Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Adding/Removing Primary Administrators

Subject

Upon the installation of the solution (more precisely when the primary controller is initialized), a user account that has full administrative rights is declared. This is the EAM Primary Administrator. It is a super-administrator and can therefore manage all the objects in the directory.

The EAM console allows you to add other primary administrators if required.

Description

Compared to an administrator who has been given full rights, a Primary Administrator has the following additional rights:

  • Define other primary administrators.
  • Use the option that checks that only the cards of an inventory are assignable (File>Configuration>Options tab).
  • Modify the description file of the authentication methods.
  • Modify the default values.
  • Modify the SA Server configuration.
  • Modify the unblocking PIN message.
  • Configure the emergency access mode.

Before starting

You are logged on as a primary administrator.

Procedure

  1. In the File menu, click Configuration.
    • The Configuration window appears.
  2. Click the Primary administrators tab.
  3. Use the Add and Remove buttons to grant super-administrator rights to, or remove them from, users registered in the directory.

IMPORTANT: If your EAM solution is combined with the One Identity User Provisioning services, the administrators of the Policy Manager console are listed in the Auxiliary primary administrators area. Do not remove them.

Managing Security Profiles

Subject

The security profiles are generated upon the installation of the EAM Controller. These objects are required to manage the target objects, which are users, access points and applications.

Depending on your administration perimeter, you can use the default security profiles, or create, modify or delete your own profiles, as described in this section.

Before starting

To optimize network traffic, you can use the update management feature. By default, the EAM workstations periodically retrieve the whole SSO configuration. The update management feature allows you to post an update, which generates a unique identifier. The workstations retrieve the application data and this identifier. As long as the identifier is unchanged between the directory and the cache of the workstations, the workstations do not update their SSO configurations.

To enable/disable the update management feature, in the EAM Console File menu, select Manage updates.

NOTE: When a workstation runs an update, it retrieves the entire configuration (and not only the configuration corresponding to the last posted update). This feature therefore does not prevent workstations from retrieving the applications configured by administrators after the last posted update if the data on the workstation is older than the last posted update.
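
The behaviour in the NOTE above can be reproduced with a small model. This is an added example, not One Identity code: the `Directory` and `Workstation` classes and all their fields are assumptions made for illustration and do not correspond to EAM APIs or directory attributes.

```python
"""Toy model of the update-management behaviour described above.
All class and field names are assumptions made for this illustration."""
import uuid


class Directory:
    def __init__(self):
        self.applications = {}      # app name -> configuration
        self.update_id = None       # identifier of the last posted update

    def configure(self, app, config):
        # An administrator edits the SSO configuration; nothing is posted yet.
        self.applications[app] = config

    def post_update(self):
        # Posting an update generates a new unique identifier.
        self.update_id = uuid.uuid4().hex
        return self.update_id


class Workstation:
    def __init__(self):
        self.cache = {}
        self.cached_update_id = None

    def refresh(self, directory):
        """Return True if the SSO configuration was re-downloaded."""
        if directory.update_id == self.cached_update_id:
            return False            # identifier unchanged: keep the cache
        # Identifier differs: the entire current configuration is retrieved,
        # not a snapshot taken when the update was posted.
        self.cache = dict(directory.applications)
        self.cached_update_id = directory.update_id
        return True


def demo():
    d = Directory()
    d.configure("payroll", "v1")
    d.post_update()
    current, stale = Workstation(), Workstation()
    current.refresh(d)                   # "current" now holds the posted update
    d.configure("crm", "draft")          # configured after the post, never posted
    return {
        "current_refreshed": current.refresh(d),
        "current_has_crm": "crm" in current.cache,
        "stale_refreshed": stale.refresh(d),
        "stale_has_crm": "crm" in stale.cache,
    }
```

In this model the workstation whose cache predates the posted update receives the unposted "crm" entry, so posting updates should be treated as a traffic optimization and not as a release gate for configuration changes.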

Managing time slices

Definition

Time slices are security objects that define the periods during which the target objects can be accessed or are inhibited.

Target objects

Time slices are required to define the following target objects:

  • User security profiles.
  • Access point security profiles.
  • Applications.

Creating/Modifying Time Slices

Before starting

To perform the tasks described in this section, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following administration right: "Schedule: Creation/Modification".

Procedures

Creating Time Slices

  1. In the tree structure of the Directory panel, right-click the organizational unit that must contain your time slice and select New\Timeslice.
    • The time slice configuration tab appears.
  2. Fill in the window as described in Section Configuring Time Slices and click Apply.
    • The time slice appears in the directory tree structure.

Modifying Time Slices

NOTE: If you modify a time slice already used by target objects, your modifications apply to all the target objects associated with this security object.

  1. In the tree structure of the Directory panel, select the time slice to modify.
    • The time slice Configuration tab appears.
  2. Fill in the window as described in Section Configuring Time Slices and click Apply.
    • The time slice is modified.