
Identity Manager On Demand - Starling Edition Hosted - Identity Management Base Module Administration Guide


Testing dynamic role conditions

NOTE: To perform the task, users require the Common_AllowRiskyWhereClauses program function.

NOTE: This task is only visible when the dynamic role condition is displayed as an SQL query.

You should test which objects fulfill the given condition before you save a dynamic role.

To test the SQL condition for a dynamic role

  1. In the Manager, select the role for which the dynamic role was created.

  2. Open the role's overview form.

  3. Select Dynamic roles and click on the dynamic role.

  4. Select Change main data.

  5. Click (Edit SQL) on the form.

    This displays the condition as an SQL query.

  6. Select the Test condition task.

    On the main data form, in the Test result field, all objects determined by the condition are displayed.


Calculating role memberships for dynamic roles

To calculate the role memberships, One Identity Manager tests every dynamic role to determine whether:

  • There is at least one object that satisfies the condition but is not assigned to the role

  • There is at least one object that does not satisfy the condition but is assigned to the role

  • The exclusion list was changed

If one of the conditions is fulfilled, a request to add or delete memberships is sent to the DBQueue Processor.

NOTE: When the dynamic roles are tested, identities that are marked for deletion are:

  • Not added to roles through dynamic roles even if the miscellaneous condition is fulfilled.

  • Removed from the role even if the miscellaneous condition should be fulfilled.
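The checks and the deletion rule above can be written as set arithmetic, which is a convenient way to preview who would gain or lose a role from a Test result list before a condition is saved. This is an added example, not One Identity Manager code; the function names, the identity names, and the assumption that identities on the exclusion list never hold the role are illustrative.

```python
# Added illustration, not One Identity Manager code. All names are hypothetical.

def membership_delta(matches, members, excluded=(), marked_for_deletion=()):
    """Return (to_add, to_remove) for one dynamic role.

    matches:             identities that satisfy the role condition
                         (what the Test condition task lists)
    members:             identities currently assigned through the dynamic role
    excluded:            exclusion list (assumption: excluded identities
                         never hold the role)
    marked_for_deletion: never added, and removed even if they match
    """
    eligible = set(matches) - set(excluded) - set(marked_for_deletion)
    current = set(members)
    return eligible - current, current - eligible


def recalculation_requested(matches, members, excluded=(),
                            marked_for_deletion=(),
                            exclusion_list_changed=False):
    """True if any of the three documented checks is fulfilled."""
    to_add, to_remove = membership_delta(
        matches, members, excluded, marked_for_deletion)
    return bool(to_add or to_remove or exclusion_list_changed)


# Constructed sample data.
TEST_RESULT = {"anna", "ben", "carl", "dana"}   # satisfy the condition
CURRENT_MEMBERS = {"ben", "carl", "eve"}        # assigned today
EXCLUSION_LIST = {"dana"}
MARKED_FOR_DELETION = {"carl"}

if __name__ == "__main__":
    to_add, to_remove = membership_delta(
        TEST_RESULT, CURRENT_MEMBERS, EXCLUSION_LIST, MARKED_FOR_DELETION)
    print("would gain the role:", sorted(to_add))
    print("would lose the role:", sorted(to_remove))
```
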

The calculation of role memberships in dynamic roles can be triggered by different methods.

  • Cyclical checking using a schedule

  • Recalculation when objects are changed

  • Start recalculation manually


Schedules for calculating dynamic roles

NOTE: When a schedule is started, all dynamic roles that have this schedule assigned and where the No recalculation of assignments option is not set are recalculated.

In the standard installation of One Identity Manager, the Dynamic roles check schedule is already defined. This schedule is used when creating a new dynamic role. All dynamic role memberships are checked using this schedule and recalculation tasks are sent to the DBQueue Processor if necessary. Checks are made at predefined intervals. If necessary, you can change the default schedule for dynamic roles or create new schedules.

For more information about schedules, see the One Identity Manager Operational Guide.


Creating and editing dynamic role schedules

If necessary, you can change the default schedule for dynamic roles or create new schedules.

To edit a schedule

  1. In the Manager, select the Organizations > Basic configuration data > Schedules category.

    The result list shows all the schedules configured for dynamic roles.

  2. Select a schedule in the result list and run the Change main data task.

  3. Edit the schedule’s main data.

  4. Save the changes.

To create a schedule

  1. In the Manager, select the Organizations > Basic configuration data > Schedules category.

  2. Click in the result list.

  3. Edit the schedule’s main data.

  4. Save the changes.

Edit the following schedule properties.

Table 5: Schedule properties

Property: Meaning

Name: Schedule ID.

Description: Detailed description of the schedule.

Enabled: Specifies whether the schedule is enabled.

Time zones: Unique identifier for the time zone that is used for running the schedule. Choose between Universal Time Code or one of the time zones in the menu.

Start (date): The day on which the schedule should be run for the first time. If this day conflicts with the defined interval type, the first run is on the next available day based on the start date.

Validity period: Period within which the schedule is run.

  • If the schedule will be run for an unlimited period, select the Unlimited duration option.

  • To set a validity period, select the Limited duration option and enter the day the schedule will be run for the last time in End (date).

Occurs: Interval in which the task is run. Other settings may be required depending on the selected interval type.

  • Hourly: The schedule is run at defined intervals of a multiple of hours such as every two hours.

    • Under Repeat every, specify after how many hours the schedule is run again.

    • The starting point is calculated from the rate of occurrence and the interval type.

  • Daily: The schedule is run at specified times in a defined interval of days such as every second day at 6am and 6pm.

    • Under Start time, specify the times to run the schedule.

    • Under Repeat every, specify after how many days the schedule is run again.

  • Weekly: The schedule is run at a defined interval of weeks, on a specific day, at a specified time such as every second week on Monday at 6am and 6pm.

    • Under Start time, specify the times to run the schedule.

    • Under Repeat every, specify after how many weeks the schedule is run again.

    • Specify the set day of the week for running the schedule.

  • Monthly: The schedule is run at a defined interval of months, on a specific day, at a specified time such as every second month on the 1st and the 15th at 6am and 6pm.

    • Under Start time, specify the times to run the schedule.

    • Under Repeat every, specify after how many months the schedule is run again.

    • Specify the days of the month (1st - 31st of the month).

    NOTE: If the sub interval 29, 30, or 31 of the Monthly interval type does not exist in a given month, the last day of the month is used.

    Example:

    A schedule that is run on the 31st day of each month is run on April 30th. In February, the schedule is run on the 28th (or 29th in leap year).

  • Yearly: The schedule is run at a defined interval of years, on a specific day, at a specified time such as every year on the 1st, the 100th, and the 200th day at 6am and 6pm.

    • Under Start time, specify the times to run the schedule.

    • Under Repeat every, specify after how many years the schedule is run again.

    • Specify the days of the year (1st - 366th day of the year).

      NOTE: If you select the 366th day of the year, the schedule is only run in leap years.

  • Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday: The schedule is run on a defined day of the week, in specified months, at specified times such as every second Saturday in January and June at 10am.

    • Under Start time, specify the times to run the schedule.

    • Under Repeat every, specify after how many days of the month the schedule is run again. The values 1 to 4, -1 (last day of the week), and -2 (last day but one of the week) are permitted.

    • Specify in which month to run the schedule. The values 1 to 12 are permitted. If the value is empty, the schedule is run each month.

Start time: Fixed start time. Enter the time in local format for the chosen time zone. If there is a list of start times, the schedule is started at each of the given times.

Repeat every: Rate of occurrence for running the schedule within the selected time interval.
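The calendar edge cases in the Occurs property determine on which days a recalculation actually runs. They are worked through below as an added example, not One Identity Manager code. The function names are hypothetical, and two points are assumptions: sub intervals that fall back to the same day produce a single run, and the values 1 to 4, -1 and -2 of the weekday interval types select the nth, last, and last but one occurrence of that weekday in the month.

```python
# Added illustration, not One Identity Manager code. All names are hypothetical.
import calendar
from datetime import date, timedelta


def monthly_run_dates(year, month, days_of_month):
    """Monthly type: days 29-31 missing from a month fall back to its last day."""
    last = calendar.monthrange(year, month)[1]
    # Assumption: sub intervals that clamp to the same day yield one run.
    return sorted({date(year, month, min(d, last)) for d in days_of_month})


def yearly_run_dates(year, days_of_year):
    """Yearly type: the 366th day produces a run only in leap years."""
    length = 366 if calendar.isleap(year) else 365
    start = date(year, 1, 1)
    return [start + timedelta(days=d - 1)
            for d in sorted(days_of_year) if 1 <= d <= length]


def nth_weekday(year, month, weekday, n):
    """Weekday types. weekday: 0=Monday .. 6=Sunday.

    Assumption: n in 1..4 picks the nth occurrence, -1 the last one
    and -2 the last but one.
    """
    if n not in (1, 2, 3, 4, -1, -2):
        raise ValueError("permitted values are 1 to 4, -1 and -2")
    last = calendar.monthrange(year, month)[1]
    hits = [date(year, month, d) for d in range(1, last + 1)
            if date(year, month, d).weekday() == weekday]
    return hits[n - 1] if n > 0 else hits[n]


if __name__ == "__main__":
    print(monthly_run_dates(2025, 4, [31]))           # 31st requested in April
    print(yearly_run_dates(2025, [1, 100, 200, 366]))
    print(nth_weekday(2025, 1, calendar.SATURDAY, 2))
```
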
