
Identity Manager 8.0 - Administration Guide for Connecting to LDAP


LDAP Group Master Data

Enter the following master data:

Table 41: General Master Data
Property Description

Distinguished name

Distinguished name of the group. The distinguished name is determined by template from the name of the group and the container and cannot be edited.

Name

Group identifier

Display name

The display name is used to display the group in the One Identity Manager tools user interface.

Domain

Domain in which to create the group.

Container

Container in which to create the group.

Administrator

The group administrator.

Service item

Service item data for requesting the group through the IT Shop.

Business unit

Business unit to which the group is assigned.

See Also

Link to another LDAP object.

Structural object class

Structural object class representing the object type. By default, containers in One Identity Manager are added with the object class "GROUPOFNAMES".

Object class

List of classes defining the attributes for this object. By default, containers in One Identity Manager are added with the object class "GROUPOFNAMES". However, you can add object classes and auxiliary classes in the input field that are used by other LDAP and X.500 directory services.

Risk index

Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.

For more detailed information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Use this menu to allocate one or more categories to the group.

Description

Spare text box for additional explanation.

Condition

LDAP filter for finding memberships in a dynamic group.

Dynamic group

Specifies whether this is a dynamic group.

IT Shop

Specifies whether the group can be requested through the IT Shop. This group can be requested by staff through the Web Portal and granted through a defined approval process. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. This group can be requested by staff through the Web Portal and granted through a defined approval process. The group may not be assigned directly to hierarchical roles.

Assigning LDAP Groups to LDAP User Accounts and LDAP Computers

You can assign groups directly and indirectly to user accounts, workdesks and devices. In the case of indirect assignment, employees (workdesks, devices) and groups are grouped into hierarchical roles. The number of groups assigned to an employee (workdesk or device) is calculated from the position within the hierarchy and the inheritance direction.

If you add an employee to roles and that employee owns a user account, the user account is added to the group. Prerequisites for indirect assignment of employees to user accounts are:

  • Assignment of employees and groups is permitted for role classes (department, cost center, location or business role).
  • The user accounts are marked with the option Groups can be inherited.

If you add a device to roles, the computer, which references the device, is added to the group. Prerequisites for indirect assignment to computers are:

  • Assignment of devices and groups is permitted for role classes (department, cost center, location or business role).
  • The computer is connected to a device labeled as PC or server.
  • The configuration parameter "TargetSystem\LDAP\HardwareInGroupFromOrg" is set.

If a device owns a workdesk and you add the workdesk to roles, the computer, which references this device, is also added to all groups of the workdesk's roles. Prerequisites for indirect assignment to computers through workdesks are:

  • Assignment of workdesks and groups is permitted for role classes (department, cost center, location or business role).
  • The computer is connected to a device labeled as PC or server. This device owns a workdesk.

Furthermore, groups can be assigned to employees through IT Shop requests. Add employees to a shop as customers so that groups can be assigned through IT Shop requests. All groups that are assigned to this shop can be requested by the customers. Requested groups are assigned to the employees after approval is granted.
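
The prerequisites for indirect assignment listed above can be read as a decision procedure, which helps when reviewing why a user account or computer holds a group. The following Python model is an added example, not One Identity Manager code: the names Role, Config, groups_via, account_groups and computer_groups are hypothetical, the shape of the "permitted" setting is an assumption, and only direct role membership is modeled (no inheritance along the role hierarchy).

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    role_class: str  # department, cost center, location or business role
    groups: set = field(default_factory=set)

@dataclass
class Config:
    # Assumed shape: role class -> kinds of object that may be assigned to it
    permitted: dict
    # Stands in for TargetSystem\LDAP\HardwareInGroupFromOrg being set
    hardware_in_group_from_org: bool = False

def groups_via(roles, member_kind, cfg):
    """Groups of every role whose class permits member_kind and groups."""
    found = set()
    for role in roles:
        allowed = cfg.permitted.get(role.role_class, set())
        if member_kind in allowed and "group" in allowed:
            found |= role.groups
    return found

def account_groups(employee_roles, groups_can_be_inherited, cfg):
    """Groups a user account inherits through its employee's roles."""
    if not groups_can_be_inherited:  # option "Groups can be inherited"
        return set()
    return groups_via(employee_roles, "employee", cfg)

def computer_groups(device_type, device_roles, workdesk_roles, cfg):
    """Groups a computer inherits through its device and that device's workdesk."""
    if device_type not in ("PC", "server"):
        return set()
    found = groups_via(workdesk_roles, "workdesk", cfg)
    if cfg.hardware_in_group_from_org:
        found |= groups_via(device_roles, "device", cfg)
    return found

# Constructed sample data, not taken from a real installation.
SALES = Role("Sales", "department", {"cn=sales-share"})
HQ = Role("HQ", "location", {"cn=hq-printers"})
CFG = Config(permitted={"department": {"employee", "workdesk", "group"},
                        "location": {"employee"}})  # groups not permitted here

if __name__ == "__main__":
    print(account_groups([SALES, HQ], True, CFG))
    print(computer_groups("PC", [SALES], [SALES], CFG))
```

Pass an empty list for workdesk_roles when the device owns no workdesk.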

Assigning LDAP Groups to Departments, Cost Centers and Locations

Assign the group to departments, cost centers and locations so that the group can be assigned to user accounts, contacts and computers through these organizations.

To assign a group to departments, cost centers or locations (non role-based login)

  1. Select the category LDAP | Groups.
  2. Select the group in the result list.
  3. Select Assign organizations.
  4. Assign organizations in Add assignments.

    • Assign departments on the Departments tab.
    • Assign locations on the Locations tab.
    • Assign cost centers on the Cost center tab.

    - OR -

    Remove the organizations from Remove assignments.

  5. Save the changes.

To assign groups to a department, cost center or location (role-based login)

  1. Select the category Organizations | Departments.

    - OR -

    Select the category Organizations | Cost centers.

    - OR -

    Select the category Organizations | Locations.

  2. Select the department, cost center or location in the result list.
  3. Select Assign LDAP groups.
  4. Assign groups in Add assignments.

    - OR -

    Remove assignments to groups in Remove assignments.

  5. Save the changes.

Assigning LDAP Groups to Business Roles

Installed Modules: Business Roles Module

Assign the group to business roles so that it is assigned to user accounts, contacts and computers through this business role.

To assign a group to a business role (non role-based login)

  1. Select the category LDAP | Groups.
  2. Select the group in the result list.
  3. Select Assign business roles in the task view.
  4. Assign business roles in Add assignments.

    - OR -

    Remove business roles from Remove assignments.

  5. Save the changes.

To assign groups to a business role (non role-based login)

  1. Select the category Business roles | <Role class>.
  2. Select the business role in the result list.
  3. Select Assign LDAP groups.
  4. Assign groups in Add assignments.

    - OR -

    Remove assignments to groups in Remove assignments.

  5. Save the changes.