
Identity Manager 9.1.2 - Identity Management Base Module Administration Guide


Employee's central password

An employee's central password can be used for logging into the target systems and for logging in to One Identity Manager. Depending on the configuration, an employee's central password is replicated to their user accounts and their system user password.

  • To publish the change in an employee's central user password to all existing user accounts of the employee, check in the Designer if the QER | Person | UseCentralPassword configuration parameter is set. If not, set the configuration parameter.

  • To copy an employee's central password to their system user password for logging in, in the Designer, check if the QER | Person | UseCentralPassword | SyncToSystemPassword configuration parameter is set. If not, set the configuration parameter.

  • If an employee’s system user account must be unlocked when the central password is set, in the Designer, check if the QER | Person | UseCentralPassword | SyncToSystemPassword | UnlockByCentralPassword configuration parameter is set. If not, set the configuration parameter.

NOTE:

  • The password policy Employee central password policy is applied to an employee's central password. Ensure that the password policy does not violate the target system's specific password policies.

  • Use the QER | Person | UseCentralPassword | CheckAllPolicies configuration parameter to specify whether the employee’s central password is tested against all the target system’s password policies in which the employee has user accounts. This test is only carried out in the Password Reset Portal.

  • An employee's central password is published to a user account only if the user account's target system is synchronized by the One Identity Manager.

  • If a target system is read-only, an employee's central password is not propagated to user accounts in that target system.

  • An employee's central password is not replicated to privileged user accounts of the employee.

  • If a password cannot be changed due to an error, the employee receives a corresponding email notification.

  • To replicate an employee's central password to a password column of a customer-specific user account table, in the Designer, define a ViewAddOn for the QERVPersonCentralPwdColumn view. The database view returns the password column of the user account tables. The user account table must have a reference to the employee (UID_Person) and an XMarkedForDeletion column. For more information about modifying the One Identity Manager schema, see the One Identity Manager Configuration Guide.

  • If you want to map additional user-specific features, overwrite the QER_Publish_CentralPassword script. For more information about editing scripts, see the One Identity Manager Configuration Guide.

  • The central password, the system user password, and the user account passwords can be changed by using the Password Reset Portal. For more information, see the One Identity Manager Web Designer Web Portal User Guide and the One Identity Manager Web Application Configuration Guide.
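The configuration parameters and notes above combine into a small rule set: which user accounts of an employee receive the central password, which are skipped, and when the system user password is synchronized or unlocked. The following is an added example that models those rules; it is not One Identity Manager code. The TargetSystem, Account, Config and Outcome types, the plan_publish and policy_violations functions, and the minimum-length password policies are assumptions made for the example; only the decision rules follow the documentation.

```python
# Added example (not One Identity Manager code): a model of the
# central-password propagation rules described in the documentation.
# Record types, Config flag names and the length-based policy check are
# assumptions made for this example.
from dataclasses import dataclass, field
from typing import List


@dataclass
class TargetSystem:
    name: str
    synchronized: bool = True   # synchronized by One Identity Manager
    read_only: bool = False     # read-only target systems never receive the password
    min_length: int = 8         # assumed target-system password policy (example only)


@dataclass
class Account:
    name: str
    system: TargetSystem
    privileged: bool = False    # privileged accounts never receive the central password


@dataclass
class Config:
    """Models the QER | Person | UseCentralPassword parameter hierarchy."""
    use_central_password: bool = False
    sync_to_system_password: bool = False      # ... | SyncToSystemPassword
    unlock_by_central_password: bool = False   # ... | SyncToSystemPassword | UnlockByCentralPassword
    check_all_policies: bool = False           # ... | CheckAllPolicies


@dataclass
class Outcome:
    receivers: List[str] = field(default_factory=list)  # accounts that get the new password
    skipped: List[str] = field(default_factory=list)    # accounts skipped, with the reason
    system_password_synced: bool = False
    system_user_unlocked: bool = False


def plan_publish(config: Config, accounts: List[Account]) -> Outcome:
    """Decide where an employee's central password would be replicated."""
    out = Outcome()
    if not config.use_central_password:
        # Nothing is replicated unless the top-level parameter is set.
        return out
    for acc in accounts:
        if not acc.system.synchronized:
            out.skipped.append(f"{acc.name}: target system not synchronized")
        elif acc.system.read_only:
            out.skipped.append(f"{acc.name}: target system is read-only")
        elif acc.privileged:
            out.skipped.append(f"{acc.name}: privileged user account")
        else:
            out.receivers.append(acc.name)
    # Child parameters only take effect when their parent parameter is set.
    out.system_password_synced = config.sync_to_system_password
    out.system_user_unlocked = (config.sync_to_system_password
                                and config.unlock_by_central_password)
    return out


def policy_violations(config: Config, password: str, accounts: List[Account],
                      central_min_length: int = 10) -> List[str]:
    """Check the central policy and, with CheckAllPolicies, every target policy."""
    problems = []
    if len(password) < central_min_length:
        problems.append("Employee central password policy: too short")
    if config.check_all_policies:
        # One check per target system in which the employee has a user account.
        for system in {a.system.name: a.system for a in accounts}.values():
            if len(password) < system.min_length:
                problems.append(f"{system.name} policy: too short")
    return problems


if __name__ == "__main__":
    # Constructed sample data for the example.
    ad = TargetSystem("AD")
    ldap = TargetSystem("LDAP", read_only=True)
    sap = TargetSystem("SAP", synchronized=False, min_length=12)
    accounts = [Account("jdoe@ad", ad), Account("jdoe@ldap", ldap),
                Account("jdoe@sap", sap), Account("adm-jdoe@ad", ad, privileged=True)]
    cfg = Config(use_central_password=True, sync_to_system_password=True,
                 unlock_by_central_password=True, check_all_policies=True)
    print(plan_publish(cfg, accounts))
    print(policy_violations(cfg, "Tr0ub4dor!", accounts))
```

The model makes the parameter hierarchy explicit: UnlockByCentralPassword has no effect unless SyncToSystemPassword is also set, and privileged, read-only and unsynchronized accounts are always excluded regardless of the configuration.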

Mapping multiple employee identities

Table 30: Configuration parameter for representing multiple identities

| Configuration parameter | Effect when set |
|---|---|
| Person \| MasterIdentity \| UseMasterForAuthentication | Specifies whether the main identity should be used to log in to One Identity Manager tools using an employee-linked authentication module. If this parameter is set, the main identity is used for employee-linked authentication. If this parameter is not set, the subidentity is used for employee-linked authentication. |

For more information about One Identity Manager authentication modules and about editing system users, see the One Identity Manager Authorization and Authentication Guide.

Under certain circumstances, it may be necessary for employees to have different identities for their work – for example, identities that result from different contracts at different branches. These identities can differ in their affiliation to departments, or cost centers, or in their access permissions for example. External employees at different locations can also be used and represented with different identities in the system. You can define a main identity and a subidentity for an employee in One Identity Manager to represent each of the identities and to group them at a central location.

In target systems, different types of user accounts are available to provide the employees with different permissions. An employee can have different identities to use multiple user accounts with different types. In order to improve the assignment of authorizations to the target systems, the subidentities of the employees are split into different identity types. This classification corresponds to the user account types.

Main identity
  • A main identity represents a real person.

  • A main identity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.

  • The employee main data of a main identity is shown in One Identity Manager.

  • A main identity can have several subidentities.

Subidentity
  • A subidentity is a virtual employee.

  • A subidentity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.

  • A subidentity is always assigned to a main identity.

  • Employee main data of a subidentity is displayed in One Identity Manager. This can be copied from the main identity data using the appropriate templates.

  • Enter a main identity for the subidentity using Main identity on the employee’s main data form.

TIP: If an employee works with several identities, but only one of these is currently known in the One Identity Manager, then you should:

  • Create a main identity for this employee

  • Assign the identity known until now as a subidentity

  • Create new subidentities for the additional identities

In this way, it is possible to test the employee’s permitted permissions per subidentity or per main identity including all subidentities in the bounds of an identity audit.

Employee identity types

To differentiate the different identities of an employee, use the following identity types.

Table 31: Identity types

| Value | Description |
|---|---|
| Primary identity | Employee's default identity. The employee has a default user account. |
| Organizational identity | Virtual employee (subidentity) for mapping different roles to an employee in the organization. The subidentity has a user account of the Organizational identity type. Also enter a main identity. |
| Personalized admin identity | Virtual employee (subidentity) that belongs to a user account of the Personalized administrator identity type. Also enter a main identity. |
| Sponsored identity | Pseudo employee associated with a user account of the Sponsored identity type. Assign a manager to the employee. |
| Shared identity | Pseudo employee associated with an administrative user account of the Shared identity type. Assign a manager to the employee. |
| Service identity | Pseudo employee associated with a user account of the Service identity type. Assign a manager to the employee. |
| Machine identity | Pseudo employee for mapping machine identities. |

The primary identity, the organizational identity, and the personalized admin identity are different identities under which the same actual employee can run their different tasks within the company.

Employees with a personalized admin identity or an organizational identity are set up as subidentities. These subidentities are then linked to user accounts, enabling you to assign the required permissions to the different user accounts.

The sponsored identity, the shared identity, and the service identity represent pseudo employees that are used to provide the linked user accounts with permissions in the respective target systems. The classification of pseudo employees to hierarchical roles or as customers in the IT Shop enables the assignment of permissions to the user accounts. Requests in the IT Shop can be triggered only by the manager of these pseudo employees. When evaluating reports, attestations, or compliance checks, check whether pseudo employees need to be considered separately.
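The identity types and the rules attached to them (a subidentity needs a main identity, a pseudo employee needs a manager, IT Shop requests for pseudo employees come only from that manager, and an identity audit groups a main identity with all its subidentities) can be checked mechanically. The following is an added example of such a check; it is not One Identity Manager code. The Employee record, the type labels, the sample directory and the validate, may_request and audit_scope helpers are assumptions made for the example.

```python
# Added example (not One Identity Manager code): a model of the identity
# types in Table 31 and the rules the documentation attaches to them.
# The Employee record, helper names and sample data are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

SUBIDENTITY_TYPES = {"Organizational identity", "Personalized admin identity"}
PSEUDO_EMPLOYEE_TYPES = {"Sponsored identity", "Shared identity", "Service identity"}
ALL_TYPES = {"Primary identity", "Machine identity"} | SUBIDENTITY_TYPES | PSEUDO_EMPLOYEE_TYPES


@dataclass
class Employee:
    uid: str
    identity_type: str
    main_identity: Optional[str] = None   # UID of the main identity (subidentities only)
    manager: Optional[str] = None         # UID of the manager (required for pseudo employees)


def validate(emp: Employee, directory: Dict[str, Employee]) -> List[str]:
    """Return the rule violations for one employee record."""
    errors = []
    if emp.identity_type not in ALL_TYPES:
        return [f"{emp.uid}: unknown identity type {emp.identity_type!r}"]
    if emp.identity_type in SUBIDENTITY_TYPES:
        if emp.main_identity is None:
            errors.append(f"{emp.uid}: subidentity needs a main identity")
        elif emp.main_identity not in directory:
            errors.append(f"{emp.uid}: main identity {emp.main_identity!r} does not exist")
    if emp.identity_type in PSEUDO_EMPLOYEE_TYPES and emp.manager is None:
        errors.append(f"{emp.uid}: pseudo employee needs a manager")
    return errors


def may_request(requester_uid: str, emp: Employee) -> bool:
    """IT Shop requests for pseudo employees may only be triggered by their manager."""
    if emp.identity_type in PSEUDO_EMPLOYEE_TYPES:
        return requester_uid == emp.manager
    return requester_uid == emp.uid


def audit_scope(main_uid: str, directory: Dict[str, Employee]) -> List[str]:
    """Main identity plus all of its subidentities, as an identity audit groups them."""
    return [main_uid] + sorted(
        e.uid for e in directory.values() if e.main_identity == main_uid)


def sample_directory() -> Dict[str, Employee]:
    """Constructed sample data for the example (not real identities)."""
    people = [
        Employee("jdoe", "Primary identity"),
        Employee("jdoe-admin", "Personalized admin identity", main_identity="jdoe"),
        Employee("jdoe-hr", "Organizational identity", main_identity="jdoe"),
        Employee("svc-backup", "Service identity", manager="jdoe"),
        Employee("shared-helpdesk", "Shared identity"),           # manager missing
        Employee("orphan-admin", "Personalized admin identity"),  # main identity missing
    ]
    return {p.uid: p for p in people}


if __name__ == "__main__":
    directory = sample_directory()
    for person in directory.values():
        for problem in validate(person, directory):
            print(problem)
    print(audit_scope("jdoe", directory))
```

Running the sample flags the shared identity without a manager and the admin subidentity without a main identity, and shows that an audit of jdoe covers the primary identity together with both subidentities.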

Password policies for employees

One Identity Manager provides you with support for creating complex password policies, for example, for system user passwords, the employees' central password as well as passwords for individual target systems. Password policies apply not only when the user enters a password but also when random passwords are generated.

Predefined password policies are supplied with the default installation that you can use or customize if required. You can also define your own password policies.
