
Identity Manager 8.1.4 - Administration Guide for Connecting to Active Directory


Overview of all assignments

The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Examples
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
  • If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
  • Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.

  • Double-click a control to show all child roles belonging to the selected role.
  • By clicking the button in a role's control, you display all employees in the role with the base object.
  • Use the small arrow next to this button to start a wizard that allows you to bookmark this list of employees for tracking. The wizard creates a new business role to which the employees are assigned.

Figure 3: Toolbar of the Overview of all assignments report.

Table 76: Meaning of icons in the report toolbar
Icon Meaning
[icon] Shows the legend with the meaning of the report control elements.
[icon] Saves the current report view as a graphic.
[icon] Selects the role class used to generate the report.
[icon] Displays all roles or only the affected roles.

Configuration parameters for managing an Active Directory environment

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 77: Configuration parameters
Configuration parameter Description
QER | ITShop | GroupAutoPublish

Preprocessor relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to this parameter require the database to be recompiled.

QER | ITShop | GroupAutoPublish | ADSGroupExcludeList

This configuration parameter contains a list of all groups for which automatic IT Shop assignment should not take place. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

TargetSystem | ADS

Preprocessor relevant configuration parameter for controlling the database model components for the administration of the target system Active Directory. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

TargetSystem | ADS | Accounts

This configuration parameter permits configuration of user account data.

TargetSystem | ADS | Accounts | InitialRandomPassword

This configuration parameter specifies whether a randomly generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | ADS | Accounts | InitialRandomPassword | SendTo

This configuration parameter specifies to which employee the email with the randomly generated password should be sent (manager of the cost center/department/location/business role, the employee's manager, or XUserInserted). If no recipient can be found, the password is sent to the address stored in the configuration parameter TargetSystem | ADS | DefaultAddress.

TargetSystem | ADS | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

This configuration parameter contains the name of the mail template sent to provide users with the login data for their user accounts. The Employee - new user account created mail template is used.

TargetSystem | ADS | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

This configuration parameter contains the name of the mail template sent to provide users with information about their initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | ADS | Accounts | MailTemplateDefaultValues

This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | ADS | Accounts | NotRequirePassword

This configuration parameter defines if the No password required option is enabled in the Active Directory environment when a new user account is created.

TargetSystem | ADS | Accounts | PrivilegedAccount

This configuration parameter allows configuration of settings for privileged Active Directory user accounts.

TargetSystem | ADS | Accounts | PrivilegedAccount | SAMAccountName_Postfix

This configuration parameter contains the postfix for formatting login names for privileged user accounts.

TargetSystem | ADS | Accounts | PrivilegedAccount | SAMAccountName_Prefix

This configuration parameter contains the prefix for formatting login names for privileged user accounts.

TargetSystem | ADS | Accounts | ProfileFixedString

This configuration parameter contains a fixed character string that is appended to the user profile's default profile path.

TargetSystem | ADS | Accounts | TransferJPegPhoto

This configuration parameter specifies whether changes to the employee's picture are published in existing user accounts. The picture is not part of default synchronization. It is only published when employee data is changed.

TargetSystem | ADS | Accounts | TransferSIDHistory

This configuration parameter specifies whether the history of an SID is loaded from the target system.

TargetSystem | ADS | Accounts | TSProfileFixedString

This configuration parameter contains a fixed character string, which is appended to the user profile's default profile path on a terminal server.

TargetSystem | ADS | Accounts | UnlockByCentralPassword

This configuration parameter specifies whether the employee’s Active Directory user account is also blocked by synchronizing the central password.

TargetSystem | ADS | Accounts | UserMustChangePassword

This configuration parameter defines if the Change password at next login option is enabled when a new user account is created.

TargetSystem | ADS | AuthenticationDomains

This configuration parameter contains a pipe (|) delimited list of domains to be used by the manual Active Directory authentication module to authenticate users. The list is processed in the given order. This list should only contain domains to be synchronized.

Example:

MyDomain|MyOtherDomain

For detailed information about the One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

TargetSystem | ADS | AutoCreateDepartment

This configuration parameter specifies whether departments are automatically created when user accounts are modified or synchronized.

TargetSystem | ADS | AutoCreateLocality

This configuration parameter specifies whether locations are automatically created when user accounts are modified or synchronized.

TargetSystem | ADS | AutoCreateHardwaretype

This configuration parameter specifies whether corresponding device types are created automatically in the database for imported printer objects.

TargetSystem | ADS | AutoCreateServers

This configuration parameter specifies whether entries for missing home servers and profile servers are created automatically when user accounts are synchronized.

TargetSystem | ADS | AutoCreateServers | PreferredLanguage

This configuration parameter contains the preferred language for automatically created servers.

TargetSystem | ADS | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system.

TargetSystem | ADS | HardwareInGroupFromOrg

The configuration parameter specifies whether computers are added to groups on the basis of group assignment to roles.

TargetSystem | ADS | MaxFullsyncDuration

This configuration parameter contains the maximum runtime for synchronization. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group memberships are recalculated.

TargetSystem | ADS | MembershipAssignCheck

When assigning group memberships in the One Identity Manager database, this configuration parameter specifies whether permissibility of the membership is verified at the time of saving.

Disable this configuration parameter if several trusted domains with access across memberships are managed in the database.

TargetSystem | ADS | MemberShipRestriction

General configuration parameter for restricting membership in Active Directory.

TargetSystem | ADS | MemberShipRestriction | Container

This configuration parameter contains the number of Active Directory objects allowed per container before warning email is sent.

TargetSystem | ADS | MemberShipRestriction | Group

This configuration parameter contains the number of Active Directory objects allowed per group before warning email is sent.

TargetSystem | ADS | MemberShipRestriction | MailNotification

This configuration parameter contains the default email address for sending warnings by email.

TargetSystem | ADS | PersonAutoDefault

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | ADS | PersonAutoDisabledAccounts

This configuration parameter specifies whether employees are automatically assigned to disabled user accounts. User accounts do not obtain an account definition.

TargetSystem | ADS | PersonAutoFullSync

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.

TargetSystem | ADS | PersonExcludeList

List of all user accounts for which automatic employee assignment should not take place. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.*\$
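Both exclude lists on this page (QER | ITShop | GroupAutoPublish | ADSGroupExcludeList and TargetSystem | ADS | PersonExcludeList) are pipe-delimited lists of regular-expression patterns, and a mistyped entry either leaks a sensitive group into the IT Shop or quietly stops employee assignment for ordinary accounts. The following script is an added example for checking such a list against candidate names before it is saved; it is not One Identity Manager code and does not reproduce the product's matcher. It assumes that each entry must match the whole name, that matching is case-insensitive (sAMAccountName comparisons in Active Directory are), and that entries themselves contain no pipe characters. The group and account names it tests are constructed; the two pattern lists are the examples from the guide, with the last entry of the account list written as `.*\$`, a name ending in a dollar sign, which is how computer accounts are named.

```python
import re
from typing import Dict, List, Optional

# Pattern lists as given in the guide's examples.
ADS_GROUP_EXCLUDE_LIST = ".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"
PERSON_EXCLUDE_LIST = (
    r"ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.*\$"
)


def split_entries(exclude_list: str) -> List[str]:
    """Split a pipe-delimited list into its pattern entries.

    Empty entries (from a doubled or trailing pipe) are dropped so that a
    typo cannot turn into an alternative that matches nothing or, depending
    on the matcher, everything. Assumption: entries contain no '|' themselves.
    """
    return [entry.strip() for entry in exclude_list.split("|") if entry.strip()]


def matching_entry(name: str, exclude_list: str) -> Optional[str]:
    """Return the first entry that matches the whole name, or None.

    Assumption: whole-name, case-insensitive matching. Returning the entry
    rather than a bool shows an auditor *why* a name is excluded.
    """
    for entry in split_entries(exclude_list):
        if re.fullmatch(entry, name, re.IGNORECASE):
            return entry
    return None


def audit(names: List[str], exclude_list: str) -> Dict[str, Optional[str]]:
    """Map every candidate name to the entry that excludes it (None if processed)."""
    return {name: matching_entry(name, exclude_list) for name in names}


# Constructed sample names, not taken from any real directory.
SAMPLE_GROUPS = [
    "Domain Admins",            # excluded by .*Admins
    "Backup Administrators",    # excluded by .*Administrator.*
    "Exchange Servers",         # excluded by Exchange.*
    "Account Operators",        # excluded by .*Operators
    "IIS_IUSRS",                # excluded by the literal entry
    "Sales Team",               # published to the IT Shop
]
SAMPLE_ACCOUNTS = [
    "ADMINISTRATOR",            # exact entry
    "krbtgt",                   # matches KRBTGT case-insensitively
    "IUSR_WEB01",               # IUSR_.*
    "FILESRV01$",               # computer account, .*\$
    "SUPPORTER",                # NOT excluded: SUPPORT_.* requires the underscore
    "jdoe",                     # ordinary user, gets employee assignment
]

if __name__ == "__main__":
    for label, names, patterns in (
        ("groups", SAMPLE_GROUPS, ADS_GROUP_EXCLUDE_LIST),
        ("accounts", SAMPLE_ACCOUNTS, PERSON_EXCLUDE_LIST),
    ):
        print(f"--- {label} ---")
        for name, entry in audit(names, patterns).items():
            print(f"{name:24} {'excluded by ' + entry if entry else 'processed'}")
```

Run it with the list you intend to configure and the names you expect to be affected; a name that lands on the wrong side of the audit is cheaper to find here than after the next synchronization run. Because the product's own matching rules (anchoring, case handling) are not documented on this page, confirm them against a test environment before relying on the result.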

TargetSystem | ADS | PersonUpdate

This configuration parameter specifies whether employees are updated if their user accounts are changed. This configuration parameter is set to allow ongoing update of employee objects from associated user accounts.

TargetSystem | ADS | ReplicateImmediately

This configuration parameter is used to speed up synchronization of modifications between two domain controllers. When set, the accumulated modifications in Active Directory are immediately replicated between domain controllers.

TargetSystem | ADS | VerifyUpdates

This configuration parameter specifies whether modified properties are checked by updating. If this parameter is set, the objects in the target system are verified after every update.

Default project template for Active Directory

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The template uses mappings for the following schema types.

Table 78: Mapping Active Directory schema types to tables in the One Identity Manager schema
Schema type in Active Directory Table in the One Identity Manager Schema
builtInDomain ADSContainer
computer ADSMachine
contact ADSContact
container ADSContainer
domainDNS ADSDomain
forest (virtual schema type) ADSForest
group ADSGroup
inetOrgPerson ADSAccount
msDS-PasswordSettings ADSPolicy
organizationalUnit ADSContainer
printQueue ADSPrinter
serverInSite ADSMachineInADSSite
site ADSSite
trustedDomain DomainTrustsDomain
user ADSAccount