Identity Manager 8.0.1 - Administration Guide for Connecting to SharePoint


Managing SharePoint Environments

Components and access rights from SharePoint 2010 and SharePoint 2013 can be mapped in One Identity Manager. The aim is to guarantee company employees access to SharePoint sites. To achieve this, information about the following SharePoint components is loaded into the One Identity Manager database.

  • The farm, as the highest level in SharePoint's logical architecture

    The SharePoint farm is configured as the base object for synchronizing with the One Identity Manager database.

  • All web applications set up inside the farm with their user policies and permitted permissions
  • All site collections for these web applications with their user accounts and groups
  • All sites added in site collections in a hierarchical structure (but not their content)
  • All permission levels and SharePoint roles that define permissions on individual sites

SharePoint roles, groups and user accounts are mapped in the context of the SharePoint components they are set up for. These objects provide users with access rights to the various sites in SharePoint. You can use the different One Identity Manager mechanisms for linking employees with their SharePoint user accounts for this. The following objects are provisioned:

  • SharePoint user accounts and their relations to SharePoint roles and groups
  • SharePoint groups and their assignments to user accounts and roles
  • SharePoint roles and their site permissions

SharePoint supports classic Windows authentication as well as claims-based authentication for logging in to the SharePoint server. Every SharePoint user account that can log in with classic Windows authentication is assigned either to an Active Directory or LDAP user account or to an Active Directory or LDAP group. The prerequisite for this is that the associated Active Directory or LDAP systems are mapped in the One Identity Manager database. You can maintain information about the authentication systems used by SharePoint in One Identity Manager.

Every SharePoint user account connected to Active Directory or LDAP can also be assigned to an employee stored in the One Identity Manager database. This makes it possible to maintain employee memberships in SharePoint roles and groups. Employees can inherit SharePoint permissions through SharePoint role and group assignments. Apart from this, it is possible to request permissions from the IT Shop. Permissions assigned to an employee can be monitored using compliance rules.

The SharePoint Module is based on SharePoint Foundation 2010 or SharePoint Foundation 2013 Class Libraries respectively.

Architecture Overview

The SharePoint connector is used for synchronizing and provisioning SharePoint. The connector communicates directly with the SharePoint servers of a SharePoint farm.

Figure 1: Connector Paths for Communicating with SharePoint

The One Identity Manager Service, the SharePoint connector and the Synchronization Editor must be installed on one of the SharePoint farm's servers. This server is referred to as the synchronization server in the following. All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

One Identity Manager Users for Managing SharePoint

The following users are used in SharePoint system administration with One Identity Manager.

Table 1: Users

User | Task

Target system administrators

Target system administrators must be assigned to the application role Target systems | Administrators.

Users with this application role:

  • Administrate application roles for individual target system types.
  • Specify the target system manager.
  • Set up other application roles for target system managers if required.
  • Specify which application roles are conflicting for target system managers.
  • Authorize other employees to be target system administrators.
  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the application role Target systems | SharePoint or a sub application role.

Users with this application role:

  • Assume administrative tasks for the target system.
  • Create, change or delete target system objects, like user accounts or groups.
  • Edit password policies for the target system.
  • Prepare system entitlements for adding to the IT Shop.
  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
  • Edit the synchronization's target system types and outstanding objects.
  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

One Identity Manager administrators

Users with this role:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configure schedules, as required.
  • Create and configure password policies, as required.

Administrators for the IT Shop

Administrators must be assigned to the application role Request & Fulfillment | IT Shop | Administrators.

Users with this application role:

  • Assign system authorizations to IT Shop structures.

Product owners for the IT Shop

The product owners must be assigned to the application role Request & Fulfillment | IT Shop | Product owners or an application role below that.

Users with this application role:

  • Approve requests.
  • Edit service items and service categories under their management.

Administrators for organizations

Administrators must be assigned to the application role Identity Management | Organizations | Administrators.

Users with this application role:

  • Assign system entitlements to departments, cost centers and locations.

Business roles administrators

Administrators must be assigned to the application role Identity Management | Business roles | Administrators.

Users with this application role:

  • Assign system authorizations to business roles.

Claims-Based Authentication

One Identity Manager supports claims-based authentication as well as classic Windows authentication for logging on to the SharePoint server. Information about the SharePoint providers and authentication modes is stored in the database for this purpose. Existing SharePoint providers for claims-based authentication are loaded into the database during synchronization. Registered providers are stored for each web application.

Every user account stores which authentication mode the user with this user account uses to log in. The default authentication mode depends on whether claims-based authentication is permitted with the associated web applications.

The authentication mode is required to add user accounts to One Identity Manager. The user account login name for claims-based authentication contains a prefix that depends on which authentication mode is used. These prefixes are maintained with the authentication modes.
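As an added illustration (not code from the guide or from One Identity Manager), the following Python function classifies a SharePoint login name by its claims prefix, so that a user account's authentication mode can be determined and the underlying identity compared with an Active Directory or LDAP account or group. The prefix layout (i:/c:, the issuer character w/f/t, the provider segment) is SharePoint's own claims encoding and is assumed here; the guide itself does not list the prefixes, and the sample login names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed SharePoint claims-encoded login name layout (not from the guide):
#   <i|c>:0<claim type><value type><issuer>|[<provider>|]<value>
# "i:" marks an identity claim (a user), "c:" another claim (a group/role);
# the issuer character is w = Windows, f = forms provider, t = trusted
# identity provider. Classic-mode logins carry no prefix at all.
CLAIMS_RE = re.compile(
    r"^(?P<kind>[ic]):0(?P<ctype>.)\.(?P<issuer>[wft])\|(?P<rest>.*)$"
)


@dataclass
class SharePointLogin:
    auth_mode: str          # "classic", "windows-claims", "forms", "trusted"
    is_group: bool          # True for group/role claims ("c:" prefix)
    provider: Optional[str] # forms / trusted provider name, else None
    identity: str           # value to match against AD/LDAP (or the provider)


def parse_login_name(login: str) -> SharePointLogin:
    """Derive authentication mode and comparable identity from a login name."""
    m = CLAIMS_RE.match(login)
    if not m:
        # No claims prefix: classic Windows authentication, DOMAIN\name form.
        if "\\" not in login:
            raise ValueError(f"unrecognised login name: {login!r}")
        return SharePointLogin("classic", False, None, login)
    kind, issuer, rest = m.group("kind", "issuer", "rest")
    is_group = kind == "c"
    if issuer == "w":
        # Windows claims: rest is DOMAIN\name (users) or a group SID (groups).
        return SharePointLogin("windows-claims", is_group, None, rest)
    # Forms and trusted providers carry "<provider>|<value>" after the prefix.
    provider, sep, value = rest.partition("|")
    if not sep or not provider or not value:
        raise ValueError(f"missing provider or value in: {login!r}")
    mode = "forms" if issuer == "f" else "trusted"
    return SharePointLogin(mode, is_group, provider, value)


def default_auth_mode(web_app_allows_claims: bool) -> str:
    """Default mode for a new account: as the guide states, it depends only on
    whether the associated web application permits claims-based authentication."""
    return "windows-claims" if web_app_allows_claims else "classic"
```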
