지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.2 - Administration Guide for Connecting to Google Workspace

Mapping a Google Workspace environment in One Identity Manager Synchronizing a Google Workspace customer
Setting up initial synchronization of a Google Workspace customer Customizing the synchronization configuration for Google Workspace Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Google Workspace user accounts and identities
Account definitions for Google Workspace user accounts Assigning identities automatically to Google Workspace user accounts Manually linking identities to Google Workspace user accounts Supported user account types Specifying deferred deletion for Google Workspace user accounts
Login credentials for Google Workspace user accounts Managing Google Workspace entitlement assignments Mapping Google Workspace objects in One Identity Manager
Google Workspace customers Google Workspace user accounts Google Workspace groups Google Workspace products and SKUs Google Workspace organizations Google Workspace domains Google Workspace domain aliases Google Workspace admin roles Google Workspace admin privileges Google Workspace admin role assignments Google Workspace external email addresses Reports about Google Workspace objects
Handling of Google Workspace objects in the Web Portal Basic configuration data for managing a Google Workspace customer Troubleshooting the connection to a Google Workspace customer Configuration parameters for managing a Google Workspace environment Default project template for Google Workspace API scopes for the service account Processing methods of Google Workspace system objects Special features in the assignment of Google Workspace groups

Providing administrative user accounts for one identity

Use this task to create an administrative user account that can be used by an identity.

Prerequisites
  • The user account must be labeled as a personalized administrator identity.

  • The identity that will be using the user account must be marked as a personalized administrator identity.

  • The identity that will be using the user account must be linked to a main identity.

To prepare an administrative user account for an identity

  1. Label the user account as a personalized administrator identity.

    1. In the Manager, select the Google Workspace > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity selection list, select Personalized administrator identity.

  2. Link the user account to the identity that will be using this administrative user account.

    1. In the Manager, select the Google Workspace > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity selection list, select the identity that will be using this administrative user account.

      TIP: If you are the target system manager, you can selected to create a new identity.

For more information about mapping identity types, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

Providing administrative user accounts for several people

Use this task to create an administrative user account that can be used by more that one identity.

Prerequisite
  • The user account must be labeled as a shared identity.

  • There must be an identity with the type Shared identity available. The shared identity must have a manager.

  • The identities who are permitted to use the user account must be labeled as a primary identity.

To prepare an administrative user account for multiple identities

  1. Label the user account as a shared identity.

    1. In the Manager, select the Google Workspace > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity menu, select Shared identity.

  2. Link the user account to an identity.

    1. In the Manager, select the Google Workspace > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity menu, select an identity the type Shared identity.

      TIP: If you are the target system manager, you can use the button to create a new shared identity.

  3. Assign the identities who will use this administrative user account to the user account.

    1. In the Manager, select the Google Workspace > User accounts category.

    2. Select the user account in the result list.

    3. Select the Assign identities authorized to use task.

    4. In the Add assignments pane, add identities.

      TIP: In the Remove assignments pane, you can remove assigned identities.

      To remove an assignment

      • Select the identity and double-click .

For more information about mapping identity types, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

Privileged user accounts

Privileged user accounts are used to provide identities with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are labeled with the Privileged user account property (IsPrivilegedAccount column).

NOTE: The criteria according to which user accounts are automatically identified as privileged are defined as extensions to the view definition (ViewAddOn) in the TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is done in the TSB_SetIsPrivilegedAccount script.

To create privileged users through account definitions

  1. Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.

  2. If you want to prevent the properties for privileged user accounts from being overwritten, set the IT operating data overwrites property for the manage level to Only initially. In this case, the properties are populated just once when the user accounts are created.

  3. Specify how an identity's temporary deactivation, permanent deactivation, deletion, and security risks affect its user accounts and group memberships in the manage level.

  4. Create a formatting rule for the IT operating data.

    You use the mapping rule to define which rules are used to map IT operating data for user accounts and which default values are used if no IT operating data can be determined through an identity's primary roles.

    The type of IT operating data required depends on the target system. The following settings are recommended for privileged user accounts:

    • In the mapping rule for the IsPrivilegedAccount column, use the default value 1 and set the Always use default value option.

    • You can also specify a mapping rule for the IdentityType column. The column owns different permitted values that represent user accounts.

    • To prevent privileged user accounts from inheriting the entitlements of the default user, define a mapping rule for the IsGroupAccount_Group, IsGroupAccount_PaSku, and IsGroupAccount_OrgAdminRole columns with a default value of 0 and set the Always use default value option.

  5. Enter the effective IT operating data for the target system.

    Specify in the departments, cost centers, locations, or business roles which IT operating data should apply when you set up a user account.

  6. Assign the account definition directly to identities who work with privileged user accounts.

    When the account definition is assigned to an identity, a new user account is created through the inheritance mechanism and subsequent processing.

TIP: If customization requires that the login names of primary mail addresses of privileged user accounts follow a defined naming convention, specify how the email addresses are formatted in the template.

Related topics

Specifying deferred deletion for Google Workspace user accounts

You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or locked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.

You have the following options for configuring deferred deletion.

  • Global deferred deletion: Deferred deletion applies to user accounts in all target system. The default value is 30 days.

    In the Designer, enter a different value for deferred deletion in the Deferred deletion [days] property of the GAPUser table.

  • Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.

    To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the GAPUser table.

    Example:

    Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.

    If Not $IsPrivilegedAccount:Bool$ Then

    Value = 10

    End If

For more information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택