Identity Manager 9.0 LTS - Authorization and Authentication Guide

Authentication data is formatted from the authentication module and its parameters and values. You can specify initial data for the parameters and their values. By default, the initial data is preset for each authentication process.

Syntax for authentication data:

Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,…

Example:

Module=DialogUser;User=<user name>;Password=<password>

Setting initial data for authentication modules

Table 34: Authentication data for authentication modules
Authentication module	Display name	Parameters and meaning
DialogUser	System users	User: User name Password: The user's password
ADSAccount	Active Directory user account	No parameters required
DynamicADSAccount	Active Directory user account (dynamic)	Product: Usage. The system user is determined through the use case configuration data.
DynamicManualADS	Active Directory user account (manual input)	Product: Usage. The system user is determined through the use case configuration data. User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem \| ADS \| AuthenticationDomains configuration parameter, enter the permitted Active Directory domains. Password: The user's password.
RoleBasedADSAccount	Active Directory user account (role-based)	No parameters required
RoleBasedManualADS	Active Directory user account (manual input/role-based)	User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem \| ADS \| AuthenticationDomains configuration parameter, enter the permitted Active Directory domains. Password: The user's password
Employee	Employee	User: Employee's central user account. Password: The user's password
DynamicPerson	Employee (dynamic)	Product: Usage. The system user is determined through the use case configuration data. User: User name. Password: The user's password
RoleBasedPerson	Employee (role-based)	User: User name. Password: The user's password.
HTTPHeader	HTTP header	Header: The HTTP header to use. KeyColumn: Comma delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber
RoleBasedHTTPHeader	HTTP header (role-based)	Header: The HTTP header to use. KeyColumn: Comma delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber
DynamicLdap	LDAP user account (dynamic)	User: User name. Default: CN, DistinguishedName, UserID, UIDLDAP Password: The user's password
RoleBasedLdap	LDAP user account (role-based)	User: User name. Default: CN, DistinguishedName, UserID, UIDLDAP Password: The user's password
RoleBasedGeneric	Generic single sign-on (role-based)	SearchTable: Table in which to search for the user name of the logged in user. This table must contain a FK named UID_Person that points to the Person table. SearchColumn: Column from the SearchTable in which to search for the user name of the logged-in user. DisabledBy: Pipe (\|) delimited list of Boolean columns which block a user account from logging in. EnabledBy: Pipe (\|) delimited list of Boolean columns which release a user account for logging in.
OAuth	OAuth 2.0/OpenID Connect	Dependent on the authentication method of the secure token service.
OAuthRoleBased	OAuth 2.0/OpenID Connect (role-based)	Dependent on the authentication method of the secure token service.
DialogUserAccountBased	Account based system user	No parameters required
QERAccount	User account	No parameters required
RoleBasedQERAccount	User account (role-based)	No parameters required
RoleBasedManualQERAccount	User account (manual input/role-based)	User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem \| ADS \| AuthenticationDomains configuration parameter, enter the permitted Active Directory domains. Password: The user's password
PasswordReset	Password reset	No parameters required
RoleBasedPasswordReset	Password reset (role-based)	No parameters required
DecentralizedId	Decentralized identity	Email: Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail) Identifier: Decentralized identity of the employee (Person.DecentralizedIdentifier).
RoleBasedDecentralizedId	Decentralized Identity (role-based)	Email: Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail) Identifier: Decentralized identity of the employee (Person.DecentralizedIdentifier).
Token		Internal authentication module in the application server for authentication using OAuth 2.0/OpenID Connect access tokens. For more information, see Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API. URL: URL of the application server. ClientId: ID of the application on the identity provider. ClientSecret: Secret value for authentication at the token endpoint. TokenEndpoint: Uniform Resource Identifier (URL) of the token endpoint of the authorization server for returning the access token to the client for logging in.

Configuration data for system user dynamic authentication

In the case of dynamic authentication modules, the system user assigned to the employee is not used for the log in. The system user which is configured using the user interface special configuration data is taken instead.

TIP: For system users used for dynamic authentication modules, enable the Disabled for direct login option. This prevents direct login to One Identity Manager tools with these system users.

To specify configuration data

In the Designer, select the Base data > Security settings > Programs category.
Select the application and adjust the Configuration data.

Use XML syntax for entering the configuration data:

<Usermapping

DialogUser = "System user name"

Selection = "Selection criterion"

<Usermapping

DialogUser = "System user name"

...

</Usermappings>

</DialogUserDetect>

Enter the system user (DialogUser) in the Usermappings section. Specify which employee the given system user should use with the selection criterion (Selection). You are not obliged to enter a selection criterion for the assignment. The first system user that has the required assignment is used for the log in.

You can assign function groups to permissions groups on order to deal with complex permissions and user interface structures. The function groups allow you to map the functions an employee has in the company, for example, IT controller or branch manager. Assign the function groups to the permissions groups. A function group can refer to several permissions groups and several function groups can refer to one permissions group.

If the FunctionGroupMapping section is in the configuration data, this is evaluated first and the system user that is found is used. The authentication module uses the system user that is the exact member of the permissions group found for the login. If none is found, the Usermapping section is evaluated.

<FunctionGroupMapping

PersonToFunction = "View mapping employee to function group"

FunctionToGroup = "View mapping function group to permissions group"

<Usermapping

DialogUser = "System user name"

Selection = "Selection criterion"

...

</Usermappings>

</DialogUserDetect>

Example of a simple system user assignment

All employees should be able to see the user interface for an IT Shop in a web front-end, without taking table and column permissions into account.

To do this, set up a new application, for example WebShop_Customer_Prd, and adapt the configuration data as follows:

<Usermapping

DialogUser = "dlg_all"

</Usermappings>

</DialogUserDetect>

Create a new WebShop_Customer_Grp permissions group, which receives the user interface for the application comprising the menu items, interface forms and task definitions. The user interface could consist of the following menu items:

Employee contact data
Requesting a product
Unsubscribing a product

Define a new dlg_all system user and include it in the vi_DE-CentralPwd, the vi_DE-ITShopOrder, and the WebShop_Customer_Grp permissions groups.

Example of a system user assignment using a selection criterion

The scenario described in the previous example is extended such that only the cost center manager can see an employee’s leaving date. You need to add the input field LeavingDate to the contact data form to do this.

Permissions are used for controlling viewing and editing. Set up a new dlg_kst system user and include the system user in the vi_DE-CentralPwd, vi_DE-ITShopOrder and WebShop_Customer_Grp permissions groups. You should also give the system user read and write permissions to the Person.Exitdate column.

Extend the application configuration data in such a way that the cost center managers use the dlg_kst system user to log in. All other employees use the dlg_all system user to log in.

Change the configuration data as follows:

<Usermapping

DialogUser = "dlg_kst"

Selection = "select 1 where %uid% in (select uid_personhead from profitcenter)"

<Usermapping

DialogUser = "dlg_all"

</Usermappings>

</DialogUserDetect>

Identity Manager 9.0 LTS - Authorization and Authentication Guide

Initial data for authentication modules

Related topics

Configuration data for system user dynamic authentication

Related topics

Example of a simple system user assignment

Related topics

Example of a system user assignment using a selection criterion

Related topics

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Identity Manager 9.0 LTS - Authorization and Authentication Guide

Initial data for authentication modules

Related topics

Configuration data for system user dynamic authentication

Related topics

Example of a simple system user assignment

Related topics

Example of a system user assignment using a selection criterion

Related topics