Identity Manager 9.1.2 - Administration Guide for Connecting to SharePoint Online

Managing assignments of SharePoint Online groups and roles

User accounts inherit SharePoint Online permissions through SharePoint Online roles and SharePoint Online groups. SharePoint Online groups are always defined for one site collection. SharePoint Online roles are defined for sites. They are assigned to groups, and the user accounts that are members of these groups inherit SharePoint Online permissions through them. SharePoint Online roles can also be assigned directly to user accounts. User account permissions on individual sites in a site collection are restricted through the SharePoint Online roles that are assigned to it.

In SharePoint Online, the users can have different entitlements that are mapped in One Identity Manager as follows:

  • Entitlement for the use of SharePoint Online groups (O3SGroup table)

  • Entitlement for the use of SharePoint Online roles (O3SRLAsgn)

Terms
  • A SharePoint Online Role is the permission level linked to a fixed site.

  • The assignment of user accounts or groups to a SharePoint Online role is called a role assignment.

  • Entitlement assignments refer to the assignment of the various entitlements to user accounts. These include:

    • Group assignments to user accounts (O3SUserInGroup table)

    • Role assignments to user accounts (O3SUserHasRLAsgn table)
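
The two inheritance paths described above, as an added example (not One Identity code): it resolves which permission level a user account holds on each site and through which path, the way an access review would. The record layout, the names, and all sample values are constructed; only the table names in the comments come from this guide.

```python
from collections import defaultdict

# Constructed sample data; the record layout is hypothetical. Only the table
# names in the comments appear in the guide.
USERS = {"alice": "SiteCollA", "bob": "SiteCollB"}             # user account -> site collection
GROUPS = {"Owners-A": "SiteCollA", "Visitors-B": "SiteCollB"}  # O3SGroup: group -> site collection
ROLES = {                                                      # O3SRLAsgn: role -> (site, permission level)
    "hr-full": ("SiteCollA/hr", "Full Control"),
    "hr-read": ("SiteCollA/hr", "Read"),
    "b-read": ("SiteCollB/root", "Read"),
}
USER_IN_GROUP = [("alice", "Owners-A"), ("bob", "Visitors-B"), ("bob", "Owners-A")]  # O3SUserInGroup
USER_HAS_ROLE = [("alice", "hr-read")]                         # O3SUserHasRLAsgn
GROUP_HAS_ROLE = [("Owners-A", "hr-full"), ("Visitors-B", "b-read")]  # roles assigned to groups


def effective_roles(user):
    """Return (grants, findings): grants maps site -> {(permission level, path)}."""
    grants, findings = defaultdict(set), []
    # Path 1: roles assigned directly to the user account.
    for account, role in USER_HAS_ROLE:
        if account == user:
            site, level = ROLES[role]
            grants[site].add((level, "direct"))
    # Path 2: roles inherited through group membership.
    for account, group in USER_IN_GROUP:
        if account != user:
            continue
        # Groups are defined for one site collection; a membership that crosses
        # collections is reported and not counted (a choice made for this example).
        if GROUPS[group] != USERS[user]:
            findings.append(f"{user} is a member of {group} in {GROUPS[group]}")
            continue
        for g, role in GROUP_HAS_ROLE:
            if g == group:
                site, level = ROLES[role]
                grants[site].add((level, f"via group {group}"))
    return dict(grants), findings


if __name__ == "__main__":
    for name in USERS:
        print(name, effective_roles(name))
```
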

Assigning SharePoint Online entitlements to SharePoint Online user accounts

In One Identity Manager, SharePoint Online entitlements can be assigned directly or indirectly to employees.

In the case of indirect assignment, employees and entitlements are organized in hierarchical roles. The number of entitlements assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance. If the employee has a SharePoint Online user account, the entitlements are assigned to this user account.

Entitlements can also be assigned to employees through IT Shop requests. To enable the assignment of entitlements using IT Shop requests, employees are added as customers in a shop. All entitlements assigned to this shop as products can be requested by the customers. After approval is granted, requested entitlements are assigned to the employees.

You can use system roles to group entitlements together and assign them to employees as a package. You can create system roles that contain only SharePoint Online entitlements. You can also group any number of company resources into a system role.

To react quickly to special requests, you can also assign the entitlements directly to user accounts.

For more information see the following guides:

  • Topic: Basic principles for assigning and inheriting company resources
    Guide: One Identity Manager Identity Management Base Module Administration Guide; One Identity Manager Business Roles Administration Guide

  • Topic: Assigning company resources through IT Shop requests
    Guide: One Identity Manager IT Shop Administration Guide

  • Topic: System roles
    Guide: One Identity Manager System Roles Administration Guide

Prerequisites for indirect assignment of SharePoint Online entitlements to SharePoint Online user accounts

In the case of indirect assignment, employees, SharePoint Online groups, and SharePoint Online roles are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. When assigning SharePoint Online groups and SharePoint Online roles indirectly, check the following settings and modify them if necessary.

Prerequisites for indirect assignment of SharePoint Online groups to SharePoint Online user accounts
  1. Assignment of employees and SharePoint Online groups is permitted for role classes (departments, cost centers, locations, or business roles).

  2. The SharePoint Online user account does not have the Groups can be inherited option set.

  3. The SharePoint Online user account is labeled with the Groups can be inherited option.

  4. The SharePoint Online user account is linked to an employee.

  5. The SharePoint Online user account and the SharePoint Online groups belong to the same site collection.

Prerequisites for indirect assignment of SharePoint Online roles to SharePoint Online user accounts
  • Assignment of employees and SharePoint Online roles is permitted for role classes (departments, cost centers, locations, or business roles).

  • The SharePoint Online user account does not have the Groups can be inherited option set.

  • The SharePoint Online user account is labeled with the Groups can be inherited option.

  • The SharePoint Online user account is linked to an employee.

  • The SharePoint Online user account and the SharePoint Online roles belong to the same site collection.

NOTE: If a SharePoint Online role refers to a permission level for which the Hidden option is set, no business roles and organizations can be assigned. These SharePoint Online roles can be neither directly nor indirectly assigned to user accounts or groups.

NOTE: There are other configuration settings that play a role when company resources are inherited through departments, cost centers, locations, and business roles. For example, role inheritance might be blocked or inheritance of employees not allowed. For more detailed information about the basic principles for assigning company resources, see the One Identity Manager Identity Management Base Module Administration Guide.

Assigning SharePoint Online entitlements to departments, cost centers, and locations

Assign groups and roles to departments, cost centers, and locations in order to assign them to user accounts through these organizations.

To assign a permission to a department, cost center, or location (non role-based login)

  1. In the Manager, select one of the following categories:

    • SharePoint Online > Groups

    • SharePoint Online > Roles

  2. Select the entitlements in the result list.

  3. Select the Assign organizations task.

  4. In the Add assignments pane, assign the organizations:

    • On the Departments tab, assign departments.

    • On the Locations tab, assign locations.

    • On the Cost centers tab, assign cost centers.

    TIP: In the Remove assignments pane, you can remove assigned organizations.

    To remove an assignment

    • Select the organization and double-click .

  5. Save the changes.

To assign permissions to a department, cost center or location (role-based login)

  1. In the Manager, select the Organizations > Departments category.

    - OR -

    In the Manager, select the Organizations > Cost centers category.

    - OR -

    In the Manager, select the Organizations > Locations category.

  2. Select the department, cost center, or location in the result list.

  3. Select one of the following tasks.

    • Assign SharePoint Online groups

    • Assign SharePoint Online roles

  4. In the Add assignments pane, assign the entitlements.

    TIP: In the Remove assignments pane, you can remove assigned entitlements.

    To remove an assignment

    • Select the entitlement and double-click .
  5. Save the changes.