
Identity Manager 8.0 - Administration Guide for Connecting to Cloud Applications

  • Synchronizing Cloud Applications through the Universal Cloud Interface
  • Setting up Synchronization with a Cloud Application
  • Base Data for Managing Cloud Applications
  • Cloud Applications
  • Container Structures in a Cloud Application
  • User Accounts in a Cloud Application
  • Groups in a Cloud Application
  • Permissions Controls in a Cloud Application
  • Provisioning Object Changes
  • Managing Provisioning Processes in the Web Portal
  • Additional Information for Experts
  • Appendix: Default Project Template for Cloud Applications

Synchronizing Cloud Applications through the Universal Cloud Interface

One Identity Manager supports the implementation of Identity and Access Governance demands in IT environments, which are often a mix of traditional, internally hosted applications and modern cloud applications. Users and entitlements from cloud applications can be mapped in One Identity Manager.

Data protection policies, such as the General Data Protection Regulation, require agreement as to which employee data can be stored in cloud applications. If the system environment is configured appropriately, One Identity Manager guarantees that cloud applications and their administrators have no access to employee master data or to Identity and Access Governance processes. For this reason, cloud applications are managed in two separate modules, which can be installed in separate databases if necessary.

The Universal Cloud Interface Module provides the interface through which users and permissions can be transferred from cloud applications to a One Identity Manager database. Synchronization with the cloud applications is configured and executed at this stage. Each cloud application is mapped as its own base object in One Identity Manager. The user data is saved as user accounts, groups and permissions controls and can be organized into containers. These objects cannot be edited in One Identity Manager, and no connection is made to identities (employees).

Identities are connected in the Cloud Systems Management Module, where user accounts, groups and permissions controls can be created and edited. Data is exchanged between the Universal Cloud Interface and Cloud Systems Management modules by synchronization. Provisioning processes ensure that object changes are transferred from the Cloud Systems Management Module to the Universal Cloud Interface Module.

For certain cloud applications, automated interfaces for provisioning changes from the Universal Cloud Interface Module to the cloud application cannot be used (on technical grounds) or should not be used (because there are too few changes to justify them). In this case, changes can be provisioned manually.

Because only data that must be available in the cloud application is saved in the Universal Cloud Interface Module, the module can be installed in a separate database. This database may be outside the company's infrastructure.

The cloud solution One Identity Connect For Cloud provides a simple and comprehensive solution for integrating cloud applications and for meeting the requirements of hybrid solution scenarios.

Architecture Overview

One Identity Manager provides two methods for exchanging data with a cloud application.

  • Automatic synchronization and provisioning

    The One Identity Manager SCIM connector is responsible for synchronizing a cloud application with the One Identity Manager database and for provisioning object changes from the One Identity Manager database to a cloud application. This default method ensures that target system and database data is regularly compared and therefore remains consistent.

  • Manual provisioning

    For certain cloud applications, automated interfaces for provisioning changes from the Universal Cloud Interface Module to the cloud application cannot or should not be used. Changes can be provisioned manually for cloud applications like this. You can configure synchronization with the SCIM connector for exchanging data between the cloud application and the One Identity Manager database. If One Identity Manager cannot obtain read access to the cloud application, you can set up data exchange through the CSV connector, for example.

    With this method, you carry the risk of inconsistent data and loss of data if the manual processes are not carried out. This method is, therefore, not recommended.

Figure 1: Architecture for synchronization

To access cloud applications, the SCIM connector is installed on a synchronization server. The SCIM connector can communicate with cloud applications, which understand the System for Cross-domain Identity Management (SCIM) specification. The synchronization server ensures data is compared between the One Identity Manager database and the cloud application.
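The synchronization described in the architecture overview and in the paragraph above is, at the protocol level, a comparison of the cloud application's SCIM 2.0 user list with what the database last recorded, followed by provisioning requests for the differences. The following is an added example, not code from One Identity Manager or its SCIM connector: it parses a constructed SCIM 2.0 `ListResponse`, compares it with a constructed local snapshot, and returns the SCIM requests that would bring the cloud application in line with the database. The sample users, ids and attribute subset are invented for the example; the schema URNs are the real ones from RFC 7643 and RFC 7644. Nothing is sent to any server.

```python
"""Added example (not One Identity Manager or its SCIM connector code): a
reconciliation pass over a cloud application's SCIM 2.0 user list versus a
local database snapshot, showing what "comparing target system and database
data" means and what drift a skipped synchronization leaves behind."""
import json

# Real SCIM 2.0 URNs from RFC 7643 / RFC 7644.
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Attributes this example compares (a subset of the SCIM core User schema).
ATTRS = ("userName", "active", "displayName")

# Constructed sample: the body a cloud application might return for GET /Users.
CLOUD_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 3,
    "Resources": [
        {"id": "u-100", "userName": "alice", "active": True, "displayName": "Alice Adams"},
        {"id": "u-101", "userName": "bob", "active": True, "displayName": "Bob Brown"},
        {"id": "u-102", "userName": "dave", "active": True, "displayName": "Dave Dean"},
    ],
})

# Constructed sample: the same objects as the local database last recorded them.
# bob was disabled locally, carol was created locally, and dave exists only in
# the cloud (an account the database knows nothing about).
LOCAL_SNAPSHOT = {
    "u-100": {"userName": "alice", "active": True, "displayName": "Alice Adams"},
    "u-101": {"userName": "bob", "active": False, "displayName": "Bob Brown"},
    "u-103": {"userName": "carol", "active": True, "displayName": "Carol Cole"},
}


def parse_list_response(raw):
    """Parse a SCIM 2.0 ListResponse into {id: {attr: value}}; reject other documents."""
    doc = json.loads(raw)
    if LIST_RESPONSE not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    return {r["id"]: {a: r.get(a) for a in ATTRS} for r in doc.get("Resources", [])}


def reconcile(cloud, local):
    """Compare cloud and local state and return the SCIM requests that would make
    the cloud match the local database (local is treated as authoritative, which
    is the provisioning direction described on the page). Nothing is sent."""
    ops = []
    for uid in sorted(local):
        if uid not in cloud:
            body = {"schemas": [USER_SCHEMA], **local[uid]}
            ops.append({"method": "POST", "path": "/Users", "body": body})
            continue
        patch = [{"op": "replace", "path": a, "value": local[uid][a]}
                 for a in ATTRS if cloud[uid][a] != local[uid][a]]
        if patch:
            body = {"schemas": [PATCH_OP], "Operations": patch}
            ops.append({"method": "PATCH", "path": f"/Users/{uid}", "body": body})
    for uid in sorted(set(cloud) - set(local)):
        # Objects only the cloud knows about are exactly the drift a skipped
        # synchronization leaves behind. Deleting is one policy, flagging for
        # review is another; here the request is only reported, never executed.
        ops.append({"method": "DELETE", "path": f"/Users/{uid}", "body": None})
    return ops


def work_list(ops):
    """Render the operations one per line, e.g. as a manual provisioning queue."""
    lines = []
    for o in ops:
        line = f"{o['method']} {o['path']}"
        if o["body"] is not None:
            line += " " + json.dumps(o["body"], sort_keys=True)
        lines.append(line)
    return lines


if __name__ == "__main__":
    cloud_state = parse_list_response(CLOUD_LIST_RESPONSE)
    for line in work_list(reconcile(cloud_state, LOCAL_SNAPSHOT)):
        print(line)
```

With the constructed data the pass yields three requests: a PATCH deactivating bob, a POST creating carol, and a DELETE for dave, the account that only the cloud knows about. The third case is the one the manual method in the overview leaves undetected if the manual steps are skipped; the same list, rendered by `work_list`, is what a manual provisioning queue would have to work through.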

Figure 2: Synchronization topology

One Identity Manager Users for Managing Cloud Applications

The following users are used for setting up and managing cloud applications.

Table 1: Users (columns: User, Task)

Administrators

Administrators must be assigned to the application role Universal Cloud Interface | Administrators or a sub application role.

Users with this application role:

  • Manage application roles for the Universal Cloud Interface.
  • Set up other application roles as required.
  • Configure synchronization in the Synchronization Editor and define the mapping for comparing cloud applications and One Identity Manager.
  • Edit cloud applications in the Manager.
  • Edit pending, manual provisioning processes in the Web Portal and obtain statistics.
  • Obtain information about the cloud objects in the Web Portal and the Manager.

Operators

Operators must be assigned to the application role Universal Cloud Interface | Operators or a sub application role.

Users with this application role:

  • Edit pending, manual provisioning processes in the Web Portal and obtain statistics.

Auditors

Auditors must be assigned to the application role Universal Cloud Interface | Auditors or a sub application role.

Users with this application role:

  • View manual provisioning processes in the Web Portal and obtain statistics.

One Identity Manager administrators

Users with this role:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configure schedules, as required.
  • Create and configure password policies, as required.

Setting up Synchronization with a Cloud Application

One Identity Manager supports synchronization with cloud applications that implement version 2.0 of the System for Cross-domain Identity Management (SCIM) specification. One Identity Manager provides a project template that you can use to set up synchronization for the cloud applications.

To load cloud application objects into the One Identity Manager database for the first time:

  1. Supply a user with sufficient permissions for accessing the cloud application.
  2. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  3. Create a synchronization project with the Synchronization Editor.