
Identity Manager 8.0 - Administration Guide for Connecting to LDAP


Editing Search Criteria for Automatic Employee Assignment

Criteria for employee assignment are defined in the domain. In this case, you specify which user account properties must match the employee’s properties such that the employee can be assigned to the user account. You can limit search criteria further by using format definitions. The search criteria are written in XML notation in the column "Search criteria for automatic employee assignment" (AccountToPersonMatchingRule) of the LDAPDomain table.

Search criteria are evaluated when employees are automatically assigned to user accounts. Furthermore, you can create a suggestion list for assignments of employees to user accounts based on the search criteria and make the assignment directly.

NOTE: When the employees are assigned to user accounts on the basis of search criteria, user accounts are given the default manage level of the account definition entered in the user account's target system. You can customize user account properties depending on how the behavior of the manage level is defined.

It is not recommended to make assignments to administrative user accounts based on search criteria. Use the task Change master data to assign employees to administrative user accounts for the respective user account.

NOTE: One Identity Manager supplies a default mapping for employee assignment. Only carry out the following steps when you want to customize the default mapping.

To specify criteria for employee assignment

  1. Select the category LDAP | Domains.
  2. Select the domain in the result list.
  3. Select Define search criteria for employee assignment in the task view.
  4. Specify which user account properties must match with which employee so that the employee is linked to the user account.
    Table 38: Default Search Criteria for User Accounts

    | Apply to           | Column on Employee               | Column on User Account |
    |--------------------|----------------------------------|------------------------|
    | LDAP user accounts | Central user account (CentralAccount) | Login name (UserID) |
  5. Save the changes.
Direct Assignment of Employees to User Accounts Based on a Suggestion List

You can create a suggestion list in the "Assignments" view for assignments of employees to user accounts based on the search criteria. User accounts are grouped in different views for this.

Table 39: Manual Assignment View

| View                        | Description |
|-----------------------------|-------------|
| Suggested assignments       | This view lists all user accounts to which One Identity Manager can assign an employee. All employees are shown who were found using the search criteria and can be assigned. |
| Assigned user accounts      | This view lists all user accounts to which an employee is assigned. |
| Without employee assignment | This view lists all user accounts to which no employee is assigned and for which no employee was found using the search criteria. |

TIP: By double-clicking on an entry in the view, you can view the user account and employee master data.

To apply search criteria to user accounts

  • Click Reload.

    All possible assignments based on the search criteria are found in the target system for all user accounts. The three views are updated.

To assign employees directly over a suggestion list

  1. Click Suggested assignments.
    1. Click Select for all user accounts to be assigned to the suggested employee. Multi-select is possible.
    2. Click Assign selected.
    3. Confirm the security prompt with Yes.

      The selected user accounts are assigned to the employees found using the search criteria.

    – OR –

  2. Click No employee assignment.
    1. Click Select employee... for the user account to which you want to assign the employee. Select an employee from the menu.
    2. Click Select for all user accounts to which you want to assign the selected employees. Multi-select is possible.
    3. Click Assign selected.
    4. Confirm the security prompt with Yes.

      This assigns the selected user accounts to the employees shown in the "Employee" column.

To remove assignments

  1. Click Assigned user accounts.
    1. Click Select for all user accounts whose employee assignment you want to remove. Multi-select is possible.
    2. Click Delete selected.
    3. Confirm the security prompt with Yes.

      The assigned employees are deleted from the selected user accounts.

For more detailed information about defining search criteria, see the One Identity Manager Target System Base Module Administration Guide.
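The following is an added illustration, not One Identity Manager code and not the product's XML rule format: it applies the default search criterion from Table 38 (employee CentralAccount equals user account UserID) to a constructed set of employees and LDAP user accounts, sorts the accounts into the three views of Table 39, and applies the assignments for a selected subset of the "Suggested assignments" view. All identifiers (p1, a1, jdoe and so on) are constructed sample data. Two points go beyond the text and are assumptions: login names are compared case-insensitively, and an account whose login name matches more than one employee is treated as unmatched rather than suggested, so an administrator has to resolve the duplicate explicitly.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    uid_person: str
    central_account: str  # corresponds to Person.CentralAccount


@dataclass
class LdapAccount:
    uid_account: str
    user_id: str                      # corresponds to LDAPAccount.UserID (login name)
    uid_person: Optional[str] = None  # set once an employee is assigned


# Constructed sample data with hypothetical identifiers.
EMPLOYEES: List[Employee] = [
    Employee("p1", "jdoe"),
    Employee("p2", "asmith"),
    Employee("p3", "bwong"),
    Employee("p4", "bwong"),  # duplicate central account: ambiguous match
]


def sample_accounts() -> List[LdapAccount]:
    """Return a fresh copy of the constructed sample accounts for each run."""
    return [
        LdapAccount("a1", "JDoe"),                     # differs from p1 only in case
        LdapAccount("a2", "asmith", uid_person="p2"),  # already assigned
        LdapAccount("a3", "bwong"),                    # two candidate employees
        LdapAccount("a4", "svc-backup"),               # no employee at all
    ]


def normalize(value: str) -> str:
    # Assumption for this example: login names compare case-insensitively.
    return value.strip().lower()


def find_matches(account: LdapAccount, employees: List[Employee],
                 rule=("central_account", "user_id")) -> List[Employee]:
    """Employees whose rule[0] column equals the account's rule[1] column."""
    emp_col, acc_col = rule
    key = normalize(getattr(account, acc_col))
    return [e for e in employees if normalize(getattr(e, emp_col)) == key]


def build_views(accounts: List[LdapAccount], employees: List[Employee]) -> Dict[str, list]:
    """Sort accounts into the three views of the manual assignment dialog."""
    views: Dict[str, list] = {"suggested": [], "assigned": [], "without": []}
    for acc in accounts:
        if acc.uid_person is not None:
            views["assigned"].append(acc)
            continue
        matches = find_matches(acc, employees)
        if len(matches) == 1:
            views["suggested"].append((acc, matches[0]))
        else:
            # Zero hits, or several employees share the same login name.
            # Assumption: an ambiguous hit is not offered as a suggestion.
            views["without"].append((acc, matches))
    return views


def assign_selected(views: Dict[str, list], selected_uids) -> int:
    """Apply the suggested assignment for each selected account; returns the count."""
    done = 0
    for acc, emp in views["suggested"]:
        if acc.uid_account in selected_uids:
            acc.uid_person = emp.uid_person
            done += 1
    return done


def summary(views: Dict[str, list]) -> Dict[str, List[str]]:
    """Account ids per view, for quick inspection."""
    return {
        "suggested": [a.uid_account for a, _ in views["suggested"]],
        "assigned": [a.uid_account for a in views["assigned"]],
        "without": [a.uid_account for a, _ in views["without"]],
    }


if __name__ == "__main__":
    accounts = sample_accounts()
    views = build_views(accounts, EMPLOYEES)
    print("before:", summary(views))
    print("assigned", assign_selected(views, {"a1"}), "account(s)")
    print("after: ", summary(build_views(accounts, EMPLOYEES)))
```

Running the block shows a1 moving from "suggested" to "assigned" after the selection is applied, while a3 stays in "without" because the duplicate central account bwong makes the match ambiguous; that is the kind of entry worth reviewing before an assignment grants the account its default manage level.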

Related Topics

Disabling LDAP User Accounts

Disabling LDAP User Accounts

Table 40: Configuration Parameter for Disabling User Accounts

| Configuration parameter          | Meaning |
|----------------------------------|---------|
| QER\Person\TemporaryDeactivation | This configuration parameter specifies whether user accounts for an employee are locked if the employee is temporarily or permanently disabled. |

The way you disable user accounts depends on how they are managed.

Scenario:
  • The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. User accounts with the manage level "Full managed" are disabled depending on the account definition settings. For user accounts with another manage level, modify the column template LDAPAccount.AccountDisabled accordingly.

Scenario:
  • The user accounts are linked to employees. No account definition is applied.

User accounts managed through user account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the configuration parameter "QER\Person\TemporaryDeactivation".

  • If the configuration parameter is set, the employee’s user accounts are disabled if the employee is permanently or temporarily disabled.
  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To lock a user account when the configuration parameter is disabled

  1. Select the category LDAP | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Set the option Account is disabled on the General tab.
  5. Save the changes.
Scenario:
  • User accounts not linked to employees.

To lock a user account, which is not linked to an employee

  1. Select the category LDAP | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Set the option Account is disabled on the General tab.
  5. Save the changes.
Related Topics
  • Setting Up Account Definitions
  • Setting Up Manage Levels
  • Deleting and Restoring LDAP User Accounts
  • For more detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.

Deleting and Restoring LDAP User Accounts

NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account created through this account definition, is deleted.

To delete a user account

  1. Select the category LDAP | User accounts.
  2. Select the user account in the result list.
  3. Delete the user account.
  4. Confirm the security prompt with Yes.

To restore user account

  1. Select the category LDAP | User accounts.
  2. Select the user account in the result list.
  3. Click Undo delete in the result list toolbar.
Configuring Deferred Deletion

By default, user accounts are finally deleted from the database after 30 days. The user accounts are initially disabled. You can re-enable the user accounts until deferred deletion is run. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore. You can configure an alternative delay on the table LDAPAccount in the Designer.

LDAP Groups

You can collect user accounts, contacts, computers and groups into groups that can be used to regulate access to resources in the LDAP directory. In One Identity Manager, you can set up new groups or edit already existing groups.

To add users to groups, you assign the groups to the users. This can be done through assignments of groups to departments, cost centers, locations, business roles or to the IT Shop.

To edit group master data

  1. Select the category LDAP | Groups.
  2. Select the group in the result list and run Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit a group's master data.
  4. Save the changes.