サポートと今すぐチャット
サポートとのチャット

Identity Manager On Demand - Starling Edition Hosted - Identity Management Base Module Administration Guide

Basics for mapping company structures in One Identity Manager Dynamic roles Departments, cost centers, and locations
One Identity Manager users for managing departments, cost centers, and locations Basic information for departments, cost centers, and locations Creating and editing departments Creating and editing cost centers Creating and editing locations Setting up IT operating data for departments, cost centers, and locations Assigning identities, devices, and workdesks to departments, cost centers, and locations Assigning company resources to departments, cost centers, and locations Creating dynamic roles for departments, cost centers, and locations Dynamic roles with incorrectly excluded identities Assign organizations Specifying inheritance exclusion for departments, cost centers, and locations Assigning extended properties to departments, cost centers, and locations Certifying departments, cost centers, and locations Reports about departments, cost centers, and locations
Identity administration
One Identity Manager users for managing identities Basics for managing identities Creating and editing identities Assigning company resources to identities Displaying the origin of identities' roles and entitlements Analyzing role memberships and identity assignments Deactivating and deleting identities Deleting all personal data Limited access to One Identity Manager Changing the certification status of identities Displaying the identities overview Displaying and deleting identities' Webauthn security keys Determining the language for identities Determining identities working hours Manually assigning user accounts to identities Entering tickets for identities Assigning extended properties to identities Reports about identities Basic configuration data for identities
Managing devices and workdesks Managing resources Setting up extended properties Configuration parameters for managing departments, cost centers, and locations Configuration parameters for managing identities Configuration parameters for managing devices and workdesks

Basics for mapping company structures in One Identity Manager

One Identity Manager supplies identities in a company with company resources. For example, permissions, or software, according to their function. To do this, the company structures are represented in hierarchical role form in One Identity Manager.

Roles are objects through which company resources can be assigned. Identities, devices, and workdesks are assigned to roles as members. Members can obtain their company resources through these roles when One Identity Manager is appropriately configured.

Company resource assignments are not made to individual identities, devices or workdesks but centrally and then inherited automatically through a predefined distribution list.

In One Identity Manager, the following roles are defined for mapping company structures:

  • Departments, cost centers, and locations

    Departments, cost centers, locations, and business roles are each mapped to their own hierarchy under Organizations. This is due to their special significance for daily work schedules in many companies.

  • Business roles

    Business roles map company structures with similar functionality that exist in addition to departments, cost centers, and locations. This might be projects groups, for example. For more information about business roles, see the One Identity Manager Business Roles Administration Guide.

    NOTE: This function is only available if the Business Roles Module is installed.

  • Application roles

    Application roles are used to grant One Identity Manager object permissions to One Identity Manager users. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Detailed information about this topic

Hierarchical role structure basic principles

Departments, cost centers, locations, and application roles are arranged hierarchically. Assigned company resources are inherited by members through these hierarchies. Company resource assignments are not made to individual identities, devices or workdesks but centrally and then inherited automatically through a predefined distribution list.

Hierarchies can either be created following the top-down or the bottom-up model in One Identity Manager. In the top-down model, roles are defined based on the area of activity and the company resources required to fulfill the activities are assigned to the roles. In the case of the bottom-up model, company resource assignments are analyzed and the roles result from this.

Detailed information about this topic

Inheritance directions within a hierarchy

The direction of inheritance decides the distribution of company resources within a hierarchy. One Identity Manager basically recognizes two directions of inheritance:

  • Top-down inheritance

    In One Identity Manager, top-down inheritance maps the default structure within a company. With its help, a company’s multilevel form can be represented with main departments and respective subdepartments.

  • Bottom-up inheritance

    Whereas in top-down inheritance, assignments are inherited in the direction of more detailed classifications, bottom-up inheritance operates in the other direction. This inheritance direction was introduced to map project groups in particular. The aim being, to provide someone coordinating several project groups with the company resources in use by each of the project groups.

NOTE: The direction of inheritance is only taken into account in relation to the inheritance of company resources. The direction of inheritance does not have any effect on the selection of the manager responsible. The manager with a parent role is always responsible for all child roles.

The effect on the allocation of company resources is explained in the following example for assigning an application.

Example: Assigning company resources top-down

In the diagram above a section of a company’s structure is illustrated. In addition, software applications are listed that are assigned to the respective department. An identity in dealer sales is assigned all the software applications that are allocated to their department and all those on the entire organization path. In this case, they are email, text processing, address management and internet software.

Figure 1: Assignment through top-down inheritance

Example: Assigning company resources bottom-up

The next figure shows bottom-up inheritance based on a project framework. In addition, software applications are listed that are assigned to the respective project group. An identity from the "Project lead" project group receives software applications from the project group as well as those from the projects groups below. In this case, it is project management, CASE tool, development environment, assembler tool, and prototyping tool.

Figure 2: Assignment through bottom-up inheritance

Discontinuing inheritance

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The point at which the inheritance should be discontinued within a hierarchy is specified by the Block inheritance option. The effects of this depend on the chosen direction of inheritance.

  • Roles marked with the Block inheritance option do not inherit any assignments from parent levels in top-down inheritance. It can, however, pass on its own directly assigned company resources to lower level structures.

  • In bottom-up inheritance, the role labeled with the “Block inheritance” option inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

The Block inheritance option does not have any effect on the calculation of the manager responsible.

Example: Discontinuing inheritance top-down

If the Block inheritance option is set for the "Sales" department in the top-down example, it results in sales identities only being assigned the "Address management" software and identities in the "Dealer sales" department inherit the "Address management" and "Internet" software. Software applications in the "Entire organization" department are however, assigned to identities in the "Sales" and "Dealer sales" departments.

Figure 3: Discontinuing inheritance top-down

Example: Discontinuing inheritance bottom-up

An identity from the "Programming" project group receives software applications from the project group as well as those from the projects groups below. In this case, the development environment, assembler tool and the prototyping tool. If the "Programming" project group has labeled with the Block inheritance option, it no longer passes down inheritance. As a result, only the CASE tool is assigned to identities in the "Project lead" project group along with the software application project management. Software applications from the "Programming", "System programming", and "Interface design" projects groups are not distributed to the project lead.

Figure 4: Discontinuing inheritance bottom-up

Related topics
セルフ・サービス・ツール
ナレッジベース
通知および警告
製品別サポート
ソフトウェアのダウンロード
技術文書
ユーザーフォーラム
ビデオチュートリアル
RSSフィード
お問い合わせ
ライセンスアシスタンス の取得
Technical Support
すべて表示
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択