Criteria for employee assignment are defined in the
Search criteria are evaluated when employees are automatically assigned to user accounts. Furthermore, you can create a suggestion list for assignments of employees to user accounts based on the search criteria and make the assignment directly.
NOTE: When employees are assigned to user accounts on the basis of search criteria, user accounts are given the default manage level of the account definition entered in the user account's target system. You can customize user account properties depending on how the behavior of the manage level is defined.
Assigning employees to administrative user accounts based on search criteria is not recommended. Instead, use the task Change master data on the respective user account to assign an employee to an administrative user account.
NOTE: One Identity Manager supplies a default mapping for employee assignment. Only carry out the following steps when you want to customize the default mapping.
To specify criteria for employee assignment
| Apply to | Column on Employee | Column on User Account |
|---|---|---|
| LDAP user accounts | Central user account (CentralAccount) | Login name (UserID) |
You can create a suggestion list in the "Assignments" view for assignments of employees to user accounts based on the search criteria. User accounts are grouped in different views for this.
| View | Description |
|---|---|
| Suggested assignments | This view lists all user accounts to which One Identity Manager can assign an employee. All employees are shown who were found using the search criteria and can be assigned. |
| Assigned user accounts | This view lists all user accounts to which an employee is assigned. |
| Without employee assignment | This view lists all user accounts to which no employee is assigned and for which no employee was found using the search criteria. |
TIP: By double-clicking on an entry in the view, you can view the user account and employee master data.
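The grouping described above can be modeled offline, for example to review which accounts would receive a suggested employee and which would remain without one before applying search criteria. This is an added sketch, not One Identity Manager code: the field names `name`, `employee` and `is_admin`, the sample records, and the separate `manual_only` bucket for administrative accounts are assumptions made for illustration.

```python
from collections import defaultdict

# Illustrative model only. "name", "employee" and "is_admin" are hypothetical
# field names; the column pair comes from the search criteria table above.
CRITERIA = [("CentralAccount", "UserID")]  # (column on employee, column on user account)

# Constructed sample data.
EMPLOYEES = [
    {"name": "Alice Example", "CentralAccount": "aexample"},
    {"name": "Bob Example", "CentralAccount": "bexample"},
    {"name": "Carol Example", "CentralAccount": "cexample"},
]
ACCOUNTS = [
    {"UserID": "aexample", "employee": None},
    {"UserID": "bexample", "employee": "Bob Example"},
    {"UserID": "svc-backup", "employee": None},
    {"UserID": "cexample", "employee": None, "is_admin": True},
]


def build_views(employees, accounts, criteria=CRITERIA):
    """Group user accounts the way the suggestion list's three views do."""
    # Index employees by the values of their mapped columns.
    index = defaultdict(list)
    for emp in employees:
        key = tuple(emp.get(col) for col, _ in criteria)
        if all(key):  # skip employees with an empty criteria column
            index[key].append(emp["name"])

    views = {"suggested": {}, "assigned": {}, "without_assignment": [], "manual_only": []}
    for acc in accounts:
        uid = acc["UserID"]
        if acc.get("employee"):
            views["assigned"][uid] = acc["employee"]
        elif acc.get("is_admin"):
            # Assumption: administrative accounts are held back from matching
            # and left for manual assignment, as recommended above.
            views["manual_only"].append(uid)
        else:
            key = tuple(acc.get(col) for _, col in criteria)
            matches = index.get(key, []) if all(key) else []
            if matches:
                views["suggested"][uid] = matches
            else:
                views["without_assignment"].append(uid)
    return views


if __name__ == "__main__":
    for view, content in build_views(EMPLOYEES, ACCOUNTS).items():
        print(view, content)
```

Accounts that land in `without_assignment` have no owner by either route and are the ones to review first.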
To apply search criteria to user accounts
All possible assignments based on the search criteria are found in the target system for all user accounts. The three views are updated.
To assign employees directly over a suggestion list
The selected user accounts are assigned to the employees found using the search criteria.
– OR –
This assigns the selected user accounts to the employees shown in the "Employee" column.
To remove assignments
The assigned employees are deleted from the selected user accounts.
For more detailed information about defining search criteria, see the One Identity Manager Target System Base Module Administration Guide.
| Configuration parameter | Description |
|---|---|
| QER\Person\TemporaryDeactivation | This configuration parameter specifies whether user accounts for an employee are locked if the employee is temporarily or permanently disabled. |
The way you
User accounts managed through account definitions are
User accounts managed through user account definitions are
To lock a user account when the configuration parameter is disabled
To lock a user account that is not linked to an employee
For more detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.
NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account created through this account definition is deleted.
To delete a user account
To restore a user account
By default, user accounts are finally deleted from the database after 30 days. The user accounts are initially disabled. You can reenable the user accounts until deferred deletion is run. After deferred deletion is run, the user accounts are deleted from the database and can no longer be restored. You can configure an alternative delay on the table LDAPAccount in the Designer.
You can collect user accounts, contacts, computers and groups into groups that can be used to regulate access to resources in the LDAP directory. In One Identity Manager, you can set up new groups or edit existing groups.
To add users to groups, you assign the groups directly to users. This can be assignments of groups to departments, cost centers, locations, business roles or to the IT Shop.
To edit group master data
- OR -
Click in the result list toolbar.