One Identity EAM provides the following two administration modes: classic administration mode and advanced administration mode.
The administration mode is selected at installation time.
In classic administration mode, administration rights are grouped into eight predefined administration profiles, which you apply to users so that they can perform their administration tasks in EAM Console.
These administration profiles cannot be modified.
NOTE: To change from classic administration mode to advanced administration mode, see the One Identity EAM Installation Guide. The list of existing administration profiles and their corresponding administration rights (available in advanced administration mode) is given in the appendix Correspondence between profiles and administration rights.
One Identity delivers the following administration profiles:

Administration Profile Name | Description
 | Allows the administrator to authorize a user to use an application.
Application administrator | Allows the administrator to manage applications and Technical References.
 | Allows the administrator to authorize applications and users on access points.
 | Allows the administrator to manage the token inventory and to change the following security objects: time slices; Password Format Control Policies (PFCP); Password Generation Policies (PGP); user security profiles; access point security profiles; application security profiles.
 | Allows the administrator to manage smart cards.
User administrator | Allows the administrator to manage users.
Infrastructure administrator | Allows the administrator to manage PKA authentication and the representative objects.
 | DEPRECATED.
SSO account administrator | Allows the administrator to manage secondary accounts.
 | Allows the administrator to manage the audit.
 | Allows the administrator to reassign recoverable accounts to the user and to change the user's authentication methods without the user losing their SSO data.
 | Allows the administrator to delegate their administration rights. This delegation is restricted to the administrator's own rights and visibility.
In advanced administration mode, administration profiles are not limited to the eight predefined categories: you create your own administration profiles by selecting the administration rights that compose them.
The list of administration rights available in advanced administration mode (and their corresponding administration profiles in classic administration mode) is given in Correspondence between profiles and administration rights.
The administration role inheritance principle can be represented as a tree structure.
The root of the tree is the "IT Security Manager" (or primary administrator): a specific user created in the LDAP directory during installation of the solution. It is a super-administrator who can manage all objects in the directory and who holds all rights relating to the general configuration of the product.
For security reasons, on the first start of EAM Console this user must authenticate with a Security Module or a pass phrase, depending on the protection mode selected during installation (for more information on the protection modes, see Authenticating to EAM Console and Managing Protection Modes).
You can then define as many administrators as required and assign each one an administration role, made up of one or several administration profiles and bound to a specific role scope.
Administration roles are inherited in the following way:
NOTE: In advanced administration mode, the "User administration profile: administration rights manager" administration right allows an administrator to delegate administration rights to, or remove rights from, an administrator of whom they are not the parent administrator.
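The two rules described above, that a role is composed of profiles (classic mode) or of individual rights (advanced mode), and that an administrator can only delegate within their own rights and visibility, can be made concrete with a small model. This is an added example, not One Identity code or the EAM Console API. The right identifiers (such as user.manage), the right bundles assigned to the classic profiles named on the page, the name admin.rights.manage for the "administration rights manager" right, and the sample LDAP tree are all assumptions made for illustration.

```python
# Added illustrative model (not One Identity code): administration roles as
# sets of rights plus an LDAP scope, with delegation limited to the grantor's
# own rights and visibility. Right names and profile bundles are assumed.
from dataclasses import dataclass, field
from typing import Optional

# Assumed right identifiers (placeholders, not EAM's real right names).
ALL_RIGHTS = frozenset({
    "app.authorize", "app.manage", "techref.manage", "user.manage",
    "infrastructure.manage", "sso.account.manage", "audit.manage",
    "admin.rights.manage",   # assumed name of the "administration rights manager" right
})

# Classic mode: predefined, unmodifiable profiles (names from the page, bundles assumed).
CLASSIC_PROFILES = {
    "Application administrator": frozenset({"app.manage", "techref.manage"}),
    "User administrator": frozenset({"user.manage"}),
    "Infrastructure administrator": frozenset({"infrastructure.manage"}),
    "SSO account administrator": frozenset({"sso.account.manage"}),
}

@dataclass(frozen=True)
class Role:
    rights: frozenset   # administration rights held
    scope: frozenset    # LDAP DNs under which the administrator may act

@dataclass
class Administrator:
    name: str
    role: Role
    parent: Optional["Administrator"] = None
    children: list = field(default_factory=list)

def classic_role(profiles, scope):
    """Classic mode: one or more predefined profiles; custom bundles are impossible."""
    unknown = set(profiles) - set(CLASSIC_PROFILES)
    if unknown:
        raise KeyError(f"no such classic profile: {sorted(unknown)}")
    return Role(frozenset().union(*(CLASSIC_PROFILES[p] for p in profiles)), frozenset(scope))

def advanced_role(rights, scope):
    """Advanced mode: any selection of individual administration rights."""
    unknown = set(rights) - ALL_RIGHTS
    if unknown:
        raise KeyError(f"unknown administration right: {sorted(unknown)}")
    return Role(frozenset(rights), frozenset(scope))

def dn_within(dn, container):
    """True if the LDAP DN is the container itself or lies underneath it."""
    dn, container = dn.lower(), container.lower()
    return dn == container or dn.endswith("," + container)

def scope_within(scope, parent_scope):
    """Every DN of the delegated scope must fall under some DN of the grantor's scope."""
    return all(any(dn_within(dn, p) for p in parent_scope) for dn in scope)

class DelegationError(PermissionError):
    pass

def check_delegable(grantor, role):
    """A role may only be granted within the grantor's own rights and visibility."""
    extra = role.rights - grantor.role.rights
    if extra:
        raise DelegationError(f"{grantor.name} does not hold {sorted(extra)}")
    if not scope_within(role.scope, grantor.role.scope):
        raise DelegationError(f"{grantor.name} cannot grant a scope outside its own")

def delegate(parent, child_name, role):
    """Create a child administrator under parent, enforcing the inheritance rule."""
    check_delegable(parent, role)
    child = Administrator(child_name, role, parent)
    parent.children.append(child)
    return child

def is_ancestor(admin, other):
    node = other.parent
    while node is not None:
        if node is admin:
            return True
        node = node.parent
    return False

def change_role(actor, target, new_role):
    """Alter target's role: allowed for an ancestor, or (advanced mode) for a holder of the
    rights-manager right; the new role must still fit within actor's own rights and scope."""
    if not (is_ancestor(actor, target) or "admin.rights.manage" in actor.role.rights):
        raise DelegationError(f"{actor.name} is not a parent of {target.name}")
    check_delegable(actor, new_role)
    target.role = new_role
    return target

def build_example_tree():
    """Constructed sample: primary administrator -> regional admin -> local helpdesk."""
    root = Administrator("IT Security Manager", advanced_role(ALL_RIGHTS, {"dc=example,dc=com"}))
    emea = delegate(root, "EMEA administrator", classic_role(
        {"User administrator", "Application administrator"}, {"ou=emea,dc=example,dc=com"}))
    helpdesk = delegate(emea, "Paris helpdesk", advanced_role(
        {"user.manage"}, {"ou=paris,ou=emea,dc=example,dc=com"}))
    return root, emea, helpdesk
```

The check that matters is in check_delegable: a grantor can hand out only rights it holds itself and only over containers inside its own scope, so privileges can never grow as you walk down the tree. change_role models the note above: a holder of the rights-manager right may alter administrators it did not create, but is still bound by the same subset rule.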
© 2021 One Identity LLC. ALL RIGHTS RESERVED.