サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.1.1 - Identity Management Base Module Administration Guide

Basics for mapping company structures in One Identity Manager Dynamic roles Departments, cost centers, and locations
One Identity Manager users for managing departments, cost centers, and locations Basic information for departments, cost centers, and locations Creating and editing departments Creating and editing cost centers Creating and editing locations Setting up IT operating data for departments, cost centers, and locations Assigning employees, devices, and workdesks to departments, cost centers, and locations Assigning company resources to departments, cost centers, and locations Creating dynamic roles for departments, cost centers, and locations Dynamic roles with incorrectly excluded employees Assign organizations Specifying inheritance exclusion for departments, cost centers, and locations Assigning extended properties to departments, cost centers, and locations Certifying departments, cost centers, and locations Reports about departments, cost centers, and locations
Employee administration
One Identity Manager users for employee administration Basic data for employee main data Employee's central user account Employee's default email address Employee's central password Mapping multiple employee identities Password policies for employees Creating and editing employees Disabling and deleting employees Deleting all employee related data Limited access to One Identity Manager Changing the certification status of employees Assigning company resources to employees Displaying the origin of employees' roles and entitlements Analyzing role memberships and employee assignments Displaying the employees overview Displaying and deleting employees' Webauthn security keys Determining the language for employees Determining employees working hours Manually assigning user accounts to employees Entering calls for employees Assigning extended properties to employees Employee reports
Managing devices and workdesks Managing resources Setting up extended properties Configuration parameters for managing departments, cost centers, and locations Configuration parameters for managing employees Configuration parameters for managing devices and workdesks

Primary assignment

You make a primary assignment using a department, cost center, or location foreign key reference in employee, device and workdesk objects. To do this, use the role fields on the employee, device, and workdesk main data forms. Primary assignment inheritance can be enabled through configuration parameters. Primary assignment is enabled by default for employee objects.

Figure 8: A primary assignment schema

NOTE: Changes to the configuration parameter result in the inheritance data being recalculated! That means: if the primary assignment is disabled at a later date, the inheritance data created in this way will be removed from the database.

Table 1: Configuration parameters for primary assignment

Configuration parameter

Effect when set

QER | Structures | Inherite | Employee

Employees can inherit through primary assignments.

QER | Structures | Inherite | Employee| GroupExclusion

Employees inherit assignments from their primary department (Person.UID_Department).

QER | Structures | Inherite | Employe | FromLocality

Employees inherit assignments from their primary location (Person.UID_Locality).

QER | Structures | Inherite | Employee| FromProfitCenter

Employees inherit assignments from their primary cost center (Person.UID_ProfitCenter).

QER | Structures | Inherite | Hardware

Devices can inherit through primary assignments.

QER | Structures | Inherite | Hardware | FromDepartment

Devices inherit assignments from their primary department (Hardware.UID_Department).

QER | Structures | Inherite | Hardware | FromLocality

Devices inherit assignments from their primary location (Hardware.UID_Locality).

QER | Structures | Inherite | Hardware | FromProfitCenter

Devices inherit assignments from their primary cost center (Hardware.UID_ProfitCenter).

QER | Structures | Inherite | Workdesk

Workdesks can inherit though primary assignment.

QER | Structures | Inherite | Workdesk | FromDepartment

Workdesks inherit assignments from their primary department (Workdesk.UID_Department).

QER | Structures | Inherite | Workdesk | FromLocality

Workdesks inherit assignments from their primary location (Workdesk.UID_Locality).

QER | Structures | Inherite | Workdesk | FromProfitCenter

Workdesks inherit assignments from their primary cost center (Workdesk.UID_ProfitCenter).

Assigning company resources through dynamic roles

Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices, and workdesks are not permanently assigned to a role, just when they fulfill certain conditions. A check is performed regularly to assess which employees, devices, or workdesks fulfill these conditions. This means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees in a department in this way; if an employee leaves the department they immediately lose the resources assigned to them.

Related topics

Assigning company resources through IT Shop requests

Assignment through the IT Shop is a special case of indirect assignment. Add employees to a shop as customers so that company resources can be assigned through IT Shop requests. All company resources assigned as product to this shop can be requested by the customers. Requested company resources are assigned to the employees after approval is granted. Role memberships can be requested through the IT Shop as well as company resources.

Figure 9: Schema of assignment by requests

Basics of calculating inheritance

Objects assigned through inheritance are calculated by the DBQueue Processor. Tasks are added to the DBQueue when assignments relevant to inheritance are made. These tasks are processed by the DBQueue Processor and result in follow-on tasks for the DBQueue or in processes for process component HandleObjectComponent in the Job queue. Resulting assignments of permissions to user accounts in the target system are inserted, modified, or deleted during process handling.

Figure 10: Overview of inheritance calculation

Detailed information about this topic
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択