Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 9.0 LTS - Authorization and Authentication Guide

Table of Contents

About this guide One Identity Manager application roles

Application roles overview

Application roles for basic functions Application role for the Operations Support Web Portal Application role for Compliance & Security Officers Application role for auditors Application roles for identity audit Application roles for company policies Application roles for attestation Application roles for subscribable reports Application roles for management levels Application roles for business roles Application roles for organizations Application role for application roles Application for employee administrators Application roles for the IT Shop Application roles for target systems Application roles for Universal Cloud Interface Application role for Privileged Account Governance Application roles for Application Governance Application roles for custom tasks

Implementing the application roles Creating and editing application roles

Main data of application roles Assigning employees to application roles Custom extension of application role permissions Creating and editing dynamic roles for application roles Specifying mutually exclusive application roles Assigning subscribable reports to application roles Assigning extended properties to application roles Generating assignment resources for application roles Reports about application roles

Granting One Identity Manager schema permissions through permissions groups

Predefined permissions groups and system users Rules for determining the valid permissions for tables and columns Editing permissions groups

Dependencies between permissions groups Permissions group dependencies Copying permissions groups Creating permissions groups Permissions group properties

Editing system users

Creating system users System users’ passwords System user properties Adding system users to permission groups Which employees use the system user? Dynamic system user

Permissions for tables and columns

Displaying permissions of a permissions group Displaying permissions for tables Editing table permissions Editing column permissions Copying table permissions and column permissions Simulating permissions for system users

Displaying permissions for objects Displaying permissions for the current user Assigning role-based permissions groups to an applications

Managing permissions to program functions

Displaying the current user's program functions Assigning program functions to permissions groups Permissions for running scripts Permissions for running methods Permissions for triggering processes Modifying permissions for running actions in the Launchpad

One Identity Manager authentication modules

System users Generic single sign-on (role-based) Employee Employee (role-based) Employee (dynamic) User account User account (role-based) User account (manual input/role-based) Account based system user Active Directory user account Active Directory user account (role-based) Active Directory user account (manual input) Active Directory user account (manual input/role-based) Active Directory user account (dynamic) LDAP user account (role-based) LDAP user account (dynamic) HTTP header HTTP header (role-based) OAuth 2.0/OpenID Connect OAuth 2.0/OpenID Connect (role-based) Synchronization authentication module Web agent authentication module Component authentication module Crawler Password reset Password reset (role-based) Decentralized identity Decentralized Identity (role-based) Editing authentication modules

Enabling authentication modules Assigning authentication modules to applications Disabling or enabling authentication modules for applications Authentication module properties Initial data for authentication modules Configuration data for system user dynamic authentication

Example of a simple system user assignment Example of a system user assignment using a selection criterion Example of a function group assignment

Checking authentication

OAuth 2.0/OpenID Connect authentication

Expiry of the OAuth 2.0/OpenID Connect authentication Creating the OAuth 2.0/OpenID Connect configuration Assigning OAuth 2.0/OpenID Connect configuration to web applications Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications Specifying enabled and disabled columns for logging in Logging information about OAuth 2.0/OpenID Connect authentication Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API

Setting up OAuth 2.0/OpenID Connect authentication for accessing the REST API Authentication module for using OAuth 2.0/OpenID Connect for authentication access to the REST API Authenticating external applications using OAuth 2.0/OpenID Connect

Multi-factor authentication in One Identity Manager

Multi-factor authentication with One Identity Defender

Configuring RSTS for multi-factor authentication Configuring authentication with OAuth 2.0/OpenID Connect in the Web Portal Configuring authentication with OAuth 2.0/OpenID Connect

Granular permissions for the SQL Server and database

Displaying database server logins Displaying users' access levels Displaying server roles and database roles permissions

Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Enabling authentication modules

NOTE: After the initial schema installation, only the System user and Component authenticator authentication modules and the role-based authentication modules are enabled in One Identity Manager.

To use an authentication module for logging in, you must enable the authentication module.

To enable an authentication module

In the Designer, select the Base data > Security settings > Authentication modules category.
In the List Editor, select the authentication module.
In the Properties view, set the Activated property to True.
Select the Database > Save to database and click Save.

Related topics

Assigning authentication modules to applications

NOTE: Use non role-based authentication modules to log in to the Designer. Role-based authentication modules for logging in to the Designer are not supported.

If create custom authentication modules, assign them to the existing programs. In general, you do not need to change assignments of predefined authentication modules.

To assign an authentication module to an application

In the Designer, select the Base data > Security settings > Authentication modules category.
Select the View > Select table relations menu item and enable the DialogProductHasAuthentifier table.
In List Editor, select the authentication module.
Assign the application in the Applications edit view.
Select the Database > Save to database and click Save.

Related topics

Disabling or enabling authentication modules for applications

NOTE: Use non role-based authentication modules to log in to the Designer. Role-based authentication modules for logging in to the Designer are not supported.

To use an authentication module for login, assignment of the authentication module to the application must be enabled.

To enable an authentication module for an application

In the Designer, select the Base data > Security settings > Authentication modules category.
Select the View > Select table relations menu item and enable the DialogProductHasAuthentifier table.
In List Editor, select the authentication module.
In the Application edit view, select the assigned application.
Disable the Disable option.
Select the Database > Save to database and click Save.

To disable an authentication module for an application

In the Designer, select the Base data > Security settings > Authentication modules category.
Select the View > Select table relations menu item and enable the DialogProductHasAuthentifier table.
In List Editor, select the authentication module.
In the Application edit view, select the assigned application.
Enable the Disable option.
Select the Database > Save to database and click Save.

Related topics

Authentication module properties

Table 33: Authentication module properties
Property	Meaning
Enabled	Specifies whether the authentication module can be used.
Display name	Display name for displaying the authentication module in the connection dialog of the administration tools.
Authentication module	Internal name of the authentication module.
Authentication type	Authentication module type. You can choose from Dynamic and Role based.
Processing status	The processing status is used for creating custom configuration packages.
Initial data	Initial data for logging in with this authentication module. Syntax: property1=value1;property2=value2 Example: User=<user name>;Password=<password>
Class	Authentication module class.
Assembly name	Name of the assembly file.
Sort order	Specify the order in which the modules are displayed in the login window.
Single sign-on	Specifies whether the authentication module may be authenticated without a password.
Select in front-end	Specifies whether the authentication module can be selected in the login window.

Related topics

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center