Identity Manager 8.0 - Administration Guide for Connecting to the Universal Cloud Interface

Locking and Unlocking User Accounts

Table 40: Configuration Parameter for Disabling User Accounts

| Configuration parameter | Meaning |
|---|---|
| QER\Person\TemporaryDeactivation | This configuration parameter specifies whether user accounts for an employee are locked if the employee is temporarily or permanently disabled. |

The way you disable user accounts depends on how they are managed.

Scenario:
  • The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. User accounts with the manage level "Full managed" are disabled depending on the account definition settings. For user accounts with another manage level, modify the column template CSMUser.AccountDisabled accordingly.

Scenario:
  • The user accounts are linked to employees. No account definition is applied.

User accounts managed through user account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the configuration parameter "QER\Person\TemporaryDeactivation".

  • If the configuration parameter is set, the employee’s user accounts are disabled if the employee is permanently or temporarily disabled.
  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To lock a user account when the configuration parameter is disabled

  1. Select the category Cloud Target Systems | <target system> | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Set the option Account is disabled on the General tab.
  5. Save the changes.

Scenario:
  • User accounts not linked to employees.

To lock a user account that is not linked to an employee

  1. Select the category Cloud Target Systems | <target system> | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Set the option Account is disabled on the General tab.
  5. Save the changes.

Related Topics

For more detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.
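
The scenarios above decide whether disabling an employee also locks the linked cloud user account. The following added example (not part of the One Identity documentation or product code) applies those rules to a constructed export and lists accounts that are still enabled for disabled employees. The record fields, the "Unmanaged" manage level and the sample rows are assumptions; only CSMUser.AccountDisabled, "Full managed" and QER\Person\TemporaryDeactivation come from this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Employee:                   # hypothetical export record
    employee_id: str
    disabled: bool                # temporarily or permanently disabled

@dataclass
class CloudAccount:               # hypothetical export record
    name: str
    employee_id: Optional[str]    # None = not linked to an employee
    manage_level: Optional[str]   # None = no account definition applied
    account_disabled: bool        # models CSMUser.AccountDisabled

def accounts_to_review(accounts, employees, temporary_deactivation_set):
    """Return (account name, reason) for enabled accounts of disabled employees."""
    disabled_ids = {e.employee_id for e in employees if e.disabled}
    findings = []
    for acc in accounts:
        if acc.account_disabled or acc.employee_id not in disabled_ids:
            continue  # already locked, unlinked, or employee still active
        if acc.manage_level == "Full managed":
            reason = "check account definition settings"
        elif acc.manage_level is not None:
            reason = "check column template CSMUser.AccountDisabled"
        elif temporary_deactivation_set:
            reason = "should be disabled by QER\\Person\\TemporaryDeactivation"
        else:
            reason = "parameter not set: lock manually"
        findings.append((acc.name, reason))
    return findings

# Constructed sample data, not taken from a real system.
EMPLOYEES = [Employee("E1", True), Employee("E2", False), Employee("E3", True)]
ACCOUNTS = [
    CloudAccount("alice@cloud", "E1", "Full managed", False),
    CloudAccount("alice-admin@cloud", "E1", "Unmanaged", False),
    CloudAccount("bob@cloud", "E2", None, False),
    CloudAccount("carol@cloud", "E3", None, False),
    CloudAccount("carol-old@cloud", "E3", None, True),
    CloudAccount("svc-backup@cloud", None, None, False),
]

if __name__ == "__main__":
    for name, reason in accounts_to_review(ACCOUNTS, EMPLOYEES, False):
        print(f"{name}: {reason}")
```

Accounts that are not linked to an employee never appear in the result, because no employee state drives them; they have to be inventoried and locked manually as described in the last scenario.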

Deleting User Accounts

You can delete a user account from the result list or the menu bar. After the deletion has been confirmed, the user account is deleted from the One Identity Manager database.

Configuring Deferred Deletion

By default, user accounts are finally deleted from the database after 30 days. During this period you have the option to reactivate the user accounts. A restore is not possible once the delete delay has expired. You can configure an alternative deletion delay on the table CSMUser in the Designer.

To delete a user account

  1. Select the category Cloud Target Systems | <target system> | User accounts.
  2. Select the user account in the result list.
  3. Click in the result list toolbar.
  4. Confirm the security prompt with Yes.

Once you have deleted a user account, it is also deleted in the Universal Cloud Interface Module through the provisioning process and then in the cloud application. The deletion is logged as a pending change. You can see whether the user account has been deleted in the cloud application from the process status for the pending change. The same applies if memberships of user accounts in groups are deleted.

User accounts are not allowed to be deleted in certain cloud applications. These user accounts cannot be deleted in the Manager, only disabled. You can configure the appropriate behavior in the cloud target system.

To prevent user accounts from being deleted

  1. Select the category Cloud Target Systems | Basic configuration data | Cloud target systems.
  2. Select a target system in the result list. Select Change master data in the task view.
  3. Set the option User account deletion not permitted.
  4. Save the changes.

Cloud Groups

Groups map the objects that control access to cloud resources through the cloud application. A user account obtains access permissions to cloud resources through its group memberships.

To edit group master data

  1. Select the category Cloud Target Systems | <target system> | Groups.
  2. Select the group in the result list and run Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit a group's master data.
  4. Save the changes.

Entering Master Data for a Group

Table 41: Configuration Parameters for Setting up User Accounts

| Configuration parameter | Active Meaning |
|---|---|
| QER\CalculateRiskIndex | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is set, values can be entered and calculated for the risk index. |

Enter the following master data for a group.

Table 42: Entering Master Data for a Group

| Property | Description |
|---|---|
| Name | Group identifier |
| Container | Container in which to create the group. |
| Target system | The group's cloud target system |
| Distinguished name | Distinguished name of the group. |
| Display name | The display name is used to display the group in the One Identity Manager tools user interface. |
| Group name | Additional name for the group. |
| Email address | Group's email address |
| Account manager | Manager responsible for the group. To specify an account manager: 1. Click next to the text box. 2. Under Table, select the table which maps the account manager. 3. Select the manager under Account manager. 4. Click OK. |
| IT Shop | Specifies whether the group can be requested through the IT Shop. This group can be requested by staff through the Web Portal and granted through a defined approval process. The group can still be assigned directly to hierarchical roles. For more detailed information, see the One Identity Manager IT Shop Administration Guide. |
| Only for use in IT Shop | Specifies whether the group can only be requested through the IT Shop. This group can be requested by staff through the Web Portal and granted through a defined approval process. The group may not be assigned directly to hierarchical roles. |
| Service item | Service item data for requesting the group through the IT Shop. |
| Risk index | Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set. For more detailed information, see the One Identity Manager Risk Assessment Administration Guide. |
| Notes category | Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Use this menu to allocate one or more categories to the group. For more detailed information, see the One Identity Manager Target System Base Module Administration Guide. |
| Description | Spare text box for additional explanation. |
| Group type | Name of the group type. This is only required if different group types are recognized in the cloud application. |
| Resource type | Type of resource, for example, Group. |
Resource type Type of resource, for example, Group.