In order for employees, devices and workdesks to inherit company resources, you must assign the objects to roles.
To add employees, devices and workdesks to a business role
- OR -
Remove the objects in Remove assignments.
TIP: Use dynamic roles to assign employees, devices and workdesks to business roles automatically.
The default method of assigning employees, devices and workdesks is indirect assignment. This allocates an employee, a device or a workdesk to
Indirect assignment is divided into:
You make a secondary assignment by classifying an employee, a device or a workdesk within a role hierarchy. Secondary assignment is the default method for assigning and inheriting company resources through roles.
IMPORTANT: Whether secondary assignment of company resources is possible depends on the role classes.
If an employee, a device or a workdesk fulfills the requirements of a dynamic role, the object is added dynamically to the corresponding company structure and can obtain company resources through it.
You make a primary assignment by referencing
You must assign company resources to
Note: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.
| Company Resource | Available in Module |
|---|---|
| Resources | always |
| Account definitions | Target System Base Module |
| Groups of custom target systems | Target System Base Module |
| Active Directory groups | Active Directory Module |
| SharePoint groups | SharePoint Module |
| SharePoint roles | SharePoint Module |
| LDAP groups | LDAP Module |
| Notes groups | IBM Notes Module |
| SAP groups | SAP R/3 User Management module Module |
| SAP profiles | SAP R/3 User Management module Module |
| SAP roles | SAP R/3 User Management module Module |
| Structural profiles | SAP R/3 Structural Profiles Add-on Module |
| BI analysis authorizations | SAP R/3 Analysis Authorizations Add-on Module |
| System roles | System Roles Module |
| Subscribable reports | Report Subscription Module |
| Applications | Application Management Module |
| Azure Active Directory groups | Azure Active Directory Module |
| Azure Active Directory administrator roles | Azure Active Directory Module |
| Azure Active Directory subscriptions | Azure Active Directory Module |
| Disabled Azure Active Directory service plans | Azure Active Directory Module |
| Unix groups | Unix Based Target Systems Module |
To add company resources to a hierarchical role
- OR -
Remove the company resource in Remove assignments.
The report "Overview of all Assignments" is displayed for certain objects, for example, permissions, compliance rules or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles and IT Shop structures, in which there are employees who own the selected base object. Both direct and indirect assignments of the base object are included.
To display detailed information about assignments
All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. In the report's toolbar, click to open the legend.
Figure 13: Toolbar for Report "Overview of all assignments"
| Icon | Meaning |
|---|---|
| | Shows the legend with the meaning of the report control elements. |
| | Saves the current report view as a graphic. |
| | Selects the role class used to generate the report. |
| | Displays all roles or only the affected roles. |
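The following is an added illustration, not One Identity Manager code: it models secondary assignment through a role hierarchy (employees in a role inherit the company resources assigned to that role and its parent roles) and then computes what the "Overview of all Assignments" report colours as affected, namely every role that contains at least one employee who owns the selected base object, whether directly or indirectly. All role, employee and resource names are constructed sample data.

```python
"""Added example (not product code): roles whose members own a base object."""

# Constructed role hierarchy: child role -> parent role (None = top level).
PARENT = {"Dept A": None, "Team A1": "Dept A", "Team A2": "Dept A", "Cost Center 1": None}
# Secondary assignments: role -> employees classified in that role.
MEMBERS = {"Dept A": {"alice"}, "Team A1": {"bob"}, "Team A2": {"carol"}, "Cost Center 1": {"dave"}}
# Company resources assigned to roles; inherited by members of child roles.
ROLE_RESOURCES = {"Dept A": {"AD group: Sales"}, "Team A2": {"SharePoint role: Editor"},
                  "Cost Center 1": {"AD group: Sales"}}
# Direct (primary) assignments of resources to employees.
DIRECT = {"dave": {"SharePoint role: Editor"}}

def ancestors(role):
    """Yield the role itself followed by each parent up to the top-level role."""
    while role is not None:
        yield role
        role = PARENT[role]

def effective_resources(employee):
    """Resources the employee owns: direct assignments plus everything inherited
    from every role the employee is classified in and that role's ancestors."""
    owned = set(DIRECT.get(employee, ()))
    for role, members in MEMBERS.items():
        if employee in members:
            for r in ancestors(role):
                owned |= ROLE_RESOURCES.get(r, set())
    return owned

def roles_with_owners(base_object):
    """Roles containing at least one employee who owns base_object (the roles
    the overview report highlights); direct and indirect ownership both count."""
    return {role for role, members in MEMBERS.items()
            if any(base_object in effective_resources(e) for e in members)}

if __name__ == "__main__":
    for obj in ("AD group: Sales", "SharePoint role: Editor"):
        print(obj, "->", sorted(roles_with_owners(obj)))
```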
In order for an employee to create user accounts with the manage level "Full managed", the necessary IT operating data must be determined. The operating data required to automatically supply an employee with IT resources is shown in the departments, locations, cost centers, and business roles. An employee is assigned to one primary location, one primary department, one primary cost center or one primary business role. The necessary IT operating data is ascertained from these assignments and used in creating the user accounts. Default values are used if valid IT operating data cannot be found through the primary roles.
You can also specify IT operating data directly for a specific account definition.
Example:
Normally, each employee in department A obtains a default user account in the
Create an account definition A for the default user account of the
Specify the effective IT operating data of department A for the
To specify IT operating data
Select Edit IT operating data in the task view and enter the following data.
| Property | Description |
|---|---|
| Organization/Business role | Department, cost center, location or business role for which the IT operating data is valid. |
| Effects on | IT operating data application scope. The IT operating data can be used for a target system or a defined account definition. To specify an application scope |
| Column | User account property for which the value is set. Columns using the script template TSB_ITDataFromOrg in their template are listed. |
| Value | Concrete value which is assigned to the user account property. |
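As an added illustration (not One Identity Manager code or its TSB_ITDataFromOrg template), the resolution described above can be modelled as a lookup keyed by organization, "Effects on" scope and column: an entry scoped to the specific account definition is preferred over one scoped to the target system, the employee's primary roles are consulted in turn, and the default value applies when none of them yields data. The order in which the primary roles are consulted, and all organization, server and container names, are constructed assumptions.

```python
"""Added example (not product code): resolving IT operating data for a user account."""

# Constructed IT operating data as entered via "Edit IT operating data":
# (organization/business role, effects on, column) -> value
IT_DATA = {
    ("Department A", "Active Directory", "Container"): "OU=Employees,DC=example,DC=com",
    ("Department A", "Active Directory", "Home server"): "FS01",
    ("Department A", "Account definition A", "Container"): "OU=Dept A,DC=example,DC=com",
    ("Location Berlin", "Active Directory", "Home server"): "FS-BER",
    ("Location Berlin", "Active Directory", "Profile Server"): "PS-BER",
}
# Default values used when no valid IT operating data is found through the primary roles.
DEFAULTS = {"Container": "OU=Default,DC=example,DC=com", "Home server": "FS-DEFAULT",
            "Profile Server": "PS-DEFAULT"}
# Assumed order in which an employee's primary roles are consulted (the page
# does not state this order; it is a constructed choice for the example).
PRIMARY_ROLE_KEYS = ("department", "location", "cost_center", "business_role")

def resolve(employee, column, target_system, account_definition=None):
    """Return (value, source) for one user account property.

    For each primary role, an entry scoped to the given account definition wins
    over the entry scoped to the whole target system; the first primary role
    providing a value wins; if no role provides one, the default is used."""
    scopes = ((account_definition,) if account_definition else ()) + (target_system,)
    for key in PRIMARY_ROLE_KEYS:
        role = employee.get(key)
        if role is None:
            continue
        for scope in scopes:
            value = IT_DATA.get((role, scope, column))
            if value is not None:
                return value, f"{role} ({scope})"
    return DEFAULTS[column], "default"

if __name__ == "__main__":
    emp = {"department": "Department A", "location": "Location Berlin"}
    for col in ("Container", "Home server", "Profile Server"):
        print(col, "->", resolve(emp, col, "Active Directory", "Account definition A"))
```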
The IT operating data necessary in the One Identity Manager default configuration for automatically creating or changing employee user accounts and mailboxes in the target system is itemized in the following table.
Note: IT operating data is dependent on the target system and is contained in One Identity Manager modules. The data is not available until the modules are installed.
| Target system type | IT Operating Data |
|---|---|
| Active Directory | Container |
| | Home server |
| | Profile Server |
| | Terminal home server |
| | Terminal profile server |
| | Groups can be inherited |
| | Identity |
| | Privileged user account |
| Microsoft Exchange | Mailbox database |
| LDAP | Container |
| | Groups can be inherited |
| | Identity |
| | Privileged user account |
| IBM Notes | Server |
| | Certificate |
| | Template for mail file |
| | Identity |
| SharePoint | Authentication mode |
| | Groups can be inherited |
| | Identity |
| | Privileged user account |
| Custom target systems | Container (per target system) |
| | Groups can be inherited |
| | Identity |
| | Privileged user account |
| Azure Active Directory | Groups can be inherited |
| | Identity |
| | Privileged user account |
| | Change password the next time you log in |
| Cloud target system | Container (per target system) |
| | Groups can be inherited |
| | Identity |
| | Privileged user account |
| Unix-based target system | Login shell |
| | Groups can be inherited |
| | Identity |
| | Privileged user account |
| Exchange Online | Groups can be inherited |
| G Suite | Organizational unit |
| | Groups can be inherited |
| | Privileged user account |
| | Change password the next time you log in |