
Identity Manager 9.0 LTS - Identity Management Base Module Administration Guide


Mapping multiple employee identities

Table 30: Configuration parameter for representing multiple identities

Configuration parameter: Person | MasterIdentity | UseMasterForAuthentication

Effect when set: Specifies whether the main identity is used to log in to One Identity Manager tools with an employee-linked authentication module.

If this parameter is set, the main identity is used for employee-linked authentication. If this parameter is not set, the subidentity is used for employee-linked authentication.

For more information about One Identity Manager authentication modules and about editing system users, see the One Identity Manager Authorization and Authentication Guide.

Under certain circumstances, it may be necessary for employees to have different identities for their work, for example, identities that result from different contracts at different branches. These identities can differ in their affiliation to departments or cost centers, or in their access permissions, for example. External employees working at different locations can likewise be represented with different identities in the system. In One Identity Manager, you can define a main identity and subidentities for an employee to represent each of these identities and to group them at a central location.

In target systems, different types of user accounts are available to give employees different permissions. An employee can have different identities in order to use multiple user accounts of different types. To improve the assignment of authorizations in the target systems, the subidentities of an employee are split into different identity types. This classification corresponds to the user account types.

Main identity
  • A main identity represents a real person.

  • A main identity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.

  • The employee main data of a main identity is shown in One Identity Manager.

  • A main identity can have several subidentities.

Subidentity
  • A subidentity is a virtual employee.

  • A subidentity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.

  • A subidentity is always assigned to a main identity.

  • Employee main data of a subidentity is displayed in One Identity Manager. This can be copied from the main identity data using the appropriate templates.

  • Enter a main identity for the subidentity using Main identity on the employee’s main data form.

TIP: If an employee works with several identities, but only one of these is currently known in the One Identity Manager, then you should:

  • Create a main identity for this employee

  • Assign the identity known until now as a subidentity

  • Create new subidentities for the additional identities

In this way, you can check the employee's permissions per subidentity, or per main identity including all its subidentities, within the scope of an identity audit.

Employee identity types

To differentiate the different identities of an employee, use the following identity types.

Table 31: Identity types

Value: Primary identity
Description: Employee's default identity. The employee has a default user account.

Value: Organizational identity
Description: Virtual employee (subidentity) for mapping the different roles of an employee in the organization. The subidentity has a user account of the Organizational identity type. Also enter a main identity.

Value: Personalized admin identity
Description: Virtual employee (subidentity) that belongs to a user account of the Personalized administrator identity type. Also enter a main identity.

Value: Sponsored identity
Description: Pseudo employee associated with a user account of the Sponsored identity type. Assign a manager to the employee.

Value: Shared identity
Description: Pseudo employee associated with an administrative user account of the Shared identity type. Assign a manager to the employee.

Value: Service identity
Description: Pseudo employee associated with a user account of the Service identity type. Assign a manager to the employee.

Value: Machine identity
Description: Pseudo employee for mapping machine identities.

The primary identity, the organizational identity, and the personalized admin identity are different identities under which the same actual employee performs their different tasks within the company.

Employees with a personalized admin identity or an organizational identity are set up as subidentities. These subidentities are then linked to user accounts, enabling you to assign the required permissions to the different user accounts.

The sponsored identity, the shared identity, and the service identity represent pseudo employees that are used to provide the linked user accounts with permissions in the respective target systems. Assigning pseudo employees to hierarchical roles, or adding them as customers in the IT Shop, makes it possible to assign permissions to their user accounts. Requests in the IT Shop for these pseudo employees can be placed only by their manager. When evaluating reports, attestations, or compliance checks, check whether pseudo employees need to be considered separately.
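The following Python model is added here as an illustration and is not One Identity Manager code. It ties together the two preceding sections: the main identity and subidentity links, the identity types from Table 31, the effect of the Person | MasterIdentity | UseMasterForAuthentication parameter on which employee an employee-linked login resolves to, who may place IT Shop requests for a pseudo employee, and the identity-audit view of permissions per subidentity and per main identity including all its subidentities. All class and function names, the sample employees and accounts, and the validation rules marked as assumptions are invented for this example.

```python
"""Main identity / subidentity model with identity types.

Added illustration, not One Identity Manager code. Names, sample data and
the rules marked 'assumption' are invented for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class IdentityType(Enum):
    PRIMARY = "Primary identity"
    ORGANIZATIONAL = "Organizational identity"
    PERSONALIZED_ADMIN = "Personalized admin identity"
    SPONSORED = "Sponsored identity"
    SHARED = "Shared identity"
    SERVICE = "Service identity"
    MACHINE = "Machine identity"


# Subidentities need a main identity; pseudo employees need a manager (Table 31).
SUBIDENTITY_TYPES = {IdentityType.ORGANIZATIONAL, IdentityType.PERSONALIZED_ADMIN}
PSEUDO_TYPES = {IdentityType.SPONSORED, IdentityType.SHARED, IdentityType.SERVICE}


@dataclass
class UserAccount:
    target_system: str
    name: str
    permissions: frozenset  # e.g. group memberships in the target system


@dataclass(eq=False)  # compare employees by object identity, not by field values
class Employee:
    central_account: str
    identity_type: IdentityType
    main_identity: Optional[Employee] = None   # set for subidentities
    manager: Optional[Employee] = None         # set for pseudo employees
    accounts: list = field(default_factory=list)
    subidentities: list = field(default_factory=list)

    def __post_init__(self):
        if self.main_identity is not None:
            self.main_identity.subidentities.append(self)


def validate(emp: Employee) -> list:
    """Return the modelling rules the employee breaks (empty list = consistent)."""
    problems = []
    if emp.identity_type in SUBIDENTITY_TYPES and emp.main_identity is None:
        problems.append("subidentity without main identity")
    if emp.identity_type in PSEUDO_TYPES and emp.manager is None:
        problems.append("pseudo employee without manager")
    if emp.identity_type is IdentityType.PRIMARY and emp.main_identity is not None:
        problems.append("primary identity must not reference a main identity")  # assumption
    return problems


def authentication_identity(linked: Employee, use_master_for_authentication: bool) -> Employee:
    """Employee an employee-linked authentication module logs in as, given the
    employee the authenticating user account is linked to (Table 30)."""
    if use_master_for_authentication and linked.main_identity is not None:
        return linked.main_identity
    return linked


def may_request(requester: Employee, beneficiary: Employee) -> bool:
    """Who may place an IT Shop request for `beneficiary`."""
    if beneficiary.identity_type in PSEUDO_TYPES:
        return beneficiary.manager is requester     # only the manager of a pseudo employee
    if beneficiary.identity_type is IdentityType.MACHINE:
        return False                                # guide names no requester; assumption
    return requester is beneficiary                 # main and subidentities request for themselves (assumption: not for each other)


def effective_permissions(emp: Employee, include_subidentities: bool = False) -> frozenset:
    """Set of (target system, permission) pairs held via the employee's user accounts,
    optionally aggregated over all subidentities for an identity audit."""
    perms = set()
    for acct in emp.accounts:
        perms.update((acct.target_system, p) for p in acct.permissions)
    if include_subidentities:
        for sub in emp.subidentities:
            perms |= effective_permissions(sub, include_subidentities=True)
    return frozenset(perms)


def audit_report(main: Employee) -> dict:
    """Permissions per identity plus the aggregate over the main identity and all subidentities."""
    report = {main.central_account: effective_permissions(main)}
    for sub in main.subidentities:
        report[sub.central_account] = effective_permissions(sub)
    report["ALL:" + main.central_account] = effective_permissions(main, include_subidentities=True)
    return report


def build_sample() -> dict:
    """Constructed sample data (not from any real system)."""
    jane = Employee("jdoe", IdentityType.PRIMARY,
                    accounts=[UserAccount("AD", "jdoe", frozenset({"Domain Users", "Finance-RO"}))])
    branch = Employee("jdoe-branch2", IdentityType.ORGANIZATIONAL, main_identity=jane,
                      accounts=[UserAccount("AD", "jdoe2", frozenset({"Domain Users", "Branch2-Sales"}))])
    admin = Employee("adm-jdoe", IdentityType.PERSONALIZED_ADMIN, main_identity=jane,
                     accounts=[UserAccount("AD", "adm-jdoe", frozenset({"Domain Admins"}))])
    backup = Employee("svc-backup", IdentityType.SERVICE, manager=jane,
                      accounts=[UserAccount("AD", "svc-backup", frozenset({"Backup Operators"}))])
    bob = Employee("bsmith", IdentityType.PRIMARY)
    return {"jane": jane, "branch": branch, "admin": admin, "backup": backup, "bob": bob}


if __name__ == "__main__":
    s = build_sample()
    for name, perms in audit_report(s["jane"]).items():
        print(name, sorted(perms))
```

The audit view is the practical payoff: "Domain Admins" never shows up on the primary identity jdoe, but it does show up in the aggregate for the real person behind it, which is exactly the view an attestation of the whole person needs.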


Password policies for employees

One Identity Manager supports you in creating complex password policies, for example, for system user passwords, the employees' central password, and passwords for individual target systems. Password policies apply not only when a user enters a password but also when random passwords are generated.

Predefined password policies are supplied with the default installation that you can use or customize if required. You can also define your own password policies.


Predefined password policies

You can customize predefined password policies to meet your own requirements if necessary.

Password for logging in to One Identity Manager

The One Identity Manager password policy is applied for logging in to One Identity Manager. This password policy defines the settings for the system user passwords (DialogUser.Password and Person.DialogUserPassword) as well as the passcode for a one time log in on the Web Portal (Person.Passcode).

NOTE: The One Identity Manager password policy is marked as the default policy. This password policy is applied if no other password policy can be found for employees, user accounts, or system users.

Password policy for forming employees' central passwords

Depending on the configuration, an employee's central password is passed on to the employee's target system specific user accounts. The Employee central password policy defines the settings for the central password (Person.CentralPassword). Members of the Identity Management | Employees | Administrators application role can adjust this password policy.

IMPORTANT: Ensure that the Employee central password policy does not violate the target system-specific requirements for passwords.

Password policies for user accounts

Predefined password policies are provided, which you can apply to the user account password columns of the user accounts. You can define password policies for user accounts for various base objects, for example, for account definitions, manage levels, or target systems.

For more information about password policies for user accounts, see the administration guides of the target systems.

