The Application Governance Module allows you to quickly and simply run the onboarding process for new applications from one place using one tool. An application created with the Application Governance Module combines all the permissions application users require for their regular work. You can assign entitlements and roles to your application and plan when they become available as service items (for example, in the Web Portal).
About this guide
Configuring the Web Portal
IT shop configuration
WebAuthn security keys
Starling Two-Factor Authentication
Requesting by reference user
Sending the shopping cart
Approver options
Approval decisions about URL links
Displaying user-specific processes in the Web Portal
Configuring self-registration of new users
Configuring the four eyes principle for issuing a passcode.
Configuring password questions
Configuring the search
Setting up Starling Two-Factor Authentication
Starling Two-Factor Authentication for specific people
Logging in without Starling 2FA tokens
Activating Starling Two-Factor Authentication for the Operations Support Web Portal
Application Governance Module
Configuring password questions
Password Reset Portal
Setting up a Password Reset Portal
Recommendations for secure operation of web applications
Installing the Password Reset Portal
Authentication
Settable passwords
Excluding passwords from being reset
Central password
Setting up a new application token
Configuring Password Reset Portal login using target system user accounts
Using HTTPS
Disable automatic password storage
Disabling the HTTP request method TRACE
Using HTTP Strict Transport Security (HSTS)
Disabling insecure encryption mechanisms
Setting the "HttpOnly" attribute for ASP.NET session cookies
Setting the "same-site" attribute for ASP.NET session cookies
Setting the "secure" attribute for ASP.NET session cookies
Disabling Windows IIS 8.3 short names
Removing the HTTP response header in Windows IIS
Creating X-Frame-Options HTTP response header
Running web applications in release mode
Application Governance Module
Application Governance Module
Configuring entitlements
To enable employees to view, create, and manage applications as well as approve requests for application products in the Web Portal, you must assign specific application roles to employees.
NOTE: Managing an application involves the following:
-
Editing the application's main data and the assigned entitlements and roles
-
Assigning entitlements and roles to the application
-
Unassigning entitlements and roles from the application
-
Deploying the application and associated entitlements and roles
-
Undeploying the application and its associated permissions and roles
To assign an application role for application governance to employees
-
Start the Manager.
-
Connect to the relevant database.
-
Select the One Identity Manager Administration category.
-
In the upper navigation pane, click the application role you want to assign to employees:
-
Application Governance | Administrators: Members of this application role create new applications and manage all applications in the Web Portal.
-
Application Governance | Owners: If this application role is assigned to an application as an owner application role, the members manage the application in the Web Portal.
-
Application Governance | Approvers: If this application role is assigned to an application as an approver application role, the members can approve requests for products of this application (if the BE - Approver of an application approval procedure is used).
-
-
In the Tasks pane, select the Assign employees task.
-
In the Add Assignments area, double-click the employees to whom you want to assign the application role.
-
Click
(Save).
Filling application hyperviews
In the Web Portal, an overview is available to users for each application in the form of a hyperview. The Fill application overview schedule collects all the data for this hyperview and fills it.
To start the schedule to populate the hyperview
-
Start the Designer.
-
In the Designer, select the Base data > General > Schedules category.
-
In the list, select the Fill application overview schedule.
-
In the schedule's details pane, click Start.
-
Confirm the security prompt with Yes.
To edit the schedule for filling the application's hyperview
-
Start the Designer.
-
In the Designer, select the Base data > General > Schedules category.
-
In the list, select the Fill application overview schedule.
-
In the schedule's details pane, edit the schedule's main data.
For more information about schedule and their properties, see One Identity Manager Operational Guide.
-
Select the Database > Commit to database menu item and click Save.
Configuring password questions
Configuring password questions
If Web Portal users forget their password, they can set a new one with the help of the password questions.
To configure the use of password questions.
-
Start the Designer.
-
Configure the following configuration parameters:
NOTE: See the One Identity Manager Configuration Guide, to find out how to edit configuration parameters in the Designer.
-
QER | Person | PasswordResetAuthenticator | QueryAnswerDefinitions: Specify how many password questions and answers users must enter. Users who do not enter enough or any questions and answers, cannot reset their password.
NOTE: The value must not be less than the value in the QueryAnswerRequests configuration parameter.
-
QER | Person | PasswordResetAuthenticator | QueryAnswerRequests: Specify how many password questions users have to answer before they can reset their password.
NOTE: The value must not be higher than the value in the QueryAnswerDefinitions configuration parameter.
-
QER | Person | PasswordResetAuthenticator | InvalidateUsedQuery: Specify whether users must enter new password questions and answers after successfully resetting their password. In this case, correctly answered questions are deleted.
-