Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory

Managing Active Directory Environments Setting up Active Directory Synchronization Base Data for Managing Active Directory Active Directory Domains Active Directory User Accounts Active Directory Contacts Active Directory groups Active Directory Security IDs Active Directory Container Structures Active Directory computer Active Directory Printers Active Directory Locations Reports about Active Directory Objects Appendix: Configuration Parameters for Managing Active Directory Appendix: Default Project Template for Active Directory Appendix: Authentication Modules for Logging into the One Identity Manager

Adding Active Directory Groups to Active Directory Groups

Adding Active Directory Groups to Active Directory Groups

Use this task to add a group to another group.

To assign groups directly to a group

  1. Select the category Active Directory | Groups.
  2. Select the group in the result list.
  3. Select Assign groups in the task view.
  4. Assign child groups of the selected group in Add assignments.

    - OR -

    Remove assignments to groups in Remove assignments.

  5. Save the changes.
Related Topics

Effectiveness of Group Memberships

Effectiveness of Group Memberships

Table 72: Configuration Parameter for Conditional Inheritance
Configuration parameter Active Meaning

QER\Structures\Inherite\GroupExclusion

Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. The database has to be recompiled after changes have been made to the parameter.

When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group directly, indirectly or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
  • One Identity Manager does not check whether membership of an excluded group is permitted in another group.

The effect of the assignments is mapped in the tables ADSAccountInADSGroup and BaseTreeHasADSGroup through the column XIsInEffect.

Example of the effect of group memberships
  • Group A is defined with permissions for triggering requests in a domain. A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the department "Marketing", group B through "Finance" and group C through the business role "Control group".

Clara Harris has a user account in this domain. She primarily belongs to the department "marketing". The business role "Control group" and the department "Finance" are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B and C.

By using suitable controls, you want to prevent an employee from being able to trigger a request and to pay invoices. That means, groups A, B and C are mutually exclusive. An employee that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.

Table 73: Specifying excluded groups (table ADSGroupExclusion)
Effective Group Excluded Group
Group A
Group B Group A
Group C Group B
Table 74: Effective Assignments
Employee Member in Role Effective Group
Ben King Marketing Group A
Jan Bloggs Marketing, finance Group B
Clara Harris Marketing, finance, control group Group C
Jenny Basset Marketing, control group Group A, Group C

Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the business role "control group" at a later date, group B also takes effect.

The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. That means that the employee is authorized to trigger request and to check invoices. If this should not be allowed, define further exclusion for group C.

Table 75: Excluded groups and effective assignments
Employee Member in Role Assigned Group Excluded Group Effective Group

Jenny Basset

 

Marketing Group A  

Group C

 

Control group Group C Group B

Group A

Prerequisites
  • The configuration parameter "QER\Inherite\GroupExclusion" is enabled.
  • Mutually exclusive groups belong to the same domain

To exclude a group

  1. Select the category Active Directory | Groups.
  2. Select a group in the result list.
  3. Select Exclude groups in the task view.
  4. Assign the groups that are mutually exclusive to the selected group in Add assignments.

    - OR -

    Remove the conflicting groups that are no longer mutually exclusive in Remove assignments.

  5. Save the changes.

Active Directory Group Inheritance Based on Categories

Active Directory Group Inheritance Based on Categories

Groups and be selectively inherited by user accounts and contacts in One Identity Manager. The groups and user accounts (contacts) are divided into categories in the process. The categories can be freely selected and are specified by a template. Each category is given a specific position within the template. The formatting rule contains tables which map the user accounts (contact) and the groups. Specify your categories for user account (contacts) in the table for user accounts (contacts). Enter your categories fro groups in the group table. Each table contains the category items "Position1" to "Position31".

Every user account (contact) can be assigned to one or more categories. Each group can also be assigned to one or more categories. The structural profile is inherited by the user account (contact) when at least one user account (contact) category item matches an assigned structural profile. If the group or user account (contact) is not in classified into categories, the group is also inherited by the user account (contact).

NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when assigning groups to user accounts and contacts.

Table 76: Category Examples
Category Position Categories for User Accounts Categories for Groups
1 Default user Default permissions
2 System user System user permissions
3 System administrator System administrator permissions

Figure 2: Example of inheriting through categories.

To use inheritance through categories

  • Define categories in the domain.
  • Assign categories to user accounts and contacts through their master data.
  • Assign categories to groups through their master data.
Related Topics

Assigning Active Directory Account Policies Directly to an Active Directory Group

Assigning Active Directory Account Policies Directly to an Active Directory Group

It is possible to define more account policies for the default domain's password policies if the domains have the functional level "Windows Server 2008 R2" or higher. This allows individual users and groups to be subjected to stricter account policies as intended for global groups.

To specify account policies for a group

  1. Select the category Active Directory | Groups.
  2. Select the group in the result list.
  3. Select Assign account policies in the task view.
  4. Assign the account policies in Add assignments.

    - OR -

    Remove the account policies in Remove assignments.

  5. Save the changes.
Related Topics
Related Documents