Chat now with support
Chat with Support

Identity Manager 9.2.1 - Administration Guide for Connecting to SharePoint

Managing SharePoint environments Setting up SharePoint farm synchronization Basic data for managing a SharePoint environment SharePoint farms SharePoint web applications SharePoint site collections and sites SharePoint user accounts SharePoint roles and groups
SharePoint groups SharePoint roles and permission levels
Permissions for SharePoint web applications Reports about SharePoint objects Configuration parameters for managing a SharePoint environment Default project template for SharePoint

Creating an account definition

To create or edit an account definition

  1. In the Manager, select the SharePoint > Basic configuration data > Account definitions > Account definitions category.

  2. Select an account definition in the result list. Select the Change main data task.

    -OR-

    Click in the result list.

  3. Enter the account definition's main data.
  4. Save the changes.

Main data for an account definition

Enter the following data for an account definition:

Table 11: Main data for an account definition

Property

Description

Account definition

Account definition name.

User account table

Table in the One Identity Manager schema that maps user accounts.

Target system

Target system to which the account definition applies.

Required account definition

Specifies the required account definition. Define the dependencies between account definitions. When this account definition is requested or assigned, the required account definition is assigned automatically.

TIP: You can enter this account definition for the associated Active Directory or LDAP domain here. In this case, an Active Directory or LDAP user account is created for the identity first. If this exists, the SharePoint user account is added.

Implement this behavior on a custom basis. Customize TSB_PersonHasAccountDef_AutoCreate_SPSUser to do this.

Description

Text field for additional explanation.

Manage level (initial)

Manage level to use by default when you add new user accounts.

Risk index

Value for evaluating the risk of assigning the account definition to identities. Set a value in the range 0 to 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

For more information, see the One Identity Manager Risk Assessment Administration Guide.

Service item

Service item through which you can request the account definition resource in the IT Shop. Assign an existing service item or add a new one.

IT Shop

Specifies whether the account definition can be requested through the IT Shop. This account definition can be requested through the Web Portal and allocated by defined approval processes. The resource can also be assigned directly to identities and roles outside the IT Shop.

Only for use in IT Shop

Specifies whether the account definition can only be requested through the IT Shop. This account definition can be requested through the Web Portal and allocated by defined approval processes. The account definition cannot be directly assigned to roles outside the IT Shop.

Automatic assignment to identities

Specifies whether the account definition is automatically assigned to all internal identities. To automatically assign the account definition to all internal identity, use the Enable automatic assignment to identities The account definition is assigned to every identity that is not marked as external. Once a new internal identity is created, they automatically obtain this account definition.

To automatically remove the account definition assignment from all identities, use the Disable automatic assignment to identities. The account definition cannot be reassigned to identities from this point on. Existing account definition assignments remain intact.

Retain account definition if permanently disabled

Specifies the account definition assignment to permanently deactivated identities.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition if temporarily disabled

Specifies the account definition assignment to temporarily deactivated identities.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on deferred deletion

Specifies the account definition assignment on deferred deletion of identities.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on security risk

Specifies the account definition assignment to identities posing a security risk.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Resource type

Resource type for grouping account definitions.

Spare field 01 - spare field 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Groups can be inherited

Specifies whether the user account can inherit groups through the linked identity. If the option is set, the user account inherits groups through hierarchical roles, in which the identity is a member, or through IT Shop requests.

  • If you add an identity with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.

  • If an identity has requested group membership in the IT Shop and the request is granted approval, the identity's user account only inherits the group if the option is set.

Roles can be inherited

Specifies whether the user account can inherit SharePoint roles through the linked identity. If the option is set, the user account inherits the roles through hierarchical roles, in which the identity is a member, or through IT Shop requests.

Creating manage levels

Specify the manage level for an account definition for managing user accounts. The user account’s manage level specifies the extent of the identity’s properties that are inherited by the user account. This allows an identity to have several user accounts in one target system, for example:

  • Default user account that inherits all properties from the identity.

  • Administrative user account that is associated to an identity but should not inherit the properties from the identity.

One Identity Manager supplies a default configuration for manage levels:

  • Unmanaged: User accounts with the Unmanaged manage level are linked to the identity but they do no inherit any further properties. When a new user account is added with this manage level and an identity is assigned, some of the identity's properties are transferred initially. If the identity properties are changed at a later date, the changes are not passed onto the user account.

  • Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned identity. When a new user account is created with this manage level and an identity is assigned, the identity's properties are transferred in an initial state. If the identity properties are changed at a later date, the changes are passed onto the user account.

NOTE: The Full managed and Unmanaged manage levels are analyzed in templates. You can customize the supplied templates in the Designer.

You can define other manage levels depending on your requirements. You need to amend the templates to include manage level approaches.

Specify how an identity's temporary deactivation, permanent deactivation, deletion, and security risks affect its user accounts and group memberships at each manage level. For more information about manage levels, see the One Identity Manager Target System Base Module Administration Guide.

  • Identity user accounts can be locked when they are disabled, deleted, or rated as a security risk so that permissions are immediately withdrawn. If the identity is reinstated at a later date, the user accounts are also reactivated.

  • You can also define group membership inheritance. Inheritance can be discontinued if desired when, for example, the identity’s user accounts are disabled and therefore cannot be members in groups. During this time, no inheritance processes should be calculated for this identity. Existing group memberships are deleted.

IMPORTANT: The Unmanaged manage level is assigned automatically when you create an account definition and it cannot be removed.

To assign manage levels to an account definition

  1. In the Manager, select the SharePoint > Basic configuration data > Account definitions > Account definitions category.

  2. Select an account definition in the result list.

  3. Select the Assign manage level task.

  4. In the Add assignments pane, assign the manage level.

    TIP: In the Remove assignments pane, you can remove assigned manage levels.

    To remove an assignment

    • Select the manage level and double-click .

  5. Save the changes.

To edit a manage level

  1. In the Manager, select the SharePoint > Basic configuration data > Account definitions > Manage levels category.

  2. Select the manage level in the result list. Select Change main data.

    - OR -

    Click in the result list.

  3. Edit the manage level's main data.

  4. Save the changes.

Main data for manage levels

Enter the following data for a manage level.

Table 12: Main data for manage levels
Property Description

Manage level

Name of the manage level.

Description

Text field for additional explanation.

IT operating data overwrites

Specifies whether user account data formatted from IT operating data is automatically updated. Permitted values are:

  • Never: Data is not updated. (Default)

  • Always: Data is always updated.

  • Only initially: Data is only determined at the start.

Retain groups if temporarily disabled

Specifies whether user accounts of temporarily deactivated retain their group memberships.

Lock user accounts if temporarily disabled *)

Specifies whether user accounts of temporarily deactivated identities are locked.

Retain groups if permanently disabled

Specifies whether user accounts of permanently deactivated identities retain group memberships.

Lock user accounts if permanently disabled *)

Specifies whether user accounts of permanently deactivated identities are locked.

Retain groups on deferred deletion

Specifies whether user accounts of identities marked for deletion retain their group memberships.

Lock user accounts if deletion is deferred*)

Specifies whether user accounts of identities marked for deletion are locked.

Retain groups on security risk

Specifies whether user accounts of identities posing a security risk retain their group memberships.

Lock user accounts if security is at risk*)

Specifies whether user accounts of identities posing a security risk are locked.

Retain groups if user account disabled

Specifies whether disabled user accounts retain their group memberships.

NOTE:*) SharePoint user accounts cannot be locked!

When an identity is disabled, deleted, or rated as a security risk their SharePoint user accounts remain enabled. For logging into a SharePoint site collection, you need to know if the user account referenced as an authentication object is locked or disabled. To prevent a disabled, deleted, or security risk identity logging into a SharePoint site collection, manage the user accounts linked as authentication objects using account definitions.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating