Privileged user accounts are used to provide employees with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are labeled with the Privileged user account property (IsPrivilegedAccount column).
NOTE: The criteria according to which user accounts are automatically identified as privileged are defined as extensions to the view definition (ViewAddOn) in the TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is done in the TSB_SetIsPrivilegedAccount script.
To create privileged users through account definitions
-
Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.
-
If you want to prevent the properties for privileged user accounts from being overwritten, set the IT operating data overwrites property for the manage level to Only initially. In this case, the properties are populated just once when the user accounts are created.
-
Specify the effect of temporarily or permanently disabling or deleting, or the security risk of an employee on its user accounts and group memberships for each manage level.
-
Create a formatting rule for the IT operating data.
You use the mapping rule to define which rules are used to map IT operating data for user accounts and which default values are used if no IT operating data can be determined through a person's primary roles.
The type of IT operating data required depends on the target system. The following settings are recommended for privileged user accounts:
-
In the mapping rule for the IsPrivilegedAccount column, use the default value 1 and set the Always use default value option.
-
You can also specify a mapping rule for the IdentityType column. The column owns different permitted values that represent user accounts.
-
To prevent privileged user accounts from inheriting the entitlements of the default user, define a mapping rule for the IsGroupAccount column with a default value of 0 and set the Always use default value option.
-
Enter the effective IT operating data for the target system.
Specify in the departments, cost centers, locations, or business roles which IT operating data should apply when you set up a user account.
-
Assign the account definition directly to employees who work with privileged user accounts.
When the account definition is assigned to an employee, a new user account is created through the inheritance mechanism and subsequent processing.
TIP: If customization requires that the login names of privileged user accounts follow a defined naming convention, specify how the login names are formatted in the template.
-
To use a prefix for the login name, in the Designer, set the TargetSystem | CSM | Accounts | PrivilegedAccount | SAMAccountName_PrefixTargetSystem configuration parameter.
-
To use a postfix for the login name, in the Designer, set the TargetSystem | CSM | Accounts | PrivilegedAccount | SAMAccountName_Postfix configuration parameter.
These configuration parameters are evaluated in the default installation, if a user account is marked with the Privileged user account property (IsPrivilegedAccount column). The user account login names are renamed according to the formatting rules. This also occurs if the user accounts are labeled as privileged using the Mark selected user accounts as privileged schedule. If necessary, modify the schedule in the Designer.
Related topics
You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or blocked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.
You have the following options for configuring deferred deletion.
-
Global deferred deletion: Deferred deletion applies to user accounts in all target system. The default value is 30 days.
-
Target system specific deferred deletion: Deferred deletion can be configured individually for each target system. This deferred deletion overrides global deferred deletion.
To enable deferred deletion separately for each target system
-
In the Manager, configure deferred deletion for the target system.
-
In the Manager, select the Cloud target systems > Basic configuration data > Cloud target systems category.
-
In the result list, select a target system and run the Change main data task.
-
On the General tab, under Deferred deletion [days], enter the deferred deletion value in days.
- Save the changes.
-
In the Designer, create a Script (deferred deletion) in the CSMUser table.
Example:
Deferred deletion of user accounts in a cloud target system depends on the deferred deletion of the target system (UNSRootB.DeleteDelayDays). The following script is given in the CSMUser table.
If $FK(UID_CSMRoot).DeleteDelayDays:Int$ > 0 Then
Value = $FK(UID_CSMRoot).DeleteDelayDays:Int$
End If
-
Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.
To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the CMSUser table.
Example:
Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.
If Not $IsPrivilegedAccount:Bool$ Then
End If
For detailed information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.
Related topics
Cloud user accounts can be grouped into cloud groups that can be used to regulate access to resources.
In One Identity Manager, you can assign cloud groups directly to user accounts or they can be inherited through departments, cost centers, locations, or business roles. Users can also request the groups through the Web Portal. To do this, groups are provided in the IT Shop.
Detailed information about this topic
Many cloud applications use different entitlement types to manage user entitlements. In addition to groups, these can also be roles or permissions sets, for example. If synchronization projects are created with the default project template, the different types are mapped in One Identity Manager as follows.
Table 16: Mapping system entitlements in the Cloud Systems Management Module
|
UCIGroup |
CSMGroup |
Groups |
|
UCIGroup1 |
CSMGroup1 |
System entitlements 1 |
|
UCIGroup2 |
CSMGroup2 |
System entitlements 2 |
|
UCIGroup3 |
CSMGroup3 |
System entitlements 3 |
|
UCIItem |
CSMItem |
Permissions controls |
A user account obtains the required entitlements for accessing target system resources through its assignments to groups or system entitlements. Depending on the target system, assignments are maintained either on user accounts (user-based assignment) or on system entitlements (entitlement-based assignment). When setting up synchronization with the default project template, the Universal Cloud Interface connector determines which object type is used to store the assignments. Assignments are mapped in the following tables:
Table 17: User-based assignment
|
CSMUserHasGroup |
Groups: Assignments to user accounts |
|
CSMUserHasGroup1 |
System entitlements 1: Assignments to user accounts |
|
CSMUserHasGroup2 |
System entitlements 2: Assignments to user accounts |
|
CSMUserHasGroup3 |
System entitlements 3: Assignments to user accounts |
|
CSMUserHasItem |
User accounts: Permission control assignments |
Table 18: Entitlement-based assignment
|
CSMUserInGroup |
User accounts: Assignment to groups |
|
CSMUserInGroup1 |
User accounts: Assignment to system entitlements 1 |
|
CSMUserInGroup2 |
User accounts: Assignment to system entitlements 2 |
|
CSMUserInGroup3 |
User accounts: Assignment to system entitlements 3 |
Assignments to permissions controls are always user-based.
The types of system entitlements used and whether the assignments are saved with the user accounts or the system entitlements is stored with the cloud target systems.
To display the types of system entitlements used
-
In the Manager, select the Cloud target systems > Basic configuration data > Cloud target systems category.
-
In the result list, select a cloud target system and run the Change main data task.
-
System entitlement types used: List of system entitlement types used in the cloud target system.
-
User account contains memberships: List of system entitlement types with user-based assignments. For types not listed here, the assignments are stored with the system entitlements.
TIP: If the cloud application schema cannot be adequately represented by the default project template, customize the synchronization configuration. At the same time, define how the system entitlements are mapped in the One Identity Manager schema. When you are setting up synchronization, ensure that the base object for the cloud application(CSMRoot) is created in the database and the System entitlements types used (GroupUsageMask) and User account contains memberships (UserContainsGroupList) properties are set correctly.
NOTE: When setting up attestation procedures, compliance rules, or company policies using system entitlements, be sure to select the correct assignment tables to look at both user-based and entitlement-based assignments.
To set up functions independently of the target system configurations, use the target system mapping in the Unified Namespace. Both user-based and entitlement-based assignments for all types of system entitlements are mapped in the UNSAccountInUNSGroup table; the UNSGroup table contains all system entitlements regardless of type.
For more information about the Unified Namespace, see the One Identity Manager Target System Base Module Administration Guide.
Detailed information about the attestation functions, compliance rules, and company policies can be found in the following guides:
One Identity Manager Attestation Administration Guide
One Identity Manager Compliance Rules Administration Guide
One Identity Manager Company Policies Administration Guide
Related topics
