Chat now with support
Chat with Support

Identity Manager 8.1.4 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0 / OpenID Connect configuration Multi-factor authentication in One Identity Manager Granulated permissions for the SQL Server and database

Creating system users

To create a new system user

  1. In the Designer, select the Permissions category.

  2. Start the User & Permissions Group Editor with the Show / edit permissions group task.

  3. Add a new system user using the User | New menu item.

  4. Edit the system user's master data.

  5. Add the system user to permissions groups.

  6. Save the changes.

NOTE: You can create an administrative system user in User & Permissions Group Editor using the Create administrator menu. Administrative system users are automatically added to all non role-based permissions groups.

Related topics

System users’ passwords

The One Identity Manager password policy is used for logging in to One Identity Manager with a system user. This password policy defined the settings for the system user passwords (DialogUser.Password and Person.DialogUserPassword) as well as the access code for a one off log in on the Web Portal (Person.Passcode).

If necessary, adjust the password policy to your requirements in the Designer. For detailed information about editing password policies, see One Identity Manager Operational Guide.

NOTE: The One Identity Manager password policy is marked as the default policy. This password policy is applied if no other password policy can be found for employees, user accounts or system users.

To prevent passwords expiring for service accounts, for example, in the Designer, you can enable the Password never expires (DialogUser.PasswordNeverExpires) option for the respective system users.

Related topics

System user properties

Table 20: Properties of a system user
Property Description
System users Name of the system user for logging in to the administration tools.
Password and password confirmation Password with which the system logs into the administration tools.

Password last changed

Date of last password change.

Password never expires

Specifies whether the password expires. Enable the option for service accounts, for example, to prevent the password from expiring. This option overwrites the maximum age of the password.

Remarks Text field for additional explanation.
Read-only Set the option if a system user is a member of all permissions groups, but should only have viewing permissions for the objects. This results in overwriting all other edit permissions that the system user obtains through permissions group memberships.
Logins

Logins with which the system user can log in to the One Identity Manager tools. Enter the login in the form: Domain\User. This information is required if the Account based system user authentication module is used to log into the One Identity Manager tools.

Administrative user

Specifies whether this is an administrative system user. Administrative system users are automatically added to all non role-based permissions groups.

NOTE: You can create an administrative system user in the User & Permissions Group Editor using the Create administrator menu.

Service account

Specifies whether this is a system user that is used by a service account. This system user is not allocated a permissions groups but has all access permissions, tasks, and program functionality.

External password management

Specifies whether the system user password is determined by an external password management system. You cannot change the password in One Identity Manager. The determination of the system user password must be customized.

Related topics

Adding system users to permission groups

Add the system user to permissions groups, thereby granting the system user permissions for the tables and columns of the One Identity Manager data model and make the user interface available.

NOTE:

  • You cannot add system users to role-based permissions groups. Dynamic system users are calculated for role-based login.
  • Administrative system users are automatically added to all non role-based permissions groups.
  • The QBM_BaseRights permissions group defines the base permissions that are required for a system user to log in to the One Identity Manager tools. This permissions group is always assigned implicitly.
  • The viadmin system user has all of the specified permissions and the complete user interface. The system user implicitly receives the authorizations and user interface parts of the custom permissions groups.

A system user's memberships of permissions groups are presented in the User & Permissions Group Editor. Use the Options | Display permissions group inheritance menu to specify whether to display the direct and inherited memberships of permissions groups for system users.

Figure 2: System user permissions group memberships

Table 21: Meaning of icons in the hierarchical display
Icon Meaning
The selected system user is not assigned to this permissions group.
The selected system user is assigned to this permissions group.
The selected system user is indirectly assigned to this permissions group.
The selected system user is directly and indirectly assigned to this permissions group.

To assign a system user to a permissions group

  1. In the Designer, select the Permissions | System user category.
  2. Select a system user and start the User & Permissions Group Editor with the Edit system user task.
  3. Select the required permissions group in the hierarchical view. By clicking on the icon you add or delete the selected system user to or from a permissions group.

TIP: To assign a system user to several permissions groups, use the User | Permissions groups menu.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating