify how and if employees, devices, workdesks, and company resource are permitted as secondary assignments to roles. Role classes form the basis of mapping hierarchical roles in One Identity Manager. Role classes are used to group similar roles together. The following role classes are available by default in the One Identity Manager:

  • Department

  • Cost center

  • Location

  • Application role

Secondary assignment of objects to role in a role class is defined by the following options:

  • Assignments allowed: This option specifies whether assignments of respective object types to roles of this role class are allowed in general.

  • Direct assignments allowed: Use this option to specify whether respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are assigned to departments, cost centers, or locations over the assignment form in the Manager.

    NOTE: If this option is not set, the assignment of each object type is only possible through requests in the IT Shop, dynamic roles, or system roles.

Example:

To assign employees directly to a department in the Manager, enable the Assignment allowed and the Direct assignment allowed options on the Employees entry in the Department role class.

If employees can only obtain membership in a department through the IT Shop, enable the Assignment allowed option but not the Direct assignment allowed option on the Employees entry in the Department role class. A corresponding assignment resource must be available in the IT Shop.

NOTE: Employee, device, workdesk ,and company resource assignments are predefined for departments, cost centers, location, and application roles. The configuration of application role assignments cannot be changed.

To configure assignments to roles of a role class

  1. In the Manager, select role classes in the Organizations > Basic configuration data > Role classes category.

  2. Select the Configure role assignments task.

  3. Use the Allow assignments column to specify whether assignment is generally allowed.

    NOTE: You can only reset the Assignment allowed option if there are no assignments of the respective objects to roles of this role class and none can arise through existing dynamic roles.

  4. Use the Allow direct assignments column to specify whether a direct assignment is allowed.

    NOTE: You can only reset the Direct assignment allowed option if there are no direct assignments of the respective objects to roles of this role class.

  5. Save the changes.

Blocking inheritance using roles

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effects of this depend on the chosen direction of inheritance.

  • Roles marked with the Block inheritance option do not inherit any assignments from parent levels in top-down inheritance. It can, however, pass on its own directly assigned company resources to lower level structures.

  • In bottom-up inheritance, the role labeled with the Block inheritance option inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

To discontinue inheritance for departments, cost centers, or locations

  1. In the Manager, in the Organizations category, select a department, cost center or location.

  2. Select the Change main data task.

  3. Set the Block inheritance option.

  4. Save the changes.

NOTE: In the case of application roles, inheritance can only be discontinued for custom application roles. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Related topics

Preventing employees, devices, or workdesks from inheriting individual roles

Company resource inheritance for single roles can be temporarily prevented. You can use this behavior, for example, to assign all required company resources to a role. Inheritance of company resources does not take place, however, unless inheritance is permitted for the role, for example, by running a defined approval process.

To prevent inheritance for departments, cost centers, or locations

  1. In the Manager, in the Organizations category, select a department, cost center or location.

  2. Select the Change main data task.

  3. Set one or more of the following options:

    • To prevent employees from inheriting, set the Employees do not inherit option.

    • To prevent devices from inheriting, set the Devices do not inherit option.

    • To prevent workdesks from inheriting, set the Workdesks do not inherit option.

  4. Save the changes.

NOTE: This option cannot be configured for application roles. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Related topics

Preventing inheritance to individual employees, devices, or workdesks

Inheritance of company resources can be prevented for single employees, devices, or workdesks. You can use this behavior to correct data after importing employees before and then apply inheritance.

To prevent an employee from inheriting

  1. In the Manager, select the employee in the Employees category.

  2. Select the Change main data task.

  3. Set the No inheritance option.

    The employee does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.

  4. Save the changes.

To prevent an device from inheriting

  1. In the Manager, select the device in the Devices & Workdesks > Devices category.

  2. Select the Change main data task.

  3. Set the No inheritance option.

    The device does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.

  4. Save the changes.

To prevent a workdesk from inheriting

  1. In the Manager, select the workdesk in the Devices & Workdesks > Workdesks category.

  2. Select the Change main data task.

  3. Set the No inheritance option.

    The workdesk does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.

  4. Save the changes.
Related topics
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択