
Identity Manager 8.1.5 - Authorization and Authentication Guide


Application roles for organizations

The following application roles are available for the administration of departments, cost centers and locations:

Table 7: Application roles for organizations

Application role: Administrators
Description: Administrators must be assigned to the Identity Management | Organizations | Administrators application role.

Users with this application role:

  • Set up and edit departments, cost centers, and locations.
  • Assign company resources to departments, cost centers, and locations.
  • Administrate application roles for role approvers, role approvers (IT), and attestors.
  • Set up other application roles as required.

Application role: Attestors
Description: Attestors must be assigned to the Identity Management | Organizations | Attestors application role or a child application role.

Users with this application role:

  • Attest correct assignment of company resources to departments, cost centers, and locations for which they are responsible.
  • Can view master data for departments, cost centers, and locations but cannot edit them.

NOTE: This application role is available if the Attestation Module is installed.

Application role: Role approver
Description: Role approvers must be assigned to the Identity Management | Organizations | Role approvers application role or a child application role.

Users with this application role:

  • Are approvers for the IT Shop.
  • Approve requests from departments, cost centers, and locations for which they are responsible.

Application role: Role approver (IT)
Description: IT role approvers must be assigned to the Identity Management | Organizations | Role approvers (IT) application role or a child application role.

Users with this application role:

  • Are IT role approvers for the IT Shop.
  • Approve requests from departments, cost centers, and locations for which they are responsible.

Application roles for employees

The following application role is available for employee administration:

Table 8: Application roles for employees

Application role: Administrators
Description: Employee administrators must be assigned to the Identity Management | Employees | Administrators application role.

Users with this application role:

  • Can edit master data for all employees.
  • Can assign a manager.
  • Can assign company resources to employees.
  • Check and authorize employee master data.
  • Create and edit risk index functions.
  • Edit password policies for employee passwords.
  • Delete employees' security keys (WebAuthn).

Application roles for the IT Shop

NOTE: These application roles are available if the Identity Management Base Module is installed.

The following application roles are available for the IT Shop administration:

Table 9: Application roles for the IT Shop

Application role: Administrators
Description: Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Create the IT Shop structure with shops, shelves, customers, templates, and service catalog.
  • Create approval policies and approval workflows.
  • Specify which approval procedure to use to find attestors.
  • Create products and service items.
  • Set up request notifications.
  • Monitor request procedures.
  • Administrate application roles for product owners and attestors.
  • Set up other application roles as required.
  • Create extended properties for company resources of any type.
  • Edit the resources and assign them to IT Shop structures and employees.
  • Assign system entitlements to IT Shop structures.

Application role: Product owners
Description: Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.

Users with this application role:

  • Approve requests.
  • Edit service items and service categories under their management.

Application role: Attestors
Description: Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

Users with this application role:

  • Attest correct assignment of company resources to IT Shop structures for which they are responsible.
  • Can view master data for these IT Shop structures but cannot edit them.

NOTE: This application role is available if the Attestation Module is installed.

Application role: Chief approval team
Description: Chief approvers must be assigned to the Request & Fulfillment | IT Shop | Chief approval team application role.

Users with this application role:

  • Approve requests.
  • Assign requests to other approvers.

NOTE: The approvers in charge are determined through approval procedures, and other application roles may apply here. Application roles for approvers are defined in the individual modules and are available there.

Application roles for target systems

NOTE: Application roles are dependent on the target system and are contained in One Identity Manager modules. Application roles are not available until the modules are installed.

The following application roles are available for target system administration:

Table 10: Application roles for target systems

User: Target system administrators
Tasks: Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.
  • Specify the target system manager.
  • Set up other application roles for target system managers if required.
  • Specify which application roles for target system managers are mutually exclusive.
  • Authorize other employees to be target system administrators.
  • Do not assume any administrative tasks within the target system.

User: Target system managers
Tasks: Target system managers must be assigned to the Target systems | <target system> application role or a child application role.

NOTE: There is at least one application role per target system for target system managers. This application role is available if the target system module is installed.

Users with this application role:

  • Assume administrative tasks for the target system.
  • Create, change, or delete target system objects like user accounts or groups.
  • Edit password policies for the target system.
  • Prepare system entitlements to add to the IT Shop.
  • Can add employees who have an identity other than the primary identity.
  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
  • Edit the synchronization's target system types and outstanding objects.
  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

User: Target system managers for Unified Namespace
Tasks: Target system managers must be assigned to the Target systems | Unified Namespace application role or a child application role.

Users with this application role:

  • Get a view of the objects in the connected target systems across all target systems.
  • Can create reports across all target systems.

If the users are also target system managers of the underlying target systems, they can manage these target systems through the Unified Namespace.
