지금 지원 담당자와 채팅

라이브 도움말 보기
등록 완료

로그인

가격 산정 요청

영업 담당자에게 문의

Identity Manager 8.1.4 - Identity Management Base Module Administration Guide

콘텐츠 탐색

Basics for mapping company structures in One Identity Manager

Hierarchical role structure basic principles

Inheritance directions within a hierarchy Discontinuing inheritance

Basic principles for assigning company resources

Direct assignment Indirect assignment

Secondary assignment Primary assignment

Assignment by dynamic roles Assigning through IT Shop requests

Basics of calculating inheritance

Calculating inheritance by hierarchical roles Calculation of assignments

Preparing hierarchical roles for company resource assignments

Possible assignments of company resources through roles Permitting assignments of employees, devices, workdesks, and company resources Using roles to limit inheritance Inheritance exclusion: Specifying conflicting roles

Managing departments, cost centers, and locations

One Identity Manager users for organizations Basic data for structuring departments, cost centers, and locations

Role classes Role types Functional areas Attestors Role approvers and role approvers (IT)

Editing departments

General master data for a department Contact data for departments Functional area and risk assessment

Editing cost centers

General master data for a cost center Functional area and risk assessment

Editing locations

General master data for a location Location address information Configuring a location's network Directions to location Functional area and risk assessment

Assigning employees, devices, and workdesks to departments, cost centers, and locations Assigning company resources to departments, cost centers, and locations Setting up IT operating data

Modify IT operating data

Additional tasks for managing departments, cost centers, and locations

Creating dynamic roles for departments, cost centers, and locations Assign organizations Specifying inheritance exclusion for roles

Reports about departments, cost centers, and locations

Working with dynamic roles

Editing dynamic roles

Dynamic role master data

Conditions for dynamic roles Testing a condition of a dynamic role Calculating role memberships Additional tasks for dynamic roles

Dynamic role overview Start immediate recalculation of role memberships

Employee administration

One Identity Manager users for employee administration Basic data for employee master data

Business partners Creating custom mail templates for notifications

General properties of a mail template Creating and editing an email definition

Using base object properties

Customizing email signatures

Entering employee master data

General employee master data Organizational employee master data Address data Miscellaneous employee master data

Employee's central user account Employee's central password Employee's default email address Mapping multiple employee identities

Employee identity types

Disabling and deleting employees

Temporarily deactivating employees Permanently deactivating employees

Re-enabling an employee

Deferred deletion of employees Deleting all employee related data

Password policies for employees

Predefined password policies Using password policies

Changing the password policy for the password columns Assigning password policies to departments, cost centers, locations, and business roles

Editing password policies

General master data for password policies Policy settings Character classes for passwords

Custom scripts for password requirements

Script for checking passwords Script for generating a password

Defining the excluded list for passwords Checking a password Testing password generation Informing employees about expiring passwords Displaying locked employees and system users

Limited access to One Identity Manager

Changing the certification status of an employee

Assigning company resources to employees

Assigning employees to departments, cost centers, and locations Assigning employees to business roles Adding employees to IT Shop custom nodes Assigning application roles to employees Assigning resources directly to employees Assigning software directly to employees Assigning system roles directly to employees Assigning subscribable reports directly to employees

Displaying the origin of an employee's roles and entitlements Analyzing role memberships and employee assignments Additional tasks for managing employees

Employee overview Manually assigning user accounts to employees Entering calls for an employee Assigning extended properties Displaying and deleting employees' Webauthn security keys Setting a secret password question Mutual aid

Determining an employee’s language Determining an employee's working hours Employee reports

Managing devices and workdesks

Basic data for device admin

General master data for a device model Inventory data for a device model

Business partners Device status Workdesk status Workdesk types

Setting up a device

General master data for a device Device networking data

Assigning company resources to devices

Assigning devices to departments, cost centers, and locations Assigning devices to business roles

Additional tasks for managing devices

Overview of devices Assigning service agreements and enter calls

How to set up workdesks

General master data for a workdesk Workdesk location information Additional information about a workdesk

Assigning company resources to workdesks

Assigning workdesks to departments, cost centers, and locations Assigning workdesks to business roles Assigning software directly to workdesks Assigning system roles directly to workdesks

Additional tasks for managing workdesks

Workdesk overview Assigning devices to workdesks Assigning employees to workdesks

Asset data for devices

Basic data for asset management

Asset classes Asset types

Entering investments and investment plans Editing device asset data

Master data for asset data Commercial data

Managing resources

One Identity Manager users for managing resources Basic data for resources

Editing resources

Resource master data

Assigning resources to employees

Assigning resources to departments, cost centers, and locations Assigning resources to business roles Assigning resources directly to employees Adding resources to the IT Shop Adding resources in system roles

Additional tasks for managing resources

Resource overview Assigning extended properties to resources

Editing multi-request resources

Master data for a multi-request resource

Assigning multi-request resources to employees

Adding multi request resources to the IT Shop

Reports about resources

Setting up extended properties

One Identity Manager users for managing extended properties Create property groups Edit extended properties

Extended property master data Specifying scoped boundaries

Additional tasks for managing extended properties

Extended property overview Assign objects Assigning property groups

Configuration parameters for managing departments, cost centers, and locations Effective configuration parameters for setting up employees Configuration parameters for managing devices and workdesks

Employee identity types

To differentiate the different identities of a person, use the following identity types.

Table 38: Identity types
Value	Description
Primary identity	Employee's default identity. The employee has a default user account.
Organizational identity	Virtual employee (subidentity) for mapping different roles to an employee in the organization. The sub-identity has a user account of the Organizational identity type. Also enter a main identity.
Personalized admin identity	Virtual person (sub-identity) that belongs to a user account of the Personalized administrator identity type. Also enter a main identity.
Sponsored identity	Dummy employee who is linked to a user account of the Sponsored identity type. Assign a manager to the employee.
Shared identity	Dummy employee who is linked to an administrative user account of the Shared identity type. Assign a manager to the employee.
Service identity	Dummy employee who is linked to a user account of the Service identity type. Assign a manager to the employee.
Machine identity	Dummy employee for mapping machine identities.

The primary identity, the organizational identity, and the personal admin identity are different identities under which the same actual person can execute their different tasks within the company.

Employees with a personal admin identity or an organizational identity are set up as sub-identities. These subidentities are then linked to user accounts, enabling you to assign the required Entitlements to the different user accounts.

The sponsored identity, group identity, and service identity are dummy persons through which the connected user accounts are given permissions for the relevant target systems. The classification of dummy employees to hierarchical roles or as customers in the IT Shop enables the assignment of permissions to the user accounts. Requests in the IT Shop can be triggered only by the manager of these dummy persons. In the evaluation of reports, attestations, or compliance checks, you check whether dummy employees need to be handled in a specific way.

Related topics

Disabling and deleting employees

How employees are handled, particularly in the case of permanent or partial withdrawal of an employee, varies between individual companies. There are companies that never delete employees, and only disable them when they leave the company.

The following methods are available in the One Identity Manager standard version:

Temporarily deactivating employees

The employee has temporarily left the company and is expected to return at a predefined date. The desired course of action could be to disable the user account and remove all group memberships. Or the user accounts could be deleted and reestablished with the employee's return, even if it is with a new system identification number (SID).

Temporary disabling of an employee is triggered by:

TheTemporary disabled option
The start and end date for deactivation (Temporary disabled from and Temporary disabled until)

NOTE:

Configure the Lock accounts of employees that have left the company schedule in the Designer. This schedule checks the start date for disabling and sets the Temporarily disabled option when it is reached.
In the Designer, configure the Enable temporarily disabled accounts schedule. This schedule monitors the end date of the disabled period and enables the employee with their user accounts when the date expires. Employee's user accounts that were disabled before the period of temporary absence are also re-enabled once the period has expired.

Related topics

Permanently deactivating employees

Employees can be disabled permanently when, for example, they leave the company. It might be necessary, to remove access to this employee's entitlements in connected target systems and their company resources.

Effects of permanent disabling of an employee are:

The employee cannot be assigned to employees as a manager.
The employee cannot be assigned to roles as a supervisor.
The employee cannot be assigned to attestation policies as an owner.
There is no inheritance of company resources through roles, if the additional No inheritance option is set for an employee.
Employee user accounts are locked or deleted and then removed from group memberships.

Trigger permanent deactivation through:

The Disable employee permanently task
This task ensures that the Permanently disabled option is enabled and that the leaving date and the date of the last working day are set to the current date.
Arrival of the leaving date
NOTE: Check the Lock accounts of employees that have left the company schedule in the Designer. This schedule regularly checks the leaving date and sets the Permanently disabled option on reaching the date.

NOTE: The Re-enable employee task ensures that the employee is re-enabled.
The Denied certification status
If an employee's certification status is set to Denied through attestation or manually, the employee is permanently disabled with immediate effect. When the employee's certification status is changed to Certified, the employee is activated again.

NOTE: This function is only available if the Attestation Module is installed.

Related topics

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택

© 2024 One Identity LLC. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center