Chat now with support
Chat with Support

Identity Manager 8.1.4 - Administration Guide for Connecting to SharePoint Online

Mapping a SharePoint Online environment in One Identity Manager Synchronizing a SharePoint Online environment Managing SharePoint Online user accounts and employees Managing the assignments of SharePoint Online groups and roles Mapping of SharePoint Online objects in One Identity Manager
SharePoint Online tenants SharePoint Online user accounts SharePoint Online groups SharePoint Online permission levels SharePoint Online site collections SharePoint Online sites SharePoint Online roles
Handling of SharePoint Online objects in the Web Portal Basic data for managing a SharePoint Online environment Configuration parameters for managing SharePoint Online Default project template for SharePoint Online Editing system objects About us

Master data for account definitions

Enter the following data for an account definition:

Table 8: Master data for an account definition

Property

Description

Account definition

Account definition name.

User account table

Table in the One Identity Manager schema that maps user accounts.

Target system

Target system to which the account definition applies.

Required account definition

Required account definition. Define the dependencies between account definitions. When this account definition is requested or assigned, the required account definition is automatically requested or assigned with it.

TIP: You can enter the account definition of the corresponding Azure Active Directory tenant here. In this case, an Azure Active Directory user account is first created for the employee. If this exists, the SharePoint Online user account is added.

Description

Text field for additional explanation.

Manage level (initial)

Manage level to use by default when you add new user accounts.

Risk index

Value for evaluating the risk of assignments to employees. Enter a value between 0 and 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

For more detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Service item

Service item through which you can request the account definition in the IT Shop. Assign an existing service item or add a new one.

IT Shop

Specifies whether the account definition can be requested through the IT Shop. The account definition can be ordered by an employee over the Web Portal and distributed using a defined approval process. The account definition can also be assigned directly to employees and roles outside the IT Shop.

Only for use in IT Shop

Specifies whether the account definition can only be requested through the IT Shop. The account definition can be ordered by an employee over the Web Portal and distributed using a defined approval process. This means, the account definition cannot be directly assigned to roles outside the IT Shop.

Automatic assignment to employees

Specifies whether the account definition is assigned automatically to all internal employees. The account definition is assigned to every employee not marked as external, on saving. New employees automatically obtain this account definition as soon as they are added.

IMPORTANT: Only set this option if you can ensure that all current internal employees in the database and all pending newly added internal employees obtain a user account in this target system.

Disable this option to remove automatic assignment of the account definition to all employees. The account definition cannot be reassigned to employees from this point on. Existing account definition assignments remain intact.

Retain account definition if permanently disabled

Specifies the account definition assignment to permanently disabled employees.

Option set: the account definition assignment remains in effect. The user account stays the same.

Option not set: the account definition assignment is not in effect. The associated user account is deleted.

Retain account definition if temporarily disabled

Specifies the account definition assignment to temporarily disabled employees.

Option set: the account definition assignment remains in effect. The user account stays the same.

Option not set: the account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on deferred deletion

Specifies the account definition assignment on deferred deletion of employees.

Option set: the account definition assignment remains in effect. The user account stays the same.

Option not set: the account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on security risk

Specifies the account definition assignment to employees posing a security risk.

Option set: the account definition assignment remains in effect. The user account stays the same.

Option not set: the account definition assignment is not in effect. The associated user account is deleted.

Resource type

Resource type for grouping .

Spare field 01 - spare field 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Editing manage levels

One Identity Manager supplies a default configuration for manage levels:

  • Unmanaged: User accounts with the Unmanaged manage level are linked to the employee but they do no inherit any further properties. When a new user account is added with this manage level and an employee is assigned, some of the employee's properties are transferred initially. If the employee properties are changed at a later date, the changes are not passed onto the user account.

  • Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned employee. When a new user account is created with this manage level and an employee is assigned, the employee's properties are transferred in an initial state. If the employee properties are changed at a later date, the changes are passed onto the user account.

To edit a manage level

  1. In the Manager, select the SharePoint Online | Basic configuration data | Account definitions | Manage levels category.

  2. Select the manage level in the result list.

  3. Select the Change master data task.

  4. Edit the manage level's master data.

  5. Save the changes.

Related topics

Creating manage levels

One Identity Manager supplies a default configuration for the Unmanaged and Full managed manage levels. You can define other manage levels depending on your requirements.

IMPORTANT: In the Designer, extend the templates by adding the procedure for the additional manage levels. For detailed information about templates, see the One Identity Manager Configuration Guide.

To create a manage level

  1. In the Manager, select the SharePoint Online | Basic configuration data | Account definitions | Manage levels category.

  2. Click in the result list.

  3. On the master data form, edit the master data for the manage level.
  4. Save the changes.
Related topics

Master data for manage levels

Enter the following data for a manage level.

Table 9: Master data for manage levels
Property Description

Manage level

Name of the manage level.

Description

Text field for additional explanation.

IT operating data overwrites

Specifies whether user account data formatted from IT operating data is automatically updated. Permitted values are:

  • Never: Data is not updated.

  • Always: Data is always updated.

  • Only initially: Data is only determined at the start.

Retain groups if temporarily disabled

Specifies whether user accounts of temporarily disabled employees retain their group memberships.

Lock user accounts if temporarily disabled *)

Specifies whether user accounts of temporarily disabled employees are locked.

Retain groups if permanently disabled

Specifies whether user accounts of permanently disabled employees retain group memberships.

Lock user accounts if permanently disabled *)

Specifies whether user accounts of permanently disabled employees are locked.

Retain groups on deferred deletion

Specifies whether user accounts of employees marked for deletion retain their group memberships.

Lock user accounts if deletion is deferred*)

Specifies whether user accounts of employees marked for deletion are locked.

Retain groups on security risk

Specifies whether user accounts of employees posing a security risk retain their group memberships.

Lock user accounts if security is at risk*)

Specifies whether user accounts of employees posing a security risk are locked.

Retain groups if user account disabled

Specifies whether disabled user accounts retain their group memberships.

NOTE: SharePoint Online user accounts cannot be locked.

When an employee is disabled, deleted (with delay) or rated as a security risk, their SharePoint Online user accounts remain enabled. For logging into a SharePoint Online site collection, you need to know if the user account referenced as an authentication object is locked or disabled. To prevent a disabled, deleted, or security risk employee logging into a SharePoint Online site collection, manage the user accounts linked as authentication objects using account definitions.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating