
Identity Manager 8.1.4 - Identity Management Base Module Administration Guide


Permitting assignments of employees, devices, workdesks, and company resources

The default method for assigning company resources is through secondary assignment. For this, employees, devices, and workdesks as well as company resources are added to roles through secondary assignment.

Use role classes to specify how and whether employees, devices, workdesks, and company resources are permitted as secondary assignments to roles. Role classes form the basis for mapping hierarchical roles in One Identity Manager and are used to group similar roles together. The following role classes are available by default in One Identity Manager:

  • Department
  • Cost center
  • Location
  • Application role

Secondary assignment of objects to roles in a role class is defined by the following options:

  • Assignments allowed

    This option specifies whether assignments of respective object types to roles of this role class are allowed in general.

  • Direct assignments allowed

    Use this option to specify whether respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are assigned to departments, cost centers, or locations over the assignment form in the Manager.

    NOTE: If this option is not set, the assignment of each object type is only possible through requests in IT Shop, dynamic roles, or system roles.
Example

To assign employees directly to a department in the Manager, set the Assignment allowed and the Direct assignment allowed options on the "department" role class.

If employees can only obtain membership in a department through the IT Shop, set the Assignment allowed option but not the Direct assignment allowed option on the "department" role class for the entry "employees". A corresponding assignment resource must be available in the IT Shop.

NOTE: Employee, device, workdesk, and company resource assignments are predefined for departments, cost centers, locations, and application roles.

To configure secondary assignment to roles of a role class

  1. Select the role class under Basic configuration data | Role classes.
  2. Select the Configure role assignments task.
  3. Use the Allow assignments column to specify whether assignment is generally allowed.
    NOTE: You can only reset the Assignment allowed option if there are no assignments of the respective objects to roles of this role class and none can arise through existing dynamic roles.
  4. Use the Allow direct assignments column to specify whether a direct assignment is allowed.
    NOTE: You can only reset the Direct assignment allowed option if there are no direct assignments of the respective objects to roles of this role class.
  5. Save the changes.

Using roles to limit inheritance

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effects of this depend on the chosen direction of inheritance.

  • Roles marked with the Block inheritance option do not inherit any assignments from parent levels in top-down inheritance. They can, however, pass on their own directly assigned company resources to lower level structures.

  • In bottom-up inheritance, the role labeled with the Block inheritance option inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

To discontinue inheritance

  1. Open the role's master data form.

  2. Set the Block inheritance option.

  3. Save the changes.

Company resource inheritance for single roles can be temporarily prevented. You can use this behavior, for example, to assign all required company resources to a role. Inheritance of company resources does not take place, however, unless inheritance is permitted for the role, for example, by running a defined approval process.

To prevent a role from inheriting

  1. Open the role's master data form.

  2. Set one or more of the following options:

    • To prevent employees from inheriting, set the Employees do not inherit option.

    • To prevent devices from inheriting, set the Devices do not inherit option.

    • To prevent workdesks from inheriting, set the Workdesks do not inherit option.

  3. Save the changes.

Inheritance of company resources can be prevented in the same way for single employees, devices, or workdesks. You can use this behavior, for example, to correct data after importing employees and only then apply inheritance.

To prevent an employee from inheriting

  1. Open the employee's master data form.

  2. Set the No inheritance option.

    The employee does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.
  3. Save the changes.

To prevent a device from inheriting

  1. Open the device's master data form.

  2. Set the No inheritance option.

    The device does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.
  3. Save the changes.

To prevent a workdesk from inheriting

  1. Open the workdesk's master data form.

  2. Set the No inheritance option.

    The workdesk does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.
  3. Save the changes.
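The inheritance rules described in this section (top-down versus bottom-up inheritance, the Block inheritance option on a role, and the Employees do not inherit and No inheritance options) can be modelled in a few lines. The following is an added example, not One Identity Manager code; the role hierarchy, resource names, and data structures are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Dict

@dataclass
class Role:
    name: str
    parent: Optional[str] = None                      # None at the top of the hierarchy
    resources: Set[str] = field(default_factory=set)  # directly assigned company resources
    block_inheritance: bool = False                   # "Block inheritance" option
    employees_do_not_inherit: bool = False            # "Employees do not inherit" option

@dataclass
class Employee:
    name: str
    roles: Set[str] = field(default_factory=set)      # secondary role memberships
    direct: Set[str] = field(default_factory=set)     # directly assigned company resources
    no_inheritance: bool = False                      # "No inheritance" option

def role_resources(roles: Dict[str, Role], name: str, direction: str = "top-down") -> Set[str]:
    """Company resources a role holds: its own plus what it inherits."""
    role = roles[name]
    held = set(role.resources)
    if direction == "top-down":
        # A blocked role takes nothing from above but still passes its own down.
        if role.parent is not None and not role.block_inheritance:
            held |= role_resources(roles, role.parent, direction)
    else:  # bottom-up
        for child in roles.values():
            # A blocked child collects from below but passes nothing further up.
            if child.parent == name and not child.block_inheritance:
                held |= role_resources(roles, child.name, direction)
    return held

def employee_resources(roles: Dict[str, Role], emp: Employee, direction: str = "top-down") -> Set[str]:
    """Direct assignments always stay; only role-based inheritance can be switched off."""
    held = set(emp.direct)
    if emp.no_inheritance:
        return held
    for r in emp.roles:
        if not roles[r].employees_do_not_inherit:
            held |= role_resources(roles, r, direction)
    return held

# Constructed sample hierarchy: Company > Sales > Sales-EMEA, with Sales blocked.
ROLES = {r.name: r for r in [
    Role("Company", resources={"mail"}),
    Role("Sales", parent="Company", resources={"crm"}, block_inheritance=True),
    Role("Sales-EMEA", parent="Sales", resources={"vpn-eu"}),
]}
```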

Inheritance exclusion: Specifying conflicting roles

You can define conflicting roles to prevent employees, devices, or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. At the same time, you specify which application roles, departments, cost centers, and locations need to be mutually exclusive. This means you may not assign these roles to one and the same employee (device, workdesk).

NOTE: Only roles that are defined directly as conflicting roles cannot be assigned to the same employee (device, workdesk). Definitions made on parent or child roles do not affect the assignment.
Example

Cost center B is named as a conflicting role to cost center A. Jenna Miller and Hans Peters are members of cost center A. Louise Lotte is a member of cost center B. Hans Peters cannot be assigned to cost center B. Furthermore, One Identity Manager prevents Jenna Miller and Louise Lotte from being assigned to cost center A.

Figure 12: Members in conflicting roles
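The exclusion rule from the example above, together with the note that only directly named conflicting roles count, as an added illustration rather than product code. The people and cost centers follow the example; the child role "Cost center A1" and the audit helper are constructed here.

```python
from typing import Dict, Set, Tuple, List

# Constructed data modelling the example above; not taken from a real installation.
CONFLICTS: Set[Tuple[str, str]] = {("Cost center A", "Cost center B")}  # B named as conflicting to A
PARENT: Dict[str, str] = {"Cost center A1": "Cost center A"}            # A1 is a child role of A

MEMBERS: Dict[str, Set[str]] = {
    "Jenna Miller": {"Cost center A"},
    "Hans Peters": {"Cost center A"},
    "Louise Lotte": {"Cost center B"},
}

def conflicts_with(role_a: str, role_b: str) -> bool:
    """Exclusion is mutual and applies only to roles named directly as conflicting.
    PARENT is deliberately not consulted: definitions on parent or child roles do not
    carry over, so a child of an excluded role is not itself excluded."""
    return (role_a, role_b) in CONFLICTS or (role_b, role_a) in CONFLICTS

def can_assign(members: Dict[str, Set[str]], person: str, role: str) -> bool:
    """True if the person can be added to the role without holding a conflicting one."""
    return not any(conflicts_with(held, role) for held in members.get(person, set()))

def existing_violations(members: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Audit helper: members who already hold two mutually exclusive roles,
    e.g. after an import that bypassed the assignment check."""
    found = []
    for person, roles in members.items():
        for a, b in CONFLICTS:
            if a in roles and b in roles:
                found.append((person, a, b))
    return found
```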

To configure inheritance exclusion

  • In the Designer, set the QER | Structures | ExcludeStructures configuration parameter and compile the database.

Managing departments, cost centers, and locations

Departments, cost centers, locations, and business roles are each mapped to their own hierarchy under Organizations because of their special significance for daily work in many companies. Various company resources can be assigned to organizations, for example, authorizations in different SAP systems or software. You can add employees to single roles as members. Employees obtain their company resources through these assignments when One Identity Manager is configured accordingly.
