
Identity Manager 9.1 - Authorization and Authentication Guide


Application roles for company policies

NOTE: This application role is available if the Company Policies Module is installed.

The following application roles are available for managing company policies:

Table 4: Application roles for company policies
Application role Description

Administrators

Administrators must be assigned to the Identity & Access Governance | Company policies | Administrators application role.

Users with this application role:

  • Enter base data for setting up company policies.

  • Set up policies and assign policy supervisors to them.

  • Can calculate policies and view policy violations if required.

  • Set up reports about policy violations.

  • Enter mitigating controls.

  • Create and edit risk index functions.

  • Administer application roles for policy supervisors, exception approvers and attestors.

  • Set up other application roles as required.

Policy supervisors

Policy supervisors must be assigned to the Identity & Access Governance | Company policies | Policy supervisors application role or another child application role.

Users with this application role:

  • Are responsible for the contents of company policies.

  • Edit working copies of company policies.

  • Enable and disable company policies.

  • Can calculate policies and view policy violations if required.

  • Assign mitigating controls.

Exception approvers

Exception approvers must be assigned to the Identity & Access Governance | Company policies | Exception approvers application role or a child application role.

Users with this application role:

  • Edit policy violations.

  • Can grant exception approval or revoke it.

Attestors

Attestors must be assigned to the Identity & Access Governance | Company policies | Attestors application role.

Users with this application role:

  • Attest company policies and exception approvals in the Web Portal for which they are responsible.

  • Can view the main data for these company policies but not edit them.

NOTE: This application role is available if the Attestation Module is installed.

Application roles for attestation

NOTE: This application role is available if the Attestation Module is installed.

The following application roles are available for managing attestation procedures:

Table 5: Application roles for attestation
Application role Description

Administrators

Administrators are assigned to the Identity & Access Governance | Attestation | Administrators application role.

Users with this application role:

  • Define attestation procedures and attestation policies.

  • Create approval policies and approval workflows.

  • Specify which approval procedure to use to find attestors.

  • Set up attestation case notifications.

  • Configure attestation schedules.

  • Enter mitigating controls.

  • Create and edit risk index functions.

  • Monitor attestation cases.

  • Manage application roles for attestation policy owners.

  • Maintain members of the chief approval team.

Chief approval team

The chief approver must be assigned to the Identity & Access Governance | Attestation | Chief approval team application role.

Users with this application role:

  • Approve using attestation cases.

  • Assign attestation cases to other attestors.

Attestors for external users

Attestors for external users must be assigned to the Identity & Access Governance | Attestation | Attestors for external users application role.

Users with this application role:

  • Attest new, external employees.

Attestation policy owner

Owners of attestation policies must be assigned to a child application role of the Identity & Access Governance | Attestation | Attestation policy owners application role.

Users with this application role:

  • Are responsible for its content and handle the attestation policies assigned to it.

  • Assign the attestation procedure, approval policy, and calculation schedule.

  • Assign approvers, mitigating controls, and compliance frameworks.

  • Monitor attestation cases and attestation runs.

NOTE: Attestors in charge are determined through approval procedures. Other application roles may be applied here. Application roles for attestors are defined in different modules and are available if the Attestation Module is installed.

Application roles for subscribable reports

NOTE: This application role is available if the Report Subscription Module is installed.

The following application role is available for managing subscribable reports:

Table 6: Application roles for subscribable reports
Application role Description

Administrators

Administrators must be assigned to the Identity & Access Governance | Company policies | Report Subscriptions application role.

Users with this application role:

  • Create subscribable reports from existing reports.

  • Configure report parameters for subscribable reports.

  • Assign subscribable reports to employees, company structures or IT Shop shelves.

  • Create custom mail templates for sending subscribed reports by email.

Application roles for management levels

NOTE: This application role is available if the Identity Management Base Module is installed.

The user must be assigned to the Identity Management | Management level application role.

Users with this application role:

  • Can view reports and statistics in the Web Portal that are intended for their company's management level.
