NOTE: You cannot manually add system users to permissions groups for role-based login. Dynamic system users are calculated for role-based login.
When you add a system user to permissions groups, you allocate permissions for the One Identity Manager database model and, at the same time, make a user interface available to the user. The system user's effective permissions are not saved in the One Identity Manager schema; they are determined and loaded when the user logs in to the One Identity Manager tools.
The permissions group memberships for a system user are shown in the hierarchical view of the User & Permissions Group Editor. Direct and inherited permissions group memberships are shown for the system user, depending on the program settings (menu item Options | Display permissions group inheritance).
Figure 25: System User Permissions Group Memberships
Icon | Meaning |
---|---|
 | The selected system user is not assigned to this permissions group. |
 | The selected system user is assigned to this permissions group. |
 | The selected system user is indirectly assigned to this permissions group. |
 | The selected system user is directly and indirectly assigned to this permissions group. |
To assign a system user to permissions groups
NOTE: The permissions group "QBM_BaseRights" defines basic permissions that are sufficient for logging a system user in to the administration tools. This permissions group is always assigned implicitly.
NOTE: The system user "viadmin" has all the permissions predefined by and the entire user interface. The system user "viadmin" also implicitly has all the permissions and user interface components from custom permissions groups.
NOTE: Administrative system users are automatically added to all non-role-based permissions groups.
Different role-based authentication modules are available for role-based login to One Identity Manager tools. During login with role-based authentication, the employee's memberships in application roles are determined first. The assignments of permissions groups to application roles are then used to determine which permissions groups apply to the employee. From these permissions groups, a dynamic system user is determined, which is used for the employee's login.
NOTE: If nobody has logged in for a long time through role-based authentication with dynamic system users, you should delete these system users for performance reasons.
To delete system users
System users whose retention time has expired are deleted from the database during daily maintenance.
NOTE: A new dynamic system user is created if an employee logs in using role-based authentication at a later date.
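A minimal model of the role-based login resolution and dynamic system user retention described above, added here as an illustration; it is not One Identity code and does not use the product's schema. Role, group and employee names are constructed, and three behaviors are assumptions: a dynamic system user is keyed by its set of permissions groups, "QBM_BaseRights" also applies to dynamic system users, and retention is measured from the last login.

```python
from datetime import timedelta

BASE_GROUP = "QBM_BaseRights"  # per the page: always assigned implicitly
# Constructed sample data. Role and group names are hypothetical.
ROLE_MEMBERS = {
    "Helpdesk": {"alice", "bob"},
    "Auditors": {"bob"},
    "Target system admins": {"carol"},
}
ROLE_GROUPS = {
    "Helpdesk": {"EX_Helpdesk"},
    "Auditors": {"EX_AuditRead"},
    "Target system admins": {"EX_TargetAdmin", "EX_Helpdesk"},
}

def groups_for(employee):
    """Union of the permissions groups assigned to the employee's application roles."""
    groups = {BASE_GROUP}
    for role, members in ROLE_MEMBERS.items():
        if employee in members:
            groups |= ROLE_GROUPS.get(role, set())
    return frozenset(groups)

def who_gets(group):
    """Access review: employees whose role-based login includes `group`."""
    employees = set().union(*ROLE_MEMBERS.values())
    return sorted(e for e in employees if group in groups_for(e))

class DynamicUsers:
    """Dynamic system users, assumed to be keyed by their permissions-group set."""
    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.last_login = {}  # frozenset of groups -> date of last login

    def login(self, employee, today):
        """Return (groups, created); created is True for a new dynamic user."""
        key = groups_for(employee)
        created = key not in self.last_login
        self.last_login[key] = today
        return key, created

    def daily_maintenance(self, today):
        """Delete users whose retention time (assumed: since last login) expired."""
        expired = [k for k, seen in self.last_login.items() if today - seen > self.retention]
        for key in expired:
            del self.last_login[key]
        return expired
```

Running `who_gets` for each sensitive permissions group gives a quick least-privilege review of what role-based login actually hands out through application role membership.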
You cannot change assignments in this view. Employees obtain a system user directly through their master data or dynamically through their One Identity Manager application roles.
To display which employees are assigned to a system user
You cannot change assignments in this view.
You grant permissions on One Identity Manager schema tables and columns to permissions groups. You are not permitted to edit predefined permissions groups. Use the User & Permissions Group Editor to set up your own permissions groups.
To edit tables or columns
When new permissions are added, the tick boxes for the permissions are not set by default. This means that the corresponding permissions are withdrawn. You need to set the tick box to enable a permission.
Use the SQL check button to test the condition. This checks the syntax and returns the number of objects that comply.
IMPORTANT: Permissions are always edited for the permissions group you selected in the Permissions group menu. If you want to issue more permissions for permissions groups, select them in the menu first and then edit the permissions.
To copy permissions
NOTE: To copy all permissions groups for a table or column, use the context menu items Copy all permissions and Paste all permissions. In this case, it does not matter which permissions group you select.
To display permissions for a table or column
The view "Summary of all permissions for" displays all permissions groups that own permissions on the table or column by is an extension of the edit permissions view. The permissions in this view cannot be edited.
TIP: A condition is displayed in full by clicking on it.
TIP: Use the context menu Select in Permissions Editor to display all permissions in the selected group in the Permissions Editor.
© 2023 One Identity LLC. ALL RIGHTS RESERVED.