Identity Manager On Demand - Starling Edition Hosted - Identity Management Base Module Administration Guide


Permitting assignments of identities, devices, workdesks, and company resources to roles

The default method for assigning company resources is through secondary assignment. For this, identities, devices, and workdesks as well as company resources are added to roles through secondary assignment.

Use role classes to specify how and whether identities, devices, workdesks, and company resources are permitted as secondary assignments to roles. Role classes form the basis for mapping hierarchical roles in One Identity Manager and are used to group similar roles together. The following role classes are available by default in One Identity Manager:

  • Department

  • Cost center

  • Location

  • Application role

Secondary assignment of objects to roles in a role class is defined by the following options:

  • Assignments allowed: This option specifies whether assignments of respective object types to roles of this role class are allowed in general.

  • Direct assignments allowed: Use this option to specify whether respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are assigned to departments, cost centers, or locations over the assignment form in the Manager.

    NOTE: If this option is not set, the assignment of each object type is only possible through requests in the IT Shop, dynamic roles, or system roles.

Example:

To assign identities directly to a department in the Manager, enable the Assignment allowed and the Direct assignment allowed options on the Identities entry in the Department role class.

If identities can only obtain membership in a department through the IT Shop, enable the Assignment allowed option but not the Direct assignment allowed option on the Identities entry in the Department role class. A corresponding assignment resource must be available in the IT Shop.

NOTE: Identity, device, workdesk, and company resource assignments are predefined for departments, cost centers, locations, and application roles. The configuration of application role assignments cannot be changed.

To configure assignments to roles of a role class

  1. In the Manager, select role classes in the Organizations > Basic configuration data > Role classes category.

  2. Select the Configure role assignments task.

  3. Use the Allow assignments column to specify whether assignment is generally allowed.

    NOTE: You can only reset the Assignment allowed option if there are no assignments of the respective objects to roles of this role class and none can arise through existing dynamic roles.

  4. Use the Allow direct assignments column to specify whether a direct assignment is allowed.

    NOTE: You can only reset the Direct assignment allowed option if there are no direct assignments of the respective objects to roles of this role class.

  5. Save the changes.

Blocking inheritance using roles

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effects of this depend on the chosen direction of inheritance.

  • In top-down inheritance, roles marked with the Block inheritance option do not inherit any assignments from parent levels. They can, however, pass on their own directly assigned company resources to lower level structures.

  • In bottom-up inheritance, the role labeled with the Block inheritance option inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

To discontinue inheritance for departments, cost centers, or locations

  1. In the Manager, in the Organizations category, select a department, cost center or location.

  2. Select the Change main data task.

  3. Set the Block inheritance option.

  4. Save the changes.

NOTE: In the case of application roles, inheritance can only be discontinued for custom application roles. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.


Preventing identities, devices, or workdesks from inheriting individual roles

Company resource inheritance for single roles can be temporarily prevented. You can use this behavior, for example, to assign all required company resources to a role. Inheritance of company resources does not take place, however, unless inheritance is permitted for the role, for example, by running a defined approval process.

To prevent inheritance for departments, cost centers, or locations

  1. In the Manager, in the Organizations category, select a department, cost center or location.

  2. Select the Change main data task.

  3. Set one or more of the following options:

    • To prevent identities from inheriting, set the Identities do not inherit option.

    • To prevent devices from inheriting, set the Devices do not inherit option.

    • To prevent workdesks from inheriting, set the Workdesks do not inherit option.

  4. Save the changes.

NOTE: This option cannot be configured for application roles. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.


Preventing inheritance to individual identities, devices, or workdesks

Inheritance of company resources can be prevented for single identities, devices, or workdesks. For example, you can use this behavior after importing to correct the imported data first and then apply inheritance afterward.

To prevent an identity from inheriting

  1. In the Manager, select the identity in the Identities category.

  2. Select the Change main data task.

  3. Set the No inheritance option.

    The identity does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.

  4. Save the changes.

To prevent a device from inheriting

  1. In the Manager, select the device in the Devices & Workdesks > Devices category.

  2. Select the Change main data task.

  3. Set the No inheritance option.

    The device does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.

  4. Save the changes.

To prevent a workdesk from inheriting

  1. In the Manager, select the workdesk in the Devices & Workdesks > Workdesks category.

  2. Select the Change main data task.

  3. Set the No inheritance option.

    The workdesk does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.

  4. Save the changes.
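The following is an added illustration, not One Identity Manager code, of how the three inheritance controls described above interact when an identity's effective company resources are computed: Block inheritance on a role in the hierarchy, Identities do not inherit on a role, and No inheritance on the identity, with direct assignments left untouched in every case. It assumes top-down inheritance for the hierarchy and assumes that Identities do not inherit acts on the role's own members; the role names and resource names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Role:
    name: str
    parent: Optional[str] = None
    resources: set = field(default_factory=set)  # company resources assigned directly to the role
    block_inheritance: bool = False              # "Block inheritance" option on the role
    identities_do_not_inherit: bool = False      # "Identities do not inherit" option on the role

@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)             # secondary role memberships
    direct_resources: set = field(default_factory=set)  # directly assigned company resources
    no_inheritance: bool = False                        # "No inheritance" option on the identity

def role_resources_top_down(roles: dict, name: str) -> set:
    """Own resources plus those of ancestors, stopping at the first role (itself included)
    that blocks inheritance. A blocking role still passes its own assignments downward."""
    cur = roles[name]
    acquired = set(cur.resources)
    while cur.parent is not None and not cur.block_inheritance:
        cur = roles[cur.parent]
        acquired |= cur.resources
    return acquired

def effective_resources(identity: Identity, roles: dict) -> set:
    """Direct assignments always apply. Role-based resources are dropped entirely for an
    identity with "No inheritance", and per role when that role is marked "Identities do
    not inherit" (assumed here to act on the role's own members)."""
    effective = set(identity.direct_resources)
    if identity.no_inheritance:
        return effective
    for role_name in identity.roles:
        if not roles[role_name].identities_do_not_inherit:
            effective |= role_resources_top_down(roles, role_name)
    return effective

# Constructed sample hierarchy (role and resource names are made up for this example)
ROLES = {r.name: r for r in [
    Role("Corp", resources={"vpn"}),
    Role("Sales", parent="Corp", resources={"crm"}),
    Role("Sales-EMEA", parent="Sales", resources={"eu-share"}),
    Role("Audit", parent="Corp", resources={"audit-tool"}, block_inheritance=True),
    Role("Audit-IT", parent="Audit", resources={"siem"}),
    Role("Contractors", parent="Corp", resources={"guest-wifi"}, identities_do_not_inherit=True),
]}
```

Audit-IT still receives Audit's own resource but not Corp's, which is the top-down behaviour described above; a Contractors member keeps only direct assignments.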