Employee's central password
An employee's central password can be used for logging into the target systems and for logging in to . Depending on the configuration, an employee's central password is replicated to their user accounts and their system user password.
- To publish the change in an employee's central user password to all existing user accounts of the employee, check in the Designer if the QER | Person | UseCentralPassword configuration parameter is set. If not, set the configuration parameter.
- To copy an employee's central password to their system user password for logging in, in the Designer, check if the QER | Person | UseCentralPassword | SyncToSystemPassword configuration parameter is set. If not, set the configuration parameter.
- If an employee’s system user account must be unlocked when the central password is given, in the Designer, check if the QER | Person | UseCentralPassword | SyncToSystemPassword | UnlockByCentralPassword configuration parameter is set. If not, set the configuration parameter.
NOTE:
- The password policy Employee central password policy is applied to an employee's central password. Ensure that this password policy does not violate the target systems' specific password policies.
- Use the QER | Person | UseCentralPassword | CheckAllPolicies configuration parameter to specify whether the employee’s central password is tested against the password policies of all the target systems in which the employee has user accounts. This test is only carried out in the Password Reset Portal.
- An employee's central password is published to a user account only if the user account's target system is synchronized by the One Identity Manager.
- If a target system is read-only, an employee's central password is not propagated to user accounts in that target system.
- An employee's central password is not replicated to privileged user accounts of the employee.
- If a password cannot be changed due to an error, the employee receives a corresponding email notification.
- To replicate an employee's central password to a password column of a customer-specific user account table, in the Designer, define a ViewAddOn for the QERVPersonCentralPwdColumn view. The database view returns the password column of the user account tables. The user account table must have a reference to the employee (UID_Person) and an XMarkedForDeletion column. For more information about modifying the One Identity Manager schema, see the One Identity Manager Configuration Guide.
- If you want to map additional user-specific features, overwrite the QER_Publish_CentralPassword script. For more information about editing scripts, see the One Identity Manager Configuration Guide.
- The central password, the system user password, and the user account passwords can be changed by using the Password Reset Portal. For more information, see the One Identity Manager Web Designer Web Portal User Guide and the One Identity Manager Web Application Configuration Guide.
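To see how the configuration parameters and the exclusions above interact, the following is a constructed model added to this section; it is not One Identity Manager code. The target systems, accounts and password policies are sample values, and the rule that UnlockByCentralPassword only applies while its parent parameter is set is an assumption taken from the parameter hierarchy.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model (added here, not One Identity Manager code) of how a changed
# central password is propagated. Keys mirror the configuration parameter names above.
CONFIG = {
    "QER | Person | UseCentralPassword": True,
    "QER | Person | UseCentralPassword | SyncToSystemPassword": True,
    "QER | Person | UseCentralPassword | SyncToSystemPassword | UnlockByCentralPassword": False,
    "QER | Person | UseCentralPassword | CheckAllPolicies": True,
}

@dataclass(frozen=True)
class TargetSystem:
    name: str
    synchronized: bool                 # synchronized by One Identity Manager
    read_only: bool = False            # read-only systems never receive the password
    policy: Optional[Callable[[str], bool]] = None  # stand-in for the system's policy

@dataclass(frozen=True)
class UserAccount:
    name: str
    system: TargetSystem
    privileged: bool = False           # privileged accounts are excluded

def propagation_plan(config, accounts):
    """Accounts that receive the new central password, plus system user password handling."""
    if not config.get("QER | Person | UseCentralPassword"):
        return {"accounts": [], "system_password": False, "unlock": False}
    targets = [a.name for a in accounts
               if a.system.synchronized and not a.system.read_only and not a.privileged]
    sync_sys = bool(config.get("QER | Person | UseCentralPassword | SyncToSystemPassword"))
    # Assumption: the child parameter only takes effect when SyncToSystemPassword is set.
    unlock = sync_sys and bool(config.get(
        "QER | Person | UseCentralPassword | SyncToSystemPassword | UnlockByCentralPassword"))
    return {"accounts": targets, "system_password": sync_sys, "unlock": unlock}

def failing_policies(config, password, accounts):
    """CheckAllPolicies (Password Reset Portal only): target systems whose policy rejects it."""
    if not config.get("QER | Person | UseCentralPassword | CheckAllPolicies"):
        return []
    systems = {a.system.name: a.system for a in accounts}
    return sorted(n for n, s in systems.items() if s.policy and not s.policy(password))

# Constructed sample: two differing policies, one read-only system, one privileged account.
AD = TargetSystem("AD", True, policy=lambda p: len(p) >= 8 and any(c.isdigit() for c in p))
LDAP = TargetSystem("LDAP", True, policy=lambda p: len(p) >= 12)
HR = TargetSystem("HR", True, read_only=True)
SAMPLE = [UserAccount("jdoe@AD", AD), UserAccount("adm-jdoe@AD", AD, privileged=True),
          UserAccount("jdoe@LDAP", LDAP), UserAccount("jdoe@HR", HR)]
```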
Mapping multiple employee identities
Table 30: Configuration parameter for representing multiple identities

Person | MasterIdentity | UseMasterForAuthentication
  Specifies whether the main identity should be used to log in to One Identity Manager tools using an employee-linked authentication module.
  If this parameter is set, the main identity is used for employee-linked authentication. If this parameter is not set, the subidentity is used for employee-linked authentication.
  For more information about One Identity Manager authentication modules and about editing system users, see the One Identity Manager Authorization and Authentication Guide.
Under certain circumstances, it may be necessary for employees to have different identities for their work – for example, identities that result from different contracts at different branches. These identities can differ in their affiliation to departments, or cost centers, or in their access permissions for example. External employees at different locations can also be used and represented with different identities in the system. You can define a main identity and a subidentity for an employee in One Identity Manager to represent each of the identities and to group them at a central location.
In target systems, different types of user accounts are available to provide the employees with different permissions. An employee can have different identities to use multiple user accounts with different types. In order to improve the assignment of authorizations to the target systems, the sub-identities of the employees are split into different identity types. This classification corresponds to the user account types.
Main identity
- A main identity represents a real person.
- A main identity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
- The employee main data of a main identity is shown in One Identity Manager.
- A main identity can have several subidentities.
Subidentity
- A subidentity is a virtual employee.
- A subidentity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
- A subidentity is always assigned to a main identity.
- Employee main data of a subidentity is displayed in One Identity Manager. This can be copied from the main identity data using the appropriate templates.
- Enter a main identity for the subidentity using Main identity on the employee’s main data form.
TIP: If an employee works with several identities, but only one of these is currently known in One Identity Manager, then you should:
- Create a main identity for this employee
- Assign the identity known until now as a subidentity
- Create new subidentities for the additional identities
In this way, an identity audit can check the permissions an employee is permitted to have per subidentity, or per main identity including all of its subidentities.
Employee identity types
To differentiate the different identities of an employee, use the following identity types.
Table 31: Identity types

Primary identity
  Employee's default identity. The employee has a default user account.
Organizational identity
  Virtual employee (subidentity) for mapping different roles to an employee in the organization. The subidentity has a user account of the Organizational identity type.
  Also enter a main identity.
Personalized admin identity
  Virtual employee (subidentity) that belongs to a user account of the Personalized administrator identity type.
  Also enter a main identity.
Sponsored identity
  Pseudo employee associated with a user account of the Sponsored identity type.
  Assign a manager to the employee.
Shared identity
  Pseudo employee associated with an administrative user account of the Shared identity type.
  Assign a manager to the employee.
Service identity
  Pseudo employee associated with a user account of the Service identity type.
  Assign a manager to the employee.
Machine identity
  Pseudo employee for mapping machine identities.
The primary identity, the organizational identity, and the personalized admin identity are different identities under which the same actual employee can carry out their different tasks within the company.
Employees with a personalized admin identity or an organizational identity are set up as subidentities. These subidentities are then linked to user accounts, enabling you to assign the required permissions to the different user accounts.
The sponsored identity, the shared identity, and the service identity represent pseudo employees that are used to provide the linked user accounts with permissions in the respective target systems. The classification of pseudo employees to hierarchical roles or as customers in the IT Shop enables the assignment of permissions to the user accounts. Requests in the IT Shop can be triggered only by the manager of these pseudo employees. When evaluating reports, attestations, or compliance checks, check whether pseudo employees need to be considered separately.
Password policies for employees
provides you with support for creating complex password policies, for example, for system user passwords, the employees' central password, and passwords for individual target systems. Password policies apply not only when the user enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can use or customize if required. You can also define your own password policies.