
Identity Manager 8.2 - Authorization and Authentication Guide


System user properties

Table 23: Properties of a system user
Property Description

System users

Name of the system user for logging in to the administration tools.

Password and password confirmation

Password with which the system user logs in to the administration tools.

Password last changed

Date of last password change.

Password never expires

Specifies whether the password never expires. Enable the option for service accounts, for example, to prevent the password from expiring. This option overwrites the maximum age of the password.

Remarks

Text field for additional explanation.

Read-only

Set the option if a system user is a member of several permissions groups but should have only read permissions for the objects. This overrides all edit permissions that the system user is granted through memberships in permissions groups.

Logins

Logins with which the system user can log in to the One Identity Manager tools. Enter the login in the form: Domain\User. This information is required if the Account based system user authentication module is used to log into the One Identity Manager tools.

Administrative user

Specifies whether this is an administrative system user. Administrative system users are automatically added to all non role-based permissions groups.

NOTE: You can create an administrative system user in the Designer with the User & Permissions Group Editor using the Create administrator menu.

Service account

Specifies whether this is a system user that is used by a service account. This system user is not assigned to a permissions group but has all the permissions, tasks, and program functionality.

External password management

Specifies whether the system user password is determined by an external password management system. You cannot change the password in One Identity Manager. The determination of the system user password must be customized.


Adding system users to permission groups

Add system users to permissions groups, thereby granting permissions for the tables and columns of the One Identity Manager schema and making the user interface available.

NOTE:

  • You cannot add system users to role-based permissions groups. Dynamic system users are calculated for role-based login.

  • Administrative system users are automatically added to all non role-based permissions groups.

  • The QBM_BaseRights permissions group defines the base rights that are required for a system user to log in to the One Identity Manager tools. This permissions group is always assigned implicitly.

  • The viadmin system user has all of the specified permissions and the complete user interface. The system user implicitly receives the authorizations and user interface parts of the custom permissions groups.

A system user's memberships in permissions groups are displayed in the Designer in the User & Permissions Group Editor. Use the Options > Display permissions group inheritance menu to specify whether to display the direct and inherited memberships of permissions groups for a system user.

Figure 2: Memberships of a system user in permissions groups

Table 24: Meaning of icons in the hierarchical display
Icon Meaning

The selected system user is not assigned to this permissions group.

The selected system user is assigned to this permissions group.

The selected system user is indirectly assigned to this permissions group.

The selected system user is directly and indirectly assigned to this permissions group.

To assign a system user to a permissions group

  1. In the Designer, select the Permissions > System user category.

  2. Select a system user and start the User & Permissions Group Editor with the Edit system user task.

  3. In the hierarchical view, select the permission group. By clicking on the icon, you add or delete the selected system user to or from a permissions group.

  4. Select Database > Save to database and click Save.

TIP: To assign a system user to several permissions groups, use the User > Permissions groups menu.


Which employees use the system user?

Employees obtain a system user directly through their main data or dynamically through their One Identity Manager application roles.

To display which employees are assigned to a system user

  1. In the Designer, select the Permissions > System user category.

  2. Select a system user and start the User & Permissions Group Editor with the Edit system user task.

  3. Select the View > One Identity Manager employees menu item.

    NOTE: You cannot change the assignments in this view.

Dynamic system user

Dynamic system users are used for logging into One Identity Manager tools with role-based authentication modules. First, the employee memberships in the One Identity Manager application roles are determined during login. Assignments of permissions groups to One Identity Manager application roles are used to determine which permissions groups apply to the employee. A dynamic system user is determined from these permissions groups that will be used for the employee’s login.

NOTE: You cannot edit dynamic system users. If no role-based logins of employees who use dynamic system users are performed for some time, you should delete the dynamic system users for performance reasons. A new dynamic system user is created during the next role-based employee login.

To delete dynamic system users

  • In the Designer, enable the Common | DynamicUserLifetime configuration parameter and enter the maximum retention period in days for dynamic system users.

    If the configuration parameter is set, dynamic system users whose retention period has expired are deleted from the database as part of the daily maintenance tasks.
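The following Python is an added illustration, not code from this guide or from One Identity. It models, in one place, the rules stated in the sections "Adding system users to permission groups" and "Dynamic system user": direct memberships, automatic membership of administrative users in all non role-based groups, the implicit QBM_BaseRights group, the Read-only override, the rule that system users cannot be added to role-based groups, the derivation of a dynamic system user from application roles, and retention-based cleanup. Everything except the QBM_BaseRights name is an assumption: the group and application role names, the table names, the "DYN_" naming scheme for dynamic users, and the use of the last login date as the start of the retention period.

```python
"""Illustrative model of One Identity Manager system user permission rules.

Constructed example: all names except QBM_BaseRights, and the expiry criterion,
are assumptions rather than the product's own schema or behaviour.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

BASE_GROUP = "QBM_BaseRights"  # implicitly assigned to every system user


@dataclass(frozen=True)
class PermissionsGroup:
    name: str
    role_based: bool
    edit_tables: FrozenSet[str] = frozenset()  # tables the group may edit (constructed)


@dataclass
class SystemUser:
    name: str
    groups: Set[str] = field(default_factory=set)  # direct memberships
    administrative: bool = False
    read_only: bool = False
    dynamic: bool = False
    last_login: Optional[date] = None


# Constructed catalogue of permissions groups (names other than QBM_BaseRights are invented)
GROUPS: Dict[str, PermissionsGroup] = {
    BASE_GROUP: PermissionsGroup(BASE_GROUP, role_based=False),
    "CCC_Admin": PermissionsGroup("CCC_Admin", False, frozenset({"Person", "ADSAccount"})),
    "CCC_Audit": PermissionsGroup("CCC_Audit", False),
    "CCC_Helpdesk": PermissionsGroup("CCC_Helpdesk", True, frozenset({"Person"})),
    "CCC_Approver": PermissionsGroup("CCC_Approver", True),
}

# Constructed assignments of permissions groups to application roles
ROLE_TO_GROUPS: Dict[str, Set[str]] = {
    "Helpdesk 1st level": {"CCC_Helpdesk"},
    "Request approver": {"CCC_Approver"},
}


def effective_groups(user: SystemUser, groups: Dict[str, PermissionsGroup] = GROUPS) -> Set[str]:
    """Direct memberships, plus every non role-based group for administrative
    users, plus the implicit base-rights group."""
    names = set(user.groups)
    if user.administrative:
        names |= {g.name for g in groups.values() if not g.role_based}
    names.add(BASE_GROUP)
    return names


def can_edit(user: SystemUser, table: str, groups: Dict[str, PermissionsGroup] = GROUPS) -> bool:
    """Read-only overrides every edit permission obtained through group membership."""
    if user.read_only:
        return False
    return any(table in groups[g].edit_tables for g in effective_groups(user, groups) if g in groups)


def assign_to_group(user: SystemUser, group_name: str, groups: Dict[str, PermissionsGroup] = GROUPS) -> None:
    """Mirrors the Designer rules: dynamic users are not editable and no system
    user can be added to a role-based permissions group."""
    if user.dynamic:
        raise ValueError("dynamic system users cannot be edited")
    if groups[group_name].role_based:
        raise ValueError(f"{group_name} is role-based; memberships come from application roles")
    user.groups.add(group_name)


def resolve_dynamic_user(employee_roles: Iterable[str], today: date,
                         role_to_groups: Dict[str, Set[str]] = ROLE_TO_GROUPS,
                         groups: Dict[str, PermissionsGroup] = GROUPS) -> SystemUser:
    """Role-based login: application roles -> role-based permissions groups -> dynamic user.
    The 'DYN_' naming scheme is constructed for this example."""
    names: Set[str] = set()
    for role in employee_roles:
        names |= role_to_groups.get(role, set())
    names = {n for n in names if groups[n].role_based}
    key = "DYN_" + "_".join(sorted(names)) if names else "DYN_none"
    return SystemUser(key, groups=names, dynamic=True, last_login=today)


def expired_dynamic_users(users: Iterable[SystemUser], today: date, lifetime_days: int) -> List[str]:
    """Names of dynamic users not used within the retention period (the maintenance
    task would delete these). Static users are never returned. Assumption: the
    period is counted from the last login."""
    limit = timedelta(days=lifetime_days)
    return sorted(u.name for u in users
                  if u.dynamic and u.last_login is not None and today - u.last_login > limit)
```

The `expired_dynamic_users` function stands in for the daily maintenance task controlled by the Common | DynamicUserLifetime configuration parameter; in the model, a user recreated at the next role-based login simply gets a fresh `last_login`.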
