지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 8.2 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0 / OpenID Connect configuration Multi-factor authentication in One Identity Manager Authenticating other applications using OAuth 2.0/OpenID Connect Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Application roles for custom tasks

NOTE: This application role is available if the Identity Management Base Module is installed.

The following application roles are available for customer features and tasks.

Table 15: Application roles for custom tasks
Application role Description

Administrators

Administrators must be assigned to the Custom | Administrators application role.

Users with this application role:

  • Administrate custom application roles.

  • Set up other application roles for managers if required.

Manager/supervisor

Managers must be assigned to the Custom | Managers application role or a child role.

Users with this application role:

  • Add custom task in One Identity Manager.

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

You can use these application roles, for example, to guarantee One Identity Manager user permissions on custom tables or columns. All application roles that you define here must obtain their permissions through custom permissions groups.

Implementing the application roles

IMPORTANT: To use application roles you must add one employee to the Base roles | Administrators application role. This employee is the authorized to assigned administrative One Identity Manager application roles to other employees.

Run this task once.

To initially add an employee to the Base roles | Administrators application role.

  1. Log into the Manager as a non role-based administrative user.

  2. Select the Employees > Employees category.

  3. Select the employee to be assigned to the Base role | Administrators application role.

  4. Select the Authorize as One Identity Manager administrator task.

    The One Identity Manager user with the Base roles | Administrators application role can now add more employees to application roles and edit the application role main data.

NOTE: Once you update the view in the Manager, the Authorize as One Identity Manager administrator task is no longer displayed in the task view. That means that the task can only be run when there are no other employees assigned to this application role.

After you have been working with One Identity Manager for a while, it is possible that no more employees are assigned to the Base roles | Administrators application role. In this case, proceed as described above in order to reassign an employee to this application role.

Related topics

Creating and editing application roles

To set up your first application roles you need to add an employee to the application role Base roles | Administrators. This employee is authorized to add more employees to different administration application roles. For more information, see Implementing the application roles.

Administrators can edit child application roles, set up more application roles and assigned employees.

NOTE: To edit the application role, log on to the Manager using a role-based authentication module.

To edit an application role

  1. In the Manager in the One Identity Manager Administration category, select the Application role.

  2. Select the Change main data task.

  3. Edit the application role's main data.

  4. Save the changes.

To create a new application role

  1. In the Manager in the One Identity Manager Administration category, select the application role under which you want to create a new application role.

  2. Click in the result list.

  3. Enter the application role main data.

  4. Save the changes.

NOTE: You cannot delete default application roles.

Related topics

Main data of application roles

Table 16: Application role properties

Property

Meaning

Application role

Application role name.

Internal name

Empty text field for a internal company identifier

Full name

Full name of application role. Is made up automatically from the application role name and the parent application role.

Parent application role

Application role to which the application role being edited is subordinate.

Department, location, cost center

Additional information for the application role definition. These input fields are only used for information. They do not indicate for which department, cost center or location the application roles are responsible.

Manager

Manager responsible for the application role.

Deputy manager

Deputy manager for the application role.

Permissions group

Permissions group for determining permissions for role-based login. The application role is given the permissions of the associated permissions group. If no permissions group assigned, the application role is obtains the permissions from the parent application role.

Administrators can assign the rest of the application roles to custom defined permissions groups. For more information, see Custom extension of application role permissions.

NOTE: Permissions groups for default administrator application roles for cannot be edited.

Description

Text field for additional explanation.

Comment

Text field for additional explanation.

Certification status

Status of the application role's certification. The following values can be selected.

  • New: The application role was newly created in the One Identity Manager database.

  • Certified: The main data of the application role is approved by a manager.

  • Denied: The application role main data was not approved by a manager.

Block inheritance

Specifies whether inheritance for this application role can be discontinued. Set this option to prevent company resources being inherited by child application roles.

NOTE: Inheritance of application roles can only be discontinued if they are custom application roles.

Dynamic roles not allowed

Specifies whether a dynamic role can be created for the application role.

Spare field no. 01 ... Spare field no. 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택