Identity Manager 9.1 - Identity Management Base Module Administration Guide


Displaying locked employees and system users

If a user has exceeded the maximum number of failed logins, the employee or system user will not be able to log in to One Identity Manager.

  • Locked employees are displayed in the Manager in the Employees > Locked employees category. An additional message referring to the locked login is also displayed on the overview form for an employee.

  • Locked system users are displayed in the Designer in the Permissions > System users > Locked system users category. An additional message referring to the locked login is also displayed on the overview form for a system user.

You can reset the passwords of locked employees and system users in the Password Reset Portal. This unlocks the employees and system users again. For more information, see the One Identity Manager Web Designer Web Portal User Guide and the One Identity Manager Web Application Configuration Guide.

Creating and editing employees

In One Identity Manager, you can manage main data of company employees as well as external employees. Because the described main data is the same for internal and external employees, the Employee term is used in the following description.

In the Manager, enter employee main data in the Employees category. Employees are filtered by different criteria in this category.

  • Employees: All activated and temporarily deactivated employees.

  • Inactive employees: All permanently deactivated employees.

  • Locked employees: All employees who are locked due to incorrect password input.

  • Certification: All employees by certification status.

  • Data source: All employees by import data source.

  • Identity: All employees according to their identity type.

To create or edit employees

  1. In the Manager, select the Employees > Employees category.

  2. Select an employee in the result list and run the Change main data task.

    – OR –

    Click in the result list.

    This opens the main data form for an employee.

  3. Edit the employee's main data.

  4. Save the changes.

Ensure you fill out all compulsory fields when you edit the main data. Certain main data is inherited by the employee user account through templates.

NOTE: Employee properties loaded from a target system can only be edited to a limited degree in One Identity Manager. Certain properties are locked because this target system is the primary system. The source from which the employee main data is imported determines which properties are locked.

General employee main data

Enter the following general main data of an employee. This data applies to personal and job-related employee data.

Table 35: General main data

Property

Description

First name

Employee's first name.

Last name

Employee's last name.

Middle name

Second middle name.

Form of address

Employee's form of address. This is automatically set depending on gender.

Title

Employee's title.

Surname prefix

Employee's surname prefix, for example du, or von.

Preferred name

Employee's preferred name.

Initials

Employee's initials. These are automatically taken from first and last names.

Gender

Employee's gender.

Date of birth

Employee's date of birth.

Name at birth

Employee's name at birth.

Job description

Description of employee's job within your company.

Generational affix

Affix, for example Senior or Junior.

Language

Language used for sending email notifications to the employee. This setting is also used for the Web Portal's display.

Language for value formatting

Language used to display values, for example, date, time, or number formats. The setting is taken into account when email notifications are sent to the employee. This setting is also used for the Web Portal's display.

Sub-organization

Note about sub-organizations to which the employee belongs.

Permanently disabled

Specifies whether the employee is currently employed by the company. If this option is set, the employee has left the company. All privileges as a One Identity Manager user are removed.

NOTE: Employees who are permanently deactivated can no longer log in to One Identity Manager.

Certification status

Specifies whether the employee main data was approved by the employee's manager. Certification status is set through certification procedures. The following certification statuses are permitted:

  • New: The employee was newly added to the One Identity Manager database.

  • Certified: The employee main data has been approved by the manager.

  • Denied: The employee main data was not approved by the manager. The employee is permanently disabled.

VIP

Labels the employee as important.

Security risk

Specifies whether the employee is considered a risk for the company.

Resource inheritance can be prevented for employees who are classified as security risks. Configure the behavior in the resource properties.

Permissions inheritance can be prevented for employees who are classified as security risks. The user accounts of the employee can be blocked. Configure this in the account definition properties. For more information about account definitions, see the One Identity Manager Target System Base Module Administration Guide.

NOTE: Employees who are classified as a security risk are no longer able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

No inheritance

Specifies whether the employee inherits company resources through roles. If this option is set, the employee cannot inherit. Company resources the employee receives through IT Shop requests are not assigned either. Direct assignments remain intact.

If the QER | Attestation | UserApproval configuration parameter is set, this option is set depending on the Permanently disabled option. If the employee is permanently disabled, the No inheritance option is set through a formatting rule.

External

Specifies whether the employee is employed internally or externally by your company. If this option is set, the employee is external. External employees are excluded from automatic account definition assignment in the default version of One Identity Manager.

Employee type

More accurate classification of the employee, taking their contractual relationship with the company into account. Permitted values are Employee, Apprentice, Contractor, Consultant, Partner, Customer, Other.

Contact email address

Email address to which the registration link is sent when a new user account is created using the Self-Registration Web Portal.

Company

Enter a company. Use the next to the field to add a new company.

Workdesk

Employee's workdesk.

Risk index (calculated)

A risk index is calculated to evaluate the risk of an employee based on their permissions. An employee's risk index is determined from the risk indexes of their user accounts. This field is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Description

Text field for additional explanation.

Comment

Text field for additional explanation.

Spare field no. 01 ... Spare field no. 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Organizational employee main data

Enter the following organizational main data for an employee.

Table 36: Organizational main data

Property

Description

Personnel number

Employee's personnel number.

Primary department

Department to which the employee is primarily assigned. The employee can obtain company resources through this assignment when One Identity Manager is configured accordingly.

Furthermore, IT operating data for user accounts and mailboxes can be determined through the department.

Primary cost center

Cost center to which the employee is primarily assigned. The employee can obtain company resources through this assignment when One Identity Manager is configured accordingly.

Furthermore, IT operating data for user accounts and mailboxes can be determined through the cost center.

Primary business role

Business role to which the employee is primarily assigned. The employee can obtain company resources through this assignment when One Identity Manager is configured accordingly.

Furthermore, IT operating data for user accounts and mailboxes can be determined through the business role.

NOTE: This property is available if the Business Roles Module is installed.

Security identification

Security code for the employee, for example, for access permission.

User account creation date

Date on which to create the user account in the target system. This date should be earlier than the entry date. Use custom processes to automatically create user accounts in One Identity Manager on this date.

Entry date

Date the employee started at the company. This is filled with the current date when the employee is added.

End date

Date the employee leaves the company. Enter an end date for the employee to lock their user accounts at a specific point in time. The end date is checked regularly by the Lock accounts of employees that have left the company schedule. When the end date arrives, the employee is blocked.

Company member

Additional information about the employee's affiliation.

Temporarily disabled

Specifies whether the employee is temporarily absent from the company. If this option is set, enter the time period for the temporary absence.

NOTE: Employees who are temporarily deactivated can no longer log in to One Identity Manager.

Temporarily disabled from

Date from which the employee and associated user accounts are disabled.

Temporarily disabled until

Date until which the employee and associated user accounts are disabled. An Enable temporarily disabled accounts schedule is implemented that monitors the end date of the temporary deactivation. When this date is reached, the employee and their user accounts are re-enabled.

Last working day

Enter the date of the last working day if, for example, an employee leaves the company on a specific day but has access to their data until this date.

NOTE: The date of the last working day is copied to the employee's user accounts as the expiration date. This overwrites the existing account expiration date.

Manager

An employee's manager can assume several tasks in One Identity Manager, such as:

  • Edit employee main data of their staff

  • Certify employee main data of their staff

  • Attest company resources assigned to their staff

  • Approve requests for their staff in the IT Shop

An employee cannot be assigned as their own manager.

Sponsor

When a new employee is added through the Web Portal, you can make additional notes such as the manager or sponsor.
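The login, inheritance, and account expiration rules spread across the locked-employee section and Tables 35 and 36 above, pulled together as an added illustrative model. This is example code written for this page, not One Identity Manager's own implementation; the Employee and Config classes, the snake_case field names, and the max_failed_logins threshold are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
@dataclass
class Employee:  # property names from Tables 35/36 in snake_case (assumed)
    permanently_disabled: bool = False
    temporarily_disabled: bool = False
    temporarily_disabled_from: date | None = None
    temporarily_disabled_until: date | None = None
    end_date: date | None = None
    last_working_day: date | None = None
    certification_status: str = "New"  # New | Certified | Denied
    security_risk: bool = False
    failed_logins: int = 0
@dataclass
class Config:
    max_failed_logins: int = 3  # assumed threshold, not a documented default
    allow_login_with_security_incident: bool = False  # QER | Person | AllowLoginWithSecurityIncident
    user_approval: bool = False  # QER | Attestation | UserApproval

def is_permanently_disabled(e: Employee) -> bool:
    return e.permanently_disabled or e.certification_status == "Denied"

def is_temporarily_disabled(e: Employee, today: date) -> bool:
    # Outside the from/until window the "Enable temporarily disabled accounts"
    # schedule has re-enabled the employee (or has not yet disabled them).
    if not e.temporarily_disabled:
        return False
    if e.temporarily_disabled_from and today < e.temporarily_disabled_from:
        return False
    return not (e.temporarily_disabled_until and today > e.temporarily_disabled_until)

def login_state(e: Employee, cfg: Config, today: date) -> str:
    # Returns 'locked', 'disabled', 'blocked' or 'allowed'.
    if e.failed_logins > cfg.max_failed_logins:
        return "locked"  # shown under Employees > Locked employees
    if is_permanently_disabled(e) or is_temporarily_disabled(e, today):
        return "disabled"  # Denied certification counts as permanently disabled
    if e.end_date and today >= e.end_date:
        return "blocked"  # "Lock accounts of employees that have left" schedule
    if e.security_risk and not cfg.allow_login_with_security_incident:
        return "blocked"
    return "allowed"

def no_inheritance(e: Employee, cfg: Config) -> bool:
    # With UserApproval set, No inheritance is derived from Permanently disabled.
    return cfg.user_approval and is_permanently_disabled(e)

def account_expiration(e: Employee, existing: date | None) -> date | None:
    return e.last_working_day or existing  # last working day overwrites
```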
