SharePoint permission policies
On the permission policy overview form, you can view the web application and the user policies to which the permission policy is assigned. All permissions are listed that have been explicitly granted or denied.
To obtain an overview of a permission policy
- Select the SharePoint > Permission policies category.
- Select the permission policy from the result list.
- Select the SharePoint permission policy overview task.
The denied SharePoint permission "Deny write" is displayed. SharePoint groups internally several single permissions together that are only found as single permissions in the SharePoint interface. One Identity Manager maps the SharePoint internal permission. That is why only the permission "Deny write" appears in the One Identity Manager interface. Single permissions are therefore not known to One Identity Manager.
SharePoint user policies
User policies have a dynamic foreign key (column AuthenticationObject) that references the appropriate authentication object. An additional employee can be assigned if the dynamic foreign key references an Active Directory or an LDAP user account.
Each user policy represents an object from an authentication system. This object can be a group or a user.
To edit user policy main data
- Select the SharePoint > User accounts category.
- Select the SharePoint role in the result list. Select the Change main data task.
- Enter the required data on the main data form.
- Save the changes.
The following properties are displayed for user polices.
Table 36: Main data for a user policy
| Display name |
Display name for the user policy. |
| User account |
Specifies whether the user policy's authentication object is a user account. |
| Login name |
Login name for the user policy. It is found using a template. |
| System account |
Specified whether the user policies in the SharePoint environment operates as a system account. |
| Employee |
Employee using the user policy. If an authentication object is assigned, the connected employee is found through the authentication object by using a template. If there is no authentication object assigned, the employee can be assigned manually.
An employee can only be assigned if the User account option is set. |
| Web application |
Unique identifier for the web application for which the user policy is setup. |
| Zone |
Unique identifier of the SharePoint zone for which the user policy is valid. |
| |
Authentication object referencing the user policy. Each user policy represents an object from an authentication system trusted by the SharePoint installation. If this authentication system is managed as a target system in One Identity Manager, the object used for authentication can be saved as the authentication object in the user policy.
The authentication object is assigned during automatic synchronization. If the User account option is set, the following authentication objects can be assigned:
- Active Directory user accounts
- LDAP user accounts
If the User account option is disabled, the following authentication objects can be assigned:
- Active Directory groups
- LDAP groups
|
NOTE: When an authentication object assigned to a SharePoint user policy is deleted from the One Identity Manager database, the link to the authentication object is removed from the user policy. Employees assigned to it remain assigned if necessary.
Global user policies
Global user polices are user policies that are valid for all zones. They are mapped in the SharePoint > Hierarchical view > <farm> > Web applications > <web application> > Global user policies category.
Zone-specific user policies
Zone specific user policies are user policies that are valid for a single zone in a web application. They are displayed in the SharePoint > Hierarchical view > <farm> > Web applications > <web application> > Zone specific user policies > <zone> category.
Reports about SharePoint objects
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for SharePoint farms.
NOTE: Other sections may be available depending on the which modules are installed.
Table 37: Data quality target system report
|
Show overview |
User account |
This report shows an overview of the user account and the assigned permissions. |
|
Show overview including origin |
User account |
This report shows an overview of the user account and origin of the assigned permissions. |
|
Show overview including history |
User account |
This report shows an overview of the user accounts including its history.
Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report. |
|
Overview of all assignments |
group
Role |
This report finds all roles containing employees who have the selected system entitlement. |
|
Show overview |
group
Role |
This report shows an overview of the system entitlement and its assignments. |
|
Show overview including origin |
group
Role |
This report shows an overview of the system entitlement and origin of the assigned user accounts. |
|
Show overview including history |
group
Role |
This report shows an overview of the system entitlement and including its history.
Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report. |
|
Show entitlement drifts |
Site collection |
This report shows all system entitlements that are the result of manual operations in the target system rather than provisioned by One Identity Manager. |
|
Show user accounts overview (incl. history) |
Site
Site collection |
This report returns all the user accounts with their permissions including a history.
Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report. |
|
Show user accounts with an above average number of system entitlements |
Site collection |
This report contains all user accounts with an above average number of system entitlements. |
|
Show employees with multiple user accounts |
Site collection |
This report shows all the employees that have multiple user accounts. The report contains a risk assessment. |
|
Show system entitlements overview (incl. history) |
Site
Site collection |
This report shows the system entitlements with the assigned user accounts including a history.
Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report. |
|
Overview of all assignments |
Web applications
Site collection |
This report finds all roles containing employees with at least one user account in the selected target system. |
|
Show unused user accounts |
Site collection |
This report contains all user accounts, which have not been used in the last few months. |
|
Show orphaned user accounts |
Site collection |
This report shows all user accounts to which no employee is assigned. |
Related topics
Overview of all assignments
The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.
Examples:
-
If the report is created for a resource, all roles are determined in which there are employees with this resource.
-
If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
-
If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
-
If the report is created for a department, all roles are determined in which employees of the selected department are also members.
-
If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
-
To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
-
Click the 
Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.
All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the 
icon in the report's toolbar.
-
Double-click a control to show all child roles belonging to the selected role.
-
By clicking the 
button in a role's control, you display all employees in the role with the base object.
-
Use the small arrow next to to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.
Figure 6: Toolbar of the Overview of all assignments report.
Table 38: Meaning of icons in the report toolbar
|
|
Show the legend with the meaning of the report control elements |
|
|
Saves the current report view as a graphic. |
|
|
Selects the role class used to generate the report. |
|
|
Displays all roles or only the affected roles. |
