Identity Manager 8.1.4 - Authorization and Authentication Guide

Allowing approval decisions using the Starling 2FA app

Table 44: Configuration parameters for approving with the Starling 2FA app

Configuration parameter: QER | Person | Starling | UseApprovalAnywhere
Meaning: Defines whether requests can be approved with the Starling 2FA app.

Configuration parameter: QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire
Meaning: Specifies the timeout in seconds after which an approval via the Starling 2FA app expires.

To give approvers who are temporarily unable to access the One Identity Manager tools a way to make approval decisions, you can set up approval through the Starling 2FA app. Approvers are then prompted by the Starling 2FA app to approve or deny a request. This option is only available if you use Starling Cloud for multi-factor authentication and the approvers are registered with Starling Two-Factor Authentication.

To use the Starling 2FA app for approval decisions

  • In the Designer, set the QER | Person | Starling | UseApprovalAnywhere configuration parameter.

    The approver must make the approval decision within 5 minutes. If the approval times out, the approver must approve the request in the Web Portal instead.

    To change the timeout, modify the value of the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter. Enter the timeout in seconds.

Granulated permissions for the SQL Server and database

To implement a One Identity Manager database or a One Identity Manager History Database on a SQL Server or on a managed instance in Azure SQL Database, you are provided with SQL Server logins and database users for administrative users, configuration users, and end users. Their permissions at server and database level are matched to the tasks of each type of user.

Normally, you cannot edit these users and their permissions. You may need to set up an additional database user in order to use a One Identity Manager History Database.

For detailed information about users and their permissions, see the One Identity Manager Installation Guide and the One Identity Manager Data Archiving Administration Guide.

Minimum access levels of One Identity Manager tools

NOTE:

  • Connections that do not use the expected access level for SQL Server logins are not shown in the connection dialog.

  • If you select an existing database connection in the connections dialog, the access level of the login to be used is shown in a tooltip.

You require the following minimum access level for the One Identity Manager tools.

Table 45: Access level for One Identity Manager tools

Tool                                Minimum access level
Analyzer                            End user
Application server                  End user or configuration user (depending on the application server's task)
AppServer.Installer.CMD.exe         Configuration user
API Designer                        Configuration user
API Server                          End user
Configuration Wizard                Administrative user
Crypto Configuration                Configuration user
Data Import                         End user; configuration user to save an import definition
DataImporterCMD.exe                 End user
Database Compiler                   Configuration user
DBCompilerCMD.exe                   Configuration user
Database Transporter                Configuration user
DBTransporterCMD.exe                Administrative user
DBClone                             Administrative user
DBComparer                          Configuration user
Designer                            Configuration user
Job Queue Info                      Configuration user
Launchpad                           End user; some applications started from the Launchpad require different access levels
License Meter                       End user
Manager                             End user; some functions, for example consistency checks or opening target system synchronization projects, require the configuration user access level
HistoryDB Manager                   End user
Object Browser                      End user
One Identity Manager Service        Configuration user (for process collection with the MSSQLJobProvider)
Report Editor                       Configuration user
Schema Extension                    Configuration user
SchemaExtensionCmd.exe              Configuration user
Server Installer                    Configuration user
Software Loader                     Configuration user
SoftwareLoaderCMD.exe               Configuration user
Synchronization Editor              Configuration user
System Debugger                     Configuration user
Web Designer                        Configuration user
Web Designer Configuration Editor   Configuration user
VI.WebDesigner.CompilerCmd.exe      Configuration user
WebDesigner.InstallerCMD.exe        Configuration user
Web Portal                          End user
Password Reset Portal               End user
Operations Support Web Portal       End user
Quantum.MigratorCmd.exe             Administrative user

Displaying database server logins

To display login information

  1. In the Designer, select the Base data | Security settings | Database server permissions | Database server login category.

  2. Select the database server login. The following information is displayed:

    • Login name: The user's SQL Server login.
    • Database server login: Type of database user.
    • Access level: The access level for logging in. The access levels displayed are End user, Configuration user, Administrative user, System administrator, and Unknown.

  3. To show the database roles and server roles that are assigned, select the Database or server role tab.
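The Designer tab described above shows the server roles and database roles behind a login's access level. The following T-SQL is an added example, not part of the One Identity Manager documentation or product: it reads the same information straight from the SQL Server catalog views (sys.server_principals, sys.server_role_members, sys.database_principals, sys.database_role_members) so that you can verify a login before handing it to one of the tools in Table 45. The login name OneIM_ConfigUser is an assumed placeholder; run the script with the One Identity Manager database selected. How the roles map onto the End user, Configuration user, and Administrative user levels is defined in the One Identity Manager Installation Guide; the query only shows raw role membership.

```sql
-- Added example, not from the One Identity Manager documentation.
-- Lists the server roles and database roles held by one SQL Server login,
-- the raw data behind the Designer's "Database or server role" tab.
-- Select the One Identity Manager database before running it.
DECLARE @LoginName sysname = N'OneIM_ConfigUser';   -- assumption: replace with the real login

-- 1. Does the login exist, what kind of principal is it, and is it disabled?
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.name = @LoginName;

-- 2. Server roles (sysadmin, dbcreator, ...) granted to the login.
SELECT r.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE m.name = @LoginName;

-- 3. Database user mapped to the login in the current database, and its database roles.
--    SUSER_SID returns NULL for an unknown login, so an unmapped or missing login yields no rows.
SELECT dp.name AS database_user, r.name AS database_role
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS drm ON drm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
WHERE dp.sid = SUSER_SID(@LoginName);

-- 4. Least-privilege check: a sysadmin login carries far more than any tool in
--    Table 45 needs. Flag it before using it for the Web Portal, API Server or
--    another end-user component. IS_SRVROLEMEMBER returns NULL when the login
--    does not exist or the caller may not see it, so that case is reported too.
IF IS_SRVROLEMEMBER(N'sysadmin', @LoginName) = 1
    PRINT N'WARNING: ' + @LoginName + N' is a member of sysadmin; do not use it as an end-user login.';
ELSE IF IS_SRVROLEMEMBER(N'sysadmin', @LoginName) IS NULL
    PRINT N'Login ' + @LoginName + N' not found, or the caller lacks permission to see it.';
```

The catalog views only return principals the caller is allowed to see, so run the script with a login that holds VIEW ANY DEFINITION (or as a server administrator); an empty result from step 1 does not by itself prove that the login is absent.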
