Identity Manager 8.0.1 - Target System Base Module Administration Guide

Basic Mechanisms for Employee and User Account Administration

The central task of One Identity Manager is to map employees and their master data to the permissions through which they have control over different target systems. For this purpose, information about user accounts and permissions can be read from the target system into the One Identity Manager database and linked to employees. This gives an overview of the permissions of each employee in all of the connected target systems. One Identity Manager makes it possible to manage user accounts and their permissions, and you can provision modifications in the target systems. Employees are supplied with the necessary permissions in the connected target systems according to their function in the company. Regular synchronization keeps data consistent between the target systems and the One Identity Manager database.

Because requirements vary between companies, One Identity Manager offers different methods for supplying user accounts to employees. One Identity Manager supports the following methods for linking employees and their user accounts.

  • Employees can automatically obtain their user accounts through One Identity Manager account definitions.
  • When user accounts are inserted in the One Identity Manager, they can be automatically assigned to an existing employee or a new employee can be created if necessary.
  • Employee and user account data in the One Identity Manager can be manually entered and assigned to each other.

Employee and User Account Administration

The requirements of a company’s user administration are often different not only in the existing target system types, but also in the individual target systems of a target system type.

Requirements for user account administration might be, for example:

Target system type Active Directory with Microsoft Exchange

  • In domain A, a user account should be automatically created for each internal employee. The information for the container and home server is based on the department and the location of the person. Each user account in the domain is automatically allocated a Microsoft Exchange mailbox.
  • In domain B, the user accounts are administered independently of the employee data. Microsoft Exchange mailboxes can only be allocated by requesting them in the IT Shop.

Target system type IBM Notes

  • All members of the sales department are automatically allocated an IBM Notes mailbox. Members of other departments can request an IBM Notes mailbox. The attributes of the IBM Notes mailbox are determined depending on the member’s department.

Target system type SAP R/3

  • All members of the personnel department are automatically allocated a user account in an SAP Client 101.
  • The members of the purchasing department are automatically allocated a user account in the SAP Client 102 the moment they are assigned their appropriate role.
  • The user accounts for the SAP Client 103 are allocated exclusively through a request process.

One Identity Manager uses different mechanisms to assign user accounts to employees.

Initial Assignment of User Accounts

The user accounts are initially read into One Identity Manager from a target system through synchronization. In doing so, existing employees can automatically be assigned to the user accounts, and new employees can be created and assigned to user accounts if necessary. The criteria for these automatic assignments are defined on a company-specific basis. The extent of the attributes an employee passes on to their user account through account definitions can be changed after the user accounts have been checked, so that user accounts are not lost through system changes. User account verification can be carried out manually or by using scripts.

Assigning User Accounts during Work Hours

One Identity Manager uses special account definitions for allocating user accounts to employees during working hours. Account definitions can be created for each target system of the appointed target system type, for example, the different domains of an Active Directory environment or the individual clients of an SAP R/3 system. A priority is applied to the account definitions in order to ensure that a Microsoft Exchange mailbox, for instance, is only created when an Active Directory user account is available.

An employee can obtain a user account through the integrated inheritance mechanism, either by direct assignment of account definitions to the employee or by assignment of account definitions to departments, cost centers, locations, or business roles. All company employees can be allocated special account definitions independently of their affiliation to departments, cost centers, locations, or business roles. Account definitions can also be made available as requestable items in the IT Shop; a department manager can then request user accounts for their staff from the Web Portal.

Treatment of User Accounts and Personal Data during Disabling

The handling of personal data, particularly during the long-term or temporary absence of an employee, differs from company to company. Some companies never delete personal data but only disable it when the person leaves the company. Other companies delete the personal data, but only after they are sure that all of the user accounts have been deleted.

Handling Employees and User Accounts

The requirements of a company’s user administration are often different not only in the existing target system types, but also in the individual target systems of a target system type. Even within a target system, there may be different rules for different user groups. For example, different rules for allocating user accounts can apply in the individual domains within an Active Directory environment.

A requirement could look like the following, for example:

  • In domain A, the user accounts are administered independently of employee data.
  • In domain B, the user accounts are linked to an employee. However, employee master data should not be transferred to the user accounts.
  • In domain C, a user account should be automatically created for each internal employee. The information for the container, home server and profile server are based on the employee's department and location.

In order to fulfill the individual requirements of user administration, users can be divided into categories:

  • Unlinked

    The user account is not linked to an employee.

  • Linked

    The user account is linked to an employee.

  • Linked configured

    The user accounts are linked to the employee. The effect of the link and the scope of the employee’s inherited properties on the user accounts can be configured through an account definition and its manage levels.

    One Identity Manager supplies a default configuration with the manage levels:

    • Unmanaged

      The user accounts are assigned to an employee but do not inherit other properties from the employee.

    • Full managed

      The user accounts are assigned to an employee and inherit the employee’s properties.

The following figure illustrates the transitions between user account states and shows the default mechanisms for employee and user account administration that are integrated in One Identity Manager.

Figure 1: Transition States for a User Account

Manually Adding a User Account

  • Case 1: In order to manage a user account independently from employee data, the user account is added manually and is not assigned to an employee. The user account is therefore not linked to an employee and has the state "Unlinked".
  • Case 2: If the user account is manually linked to an employee when it is added, the user account enters the "Linked" state.
  • Case 3: If an employee is assigned when the user account is added and an account definition is assigned at the same time, the user account enters the "Linked configured" state. The state "Linked configured: Unmanaged" or "Linked configured: Full managed" is attained depending on the manage level in use.

Editing an Existing User Account

  • Case 4: If an existing user account is manually assigned to an employee, the state of the user account changes from "Unlinked" to "Linked".
  • Case 5: If an existing user account is manually assigned to an employee and an account definition is assigned at the same time, the state of the user account changes from "Unlinked" to "Linked configured". The state "Linked configured: Unmanaged" or "Linked configured: Full managed" is attained depending on the manage level in use.
  • Case 6: When One Identity Manager goes live, you can create IT Shop requests for existing user accounts that are linked with employees (state "Linked"). This assigns an account definition, and the user account enters the "Linked configured" state. The state "Linked configured: Unmanaged" or "Linked configured: Full managed" is attained depending on the manage level in use.

Changing the Manage Level

  • Cases 7 and 8: By changing the manage level, an existing user account can change from the state "Linked configured: Unmanaged" to the state "Linked configured: Full managed" and the reverse. The manage level can only be changed for user accounts that are associated with an employee.

Removing Employee Assignments

  • Case 9: By deleting the employee entry in a linked user account, the state of the user account becomes "Unlinked".

Note: The employee entry cannot be removed from user accounts in the "Linked configured" state as long as the employee owns an account definition. Removing an employee's account definition results immediately in the deletion of the user accounts.

Handling User Accounts during Synchronization

  • Case 10: When a database is synchronized with a target system, the user accounts are always added without an associated employee and therefore have an initial state of "Unlinked". An employee can be assigned afterwards. This can be done manually or through automated employee assignment using process handling.

Assigning Employees Automatically to Existing User Accounts

  • Case 11: One Identity Manager can automatically assign employees to user accounts in the "Unlinked" state. If the target system is assigned an account definition, this account definition is automatically assigned to the employees. The state "Linked configured: Unmanaged" or "Linked configured: Full managed" is attained depending on the manage level in use. Automatic employee assignment can follow on from adding or updating user accounts through synchronization or from manually adding a user account. For more information, see Automatic Assignment of Employees to User Accounts.

Automatically Creating User Accounts through Account Definitions

  • Case 12: Account definitions are implemented to automatically assign user accounts to employees during normal working hours. If an employee does not have a user account in the target system, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism, followed by process handling. The manage level is set to the default manage level, and the user account has the state "Linked configured". The state "Linked configured: Unmanaged" or "Linked configured: Full managed" is attained depending on the manage level in use. For more information, see Account Definitions and Manage Levels.
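The twelve cases above and the note after case 9 together define a small state machine over three attributes of a user account: the linked employee, the assigned account definition, and the manage level. The following Python model is an added example written for this page, not code from One Identity Manager; it encodes each transition as a function and enforces the two restrictions the text names (the manage level can only be changed for an account linked to an employee, and the employee entry cannot be removed while that employee still owns the account definition). The "Deleted" state, the `deleted` flag, and the matching criterion used by `auto_assign` (login equals employee name) are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class ManageLevel(Enum):
    UNMANAGED = "Unmanaged"
    FULL_MANAGED = "Full managed"


@dataclass
class Employee:
    name: str
    # Account definitions the employee currently owns (directly or by inheritance).
    account_definitions: set = field(default_factory=set)


@dataclass
class UserAccount:
    login: str
    employee: Optional[Employee] = None
    account_definition: Optional[str] = None
    manage_level: Optional[ManageLevel] = None
    deleted: bool = False  # assumption: models the deletion described in the note after case 9

    def state(self) -> str:
        """Derive the Figure 1 state from the three linking attributes."""
        if self.deleted:
            return "Deleted"  # assumption: terminal state after the account definition is withdrawn
        if self.employee is None:
            return "Unlinked"
        if self.account_definition is None:
            return "Linked"
        return f"Linked configured: {self.manage_level.value}"


def add_account(login, employee=None, account_definition=None, level=None) -> UserAccount:
    """Cases 1 to 3: manual creation, optionally with an employee and an account definition."""
    if account_definition is not None and (employee is None or level is None):
        raise ValueError("an account definition needs both an employee and a manage level")
    if account_definition is not None:
        employee.account_definitions.add(account_definition)
    return UserAccount(login, employee, account_definition, level)


def assign_employee(acct, employee, account_definition=None, level=None) -> str:
    """Cases 4, 5 and 11: link an Unlinked account, optionally assigning an account definition."""
    if acct.employee is not None:
        raise ValueError("account is already linked")
    if account_definition is not None and level is None:
        raise ValueError("a manage level is required together with an account definition")
    acct.employee, acct.account_definition, acct.manage_level = employee, account_definition, level
    if account_definition is not None:
        employee.account_definitions.add(account_definition)
    return acct.state()


def request_account_definition(acct, account_definition, level) -> str:
    """Case 6: an IT Shop request on a Linked account assigns an account definition."""
    if acct.employee is None:
        raise ValueError("only accounts linked to an employee can receive an account definition")
    acct.account_definition, acct.manage_level = account_definition, level
    acct.employee.account_definitions.add(account_definition)
    return acct.state()


def change_manage_level(acct, level) -> str:
    """Cases 7 and 8: only for accounts associated with an employee and an account definition."""
    if acct.employee is None or acct.account_definition is None:
        raise ValueError("the manage level can only be changed for Linked configured accounts")
    acct.manage_level = level
    return acct.state()


def remove_employee(acct) -> str:
    """Case 9 with the note's restriction: refuse while the employee still owns the definition."""
    if acct.account_definition is not None and acct.account_definition in acct.employee.account_definitions:
        raise ValueError("remove the account definition from the employee first")
    acct.employee, acct.account_definition, acct.manage_level = None, None, None
    return acct.state()


def remove_account_definition(employee, account_definition, accounts) -> List[str]:
    """Note after case 9: withdrawing the account definition deletes the matching user accounts."""
    employee.account_definitions.discard(account_definition)
    deleted = []
    for acct in accounts:
        if acct.employee is employee and acct.account_definition == account_definition:
            acct.deleted = True
            deleted.append(acct.login)
    return deleted


def synchronize(target_logins) -> List[UserAccount]:
    """Case 10: accounts read from the target system always start as Unlinked."""
    return [UserAccount(login) for login in target_logins]


def auto_assign(accounts, employees_by_login, target_definition=None,
                default_level=ManageLevel.UNMANAGED) -> Dict[str, str]:
    """Case 11: link Unlinked accounts to employees; apply the target system's definition if any."""
    result = {}
    for acct in accounts:
        emp = employees_by_login.get(acct.login)  # assumption: login equals employee name
        if acct.state() != "Unlinked" or emp is None:
            continue
        if target_definition is not None:
            result[acct.login] = assign_employee(acct, emp, target_definition, default_level)
        else:
            result[acct.login] = assign_employee(acct, emp)
    return result
```

Every function returns the resulting state string, so a migration script can assert the expected transition after each step and stop on the first account that does not end up where the runbook says it should. The refusal in `remove_employee` is the check worth copying: it prevents silently orphaning an account that an account definition still governs.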

Using Account Definitions to Create User Accounts

One Identity Manager has account definitions for automatically allocating user accounts to employees during working hours. You can create account definitions for every target system. If an employee does not have a user account in the target system, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism followed by process handling.

The data for the user accounts in the respective target system comes from the basic employee data. Which IT operating data is applied to the employee's user account is controlled through the employee's primary assignment to a location, a department, a cost center, or a business role. The data itself is determined by templates; the default installation includes predefined templates for determining the data required for user accounts, and you can customize these templates as required.
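The following Python example, added here and not taken from One Identity Manager, works through the two mechanisms this section and "Assigning User Accounts during Work Hours" describe: an employee's effective account definitions are the union of direct assignments, those inherited from the department, and company-wide ones; the missing accounts are created in priority order; and a template fills the account's attributes from the employee's department and location. The `requires` field, used to hold back the Exchange mailbox until the Active Directory account exists, the definition names, the priorities, and the department-to-definition mapping are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Employee:
    name: str
    department: str
    location: str
    direct_definitions: Set[str] = field(default_factory=set)  # assigned directly to the employee


@dataclass
class AccountDefinition:
    name: str
    target_system: str
    priority: int                 # lower value is processed first
    requires: Optional[str]       # assumption: a definition whose account must already exist
    template: Callable[[Employee], Dict[str, str]]


# Constructed templates: the container follows the department, the servers follow the location.
def ad_template(emp: Employee) -> Dict[str, str]:
    return {"login": emp.name,
            "container": f"OU={emp.department},DC=domainA,DC=example",
            "home_server": f"fs-{emp.location.lower()}"}


def exchange_template(emp: Employee) -> Dict[str, str]:
    return {"mailbox": f"{emp.name}@domainA.example", "store": f"mbx-{emp.location.lower()}"}


def sap_template(emp: Employee) -> Dict[str, str]:
    return {"user": emp.name.upper(), "client": "101"}


# Constructed account definitions; the mailbox depends on the domain A user account.
DEFINITIONS = {
    "AD_DomainA": AccountDefinition("AD_DomainA", "Active Directory domain A", 10, None, ad_template),
    "EXCH_DomainA": AccountDefinition("EXCH_DomainA", "Microsoft Exchange", 20, "AD_DomainA", exchange_template),
    "SAP_101": AccountDefinition("SAP_101", "SAP client 101", 30, None, sap_template),
}

# Constructed assignment data: definitions inherited via the department, plus one for all employees.
DEPARTMENT_DEFINITIONS = {"Personnel": {"AD_DomainA", "SAP_101"}, "Sales": {"AD_DomainA"}}
COMPANY_WIDE_DEFINITIONS = {"EXCH_DomainA"}


def effective_definitions(emp: Employee) -> Set[str]:
    """Inheritance: direct assignments, the department's definitions and the company-wide ones."""
    return (emp.direct_definitions
            | DEPARTMENT_DEFINITIONS.get(emp.department, set())
            | COMPANY_WIDE_DEFINITIONS)


def provision(emp: Employee, existing: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Create the accounts the employee lacks, in priority order.

    A definition whose prerequisite account does not exist yet is skipped, so an
    Exchange mailbox is never created ahead of its Active Directory user account.
    `existing` maps definition name to the account already present and is updated in place.
    """
    created = {}
    for name in sorted(effective_definitions(emp), key=lambda n: DEFINITIONS[n].priority):
        if name in existing:
            continue
        definition = DEFINITIONS[name]
        if definition.requires and definition.requires not in existing:
            continue  # prerequisite missing; the definition is picked up on a later run
        account = definition.template(emp)
        existing[name] = account
        created[name] = account
    return created
```

Running `provision` twice for the same employee creates nothing on the second run, which is the property a scheduled process handler relies on. An employee who inherits only the company-wide mailbox definition gets no mailbox until a domain A account exists through some other assignment, which is exactly the ordering the priority mechanism is meant to guarantee.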
