Identity Manager 8.1.5 - Administration Guide for Connecting to SharePoint Online

To obtain an overview of a role

1. In the Manager, select the SharePoint Online | Roles category.

2. Select the role in the result list.

3. Select the SharePoint Online role overview task.

The behavior described under Effectiveness of SharePoint Online entitlement assignments can also be used for SharePoint Online roles.

The effect of the assignments is mapped in the O3SUserHasO3SRLAssign and BaseTreeHasO3SRLAssign tables through the XIsInEffect column.

Prerequisites

• The QER | Structures | Inherite | GroupExclusion configuration parameter is set.
• Mutually exclusive SharePoint Online roles belong to the same site collection.

To exclude SharePoint Online roles

1. In the Manager, select the SharePoint Online | Roles category.
2. Select the role in the result list.
3. Select the Exclude SharePoint Online roles task.
4. In the Add assignments pane, assign the roles that are mutually exclusive to the selected role.

   - OR -

   In the Remove assignments pane, remove the roles that no longer exclude each other.

5. Save the changes.

One Identity Manager enables its users to perform various tasks simply using a Web Portal.

• Managing user accounts and employees

  An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval procedure. The user account is not created until it has been agreed by an authorized person, such as a manager.

• Managing entitlement assignments

  When an entitlement is assigned to an IT Shop shelf, the entitlement can be requested by the customer in the Web Portal. The request undergoes a defined approval procedure. The entitlement is not assigned until it has been approved by an authorized person.

  In the Web Portal, managers and administrators of organizations can assign entitlements to the departments, cost centers, or locations for which they are responsible. The entitlements are inherited by all persons who are members of these departments, cost centers, or locations.

  If the Business Roles Module is available, managers and administrators of business roles in the Web Portal can assign entitlements to the business roles for which they are responsible. The entitlements are inherited by all persons who are members of these business roles.

  If the System Roles Module is available, supervisors of system roles in the Web Portal can assign entitlements to the system roles. The entitlements are inherited by all persons to whom these system roles are assigned.

• Attestation

  To enable this, attestation policies are configured in the Manager. The attesters use the Web Portal to approve attestation cases.

• Governance administration

  The rules are checked regularly, and if changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check and resolve rule violations and to grant exception approvals.

  If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.

• Risk assessment

  You can use the risk index of entitlements to evaluate the risk of entitlement assignments for the company.One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.

• Reports and statistics

For more information about the named topics, refer to the following guides:

• One Identity Manager Web Portal User Guide

• One Identity Manager Attestation Administration Guide

• One Identity Manager Compliance Rules Administration Guide

• One Identity Manager Company Policies Administration Guide

• One Identity Manager Risk Assessment Administration Guide

To manage SharePoint Online in One Identity Manager, the following basic data is relevant.

• Authentication modes

  Authentication mode used for logging in on the SharePoint Online server with this user account. For SharePoint Online, AzureAD is the only authentication mode.

  For more information, see SharePoint Online authentication modes.

• Target system types

  Target system types are required for configuring target system comparisons. Tables containing outstanding objects are maintained on target system types.

  For more information, see Post-processing outstanding objects.

• Account definitions

  One Identity Manager has account definitions for automatically allocating user accounts to employees during working hours. You can create account definitions for every target system. If an employee does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an employee.

  For more information, see Account definitions for SharePoint Online user accounts.

• Server

  In order to handle SharePoint Online -specific processes in One Identity Manager, the synchronization server and its server functions must be declared.

  For more information, see Job server for SharePoint Online-specific process handling.

• Target system managers

  A default application role exists for the target system manager in One Identity Manager. Assign the employees who are authorized to edit all tenants in One Identity Manager to this application role.

  Define additional application roles if you want to limit the edit permissions for target system managers to individual tenants. The application roles must be added under the default application role.

  For more information, see Target system managers.