
Identity Manager 9.2.1 - Identity Management Base Module Administration Guide


Address data for identities

Enter the following data for an identity, which describes the identity's location in the company.

Table 30: Address data

Property

Description

Primary location

Location to which the identity is primarily assigned. The identity can obtain company resources through this assignment if One Identity Manager is configured accordingly.

Furthermore, IT operating data for user accounts and mailboxes can be determined through the location.

Phone

Identity's telephone number.

Mobile phone

Identity's mobile number.

Fax

Identity's fax number.

Display in phone book

Specifies whether the identity is shown in the telephone book.

Street

Street or road.

Building

Building.

Office mailbox

Office mailbox.

Zip code

Zip code.

City

City.

Country

Country. You require this to determine the identity's language and working hours. This data is usually stored with the identity's location or department data. You can also enter it directly for the identity. This setting is also used for the Web Portal display.

State

State. You require this to determine the identity's language and working hours. This data is usually stored with the identity's location or department data. You can also enter it directly for the identity.

Floor

Floor.

Room

Room.

Image

You can import a picture of the identity into the database. To do this, use the button next to the picture box to browse for the image to be displayed.


Miscellaneous main data of identities

Enter the following miscellaneous main data of an identity. This data applies to the target system login, identity types, One Identity Manager login data, and identity import data.

Table 31: Miscellaneous main data

Property

Description

Central user account

The identity's central user account is used to form the user account login name in the active system. The central user account is also used for logging in to the One Identity Manager tools.

In the One Identity Manager default installation, the central user account is made up of the first and last name of the identity.

Central SAP user account

Name used to form the user account name in the SAP R/3 target system. In the One Identity Manager default installation, the central SAP user account is made up of the first and last name of the identity.

NOTE: This property is only available if the SAP R/3 User Management Module is installed.

E-Business Suite user account

Name used to form the user account name in the Oracle E-Business Suite target system. In the One Identity Manager default installation, the E-Business Suite user account is formed from the identity's central user account.

NOTE: This property is only available if the Oracle E-Business Suite Module is installed.

E-Business Suite ID

Unique ID of the HR person, the AP customer, the AP supplier, or the AR party in the Oracle E-Business Suite.

NOTE: This property is only available if the Oracle E-Business Suite Module is installed.

E-Business Suite personnel number

Personnel number of the HR person in the Oracle E-Business Suite.

NOTE: This property is only available if the Oracle E-Business Suite Module is installed.

Central password and password confirmation

An identity's central password can be used for logging into the target systems and for logging in to One Identity Manager. Depending on the configuration, an identity's central password is replicated to their user accounts and their system user password.

Use the Password Reset Portal to change the central password. For more information, see the One Identity Manager Web Designer Web Portal User Guide.

Decentralized identity and confirmation

Identifier of the decentralized identity that identifies the identity. This identifier can be used to log in to One Identity Manager.

Default email address

Default email address for setting up the identity's mailboxes in the individual target systems. This data is absolutely necessary for automatically creating mailboxes. In the One Identity Manager default installation, the default email address is composed of the identity’s central user account and the default mail domain of the active target system.

Identity type

Type of the identity. To map the different purposes, you can differentiate identities by identity type.

Permitted values are Primary identity, Organizational identity, Personalized administrator identity, Sponsored identity, Shared identity, Service identity, and Machine identity.

If the identity type is Organizational identity or Personalized administrator identity, assign a main identity.

If the identity type is Sponsored identity, Shared identity, Service identity, or Machine identity, enable the Virtual identity option and assign a manager. Only the manager can initiate requests in the IT Shop for these identities.

Main identity

Reference to the main identity.

If the identity type is Organizational identity or Personalized administrator identity, assign a main identity.

Virtual identity

Specifies whether the identity represents a real identity or a virtual identity. A virtual identity does not represent a real person.

If the identity type is Sponsored identity, Shared identity, Service identity, or Machine identity, enable this option.

Real identity

If the identity is marked as virtual, you can assign an identity here that is not labeled as a virtual identity, for example, an identity that represents a real person.

Virtual X500 identity

Specifies whether the identity is managed as a virtual X500 identity in One Identity Manager. If an identity has several X500 entries with different properties, you can also use virtual identities here. Label the identity with the Virtual X500 identity option for this use case and configure a link to the real X500 identity.

X500 identity

A virtual X500 identity has a real X500 identity assigned to it.

Logins

Logins with which the identity can log in to One Identity Manager. Enter the login in the form Domain\User.

This information is required if the authentication modules User account and User account (role-based) are used for logging in to One Identity Manager tools. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

System users

System user with which the identity can log in to the One Identity Manager administration tools. The login data is analyzed by the authentication module in use. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

System user password and password confirmation

Identity's system user password. Password with which the identity logs in to the One Identity Manager tools.

Use the Password Reset Portal to change the system user password. For more information, see the One Identity Manager Web Portal User Guide.

User account name (mainframe)

If an identity is permitted access to the mainframe with their user account, enter the login name here.

Notebook user

Specifies whether the identity uses a notebook.

Company car

Specifies whether the identity uses a company car.

Login permitted on terminal server

Specifies whether this identity is permitted to log in on the terminal server with their user account.

Remote access permitted

Specifies whether the identity can dial in to the network with their user account.

Resetting the password through the help desk is permitted

Specifies whether the password can be reset with the help of the help desk. If this option is enabled, the identity's password can be reset in the Operations Support Web Portal. For more information, see the One Identity Manager Operations Support Web Portal User Guide.

Help desk staff member

Specifies whether the identity can handle help desk tickets. For more information about the help desk, see the One Identity Manager Help Desk Module User Guide.

NOTE: This option is only available if the Helpdesk Module is installed.

Import data source

Target system or data source from which the identity's data was imported. This property is also set by scripts for automatically assigning identities to user accounts.

Distinguished name

Distinguished name of the imported identity. This property should be set by the import.

Canonical name

Fully qualified name of the imported identity. This property should be set by the import.


Assigning company resources to identities

One Identity Manager uses different assignment types to assign company resources.

  • Indirect assignment

    In the case of indirect assignment of company resources, identities, devices, and workdesks are arranged in departments, cost centers, locations, business roles, or application roles. The total of assigned company resources for an identity, device, or workdesk is calculated from its position within the hierarchies, the direction of inheritance (top-down or bottom-up), and the company resources assigned to these roles. Indirect assignment methods distinguish between primary and secondary assignment.

  • Direct assignment

    Direct assignment of company resources results from the assignment of a company resource to an identity, device, or workdesk, for example. Direct assignment of company resources makes it easier to react to special requirements.

  • Assignment by dynamic roles

    Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Identities, devices, and workdesks are not permanently assigned to a role, but only while they fulfill certain conditions. A check is performed regularly to assess which identities, devices, or workdesks fulfill these conditions, so the role memberships change dynamically. For example, company resources can be assigned dynamically to all identities in a department in this way; if an identity leaves the department, they immediately lose the resources assigned to them.

  • Assigning through IT Shop requests

    Assignment through the IT Shop is a special case of indirect assignment. Add identities to a shop as customers so that company resources can be assigned through IT Shop requests. All company resources assigned as products to this shop can be requested by the customers. Requested company resources are assigned to the identities after approval is granted. Role memberships can be requested through the IT Shop as well as company resources.
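The effective-entitlement calculation these assignment types describe, written out as an added illustration that is not One Identity Manager code: the department tree, the identities, the resource names and the dynamic-role condition are all constructed here, primary and secondary assignments are treated alike, and the two inheritance directions and the immediate loss of dynamic-role resources on a department change are the points it demonstrates.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Department:
    name: str
    parent: "Department | None" = None
    resources: set = field(default_factory=set)  # company resources assigned to the role

    def ancestors(self):
        """Yield this department and every department above it (self first)."""
        node = self
        while node is not None:
            yield node
            node = node.parent

@dataclass(eq=False)
class Identity:
    name: str
    primary: "Department | None" = None            # primary assignment (main data)
    secondary: list = field(default_factory=list)  # secondary assignments (Assign organizations)
    direct: set = field(default_factory=set)       # directly assigned company resources

def role_resources(dept, direction, all_depts):
    """Resources a department passes to its members: top-down collects the
    department plus its ancestors, bottom-up the department plus its descendants."""
    if direction == "top-down":
        nodes = list(dept.ancestors())
    elif direction == "bottom-up":
        nodes = [d for d in all_depts if dept in d.ancestors()]
    else:
        raise ValueError(f"unknown inheritance direction: {direction}")
    return set().union(*(n.resources for n in nodes))

def effective_resources(identity, direction, all_depts, dynamic_roles):
    """Union of direct, indirect (primary + secondary) and dynamic-role assignments."""
    result = set(identity.direct)
    for dept in ([identity.primary] if identity.primary else []) + identity.secondary:
        result |= role_resources(dept, direction, all_depts)
    # Dynamic roles are re-evaluated on every call: leaving the department drops them.
    for condition, resources in dynamic_roles:
        if condition(identity):
            result |= resources
    return result

# Constructed sample data (not taken from the guide).
COMPANY = Department("Company", resources={"Intranet"})
SALES = Department("Sales", parent=COMPANY, resources={"CRM"})
SALES_EMEA = Department("Sales EMEA", parent=SALES, resources={"EMEA share"})
IT = Department("IT", parent=COMPANY, resources={"Admin tools"})
ALL_DEPTS = [COMPANY, SALES, SALES_EMEA, IT]
# Dynamic role: every identity whose primary department lies under Sales.
DYNAMIC_ROLES = [(lambda i: i.primary is not None and SALES in i.primary.ancestors(),
                  {"Sales mailing list"})]
alice = Identity("alice", primary=SALES_EMEA, direct={"VPN"})
bob = Identity("bob", primary=SALES, secondary=[IT])

if __name__ == "__main__":
    print(sorted(effective_resources(alice, "top-down", ALL_DEPTS, DYNAMIC_ROLES)))
    alice.primary = IT  # department change: dynamic-role membership ends at once
    print(sorted(effective_resources(alice, "top-down", ALL_DEPTS, DYNAMIC_ROLES)))
```

Run it once with "top-down" and once with "bottom-up" for the same identity to see how the direction alone changes which department-level resources an identity ends up with.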

The following table shows the possible company resource assignments to identities.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.

Table 32: Possible assignments of company resources to identities

| Company resource | Direct assignment permitted | Indirect assignment permitted | Comment |
|---|---|---|---|
| Resources | + | + | |
| System roles | + | + | |
| Subscribable reports | + | + | |
| Software | + | + | |
| Account definitions | + | + | |
| Groups of custom target systems | - | + | All the identity's user accounts in custom target systems that permit group inheritance are assigned to the groups. |
| System entitlements of custom target systems | - | + | All the identity's custom target system user accounts that permit system entitlement inheritance are assigned to the custom target system entitlements. |
| Active Directory groups | - | + | All the identity's Active Directory user accounts and Active Directory contacts that permit group inheritance are assigned to the Active Directory groups. |
| SharePoint groups | - | + | All the identity's SharePoint user accounts that permit group inheritance are assigned to the SharePoint groups. |
| SharePoint roles | - | + | All the identity's SharePoint user accounts that permit group inheritance are assigned to the SharePoint roles. |
| LDAP groups | - | + | All the identity's LDAP user accounts that permit group inheritance are assigned to the LDAP groups. |
| Notes groups | - | + | All the identity's Notes user accounts that permit group inheritance are assigned to the Notes groups. |
| SAP groups | + | + | All the identity's SAP user accounts that are in the same SAP client and permit group inheritance are assigned to the SAP groups. |
| SAP profiles | + | + | All the identity's SAP user accounts that are in the same SAP client and permit group inheritance are assigned to the SAP profiles. |
| SAP roles | + | + | All the identity's SAP user accounts that are in the same SAP client and permit group inheritance are assigned to the SAP roles. |
| Structural profiles | - | + | All the identity's SAP user accounts that are in the same SAP client and permit group inheritance are assigned to the structural profiles. |
| BI analysis authorizations | - | + | All the identity's BI user accounts that permit group inheritance are assigned to the BI analysis authorizations. |
| E-Business Suite permissions | - | + | All the identity's E-Business Suite user accounts that are in the same E-Business Suite system and permit group inheritance are assigned to the E-Business Suite groups. |
| Azure Active Directory groups | - | + | All the identity's Azure Active Directory user accounts that permit group inheritance are assigned to the Azure Active Directory groups. |
| Azure Active Directory administrator roles | - | + | All the identity's Azure Active Directory user accounts that permit group inheritance are assigned to the Azure Active Directory administrator roles. |
| Azure Active Directory subscriptions | - | + | All the identity's Azure Active Directory user accounts that permit group inheritance are assigned to the Azure Active Directory subscriptions. |
| Disabled Azure Active Directory service plans | - | + | All the identity's Azure Active Directory user accounts that permit group inheritance are assigned to the disabled Azure Active Directory service plans. |
| Unix groups | - | + | All the identity's Unix user accounts that permit group inheritance are assigned to the Unix groups. |
| PAM user groups | - | + | All the identity's PAM user accounts that permit group inheritance are assigned to the PAM user groups. |
| SharePoint Online groups | - | + | All the identity's SharePoint Online user accounts that permit group inheritance are assigned to the SharePoint Online groups. |
| SharePoint Online roles | - | + | All the identity's SharePoint Online user accounts that permit group inheritance are assigned to the SharePoint Online roles. |
| Google Workspace products and SKUs | - | + | All the identity's Google Workspace user accounts that permit group inheritance are assigned to the Google Workspace products and SKUs. |
| Google Workspace groups | - | + | All the identity's Google Workspace user accounts that permit group inheritance are assigned to the Google Workspace groups. |
| Cloud groups | - | + | All the identity's cloud user accounts that permit group inheritance are assigned to the cloud groups. |
| Cloud system entitlements | - | + | All the identity's cloud user accounts that permit system entitlement inheritance are assigned to the cloud system entitlements. |
| OneLogin roles | - | + | All the identity's OneLogin user accounts that permit group inheritance are assigned to the OneLogin roles. |


Assigning identities to departments, cost centers, and locations

Assign the identity to departments, cost centers, and locations so identities obtain their company resources through these organizations. To assign company resources to departments, cost centers, and locations, use the appropriate organization tasks.

To assign an identity to departments, cost centers, and locations (secondary assignment; default method)

  1. In the Manager, select the Identities > Identities category.

  2. Select the identity in the result list.

  3. Select the Assign organizations task.

  4. In the Add assignments pane, assign the organizations:

    • On the Departments tab, assign departments.

    • On the Locations tab, assign locations.

    • On the Cost centers tab, assign cost centers.

    TIP: In the Remove assignments pane, you can remove assigned organizations.

    To remove an assignment

    • Select the organization and double-click it.

  5. Save the changes.

To assign an identity to departments, cost centers, and locations (primary assignment)

  1. In the Manager, select the Identities > Identities category.

  2. Select the identity in the result list.

  3. Select the Change main data task.

  4. Adjust the following main data on the Organizational tab.

    • Primary department

    • Primary cost center

    • Primary location

  5. Save the changes.