Identity Manager 8.2.1 - Administration Guide for Connecting to Cloud Applications


System entitlements types in cloud applications

Many cloud applications use different entitlement types to manage user entitlements. In addition to groups, these can also be roles or permissions sets, for example. Using synchronization projects created with the Synchronization of a One Identity Starling Connect environment project template, the different types are mapped in the One Identity Manager as follows.

Table 22: Mapping system entitlements in the One Identity Manager

| Type          | Table     | Display name          |
|---------------|-----------|-----------------------|
| Group         | UCIGroup  | Groups                |
| Role          | UCIGroup1 | System entitlements 1 |
| Profiles      | UCIGroup2 | System entitlements 2 |
| Entitlement   | UCIGroup3 | System entitlements 3 |
| Permissionset | UCIItem   | Permissions controls  |

NOTE: In synchronization projects created with a One Identity Manager version older than 8.2, objects of type Profile are also mapped in the UCIItem table.

A user account obtains the required entitlements for accessing target system resources through its memberships in groups and system entitlements. Depending on the target system, memberships are either maintained in the user accounts (user-based membership) or in the system entitlements (entitlement-based membership). When setting up synchronization using the One Identity Starling Connect synchronization project template, the SCIM connector determines the object type where the memberships are stored. Memberships are mapped in the following tables:

Table 23: User account membership

| Table            | Description                                       |
|------------------|---------------------------------------------------|
| UCIUserHasGroup  | Groups: Assignments to user accounts              |
| UCIUserHasGroup1 | System entitlement 1: Assignments to user accounts |
| UCIUserHasGroup2 | System entitlement 2: Assignments to user accounts |
| UCIUserHasGroup3 | System entitlement 3: Assignments to user accounts |
| UCIUserHasItem   | User accounts: Permission control assignments     |

Table 24: System entitlement membership

| Table           | Description                                        |
|-----------------|----------------------------------------------------|
| UCIUserInGroup  | User accounts: Assignment to groups                |
| UCIUserInGroup1 | User accounts: Assignment to system entitlements 1 |
| UCIUserInGroup2 | User accounts: Assignment to system entitlements 2 |
| UCIUserInGroup3 | User accounts: Assignment to system entitlements 3 |

Permissionset type memberships are always user-based.

By default, only groups are mapped by synchronization projects created with the SCIM Synchronization project template. The SCIM connector determines the object type where the memberships are stored and maps them accordingly either in the UCIUserHasGroup table or in the UCIUserInGroup table.

The cloud application stores which system entitlement types are used and whether the memberships are stored with user accounts or system entitlements.

To display the types of system entitlements used

  1. In the Manager, select the Universal Cloud Interface > Basic configuration data > Cloud applications category.

  2. In the result list, select a cloud application and select the Change main data task.

    • System entitlement types used: List of types of system entitlements used in the cloud application.

    • User account contains memberships: List of types of system entitlements for which memberships are stored with the user account. For types not listed here, the memberships are stored with the system entitlements.

TIP: If the cloud application schema cannot be adequately represented by any default project template, customize the synchronization configuration. At the same time, define how the system entitlements are mapped in the One Identity Manager schema. When you are setting up synchronization, ensure that the base object for the cloud application (CSMRoot) is created in the database and that the System entitlements types used (GroupUsageMask) and User account contains memberships (UserContainsGroupList) properties are set correctly.
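The mapping in Tables 22 to 24, together with the rule that Permissionset memberships are always user-based and the note about pre-8.2 Profile objects, can be expressed as a small model that tells you which membership table a given type ends up in and flags an inconsistent base-object configuration before synchronization is set up. The following is an added example written for this page; it is not code from One Identity Manager or this guide. The class CloudAppBase, the functions membership_table, validate_base_object and membership_map, and the sample application are constructed here. The real storage encoding of the GroupUsageMask and UserContainsGroupList columns is not given on this page, so both are modelled simply as sets of type names.

```python
"""Model of how cloud system entitlement types map to UCI tables
(Tables 22-24 of this guide) plus a consistency check of the two
base-object properties the TIP above asks you to verify.

Added example, not part of One Identity Manager or this guide.
Assumption: GroupUsageMask and UserContainsGroupList are modelled as
sets of type names; the columns' actual encoding is not documented here.
"""
from dataclasses import dataclass

# Table 22: entitlement type -> (object table, display name)
TYPE_TABLES = {
    "Group": ("UCIGroup", "Groups"),
    "Role": ("UCIGroup1", "System entitlements 1"),
    "Profiles": ("UCIGroup2", "System entitlements 2"),
    "Entitlement": ("UCIGroup3", "System entitlements 3"),
    "Permissionset": ("UCIItem", "Permissions controls"),
}

# Table 23: memberships maintained in the user account (user-based)
USER_BASED = {
    "UCIGroup": "UCIUserHasGroup",
    "UCIGroup1": "UCIUserHasGroup1",
    "UCIGroup2": "UCIUserHasGroup2",
    "UCIGroup3": "UCIUserHasGroup3",
    "UCIItem": "UCIUserHasItem",
}

# Table 24: memberships maintained in the system entitlement (entitlement-based)
ENTITLEMENT_BASED = {
    "UCIGroup": "UCIUserInGroup",
    "UCIGroup1": "UCIUserInGroup1",
    "UCIGroup2": "UCIUserInGroup2",
    "UCIGroup3": "UCIUserInGroup3",
}


@dataclass(frozen=True)
class CloudAppBase:
    """Constructed stand-in for the CSMRoot base object (hypothetical class)."""
    name: str
    types_used: frozenset       # models GroupUsageMask (assumed encoding)
    user_contains: frozenset    # models UserContainsGroupList (assumed encoding)
    legacy_pre_82: bool = False  # project created with a version older than 8.2


def membership_table(app, type_name):
    """Return the table that stores memberships for one entitlement type."""
    if type_name not in TYPE_TABLES:
        raise ValueError(f"unknown system entitlement type: {type_name!r}")
    obj_table, _display = TYPE_TABLES[type_name]
    # NOTE in the guide: pre-8.2 projects map Profile objects in UCIItem.
    if app.legacy_pre_82 and type_name == "Profiles":
        obj_table = "UCIItem"
    # Permissionset (UCIItem) memberships are always user-based; for the
    # other types UserContainsGroupList decides the storage side.
    if obj_table == "UCIItem" or type_name in app.user_contains:
        return USER_BASED[obj_table]
    return ENTITLEMENT_BASED[obj_table]


def membership_map(app):
    """Type -> membership table for every type the application uses."""
    return {t: membership_table(app, t) for t in sorted(app.types_used)}


def validate_base_object(app):
    """Return a list of problems; an empty list means the properties are consistent."""
    problems = []
    if not app.types_used:
        problems.append("GroupUsageMask is empty: no system entitlement type is used")
    for t in sorted(app.types_used - set(TYPE_TABLES)):
        problems.append(f"type {t!r} has no table in the default project templates")
    for t in sorted(app.user_contains - app.types_used):
        problems.append(f"UserContainsGroupList names a type that is not used: {t!r}")
    return problems


# Constructed sample: an application using groups, roles and permission sets,
# where roles keep their memberships on the entitlement side.
SAMPLE_APP = CloudAppBase(
    name="demo-cloud-app",
    types_used=frozenset({"Group", "Role", "Permissionset"}),
    user_contains=frozenset({"Group"}),
)

if __name__ == "__main__":
    for type_name, table in membership_map(SAMPLE_APP).items():
        print(f"{type_name:14s} -> {table}")
    for problem in validate_base_object(SAMPLE_APP):
        print("WARN:", problem)
```

Running the block prints one line per used type (for the sample: Group in UCIUserHasGroup, Permissionset in UCIUserHasItem, Role in UCIUserInGroup1). The validation deliberately treats a type named in UserContainsGroupList but absent from GroupUsageMask as a problem, because the guide states that types not listed under "User account contains memberships" are stored with the system entitlements, so a stray entry there silently changes which table the SCIM connector writes to.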


Groups in cloud applications

Groups and system entitlements represent the objects used in the cloud application to control access to the cloud resources. A user account obtains the necessary permissions to access cloud resources by assigning it to groups and system entitlements.

To display a group's main data

  1. In the Manager, select the Universal Cloud Interface > <cloud application> > Groups category.

  2. Select the group in the result list.

  3. Select the Show main data task.

To display a system entitlement's main data

  1. In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 1 category.

    - OR -

    In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 2 category.

    - OR -

    In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 3 category.

  2. Select the system entitlement in the result list.

  3. Select the Show main data task.


General main data for groups in cloud applications

You are provided with the following general main data of a group.

Table 25: Entering main data of a group

| Property           | Description                                                                                                   |
|--------------------|---------------------------------------------------------------------------------------------------------------|
| Name               | Name of the group.                                                                                            |
| Container          | The group's container.                                                                                        |
| Cloud application  | The group's cloud application.                                                                                |
| Distinguished name | Distinguished name of the group.                                                                              |
| Display name       | The display name is used to display the group in the One Identity Manager tools user interface.               |
| Group name         | Additional name for the group.                                                                                |
| Email address      | The group's email address.                                                                                    |
| Account manager    | Manager responsible for the group.                                                                            |
| Description        | Text field for additional explanation.                                                                        |
| Group type         | Unique group type ID, used, for example, if groups of different types are supplied through the same SCIM endpoint. |
| Resource type      | Resource type identifier. The resource type corresponds to a SCIM endpoint, for example /Groups.              |


User-defined main data for groups in cloud applications

You can find customized data for a group on the Custom tab.

Table 26: User-defined main data of a group

| Property                                  | Description                                                                                                                      |
|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
| Spare field no. 01 - Spare field no. 05   | Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields. |
| Spare date no. 01 - Spare date no. 03     | Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields. |
| Spare text no. 01 - Spare text no. 05     | Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields. |
| Spare option no. 01 - Spare option no. 05 | Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields. |
