Identity Manager On Demand Hosted - Identity Management Base Module Administration Guide

Miscellaneous employee main data

Enter the following general main data of an employee. This data applies to the target system login, identities, One Identity Manager login data, and employee import data.

Table 38: Miscellaneous main data

Property

Description

Central user account

One Identity Manager user identifier. In the One Identity Manager default installation, the central user account is made up of the first and last name of the employee. An employee's central user account affects the composition of user accounts in each target system. The central user account can also be used for logging in to the One Identity Manager tools.

Central SAP user account

Name used to form the user account name in the SAP R/3 target system. In the One Identity Manager default installation, the central SAP user account, like the central user account, is made up of the first and last name of the employee.

NOTE: This property is only available if the SAP R/3 User Management Module is installed.

E-Business Suite user account

Name used to form the user account name in the Oracle E-Business Suite target system. In the One Identity Manager default installation, the E-Business Suite user account is formed from the employee's central user account.

NOTE: This property is only available if the Oracle E-Business Suite Module is installed.

E-Business Suite ID

Unique ID for the HR employee, the AP customer, the AP supplier or the AR parties in the Oracle E-Business Suite.

NOTE: This property is only available if the Oracle E-Business Suite Module is installed.

E-Business Suite employee ID

Personnel number of the HR employee in the Oracle E-Business Suite.

NOTE: This property is only available if the Oracle E-Business Suite Module is installed.

Central password and password confirmation

An employee's central password can be used for logging into the target systems and for logging in to One Identity Manager. Depending on the configuration, an employee's central password is replicated to their user accounts and their system user password.

Use the Password Reset Portal to change the central password. For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Decentralized identity and confirmation

Identifier of the decentralized identity to identify the employee. This identifier can be used to log in to One Identity Manager.

Default email address

Default email address for setting up the employee's mailboxes in the individual target systems. This data is required for mailboxes to be created automatically. In the One Identity Manager default installation, the default email address is composed of the employee's central user account and the default mail domain of the active target system.

Identity

Identity type of the person.

Main identity

Assign a main identity here if the employee is managed as a sub-identity in One Identity Manager. A sub-identity allows you to set up special cases in One Identity Manager. If an employee has several user accounts in one target system that must be assigned to different groups, create a separate sub-identity for each user account with a link to the main identity.

Pseudo employee

Specifies whether the employee represents an actual employee or a pseudo employee used for connecting to administrative user accounts, for example.

Actual employee

Unique ID of the actual employee.

X500 pseudo employee

Specifies whether the employee is managed as an X500 pseudo employee in One Identity Manager. If an employee has several X500 entries with different properties, you can also use a pseudo employee here. For this use case, label the employee with the X500 pseudo employee option and configure a link to the real X500 employee.

X500 employee

Assign the X500 pseudo employee to an existing employee.

Logins

Logins with which the employee can log in to the One Identity Manager administration tools. Enter each login in the form Domain\User. This information is required if the User account or User account (role-based) authentication modules are used for logging in to One Identity Manager tools.

For more information about One Identity Manager On Demand authentication modules, see the One Identity Manager Authorization and Authentication Guide.

Starling 2FA user ID

User ID for multi-factor authentication. For more information about multi-factor authentication, see the One Identity Manager IT Shop Administration Guide.

System users

System user with which the employee can log in to the One Identity Manager administration tools. The login data is analyzed by the authentication module in use.

For more information about One Identity Manager On Demand authentication modules, see the One Identity Manager Authorization and Authentication Guide.

System user password and password confirmation

Password of the employee's system user, with which the employee logs in to the One Identity Manager tools.

Use the Password Reset Portal to change the system user password. For more information, see the One Identity Manager Web Designer Web Portal User Guide.

User account name (mainframe)

If an employee is permitted access to the mainframe with their user account, enter the login name here.

Notebook user

Just for information.

Company car

Just for information.

Login permitted on terminal server

Specifies whether this employee is permitted to log in on the terminal server with their user account.

Remote access permitted

Specifies whether the employee can dial in to the network with their user account.

Resetting the password through the help desk is permitted

Specifies whether the password can be reset with the help of password help desk staff. If this option is set, password help desk staff in the Operations Support Web Portal can reset the employee's password.

Help desk employee

Specifies whether the employee can handle help desk calls. For more information about the help desk, see One Identity Manager Help Desk Module User Guide.

NOTE: This option is only available if the Helpdesk Module is installed.

Import data source

Target system or data source from which the employee was imported. This property is also set by the scripts that automatically assign employees to user accounts.

Distinguished name

Distinguished name of the imported employee. This property should be set by the import.

Canonical name

Fully qualified name of the imported employee. This property should be set by the import.

Disabling and deleting employees

How employees are handled, particularly in the case of permanent or partial withdrawal of an employee, varies between individual companies. There are companies that never delete employees, and only disable them when they leave the company.

Temporarily deactivating employees

NOTE: Employees who are temporarily deactivated can no longer log in to One Identity Manager.

The employee has temporarily left the company and is expected to return on a predefined date. The desired course of action could be to disable the user accounts and remove all group memberships. Alternatively, the user accounts could be deleted and re-created when the employee returns, even if this means they receive a new security identifier (SID).

Temporary disabling of an employee is triggered by:

  • The Temporarily disabled option

  • The start and end date for deactivation (Temporarily disabled from and Temporarily disabled until)

NOTE:

  • Configure the Lock accounts of employees that have left the company schedule in the Designer. This schedule checks the start date for disabling and sets the Temporarily disabled option when it is reached.

  • In the Designer, configure the Enable temporarily disabled accounts schedule. This schedule monitors the end date of the disabled period and re-enables the employee and their user accounts when the date expires. Be aware that user accounts that were already disabled before the period of temporary absence are also re-enabled once the period has expired.

Permanently deactivating employees

NOTE: Employees who are permanently deactivated can no longer log in to One Identity Manager.

Employees can be permanently deactivated when, for example, they leave the company. It might be necessary to remove the employee's access to entitlements in connected target systems and to their company resources.

Effects of permanently deactivating an employee are:

  • The employee cannot be assigned to employees as a manager.

  • The employee cannot be assigned to roles as a supervisor.

  • The employee cannot be assigned to attestation policies as an owner.

  • No company resources are inherited through roles if the additional No inheritance option is set for the employee.

  • Employee user accounts are locked or deleted and then removed from group memberships.

Trigger permanent deactivation through:

  • The Deactivate employee permanently task

    This task ensures that the Permanently deactivated option is enabled and that the leaving date and last working day are set to the current date.

  • The leaving date is reached

    NOTE:

    • In the Designer, check the Lock accounts of employees that have left the company schedule. This schedule regularly checks the leaving date and sets the Permanently deactivated option when the date is reached.

    • The Re-enable employee task ensures that the employee is re-enabled.

  • The Denied certification status

    If an employee's certification status is set to Denied manually or as a result of attestation, the employee is immediately permanently deactivated. When the employee's certification status is changed to Certified, the employee is activated again.

    NOTE: This function is only available if the Attestation Module is installed.
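The two deactivation mechanisms above (temporary disabling driven by a start and end date, permanent deactivation driven by the task, the leaving date or a Denied certification status) are easy to misread when reasoning about who can still log in or inherit entitlements. The following Python model is an added example, not One Identity Manager code: the class and field names (Employee, temporarily_disabled_from, leaving_date, certification_status and so on) are hypothetical stand-ins for the main data properties, and the accounts dictionary is a constructed representation of target-system user accounts. It models the Lock accounts of employees that have left the company schedule, the Enable temporarily disabled accounts schedule, the Deactivate employee permanently task, the certification-status trigger, and the login and assignment effects the guide lists, including the caveat that re-enabling after a temporary absence also re-enables accounts that were disabled beforehand.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set


@dataclass
class Account:
    """Constructed stand-in for a target-system user account."""
    enabled: bool = True
    groups: Set[str] = field(default_factory=set)


@dataclass
class Employee:
    """Hypothetical subset of employee main data (names are illustrative only)."""
    name: str
    temporarily_disabled: bool = False
    temporarily_disabled_from: Optional[date] = None
    temporarily_disabled_until: Optional[date] = None
    permanently_deactivated: bool = False
    leaving_date: Optional[date] = None
    last_working_day: Optional[date] = None
    certification_status: str = "Certified"  # "New", "Certified" or "Denied"
    no_inheritance: bool = False
    accounts: Dict[str, Account] = field(default_factory=dict)


def lock_accounts(emp: Employee) -> None:
    """Effect of permanent deactivation: accounts are locked and removed from groups."""
    for acct in emp.accounts.values():
        acct.enabled = False
        acct.groups.clear()


def lock_schedule(emp: Employee, today: date) -> None:
    """Models the 'Lock accounts of employees that have left the company' schedule:
    sets Temporarily disabled once the start date is reached (here configured to
    disable the accounts but keep group memberships) and Permanently deactivated
    once the leaving date is reached."""
    start, end = emp.temporarily_disabled_from, emp.temporarily_disabled_until
    if start and today >= start and not (end and today > end):
        emp.temporarily_disabled = True
        for acct in emp.accounts.values():
            acct.enabled = False
    if emp.leaving_date and today >= emp.leaving_date:
        emp.permanently_deactivated = True
        lock_accounts(emp)


def enable_schedule(emp: Employee, today: date) -> None:
    """Models the 'Enable temporarily disabled accounts' schedule. Caveat from the
    guide: every account is re-enabled, including ones disabled before the absence."""
    end = emp.temporarily_disabled_until
    if emp.temporarily_disabled and end and today > end:
        emp.temporarily_disabled = False
        for acct in emp.accounts.values():
            acct.enabled = True


def deactivate_permanently(emp: Employee, today: date) -> None:
    """The 'Deactivate employee permanently' task: flag plus both dates set to today."""
    emp.permanently_deactivated = True
    emp.leaving_date = today
    emp.last_working_day = today
    lock_accounts(emp)


def reenable(emp: Employee) -> None:
    """The 'Re-enable employee' task."""
    emp.permanently_deactivated = False


def set_certification_status(emp: Employee, status: str) -> None:
    """Attestation Module behaviour: Denied deactivates immediately, Certified re-activates."""
    emp.certification_status = status
    if status == "Denied":
        emp.permanently_deactivated = True
        lock_accounts(emp)
    elif status == "Certified":
        emp.permanently_deactivated = False


def can_log_in(emp: Employee) -> bool:
    """Temporarily or permanently deactivated employees cannot log in to One Identity Manager."""
    return not (emp.temporarily_disabled or emp.permanently_deactivated)


def eligibility(emp: Employee) -> Dict[str, bool]:
    """Assignments blocked for a permanently deactivated employee, per the guide's list."""
    active = not emp.permanently_deactivated
    return {
        "manager": active,
        "role_supervisor": active,
        "attestation_policy_owner": active,
        # inheritance through roles stops only when No inheritance is also set
        "inherits_via_roles": not (emp.permanently_deactivated and emp.no_inheritance),
    }
```

The model is deliberately date-driven: run lock_schedule and enable_schedule with a sequence of dates to see when the login and account state actually flips, and note that the enable schedule re-enables an account that was disabled before the absence started, which is the case to watch for when an account was locked for an unrelated reason.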
