Chat now with support
Chat with Support

Identity Manager 9.1.2 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Application roles for the IT Shop

NOTE: This application role is available if the Identity Management Base Module is installed.

The following application roles are available for the IT Shop administration:

Table 11: Application roles for the IT Shop
Application role Description

Administrators

Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Create the IT Shop structure with shops, shelves, customers, templates, and service catalog.

  • Create approval policies and approval workflows.

  • Specify which approval procedure to use to find attestors.

  • Create products and service items.

  • Set up request notifications.

  • Monitor request procedures.

  • Administrate application roles for product owners and attestors.

  • Maintain members of the chief approval team.

  • Set up other application roles as required.

  • Create extended properties for company resources of any type.

  • Edit the resources and assign them to IT Shop structures.

  • Assign system entitlements to IT Shop structures.

Product owners

Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.

Users with this application role:

  • Approve through requests.

  • Edit service items and service categories under their management.

Attestors

Attestors must be assigned to the Request & Fulfillment | IT Shop | Attestors application role.

Users with this application role:

  • Attest correct assignment of company resource to IT Shop structures for which they are responsible.

  • Attest objects that have service items assigned to them.

  • Can view main data for these IT Shop structures but not edit them.

NOTE: This application role is available if the Attestation Module is installed.

Chief approval team

Chief approvers must be assigned to the Request & Fulfillment | IT Shop | Chief approval team application role.

Users with this application role:

  • Approve through requests.
  • Assign requests to other approvers.

NOTE: The approvers responsible are determined through approval procedures. Other application roles may be applied here. Application roles for approvers are defined in different modules and are available there.

Application roles for target systems

NOTE: Application roles are dependent on the target system and are contained in One Identity Manager modules. Application roles are not available until the modules are installed.

The following application roles are available for target system administration:

Table 12: Application roles for target systems
Application role Tasks

Administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles for target system managers are mutually exclusive.

  • Authorize other employees to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | <target system> application role or a child application role.

NOTE: There is at least one application role per target system for target system managers. This application role is available if the target system module is installed.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare system entitlements to add to the IT Shop.

  • Can add employees who have another identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

Target system managers for Unified Namespace

Target system managers must be assigned to the Target systems | Unified Namespace application role or a child application role.

Users with this application role:

  • Obtain view of the objects in the connected target systems across all target systems.

  • Can create reports across all target systems.

If the users are also target system managers of the basic underlying target systems, you can manage these target systems through the Unified Namespace.

Application roles for Universal Cloud Interface

NOTE: Application roles are available if the Universal Cloud Interface Module is installed.

The following application roles are available for managing cloud systems.

Table 13: Application roles for Universal Cloud Interface
Application role Tasks

Cloud administrators

Cloud administrators must be assigned to the Universal Cloud Interface | Administrators application role or a child application role.

Users with this application role:

  • Manage application roles for the Universal Cloud Interface.

  • Set up other application roles as required.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing cloud applications and One Identity Manager.

  • Edit cloud application in the Manager.

  • Edit pending, manual provisioning processes in the Web Portal and obtain statistics.

  • Obtain information about the cloud objects in the Web Portal and the Manager.

Cloud operators

The cloud operators must be assigned to the Universal Cloud Interface | Operators application role or a child application role.

Users with this application role:

  • Edit pending, manual provisioning processes in the Web Portal and obtain statistics.

Cloud auditors

The cloud auditors must be assigned to the Universal Cloud Interface | Auditors application role or a child application role.

Users with this application role:

  • Can view manual provisioning processes in the Web Portal and obtain statistics.

Application role for Privileged Account Governance

NOTE: This application role is available if the module Privileged Account Governance Module is installed.

The following application role is available for managing asset and account owners

Table 14: Application role for Privileged Account Governance
Application role Description

Asset and account owners

Owners of privileged objects, such as PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups must be assigned to an application role under the Privileged Account Governance | Asset and account owners application role.

Users with this application role:

  • Make decisions about requesting access requests for privileged objects.

  • Attest the possible user access to these privileged objects.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating