
Identity Manager 8.0 - Administration Guide for Connecting to LDAP


Changing the Manage Level of an LDAP User Account

The default manage level is applied when user accounts are created through automatic employee assignment. You can change the manage level of a user account later.

To change the manage level for a user account

  1. Select the category LDAP | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Select the manage level in the Manage level menu on the tab General.
  5. Save the changes.

Assigning LDAP Groups Directly to LDAP User Accounts

Groups can be assigned directly or indirectly to a user account. Indirect assignment is carried out by allocating the employee and the groups to hierarchical roles, such as departments, cost centers, locations or business roles. If the employee has a user account in LDAP, the groups in the role are inherited by this user account.

To react quickly to special requests, you can assign groups directly to the user account.

NOTE: User accounts cannot be manually added to dynamic groups. Memberships in a dynamic group are determined through the condition of the dynamic group.

To assign groups directly to user accounts

  1. Select the category LDAP | User accounts.
  2. Select the user account in the result list.
  3. Select Assign groups in the task view.
  4. Assign groups in Add assignments.

    - OR -

    Remove groups from Remove assignments.

  5. Save the changes.

Assigning Extended Properties to an LDAP User Account

Extended properties are meta objects that cannot be mapped directly in the One Identity Manager, for example, operating codes, cost codes or cost accounting areas.

To specify extended properties for a user account

  1. Select the category LDAP | User accounts.
  2. Select the user account in the result list.
  3. Select Assign extended properties in the task view.
  4. Assign extended properties in Add assignments.

    - OR -

    Remove assignments to extended properties in Remove assignments.

  5. Save the changes.

For more detailed information about using extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

Automatic Assignment of Employees to LDAP User Accounts

Table 37: Configuration Parameters for Automatic Employee Assignment

Configuration parameter                       Meaning
TargetSystem\LDAP\PersonAutoFullsync          Specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.
TargetSystem\LDAP\PersonAutoDefault           Specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.
TargetSystem\LDAP\PersonAutoDisabledAccounts  Specifies whether employees are automatically assigned to disabled user accounts. Such user accounts do not obtain an account definition.

When you add a user account, an existing employee can be assigned automatically or, if necessary, a new employee can be created. In that case, the employee master data is created from the existing user account master data. This mechanism can follow on after a new user account has been created manually or through synchronization. Define the criteria for finding employees that apply to automatic employee assignment. If a user account is linked to an employee through the current mode, an internal process gives the user account the default manage level of the account definition entered in the user account's target system. You can customize user account properties depending on how the behavior of the manage level is defined.

If you enable this procedure during working hours, automatic assignment of employees to user accounts takes place from that moment onwards. If you disable the procedure again later, the change only affects user accounts added or updated after that point in time. Existing employee assignments to user accounts remain intact.

NOTE: It is not recommended to assign employees to administrative user accounts using automatic employee assignment. Use the task Change master data to assign employees to administrative user accounts individually.

Run the following tasks to assign employees automatically.

  • If employees are to be assigned to user accounts during synchronization, set the parameter "TargetSystem\LDAP\PersonAutoFullsync" in the Designer and select the required mode.
  • If employees are to be assigned to user accounts outside synchronization, set the parameter "TargetSystem\LDAP\PersonAutoDefault" in the Designer and select the required mode.
  • Use the configuration parameter "TargetSystem\LDAP\PersonAutoDisabledAccounts" to specify whether employees can be automatically assigned to disabled user accounts. Such user accounts do not obtain an account definition.
  • Assign an account definition to the domain. Ensure the manage level to be used is entered as default automation level.
  • Define the search criteria for employees assigned to the domain.

NOTE:

The following applies for synchronization:

  • Automatic employee assignment takes effect if user accounts are added or updated.

The following applies outside synchronization:

  • Automatic employee assignment takes effect if user accounts are added.

NOTE: In the default installation, employees are automatically created for user accounts following synchronization. If there are no account definitions for the domain at the time of synchronization, user accounts are linked to employees, but no account definitions are assigned. The user accounts are, therefore, in a "Linked" state.

To select user accounts through account definitions

  1. Create an account definition.
  2. Assign an account definition to the domain.
  3. Assign the account definition and manage level to the user accounts in a "linked" state.
    1. Select the category LDAP | User accounts | Linked but not configured | <Domain>.
    2. Select the task Assign account definition to linked accounts.

For more detailed information about assigning employees automatically, see the One Identity Manager Target System Base Module Administration Guide.
