Chat now with support
Chat with Support

Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory

Managing Active Directory Environments Setting up Active Directory Synchronization Base Data for Managing Active Directory Active Directory Domains Active Directory User Accounts Active Directory Contacts Active Directory groups Active Directory Security IDs Active Directory Container Structures Active Directory computer Active Directory Printers Active Directory Locations Reports about Active Directory Objects Appendix: Configuration Parameters for Managing Active Directory Appendix: Default Project Template for Active Directory Appendix: Authentication Modules for Logging into the One Identity Manager

Assigning Account Definitions to System Roles

Assigning Account Definitions to System Roles

Installed Modules: System Roles Module

NOTE: Account definitions with the option Only use in IT Shop can only by assigned to system roles that also have this option set.

To add account definitions to a system role

  1. Select the category Active Directory | Basic configuration data | Account definitions | Account definitions.

  2. Select an account definition in the result list.
  3. Select Assign system roles in the task view.
  4. Assign system roles in Add assignments.

    - OR -

    Remove assignments to system roles in Remove assignments.

  5. Save the changes.
Related Topics

Adding Account Definitions in the IT Shop

Adding Account Definitions in the IT Shop

A account definition can be requested by shop customers when it is assigned to an IT Shop shelf. To ensure it can be requested, further prerequisites need to be guaranteed.

  • The account definition must be labeled with the IT Shop option.
  • The account definition must be assigned to a service item.
  • If the account definition is only assigned to employees using IT Shop assignments, you must also set the option Only for use in IT Shop. Direct assignment to hierarchical roles may not be possible.

NOTE: IT Shop administrators can assign account definitions to IT Shop shelves if login is role-based. Target system administrators are not authorized to add account definitions in the IT Shop.

To add an account definition to the IT Shop

  1. Select the category Active Directory | Basic configuration data | Account definitions (non role-based login).

    - OR -

    Select the category Entitlements | Account definitions (role-based login).

  2. Select an account definition in the result list.
  3. Select Add to IT Shop in the task view.
  4. Assign the account definition to the IT Shop shelf in Add assignments
  5. Save the changes.

To remove an account definition from individual IT Shop shelves

  1. Select the category Active Directory | Basic configuration data | Account definitions (non role-based login).

    - OR -

    Select the category Entitlements | Account definitions (role-based login).

  2. Select an account definition in the result list.
  3. Select Add to IT Shop in the task view.
  4. Remove the account definition from the IT Shop shelves in Remove assignments.
  5. Save the changes.

To remove an account definition from all IT Shop shelves

  1. Select the category Active Directory | Basic configuration data | Account definitions (non role-based login).

    - OR -

    Select the category Entitlements | Account definitions (role-based login).

  2. Select an account definition in the result list.
  3. Select Remove from all shelves (IT Shop) in the task view.
  4. Confirm the security prompt with Yes.
  5. Click OK.

    The account definition is removed from all shelves by the One Identity Manager Service. All requests and assignment requests with this account definition are canceled in the process.

For more detailed information about request from company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Related Topics

Assigning Account Definitions to a Target System

Assigning Account Definitions to a Target System

The following prerequisites must be fulfilled if you implement automatic assignment of user accounts and employees resulting in administered user accounts (state "Linked configured"):

  • The account definition is assigned to the target system.
  • The account definition has the default manage level.

User accounts are only linked to the employee (state "Linked") if no account definition is given. This is the case on initial synchronization, for example.

To assign the account definition to a target system

  1. Select the domain in the category Active Directory | Domains.
  2. Select Change master data in the task view.
  3. Select the account definition for user accounts from Account definition (initial).
  4. Select the account definition for contacts from Contact definition (initial).
  5. Select the account definition for e-mail contacts from E-mail contact definition (initial).
  6. Select the account definition for e-mail users from E-mail user definition (initial).
  7. Save the changes.
Detailed information about this topic

Deleting an Account Definition

You can delete account definitions if they are not assigned to target systems, employees, hierarchical roles or any other account definitions.

NOTE: If an account definition is deleted, the user accounts arising from this account definition are deleted.

To delete an account definition

  1. Remove automatic assignments of the account definition from all employees.
    1. Select the category Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Change master data in the task view.
    4. Disable the option Automatic assignment to employees on the General tab.
    5. Save the changes.
  2. Remove direct assignments of the account definition to employees.
    1. Select the category Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Assign to employees in the task view.
    4. Remove employees from Remove assignments.
    5. Save the changes.
  3. Remove the account definition's assignments to departments, cost centers and locations.
    1. Select the category Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Assign organizations.
    4. Remove the account definition's assignments to departments, cost centers and locations in Remove assignments.
    5. Save the changes.
  4. Remove the account definition's assignments to business roles.
    1. Select the category Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Assign business roles in the task view.

      Remove business roles from Remove assignments.

    4. Save the changes.
  5. If the account definition was requested through the IT Shop, it must be canceled and removed from all IT Shop shelves. For more detailed information, see the One Identity Manager IT Shop Administration Guide.
  6. Remove the account definition assignment as required account definition for another account definition. As long as the account definition is required for another account definition, it cannot be deleted. Check all the account definitions.
    1. Select the category Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Change master data in the task view.
    4. Remove the account definition from the Required account definition menu.
    5. Save the changes.
  7. Remove the account definition's assignments to target systems.
    1. Select the domain in the category Active Directory | Domains.
    2. Select Change master data in the task view.
    3. Remove the assigned account definitions on the General tab.
    4. Save the changes.
  8. Delete the account definition.
    1. Select the category Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Click , to delete the account definition.
Related Documents