
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Administration Modes - Presentation

One Identity provides the following two administration modes:

  • The classic administration mode.
  • The advanced administration mode.

The administration mode is selected at installation time.

In this section:

  • The Classic Administration Mode
  • The Advanced Administration Mode

The Classic Administration Mode

Definition

In classic administration mode, administration rights are classified into eight predefined administration profiles that you apply to users so that they can perform their administration tasks in EAM Console.

These administration profiles cannot be modified.

NOTE: To change from the classic administration mode to the advanced administration mode, see the One Identity EAM Installation Guide.

The list of existing administration profiles and their corresponding administration rights (available in advanced administration mode) is given in Appendix Correspondence between profiles and administration rights.

Delivered Administration Profiles

One Identity delivers the following administration profiles:

  • Access administrator: allows the administrator to authorize a user to use an application.
  • Application administrator: allows the administrator to manage applications and Technical References.
  • Access point administrator: allows the administrator to authorize applications and users on access points.
  • Security policy administrator: allows the administrator to manage the token inventory and to change the following security objects: time slices, Password Format Control Policies (PFCP), Password Generation Policies (PGP), user security profiles, access point security profiles and application security profiles.
  • Smart card administrator: allows the administrator to manage smart cards.
  • User administrator: allows the administrator to manage users.
  • Infrastructure administrator: allows the administrator to manage the PKA authentication and the representative objects.
  • File Encryption administrator: DEPRECATED.
  • SSO account administrator: allows the administrator to manage secondary accounts.
  • Auditor: allows the administrator to manage the audit.
  • Helpdesk operator: allows the administrator to reassign recoverable accounts to the user and to change the user's authentication methods without the user losing his SSO data.
  • Authorize propagation of administration rights: allows the administrator to delegate his/her administration rights. This delegation is restricted to the administrator's own rights and visibility.

The Advanced Administration Mode

Definition

In advanced administration mode, the administration profiles are not limited to eight categories: you can create your own administration profiles by selecting the administration rights that compose them.

Possible administration rights

The list of administration rights available in advanced administration mode (and their corresponding administration profiles in classic administration mode) is given in Correspondence between profiles and administration rights.

Administration Role Inheritance

The administration role inheritance principle can be represented by the following tree structure:

The root of the tree structure is the "IT Security Manager" (or primary administrator): it corresponds to a specific user created in the LDAP directory during the installation of the solution. It is a super-administrator who can manage all the objects in the directory and who has all the rights relating to the general configuration of the product.

For security reasons, upon the first start of the EAM Console, he must authenticate using a Security Module or a pass phrase, depending on the protection mode that has been selected during the installation (for more information on the protection modes, see Authenticating to EAM Console and Managing Protection Modes).

Then, it is possible to define as many administrators as required and to assign each one an administration role (made up of one or several administration profiles, and with a specific role scope).

Administration roles are inherited in the following way:

  • Delegate: the administrator copies his/her administration role to assign it to another user registered in the directory.
  • Transfer: the administration role of the selected user is transferred to another user (who must not have administration rights yet). This new user replaces the previous administrator.
  • Delete: the administration role of the selected user is deleted. If the deleted administration role is a parent role, the parent administrator of the deleted administrator becomes the parent administrator of the administrators that were below it.

NOTE: In advanced administration mode, the "User administration profile: administration rights manager" administration right allows an administrator to delegate his/her administration rights to, or to delete rights from, an administrator for whom he/she is not the parent administrator.
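The following is an added illustrative model of the inheritance tree described above; it is not One Identity's code or API and does not reflect how EAM stores roles. It models the three operations (delegate, transfer, delete) to make their invariants explicit: a delegated role never exceeds the delegator's profiles or role scope, delegation requires the "Authorize propagation of administration rights" profile, a transfer target must hold no role yet, and deleting an administrator moves the administrators below it up to the deleted one's parent. The representation of the role scope as a set of container names, the user names and the sample delegations are constructed for the example; the rights-manager exception from the note above is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Profile name taken from the delivered profiles above; everything else is constructed.
PROPAGATION = "Authorize propagation of administration rights"


@dataclass(frozen=True)
class Role:
    """An administration role: the profiles it is made of and its role scope."""
    profiles: frozenset   # administration profiles composing the role
    scope: frozenset      # directory containers the role may see (assumed representation)


@dataclass(eq=False)   # identity comparison, so tree bookkeeping never recurses through parents
class Admin:
    user: str
    role: Role
    parent: Optional["Admin"] = None
    children: list = field(default_factory=list)


class AdminTree:
    """Tree of administrators rooted at the IT Security Manager (primary administrator)."""

    def __init__(self, primary_user, all_profiles, all_scope):
        # The primary administrator holds every profile over the whole directory.
        self.root = Admin(primary_user, Role(frozenset(all_profiles), frozenset(all_scope)))
        self.admins = {primary_user: self.root}

    def delegate(self, delegator, new_user, profiles, scope):
        """Copy part of the delegator's role to a user who holds no role yet."""
        src = self.admins[delegator]
        if new_user in self.admins:
            raise ValueError(f"{new_user} already holds an administration role")
        if PROPAGATION not in src.role.profiles:
            raise PermissionError(f"{delegator} may not propagate administration rights")
        wanted = Role(frozenset(profiles), frozenset(scope))
        # The delegated role is bounded by the delegator's own rights and visibility.
        if not (wanted.profiles <= src.role.profiles and wanted.scope <= src.role.scope):
            raise PermissionError("delegated role exceeds the delegator's rights or scope")
        child = Admin(new_user, wanted, parent=src)
        src.children.append(child)
        self.admins[new_user] = child
        return child

    def transfer(self, old_user, new_user):
        """Hand the whole role, position in the tree included, to a user without rights."""
        old = self.admins[old_user]
        if new_user in self.admins:
            raise ValueError(f"{new_user} must not have administration rights yet")
        new = Admin(new_user, old.role, old.parent, old.children)
        for child in new.children:
            child.parent = new
        if old.parent is None:
            self.root = new
        else:
            old.parent.children[old.parent.children.index(old)] = new
        del self.admins[old_user]
        self.admins[new_user] = new
        return new

    def delete(self, user):
        """Remove a role; administrators below it move up to the deleted one's parent."""
        gone = self.admins[user]
        if gone is self.root:
            raise ValueError("the primary administrator's role cannot be deleted")
        parent = gone.parent
        parent.children.remove(gone)
        for child in gone.children:
            child.parent = parent
            parent.children.append(child)
        del self.admins[user]

    def parent_of(self, user):
        parent = self.admins[user].parent
        return parent.user if parent else None

    def rights_of(self, user):
        return set(self.admins[user].role.profiles)


def try_delegate(tree, delegator, new_user, profiles, scope):
    """True if the delegation is accepted, False if the tree rejects it."""
    try:
        tree.delegate(delegator, new_user, profiles, scope)
        return True
    except (PermissionError, ValueError):
        return False


# Constructed sample: a primary administrator, one delegate with propagation rights, one without.
ALL_PROFILES = {"User administrator", "Application administrator", "Access administrator", PROPAGATION}
ALL_SCOPE = {"OU=Paris", "OU=Lyon"}


def build_demo():
    tree = AdminTree("itsecmgr", ALL_PROFILES, ALL_SCOPE)
    tree.delegate("itsecmgr", "alice", {"User administrator", PROPAGATION}, {"OU=Paris"})
    tree.delegate("alice", "bob", {"User administrator"}, {"OU=Paris"})
    return tree
```

Running `build_demo()` and then attempting further delegations shows the restriction at work: alice cannot hand out the Application administrator profile she does not hold, cannot widen the scope to OU=Lyon, and bob, who lacks the propagation profile, cannot delegate at all. Transferring alice's role to carol keeps bob under carol; deleting carol afterwards re-parents bob to the primary administrator.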