Chat now with support
Chat with Support

Identity Manager 9.1 - Identity Management Base Module Administration Guide

Basics for mapping company structures in One Identity Manager Dynamic roles Departments, cost centers, and locations
One Identity Manager users for managing departments, cost centers, and locations Basic information for departments, cost centers, and locations Creating and editing departments Creating and editing cost centers Creating and editing locations Setting up IT operating data for departments, cost centers, and locations Assigning employees, devices, and workdesks to departments, cost centers, and locations Assigning company resources to departments, cost centers, and locations Creating dynamic roles for departments, cost centers, and locations Dynamic roles with incorrectly excluded employees Assign organizations Specifying inheritance exclusion for departments, cost centers, and locations Assigning extended properties to departments, cost centers, and locations Certifying departments, cost centers, and locations Reports about departments, cost centers, and locations
Employee administration
One Identity Manager users for employee administration Basic data for employee main data Employee's central user account Employee's default email address Employee's central password Mapping multiple employee identities Password policies for employees Creating and editing employees Disabling and deleting employees Deleting all employee related data Limited access to One Identity Manager Changing the certification status of employees Assigning company resources to employees Displaying the origin of employees' roles and entitlements Analyzing role memberships and employee assignments Displaying the employees overview Displaying and deleting employees' Webauthn security keys Determining the language for employees Determining employees working hours Manually assigning user accounts to employees Entering calls for employees Assigning extended properties to employees Employee reports
Managing devices and workdesks Managing resources Setting up extended properties Configuration parameters for managing departments, cost centers, and locations Configuration parameters for managing employees Configuration parameters for managing devices and workdesks

Permanently deactivating employees

NOTE: Employees who are permanently deactivated can no longer log in to One Identity Manager.

Employees can be deactivated permanently when, for example, they leave the company. It might be necessary, to remove access to this employee's entitlements in connected target systems and their company resources.

Effects of permanent deactivating an identity are:

  • The employee cannot be assigned to employees as a manager.

  • The employee cannot be assigned to roles as a supervisor.

  • The employee cannot be assigned to attestation policies as an owner.

  • There is no inheritance of company resources through roles, if the additional No inheritance option is set for an employee.

  • Employee user accounts are locked or deleted and then removed from group memberships.

Trigger permanent deactivation through:

  • The Deactivate employee permanently task

    This task ensures that the Permanently deactivates option is enabled and the leaving date and last working day are set to the current date.

  • The leaving date is reached

    NOTE:

    • In the Designer, check the Lock accounts of employees that have left the company schedule. This schedule regularly checks the leaving date and sets the Permanently deactivated option on reaching the date.

    • The Re-enable employee task ensures that the employee is re-enabled.

  • The Denied certification status

    If an employee's certification status is set to Denied manually or as a result of attestation, the employee is immediately permanently deactivated. When the employee's certification status is changed to Certified, the employee is activated again.

    NOTE: This function is only available if the Attestation Module is installed.

Related topics

Reactivate permanently deactivated employees

Employees who are permanently deactivated can be re-enabled if they were not disabled by certification.

To reactivate an employee

  1. In the Manager, select the Employees > Inactive employees category.

  2. Select the employee in the result list.

  3. Select the Reactivate employee task.

  4. Confirm the security prompt with Yes if the employee should be enabled.

    On the main data form for the employee, the Permanently deactivated option is not set. The end date and last working day are deleted assuming the dates are past.

  5. Save the changes.
Related topics

Deferred deletion of employees

When an employee is deleted, they are tested to see if user accounts and company resources are still assigned, or if there are still pending requests in the IT Shop. The employee is marked for deletion and therefore locked out of further processing. Before an employee can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests. You can do this manually or implement custom processes to do it. All the user accounts linked to one employee could be deleted by default by One Identity Manager once this employee has been deleted. If no more company resources are assigned, the employee is finally deleted.

By default, employees are finally deleted from the database after 30 days. During this period it is possible to re-enable the employee. A restore is not possible once deferred deletion has expired.

In the Designer, you can set an alternative delay on the Person table. For more information on configuring the deferred deletion, refer to the One Identity Manager Configuration Guide.

Related topics

Deleting all employee related data

A procedure called QER_PPersonDelete_GDPR is provided to support the special process for deleting employee related data, which implements the General Data Protection Regulation (GDPR) of the European Union. You can use this procedure to delete all data relating to an employee from the One Identity Manager database. For certain dependencies, processes that are handled by the One Identity Manager Service are created by the procedure.

NOTE: While this procedure is running, the database does not allow any triggers. Therefore, it is recommended to only run the procedure in maintenance periods.

You can run the procedure in any program suitable for running SQL queries.

Calling syntax:

exec QER_PPersonDelete_GDPR ' <employee UID from the Person table, UID_Person column>'

NOTE: Personal data may be subject to further regulations such as legal retention periods. Personal data from the One Identity Manager History Database is not automatically deleted by default because of this. It is recommended to operate One Identity Manager History Databases that correspond to the report periods. After a specified reporting period has expired, you can set up a new One Identity Manager History Database. You set up custom processes for deleting personal data.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating