Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 9.0 LTS - Authorization and Authentication Guide

Table of Contents

About this guide One Identity Manager application roles

Application roles overview

Application roles for basic functions Application role for the Operations Support Web Portal Application role for Compliance & Security Officers Application role for auditors Application roles for identity audit Application roles for company policies Application roles for attestation Application roles for subscribable reports Application roles for management levels Application roles for business roles Application roles for organizations Application role for application roles Application for employee administrators Application roles for the IT Shop Application roles for target systems Application roles for Universal Cloud Interface Application role for Privileged Account Governance Application roles for Application Governance Application roles for custom tasks

Implementing the application roles Creating and editing application roles

Main data of application roles Assigning employees to application roles Custom extension of application role permissions Creating and editing dynamic roles for application roles Specifying mutually exclusive application roles Assigning subscribable reports to application roles Assigning extended properties to application roles Generating assignment resources for application roles Reports about application roles

Granting One Identity Manager schema permissions through permissions groups

Predefined permissions groups and system users Rules for determining the valid permissions for tables and columns Editing permissions groups

Dependencies between permissions groups Permissions group dependencies Copying permissions groups Creating permissions groups Permissions group properties

Editing system users

Creating system users System users’ passwords System user properties Adding system users to permission groups Which employees use the system user? Dynamic system user

Permissions for tables and columns

Displaying permissions of a permissions group Displaying permissions for tables Editing table permissions Editing column permissions Copying table permissions and column permissions Simulating permissions for system users

Displaying permissions for objects Displaying permissions for the current user Assigning role-based permissions groups to an applications

Managing permissions to program functions

Displaying the current user's program functions Assigning program functions to permissions groups Permissions for running scripts Permissions for running methods Permissions for triggering processes Modifying permissions for running actions in the Launchpad

One Identity Manager authentication modules

System users Generic single sign-on (role-based) Employee Employee (role-based) Employee (dynamic) User account User account (role-based) User account (manual input/role-based) Account based system user Active Directory user account Active Directory user account (role-based) Active Directory user account (manual input) Active Directory user account (manual input/role-based) Active Directory user account (dynamic) LDAP user account (role-based) LDAP user account (dynamic) HTTP header HTTP header (role-based) OAuth 2.0/OpenID Connect OAuth 2.0/OpenID Connect (role-based) Synchronization authentication module Web agent authentication module Component authentication module Crawler Password reset Password reset (role-based) Decentralized identity Decentralized Identity (role-based) Editing authentication modules

Enabling authentication modules Assigning authentication modules to applications Disabling or enabling authentication modules for applications Authentication module properties Initial data for authentication modules Configuration data for system user dynamic authentication

Example of a simple system user assignment Example of a system user assignment using a selection criterion Example of a function group assignment

Checking authentication

OAuth 2.0/OpenID Connect authentication

Expiry of the OAuth 2.0/OpenID Connect authentication Creating the OAuth 2.0/OpenID Connect configuration Assigning OAuth 2.0/OpenID Connect configuration to web applications Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications Specifying enabled and disabled columns for logging in Logging information about OAuth 2.0/OpenID Connect authentication Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API

Setting up OAuth 2.0/OpenID Connect authentication for accessing the REST API Authentication module for using OAuth 2.0/OpenID Connect for authentication access to the REST API Authenticating external applications using OAuth 2.0/OpenID Connect

Multi-factor authentication in One Identity Manager

Multi-factor authentication with One Identity Defender

Configuring RSTS for multi-factor authentication Configuring authentication with OAuth 2.0/OpenID Connect in the Web Portal Configuring authentication with OAuth 2.0/OpenID Connect

Granular permissions for the SQL Server and database

Displaying database server logins Displaying users' access levels Displaying server roles and database roles permissions

Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Displaying users' access levels

NOTE:

If you select an existing database connection in the connections dialog, the access level of the login to be used is shown in a tooltip.
Some user interfaces expect configuration user permissions at least. Logging in as an end user is not possible in this case.

To find the access level of the logged in user

To display user information, double-click the icon in the program status bar

On the System user tab, in the SQL access level field, you will see the access level for the current login. The access levels displayed are End user, Configuration user, Administrative user, System administrator, and Unknown.

Related topics

Displaying database server logins

Displaying server roles and database roles permissions

Server and database permissions are predefined and cannot be modified.

NOTE: The End user role database role is permitted for custom schema extensions.

To display server and database permissions

In the Designer, select server role or the database role in the Base data > Security settings > Database server permissions > Database server login category.

This opens the List Editor showing a list of permissions.

Installing One Identity Redistributable STS

The Redistributable STS (RSTS) is a Secure Token Server component service designed to provide user authentication using standard federation protocols such as WS-Federation and OAuth 2.0. One Identity Manager uses the RSTS for authentication to web applications with Webauthn and OAuth 2.0.

For more information about the Webauthn configuration, see the One Identity Manager Web Application Configuration Guide.

To install the RSTS

Launch autorun.exe from the root directory of the One Identity Manager installation medium.
Switch to the Other products tab
Select One Identity Redistributable STS and click Install.
On the start page of the installation wizard, click Next.
On the Select database page, select the One Identity Manager database connection. Select a user who has a minimum of administrative permissions for the database.
On the Installation settings page, enter the required information.
On the Installation page you can see the installation progress. When the installation has finished, click Next.
Click Finish to close the installation wizard.

Related topics

Preventing blind SQL injection

Due to security issues, you cannot run any database queries directly from the user interface or from web applications. Specific SQL operators undergo a risk assessment that prevents them from being used by One Identity Manager components. This includes operators such as LIKE, NOT LIKE, <, <=, >, or >=.

In order to continue using certain functions in One Identity Manager components, users require the Common_AllowRiskyWhereClauses program function.

Users who do not have this program function can only run database queries that are classified as trusted or pose no risk (risk index = 0.0). Some of the functions in One Identity Manager components, such as testing dynamic roles or running filter queries, are not possible without this function.

If you want to allow certain users to run security-critical queries, you can assign permissions to users through permission groups.

The QBM_Critical_WhereClause permissions group is provided for non role-based login. This group owns the program function. Add the system users who are allowed to run security-critical queries to the permissions group. Administrative system users automatically obtain these permissions groups.
The QER_4_Critical_WhereClause permissions group is provided for non role-based login. This group owns the program function. The permissions group is linked to the Base roles | security-critical queries application role. Add the system users who are allowed to run security-critical queries in the application role.

Using configuration parameters, you can also control the risk assessment of running the SQL statements.

NOTE: The configuration parameters are effective only for users who have the Common_AllowRiskyWhereClauses program function.

Use the QBM | SQLCheck | RiskEvaluation configuration parameter to define the risk assessment of running the SQL statements. Permitted values are:
- Low: SQL statements with some risk are allowed.
- Medium: The risk of SQL statements is assessed at a mitigated level. Thus, the threshold for blocking the user is reached later and more queries are possible.
- Strict: The risk of SQL statements is assessed in full. However, the user is not blocked until a certain threshold is reached.
If the configuration parameter is not set, the risk assessment is performed with the value Strict.
Use the QBM | SQLCheck | SubSelect configuration parameter to specify how SQL statements with sub-queries are assessed. If the configuration parameter is set, then places where SQL statements with sub-queries are found are classified as higher risk.

Notes for customizations

As an example, database queries that are required on customized forms or database queries that are run over the application server API, must be formulated as predefined database queries in One Identity Manager. Database queries are always run with the permissions of the current user. For more information about using predefined database queries, see the One Identity Manager Configuration Guide.
You will find examples on the installation medium in the QBM\dvd\AddOn\ApiSamples directory.
For the alphabetical display of objects such as employees or company structures, you can use the QERVFirstUnicodeChar table in customized menus.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center