サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.3 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable Secure Token Server Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

User account (manual input/role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

Credentials

Login name and password for registering with Active Directory. You do not have to enter the domain.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • Permitted logins are entered in the identity main data. The logins are expected in the form: domain\user.

  • The identity is assigned at least one application role.

  • Domains permitted for login are entered in the TargetSystem | ADS | AuthenticationDomains configuration parameter.

    NOTE: This configuration parameter is available if the Active Directory Module is installed.

Set as default

Yes

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

All identity logins saved in the One Identity Manager database are found. The identity whose login data matches that of the current user is used for logging in. This takes into account the list of permitted Active Directory domains.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is not set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.

Data modifications are attributed to the current user account.

Account based system user

NOTE: This authentication module is available if the Configuration Module is installed.

Credentials

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

  • Permitted logins are entered in the system user's main data. The logins are expected in the form: domain\user.

Set as default

No

Single sign-on

Yes

Front-end login allowed

Yes

Web Portal login allowed

No

Remarks

All system user logins saved in the One Identity Manager database are found. The system user whose login data matches that of the current user is used for logging in.

The user interface and the permissions are loaded through the system user.

Data modifications are attributed to the current user account.

Active Directory user account

NOTE: This authentication module is available if the Active Directory Module is installed.

Credentials

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

  • The identity exists in the One Identity Manager database.

  • The system user is entered in the identity's main data.

  • The Active Directory user account exists in the One Identity Manager database and the identity is entered in the user account's main data.

Set as default

Yes

Single sign-on

Yes

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager finds the identity assigned to the user account.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is not set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

The user interface and permissions are loaded through the system user that is directly assigned to the identity found. If a system user is not assigned to the identity, the system user from the SysConfig | Logon | DefaultUser configuration parameter is used.

Data modifications are attributed to the current user account.

NOTE: If the Connect automatically option is set, authentication is no longer necessary for subsequent logins.

Active Directory user account (role-based)

NOTE: This authentication module is available if the Active Directory Module is installed.

Credentials

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • The identity is assigned at least one application role.

  • The Active Directory user account exists in the One Identity Manager database and the identity is entered in the user account's main data.

Set as default

Yes

Single sign-on

Yes

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager finds the identity assigned to the user account.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is not set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.

Data modifications are attributed to the current user account.

NOTE: If the Connect automatically option is set, authentication is no longer necessary for subsequent logins.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択