Chat now with support
Chat with Support

Identity Manager 9.0 LTS - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Editing table permissions

Use the table permissions to grant permissions to display, insert, edit, and delete the objects. You can define conditions to further limit the permissions for the objects. You can use the conditions, for example, to link the editability of the employees to their last names. For instance, users can be given read-only access to the employees whose last names begin with A-F, whereas they can edit employees with last names beginning with G-Z.

NOTE: Permissions are always edited in the Permissions Editor for the permissions group that you selected in the Permissions Editor toolbar in the Permissions group menu. If you wish to grant permissions for another permissions group, first select this permissions group in the menu and then edit the permissions.

To edit the table permissions for a permissions group

  1. In the Designer, select the Permissions category.

  2. Start the Permissions Editor using the Edit permissions task.

  3. In the Permissions Editor toolbar in the Permissions group menu, select the permissions group for which you want to grant the permissions.

  4. Select the table at the top of the Permissions Editor.

    TIP: Use Shift + select or Ctrl + select to select multiple tables.

  5. In the Permissions section, edit the permissions for the permissions group.

    • To insert new permissions, select the New context menu and enable the associated check boxes. Grant the following permissions:

      • Viewable: The table data is displayed.

      • Insertable: New data can be added to the table.

      • Editable: Table data can be edited.

      • .Deletable: Table data can be deleted

      NOTE: If you grant the Insertable, Editable, or Deletable permissions, the Viewable permission is also granted.

    • To withdraw permissions, disable the associated checkbox.

    • Use the Delete context menu, to withdraw all permissions from a table.

  6. (Optional) To specify other conditions for table permissions, go to the lower part of the Permissions Editor and switch to the Group permissions for table view and select the Permissions filter tab.

    NOTE: You can only define permissions filters for the tables that map application data.

    • Enter the conditions as valid WHERE clauses for database queries. You can enter the following permissions filters.

      • Viewing Condition: Limiting condition for displaying data sets.

      • Edit condition: Limiting condition for editing data sets.

      • Insert condition: Limiting condition for inserting data sets.

      • Deletion condition: Limiting condition for deleting data sets.

      Example: Permissions filter

      A user should be able to see all employees, but only edit the employees whose last names begin with B. Specify the limiting edit condition as follows, for example:

      Lastname like 'B%'

      TIP: Use the SQL check button to test the condition. This checks the syntax. The number of objects that match the condition is returned.

  7. Select the Database > Save to database and click Save.

Related topics

Editing column permissions

IMPORTANT:

  • If you grant permissions to columns, you must also grant the permissions to the tables. For example, a column is only viewable if the table is also viewable.

  • To insert objects into a table, the Insert permission is required at least for the mandatory fields in the table.

  • If you grant Insert or Edit permissions, View permissions are also granted.

  • Column definition allows you to use scripts to conditionally display or edit a column. For example, in this way you can control whether or not a column, on a main data form in the Manager, is displayed or can be edited only if another column has a specific value. The script does not change the user’s permissions but simply the behavior if the object is loaded in one of the One Identity Manager tools. For more information about editing column definitions, see the One Identity Manager Configuration Guide.

NOTE: Permissions are always edited in the Permissions Editor for the permissions group that you selected in the Permissions Editor toolbar in the Permissions group menu. If you wish to grant permissions for another permissions group, first select this permissions group in the menu and then edit the permissions.

To edit column permissions for a permissions group

  1. In the Designer, select the Permissions category.

  2. Start the Permissions Editor using the Edit permissions task.

  3. In the Permissions Editor toolbar in the Permissions group menu, select the permissions group for which you want to grant the permissions.

  4. Select the table at the top of the Permissions Editor and select the column.

    TIP: Use Shift + select or Ctrl + select to select multiple columns.

  5. In the Permissions section, edit the permissions for the permissions group.

    • To insert new permissions, select the New context menu and enable the associated check boxes. Grant the following permissions:

      • Viewable: The column is dislayed.

      • Editable: The value in the column can be changed.

      • Insertable: The value of the column can be edited when adding a new data record. Once the data record has been saved it can no longer be edited.

    • To withdraw permissions, disable the associated checkbox.

    • Use the Delete context menu item, to delete all permissions from a column.

  6. Select the Database > Save to database and click Save.

Related topics

Copying table permissions and column permissions

To transfer the permissions of a permissions group quickly from one table to another table, you can copy the table permissions and column permissions. Two methods are provided in the Permissions Editor to do this:

  • Copy and Insert: This method copies permissions of the source table (source column) of a permissions group. The permissions are copied for the permissions group that you selected in the Permissions Editor toolbar in the Permissions group menu.

    All copied permissions are inserted for the target table (target column). Already existing permissions for the target table (target column) remain the same.

  • Copy all permissions and Paste all permissions: This method copies all source table (source column) permissions. The initial selection of the permissions group in the Permissions Editor makes no difference here. All permissions from all permissions groups for the source table (source column) are applied.

    All copied permissions are inserted for the target table (target column). Existing permissions for target table (target column) that do not exist for the source table (source column) are removed from the target table (target column).

To copy permissions of a permission group

  1. In the Designer, select the Permissions category.

  2. Start the Permissions Editor using the Edit permissions task.

  3. In the Permissions Editor toolbar in the Permissions group menu, select the permissions group for which you want to grant the permissions.

  4. To transfer the table permissions.

    1. Select the table at the top of the Permissions Editor from which you want to transfer the permissions.

    2. Use the Copy context menu item to copy the permissions to the clipboard.

    3. Select the table at the top of the Permissions Editor from which you want to transfer the permissions.

    4. Use the Insert context menu to insert the permissions.

    5. If necessary, repeat step c) and d) for other tables.

  5. To transfer the column permissions

    1. Select the table at the top of the Permissions Editor and select the column from which you want to transfer permissions.

    2. Use the Copy context menu to copy the permissions.

    3. Select the table at the top of the Permissions Editor and select the column for which you want to transfer permissions.

    4. Use the Insert context menu to insert the permissions.

    5. If necessary, repeat step c) and d) for other columns.

  6. Select the Database > Save to database and click Save.

Related topics

Simulating permissions for system users

By simulating the permissions in the Permissions Editor, you can see which permissions a system user has based on their permissions group. You can specify which permissions groups of a system user to include in the simulation. The result displayed shows which of the selected permissions groups has which table permissions and column permissions. Effective permissions for the system user are also displayed.

NOTE: Simulation mode remains active until you end it. In simulation mode, you can edit permissions group permissions and update simulation data.

To run a simulation:

  1. In the Designer, select the Permissions category.

  2. Start the Permissions Editor using the Edit translation in database task.

  3. From the Simulation > Start simulation menu, start the simulation wizard.

  4. On the start page of the wizard, click Next.

  5. On the Simulation base configuration page, select the following data.

    • User: Select the system user whose permissions you want to simulate.

    • Direct groups: Use this button to select all permissions groups that are directly assigned to the system user.

    • All groups: Use this button to select all permissions groups that are directly assigned to the system user as well as all permissions groups that the system user inherits indirectly.

    • Permissions groups: Select individual permissions groups directly. Use Ctrl + select to select multiple permissions groups.

  6. On the Simulation configuration page, specify the tables for which the permissions are simulated.

    • In the Selected tables pane, all tables of the One Identity Manager schema are selected. If necessary, limit the selection to individual tables. Click None to undo the selection. Use Shift + select to select individual tables.

    • Using the Context table menu, you can specify a table from which you can view the resulting implicit permissions for the foreign key columns display values.

      Example:

      For the Employee table, viewing permissions have been assigned to the UID_Org column. As a result, viewing permissions are implicitly assigned to columns of the Org table that are used as a display template, for example, Org.Ident_Org.

      To simulate this example, select the Employee table under Context table and the Org table under Selected tables.

  7. The processing progress of the simulation is displayed on the Simulation page. The simulation process can take some time.

  8. To end the wizard, click Finish on the last page.

    After you complete simulation wizard, the system user's effective table permissions and column permissions are displayed in the upper part of the Permissions Editor in the Simulation view.

  9. To determine which table permission or column permission results from which of the system user's permissions groups, select the table or column in the upper part of the Permissions Editor.

    The permissions and permissions groups are displayed in the Permissions simulation view in the lower part of the Permissions Editor.

  10. To end the simulation mode, select the Simulation > End simulation menu.

    The simulation data is deleted and the Permissions simulation view is closed.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating