Identity Manager 8.0 - Configuration Guide


Adding a System User to Permissions Groups

NOTE: You cannot manually add system users to permissions groups for role-based login. Dynamic system users are calculated for role-based login.

When you add a system user to permissions groups, you grant permissions for the One Identity Manager database model at the same time and make a user interface available to the user. The system user's effective permissions are not saved in the One Identity Manager schema; they are determined and loaded when the user logs in to the One Identity Manager tools.

The permissions group memberships for a system user are shown in the hierarchical view of the User & Permissions Group Editor. Direct and inherited permissions group memberships are shown for the system user depending on the program settings (menu item Options | Display permissions group inheritance).

Figure 25: System User Permissions Group Memberships

Table 119: Meaning of Icons in the Hierarchical Display
Icon Meaning
The selected system user is not assigned to this permissions group.
The selected system user is assigned to this permissions group.
The selected system user is indirectly assigned to this permissions group.
The selected system user is directly and indirectly assigned to this permissions group.

To assign a system user to permissions groups

  1. Select Permissions | System users in the Designer.
  2. Select a system user and start the User & Permissions Group Editor with the Edit system user task.
  3. Select the required permissions group in the hierarchical view. Click the icon to add the selected system user to the permissions group or to remove it from the group.

NOTE: The permissions group "QBM_BaseRights" defines basic permissions that are sufficient for logging a system user in to the administration tools. This permissions group is always assigned implicitly.

NOTE: The system user "viadmin" has all the permissions predefined by and the entire user interface. The system user "viadmin" also implicitly has all the permissions and user interface components from custom permissions groups.

NOTE: Administrative system users are automatically added to all non role-based permissions groups.

Dynamic system user

Different role-based authentication modules are available for role-based login to One Identity Manager tools. During login with role-based authentication, the employee's memberships in application roles are determined first. The assignments of permissions groups to application roles are then used to determine which permissions groups apply to the employee. From these permissions groups, a dynamic system user is determined, which is used for the employee's login.

NOTE: If nobody has logged in for a long time through role-based authentication with dynamic system users, you should delete these system users for performance reasons.

To delete system users

  • Set the configuration parameter "Common\DynamicUserLifetime" in the Designer and enter a maximum retention time (in days) for dynamic system users.

    System users whose retention time has expired are deleted from the database during daily maintenance.

NOTE: A new dynamic system user is created if an employee logs in using role-based authentication at a later date.
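The login and clean-up behavior described above can be modeled in a few lines. This is an added example, not One Identity Manager code: the role and group names are constructed, and it assumes one dynamic system user per distinct set of permissions groups and a retention time counted from the last login.

```python
from datetime import date, timedelta

# Constructed sample data; role and group names are hypothetical.
ROLE_MEMBERS = {
    "Role_Helpdesk": {"alice", "bob"},
    "Role_Auditors": {"alice"},
}
ROLE_GROUPS = {
    "Role_Helpdesk": {"CCC_Helpdesk"},
    "Role_Auditors": {"CCC_AuditRead"},
}
BASE_GROUP = "QBM_BaseRights"  # always assigned implicitly, per the guide


class DynamicUserStore:
    """Toy model of the dynamic system users kept in the database."""

    def __init__(self, lifetime_days):
        # Models the configuration parameter Common\DynamicUserLifetime (days).
        self.lifetime = timedelta(days=lifetime_days)
        # Assumption: one dynamic system user per distinct set of groups.
        self.last_login = {}  # frozenset of group names -> date of last login

    def login(self, employee, today):
        """Resolve roles -> permissions groups -> dynamic system user."""
        roles = [r for r, members in ROLE_MEMBERS.items() if employee in members]
        if not roles:
            raise PermissionError(f"{employee} has no application role")
        groups = {BASE_GROUP}
        for role in roles:
            groups |= ROLE_GROUPS.get(role, set())
        key = frozenset(groups)
        created = key not in self.last_login  # True if newly created
        self.last_login[key] = today
        return key, created

    def daily_maintenance(self, today):
        """Delete dynamic system users whose retention time has expired."""
        expired = [k for k, seen in self.last_login.items()
                   if today - seen > self.lifetime]
        for k in expired:
            del self.last_login[k]
        return len(expired)
```

In this model, deleting an expired dynamic system user does not change what an employee may do: the next role-based login recreates it from the current application role memberships, so access is withdrawn by changing those memberships or the group assignments of the roles.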

Which Employees Use System Users?

Employees obtain a system user directly through their master data or dynamically through their One Identity Manager application roles.

To display which employees are assigned to a system user

  1. Select Permissions | System users in the Designer.
  2. Select a system user and start the User & Permissions Group Editor with the Edit system user task.
  3. Select the menu View | One Identity Manager employees.

    You cannot change assignments in this view.

Editing Permissions for One Identity Manager Schema Tables and Columns

You grant permissions for One Identity Manager schema tables and columns to permissions groups. You are not permitted to edit predefined permissions groups. Use the User & Permissions Group Editor to set up your own permissions groups.

To edit tables or columns

  1. Select the category Permissions in the Designer.
  2. Start the Permissions Editor using the task Edit permissions.
  3. Select the permissions group you want to edit in the Permissions group menu in the Permissions Editor toolbar.
  4. Edit the table or column permissions.
    • To add new permissions, select New in the context menu.

      When new permissions are added, the tick boxes for the permissions are not set by default. This means that the corresponding permissions are withdrawn. You need to set the tick box to enable a permission.

    • To delete all table or column permissions, select Delete in the context menu.
    • Deselect the tick box to delete single permissions.
  5. To specify more conditions for table permissions
    • Open the single permissions view from the View | Properties menu, go to the Permissions filter tab and enter the condition.
    • Use the SQL check button to test the condition. This checks the syntax. The number of objects that comply is returned.

IMPORTANT: Permissions are always edited for the permissions group you selected in the Permissions group menu. If you want to issue permissions for other permissions groups, select them in the menu first and then edit the permissions.

To copy permissions

  1. Select the category Permissions in the Designer.
  2. Start the Permissions Editor using the task Edit permissions.
  3. Select the permissions group you want to edit in the Permissions group menu in the Permissions Editor toolbar.
  4. Select the table or column from which you want to take the permissions in the Permissions Editor.
  5. Use Copy in the context menu to copy the permissions owned by the selected table for this table or column.
  6. Select the table or column for which you want to create the permissions.
  7. Use Paste in the context menu to insert the copied permissions in the table for the selected permissions group.

NOTE: To copy all permissions groups for a table or column, use the context menu items Copy all permissions and Paste all permissions. In this case, it does not matter which permissions group you select.

To display permissions for a table or column

  1. Select the category Permissions in the Designer.
  2. Start the Permissions Editor using the task Edit permissions for table <table name>.
  3. Select the table or column for which you want to show the permissions in the Permissions Editor.
  4. Select the Object permissions view.

    The view "Summary of all permissions for" displays all permissions groups that own permissions on the table or column. It is an extension of the edit permissions view. The permissions in this view cannot be edited.

    TIP: A condition is displayed in full by clicking on it.

    TIP: Use the context menu Select in Permissions Editor to display all permissions in the selected group in the Permissions Editor.
