Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting to Custom Target Systems

Managing Custom Target Systems Setting up Script Controlled Data Provisioning in a Custom Target System Base Data for Custom Target Systems Setting up a Custom Target System Container Structures in a Custom Target System User Accounts in a Custom Target System Groups in a Custom Target System Entering Permissions Controls Reports about Custom Target Systems Appendix: Configuration Parameters for Managing Custom Target Systems

Additional Tasks for Managing Groups

After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.

Overview of Groups

Use this task to obtain an overview of the most important information about a group.

To obtain an overview of a group

  1. Select the category Custom target systems | <target system> | Groups.
  2. Select the group in the result list.
  3. Select Group overview in the task view.

Adding Groups to Groups

Adding Groups to Groups

Use this task to add a group to another group. Only groups from the same target system can be assigned.

To assign groups directly to a group

  1. Select the category Custom target systems | <target system> | Groups.
  2. Select the group in the result list.
  3. Select Assign groups in the task view.
  4. Assign child groups of the selected group in Add assignments.

    - OR -

    Remove assignments to groups in Remove assignments.

  5. Save the changes.

Effectiveness of Group Memberships

Effectiveness of Group Memberships

Table 32: Configuration Parameter for Conditional Inheritance
Configuration parameter Active Meaning

QER\Structures\Inherite\GroupExclusion

Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. The database has to be recompiled after changes have been made to the parameter.

When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group directly, indirectly or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
  • One Identity Manager does not check whether membership of an excluded group is permitted in another group.

The effect of the assignments is mapped in the tables UNSAccountBInUNSGroupB and BaseTreeHasUNSGroupB through the column XIsInEffect.

Example of the effect of group memberships
  • Group A is defined with permissions for triggering requests in a target system. A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the department "Marketing", group B through "Finance" and group C through the business role "Control group".

Clara Harris has a user account in this target system. She primarily belongs to the department "marketing". The business role "Control group" and the department "Finance" are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B and C.

By using suitable controls, you want to prevent an employee from being able to trigger a request and to pay invoices. That means, groups A, B and C are mutually exclusive. An employee that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.

Table 33: Specifying excluded groups (table UNSGroupBExclusion)
Effective Group Excluded Group
Group A
Group B Group A
Group C Group B
Table 34: Effective Assignments
Employee Member in Role Effective Group
Ben King Marketing Group A
Jan Bloggs Marketing, finance Group B
Clara Harris Marketing, finance, control group Group C
Jenny Basset Marketing, control group Group A, Group C

Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the business role "control group" at a later date, group B also takes effect.

The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. That means that the employee is authorized to trigger request and to check invoices. If this should not be allowed, define further exclusion for group C.

Table 35: Excluded groups and effective assignments
Employee Member in Role Assigned Group Excluded Group Effective Group

Jenny Basset

 

Marketing Group A  

Group C

 

Control group Group C Group B

Group A

Prerequisites
  • The configuration parameter "QER\Inherite\GroupExclusion" is enabled.
  • Mutually exclusive groups belong to the same target system or the same target system type.

NOTE: Groups, which are mutually exclusive, are determined within a target system type independently of the target system. The features must be taken into account in the definition of exclusion.

To exclude a group

  1. Select the category Custom target systems | <target system> | Groups.
  2. Select a group in the result list.
  3. Select Exclude groups in the task view.
  4. Assign the groups that are mutually exclusive to the selected group in Add assignments.

    - OR -

    Remove the conflicting groups that are no longer mutually exclusive in Remove assignments.

  5. Save the changes.
Related Documents