Assigning Employees, Devices and Workdesks to Business Roles
In order for employees, devices and workdesks to inherit company resources, you must assign the objects to roles.
To add employees, devices and workdesks to a business role
- Select the category Business roles | <Role class>.
- Select the business role in the result list.
- Select the appropriate task:
- Assign employees
- Assign devices
- Assign workdesks
- Assign the objects in Add assignments.
- OR -
Remove the objects in Remove assignments.
- Save the changes.
|
|
TIP: Use dynamic roles to assign employees, devices and workdesks to business roles automatically. |
Related Topics
- Permit Assignments of Employees, Devices, Workdesks and Company Resources
- Assigning Business Roles to Company Resources
- Creating Dynamic Roles
Assigning Business Roles to Company Resources
The default method of assigning employees, devices and workdesks is indirect assignment. This allocates an employee, a device or a workdesk to
Indirect assignment is divided into:
- Secondary Assignment
You make a secondary assignment by classifying an employee, a device or a workdesk within a role hierarchy. Secondary assignment is the default method for assigning and inheriting company resources through roles.
IMPORTANT: Whether secondary assignment of company resources is possible depends on the role classes. If an employee, device or a workdesk fulfill the requirements of a dynamic role, the object is added dynamically to the corresponding company structure and can obtain company resources through it.
- Primary Assignment
You make a primary assignment by referencing
You must assign company resources to
|
|
Note: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed. |
| Company Resource | Available in Module |
|---|---|
|
Resources |
always |
| Account definitions | Target System Base Module |
|
Groups of custom target systems |
Target System Base Module |
|
Active Directory groups |
Active Directory Module |
|
SharePoint groups |
SharePoint Module |
|
SharePoint roles |
SharePoint Module |
|
LDAP groups |
LDAP Module |
|
Notes groups |
IBM Notes Module |
|
SAP groups |
SAP R/3 User Management module Module |
|
SAP profiles |
SAP R/3 User Management module Module |
|
SAP roles |
SAP R/3 User Management module Module |
|
Structural profiles |
SAP R/3 Structural Profiles Add-on Module |
|
BI analysis authorizations |
SAP R/3 Analysis Authorizations Add-on Module |
|
System roles |
System Roles Module |
|
Subscribable reports |
Report Subscription Module |
|
Applications |
Application Management Module |
|
Azure Active Directory groups |
Azure Active Directory Module |
|
Azure Active Directory administrator roles |
Azure Active Directory Module |
|
Azure Active Directory subscriptions |
Azure Active Directory Module |
|
Disabled Azure Active Directory service plans |
Azure Active Directory Module |
|
Unix groups |
Unix Based Target Systems Module |
To add company resources to a hierarchical role
- Select the category Business roles | <Role class>.
- Select the role in the result list.
- Select the task to assign the corresponding company resource.
- Assign company resources in Add assignments.
- OR -
Remove company resource in Remove assignments.
- Save the changes.
Detailed information about this topic
- Basics for Assigning Company Resources
- Permit Assignments of Employees, Devices, Workdesks and Company Resources
Related Topics
- Possible Company Resource Assignments
- Assigning Employees, Devices and Workdesks to Business Roles
- Creating Dynamic Roles
Analyzing Role Memberships and Employee Assignments
The report "Overview of all Assignments" is displayed for certain objects, for example, permissions, compliance rules or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles and IT Shop structures in which there are employee who own the selected base object. In this case, direct as well as indirect base object assignments are included.
Example
- If the report is created for a resource, all roles are determined in which there are employees with this resource.
- If the report is created for a group, all roles are determined in which there are employees with this group.
- If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
- If the report is created for a department, all roles are determined in which employees of the selected department are also members.
- If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
- To display the report, select the base object from the navigation or the result list and select the report Overview of all assignments.
- Use the
Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you determine if roles exist in which there are employees with the selected base object.
All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. In the report's toolbar, click
to open the legend.
- Double-click a control to show all child roles belonging to the selected role.
- By clicking the
button in a role's control, you display all employees in the role with the base object.
- Use the small arrow next to
Figure 13: Toolbar for Report "Overview of all assignments"
| Icon | Meaning |
|---|---|
| |
Show the legend with the meaning of the report control elements |
 |
Saves the current report view as a graphic. |
| |
Selects the role class used to generate the report. |
|
|
Displays all roles or only the affected roles. |
Setting Up IT Operating Data
In order for an employee to create user accounts with the manage level "Full managed", the necessary IT operating data must be determined. The operating data required to automatically supply an employee with IT resources is shown in the departments, locations, cost centers, and business roles. An employee is assigned to one primary location, one primary department, one primary cost center or one primary business role. The necessary IT operating data is ascertained from these assignments and used in creating the user accounts. Default values are used if valid IT operating data cannot be found over the primary roles.
You can also specify IT operating data directly for a specific account definition.
Example:
Normally, each employee in department A obtains a default user account in the
Create an account definition A for the default user account of the
Specify the effective IT operating data of department A for the
To specify IT operating data
- Select the category Business roles | <Role class>.
- Select the role in the result list.
-
Select Edit IT operating data in the task view and enter the following data.
Table 16: IT Operating Data Property Description Organization/Business role Department, cost center, location or business role for which the IT operating data is valid. Effects on IT operating data application scope. The IT operating data can be used for a target system or a defined account definition. To specify an application scope
- Click
next to the text box.
- Select the table under Table, which maps the target system or the table TSBAccountDef for an account definition.
- Select the concrete target system or concrete account definition under Effects on.
- Click OK.
Column User account property for which the value is set. Columns using the script template TSB_ITDataFromOrg in their template are listed.
Value Concrete value which is assigned to the user account property. - Click
- Save the changes.
The IT operating data necessary in the One Identity Manager default configuration for automatically creating or changing employee user accounts and mailboxes in the target system is itemized in the following table.
|
|
Note: IT operating data is dependent on the target system and is contained in One Identity Manager modules. The data is not available until the modules are installed. |
| Target system type | IT Operating Data |
|---|---|
|
Active Directory |
Container |
|
Home server | |
|
Profile Server | |
|
Terminal home server | |
|
Terminal profile server | |
| Groups can be inherited | |
|
Identity | |
| Privileged user account | |
|
Microsoft Exchange |
Mailbox database |
|
LDAP |
Container |
| Groups can be inherited | |
|
Identity | |
| Privileged user account | |
|
IBM Notes |
Server |
|
Certificate | |
|
Template for mail file | |
|
Identity | |
|
SharePoint |
Authentication mode |
| Groups can be inherited | |
|
Identity | |
| Privileged user account | |
|
Custom target systems |
Container (per target system) |
| Groups can be inherited | |
|
Identity | |
| Privileged user account | |
|
Azure Active Directory |
Groups can be inherited |
|
Identity | |
| Privileged user account | |
|
Change password the next time you log in | |
| Cloud target system | Container (per target system) |
| Groups can be inherited | |
|
Identity | |
| Privileged user account | |
|
Unix-based target system
|
Login shell |
| Groups can be inherited | |
|
Identity | |
| Privileged user account | |
|
Exchange Online |
Groups can be inherited |
|
G Suite |
Organizational unit |
|
Groups can be inherited | |
|
Privileged user account | |
|
Change password the next time you log in | |