Identity Manager 8.0 - Administration Guide for Connecting to Exchange Online


Adding Account Definitions in the IT Shop

An account definition can be requested by shop customers when it is assigned to an IT Shop shelf. To ensure it can be requested, the following prerequisites must also be met.

  • The account definition must be labeled with the IT Shop option.
  • The account definition must be assigned to a service item.
  • If the account definition is only assigned to employees using IT Shop assignments, you must also set the option Only for use in IT Shop. Direct assignment to hierarchical roles may not be possible.

NOTE: IT Shop administrators can assign account definitions to IT Shop shelves if login is role-based. Target system administrators are not authorized to add account definitions in the IT Shop.

To add an account definition to the IT Shop

  1. Select the category Azure Active Directory | Basic configuration data | Account definitions (non role-based login).

    - OR -

    Select the category Entitlements | Account definitions (role-based login).

  2. Select an account definition in the result list.
  3. Select Add to IT Shop in the task view.
  4. Assign the account definition to the IT Shop shelf in Add assignments.
  5. Save the changes.

To remove an account definition from individual IT Shop shelves

  1. Select the category Azure Active Directory | Basic configuration data | Account definitions (non role-based login).

    - OR -

    Select the category Entitlements | Account definitions (role-based login).

  2. Select an account definition in the result list.
  3. Select Add to IT Shop in the task view.
  4. Remove the account definition from the IT Shop shelves in Remove assignments.
  5. Save the changes.

To remove an account definition from all IT Shop shelves

  1. Select the category Azure Active Directory | Basic configuration data | Account definitions (non role-based login).

    - OR -

    Select the category Entitlements | Account definitions (role-based login).

  2. Select an account definition in the result list.
  3. Select Remove from all shelves (IT Shop) in the task view.
  4. Confirm the security prompt with Yes.
  5. Click OK.

    The account definition is removed from all shelves by the One Identity Manager Service. All requests and assignment requests with this account definition are canceled in the process.

For more detailed information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Assigning Account Definitions to a Target System

The following prerequisites must be fulfilled if you implement automatic assignment of user accounts and employees resulting in administered user accounts (state "Linked configured"):

  • The account definition is assigned to the target system.
  • The account definition has the default manage level.

User accounts are only linked to the employee (state "Linked") if no account definition is given. This is the case on initial synchronization, for example.

To assign the account definition to a target system

  1. Select the tenant in the category Azure Active Directory | Tenants.
  2. Select Change master data in the task view.
  3. Select the account definition for user accounts from Account definition (initial).
  4. Select the account definition for e-mail contacts from E-mail contact definition (initial).
  5. Select the account definition for e-mail users from E-mail user definition (initial).
  6. Save the changes.

Deleting an Account Definition

You can delete account definitions if they are not assigned to target systems, employees, hierarchical roles or any other account definitions.

NOTE: If an account definition is deleted, the user accounts arising from this account definition are deleted.

To delete an account definition

  1. Remove automatic assignments of the account definition from all employees.
    1. Select the category Azure Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Change master data in the task view.
    4. Disable the option Automatic assignment to employees on the General tab.
    5. Save the changes.
  2. Remove direct assignments of the account definition to employees.
    1. Select the category Azure Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Assign to employees in the task view.
    4. Remove employees from Remove assignments.
    5. Save the changes.
  3. Remove the account definition's assignments to departments, cost centers and locations.
    1. Select the category Azure Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Assign organizations.
    4. Remove the account definition's assignments to departments, cost centers and locations in Remove assignments.
    5. Save the changes.
  4. Remove the account definition's assignments to business roles.
    1. Select the category Azure Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Assign business roles in the task view.
    4. Remove business roles from Remove assignments.
    5. Save the changes.
  5. If the account definition was requested through the IT Shop, it must be canceled and removed from all IT Shop shelves. For more detailed information, see the One Identity Manager IT Shop Administration Guide.
  6. Remove the account definition assignment as required account definition for another account definition. As long as the account definition is required for another account definition, it cannot be deleted. Check all the account definitions.
    1. Select the category Azure Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Select Change master data in the task view.
    4. Remove the account definition from the Required account definition menu.
    5. Save the changes.
  7. Remove the account definition's assignments to target systems.
    1. Select the tenant in the category Azure Active Directory | Tenants.
    2. Select Change master data in the task view.
    3. Remove the assigned account definitions on the General tab.
    4. Save the changes.
  8. Delete the account definition.
    1. Select the category Azure Active Directory | Basic configuration data | Account definitions | Account definitions.

    2. Select an account definition in the result list.
    3. Click , to delete the account definition.

Target System Managers

For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.

Implementing Application Roles for Target System Managers
  1. The One Identity Manager administrator assigns employees to be target system managers.
  2. These target system managers add employees to the default application role for target system managers.

    Target system managers with the default application role are entitled to edit all Exchange Online objects in One Identity Manager.

  3. Target system managers can authorize more employees as target system managers within their scope of responsibilities, create other child application roles, and assign them to individual tenants.

Table 14: Default Application Roles for Target System Managers

User: Target System Managers

Task:

Target system managers must be assigned to the application role Target systems | Exchange Online or a sub application role.

Users with this application role:

  • Assume administrative tasks for the target system.
  • Create, change or delete target system objects, like user accounts or groups.
  • Edit password policies for the target system.
  • Prepare groups for adding to the IT Shop.
  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
  • Edit the synchronization's target system types and outstanding objects.
  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

To initially specify employees to be target system administrators

  1. Log in to the Manager as One Identity Manager administrator (application role Base role | Administrators).
  2. Select the category One Identity Manager Administration | Target systems | Administrators.
  3. Select Assign employees in the task view.
  4. Assign the employee you want and save the changes.

To add the first employees to the default application role as target system managers

  1. Log in to the Manager as target system administrator (application role Target systems | Administrator).
  2. Select the category One Identity Manager Administration | Target systems | Exchange Online.
  3. Select Assign employees in the task view.
  4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

  1. Log in to the Manager as target system manager.
  2. Select the application role in the category Azure Active Directory | Basic configuration data | Target system managers.
  3. Select Assign employees in the task view.
  4. Assign the employees you want and save the changes.

To define target system managers for individual tenants

  1. Log in to the Manager as target system manager.
  2. Select the category Azure Active Directory | Tenants.
  3. Select the tenant from the result list.
  4. Select Change master data in the task view.
  5. Select the application role on the General tab in the Target system manager (Exchange Online) menu.

    - OR -

    Click next to the Target system manager (Exchange Online) menu to create a new application role.

    • Enter the application role name and assign the parent application role Target system | Exchange Online.
    • Click OK to add the new application role.
  6. Save the changes.
  7. Assign the application role to employees who are authorized to edit the tenant in One Identity Manager.