Identity Manager 8.0 - Configuration Guide

Rules for Finding Valid Permissions for Tables and Columns

When a system user is used to log into the system, the currently effective permissions for the objects are determined based on the permissions groups. The following rules are used to determine the resulting permissions:

  • Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging to its parent permissions groups.
  • For hierarchical permissions groups, the set of accessible objects is determined first. Column permissions are decided afterwards. In some cases, this results in more permissions than are defined on the individual permissions groups.
  • A system user receives a permission when at least one of its permissions groups has the permission (directly or inherited).
  • The limiting permissions conditions of all the system user's permissions groups are grouped together and used to determine a valid condition for each permission for viewing, editing, inserting and deleting an object.
  • Fixed viewing permissions for the database system files are granted by the system; these are sufficient for logging a system user into the One Identity Manager tools.
  • A system user with read-only permissions only obtains viewing permissions to objects, irrespective of any other permissions.
  • If permissions are granted on a table for inserting, editing or deleting, viewing permissions are implicit.
  • If permissions are granted on a column for inserting, editing or deleting, viewing permissions are implicit.
  • If permissions are granted for a table, then viewing permissions are implicitly granted on the primary key column of the table.
  • If at least viewing permissions are granted on a primary key column, then viewing permissions are implicitly granted for the referenced table, its primary key column and the columns of the referenced table that are necessary for viewing according to the defined display pattern.
  • Permissions for database views of type "proxy" are also valid for the underlying tables.
  • Database views of type "ReadOnly" only have viewing permissions, irrespective of any other permissions.
  • If a table or column is disabled due to preprocessor conditions, permissions are not determined for that table or column. The table or column is considered not to exist.
  • If a permissions group is disabled due to preprocessor conditions, permissions are not taken into account for this permissions group. The permissions group is considered not to exist.
Example of Permissions Grouping using Permissions Groups

The following example shows how to group permissions if the user is directly assigned in permissions groups and the permissions groups are not connected hierarchically.

A system user obtains permissions to the table ADSAccount through different permissions groups.

| Permissions group | Viewable | Editable | Insertable | Deletable |
|---|---|---|---|---|
| A | 1 | 1 | 1 | 1 |
| B | 0 | 0 | 0 | 0 |

In addition, the system user is granted permissions to the table LDAPAccount through the same permissions groups.

| Permissions group | Viewable | Editable | Insertable | Deletable |
|---|---|---|---|---|
| A | 1 | 0 | 0 | 0 |
| B | 1 | 1 | 1 | 0 |

The system user therefore effectively has the following permissions:

| Table | Viewable | Editable | Insertable | Deletable |
|---|---|---|---|---|
| ADSAccount | 1 | 1 | 1 | 1 |
| LDAPAccount | 1 | 1 | 1 | 0 |

Example of Limiting Conditions

A system user obtains viewing permissions to the table Person through different permissions groups:

| Permissions group | Viewing Condition | Column Viewing Permissions |
|---|---|---|
| A | | Lastname |
| B | Lastname like 'B%' | Lastname, Firstname, Entrydate |
| C | Lastname like 'Be%' | Lastname, Firstname, Gender |
| D | Lastname like 'D%' | Lastname |

This results in the following permissions for the individual employee objects.

| Person.Lastname | Visible Columns |
|---|---|
| Smith | Lastname |
| Bishop | Lastname, Firstname, Entrydate |
| Bennett | Lastname, Firstname, Gender |
| Dummy | Lastname |
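As an added example (not code from the One Identity Manager guide or product), the following Python models the resolution rules above and reproduces both examples: table permissions are the union across the system user's permissions groups (with insert/edit/delete implying view and a read-only user keeping only view), and the limiting conditions are combined so that a row's visible columns come from every group whose condition the row satisfies. The GroupPermission model, the LIKE evaluation and the group A..D sample data are constructed assumptions, not product API.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet
import re

@dataclass
class GroupPermission:
    """One permissions group's entry for one table (constructed model)."""
    viewable: bool = False
    editable: bool = False
    insertable: bool = False
    deletable: bool = False
    view_condition: Optional[str] = None   # limiting condition as a SQL LIKE pattern
    columns: FrozenSet[str] = frozenset()  # columns with viewing permission

def effective_table_permissions(perms, read_only_user=False):
    """Union over groups: granted if at least one group has the permission.
    Edit/insert/delete imply view; a read-only system user keeps only view."""
    perms = list(perms)
    edit = any(p.editable for p in perms)
    insert = any(p.insertable for p in perms)
    delete = any(p.deletable for p in perms)
    view = any(p.viewable for p in perms) or edit or insert or delete
    if read_only_user:
        edit = insert = delete = False
    return {"Viewable": view, "Editable": edit, "Insertable": insert, "Deletable": delete}

def like_matches(pattern, value):
    """SQL LIKE with '%' (any run) and '_' (one char); case-sensitive here by assumption."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def visible_columns(lastname, perms):
    """Columns visible on one Person row: union of the column permissions of every
    group whose limiting condition the row satisfies (no condition = always applies)."""
    cols = set()
    for p in perms:
        if p.viewable and (p.view_condition is None or like_matches(p.view_condition, lastname)):
            cols |= p.columns
    return cols

# Constructed group entries mirroring the two examples above (groups A..D in order)
ADS_ACCOUNT = [GroupPermission(True, True, True, True), GroupPermission()]
LDAP_ACCOUNT = [GroupPermission(True), GroupPermission(True, True, True, False)]
PERSON = [
    GroupPermission(True, columns=frozenset({"Lastname"})),
    GroupPermission(True, view_condition="B%", columns=frozenset({"Lastname", "Firstname", "Entrydate"})),
    GroupPermission(True, view_condition="Be%", columns=frozenset({"Lastname", "Firstname", "Gender"})),
    GroupPermission(True, view_condition="D%", columns=frozenset({"Lastname"})),
]
```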

Working with the Permissions Editor

Use the Permissions Editor to grant permissions groups the permissions for accessing the tables and columns in the One Identity Manager schema. The editor is started from the Designer program and opens in the document view. Only the additional functions of the Permissions Editor are described in the following.

Menu Items

The following items are added to the menu bar when the editor starts.

Table 120: Meaning of Items in the Menu Bar

| Menu | Menu Item | Meaning | Key Combination |
|---|---|---|---|
| Permissions | New | Creates table or column permissions for the selected permissions group or system user. | Ins |
| Permissions | Delete | Deletes table or column permissions for the selected permissions group or system user. | Del |
| Permissions | Copy | Copies table (column) permissions from the selected permissions group or system user. | Ctrl + C |
| Permissions | Paste | Inserts copied table (column) permissions into the selected permissions group. | Ctrl + V |
| Permissions | Copy all permissions | Copies all table (column) permissions from the selected permissions group. | Ctrl + Shift + C |
| Permissions | Paste all permissions | Inserts all copied table (column) permissions into the selected permissions group. | Ctrl + Shift + V |
| Permissions | Refresh view | Refreshes the permissions display. | |
| Options | Sort permissions | Sorts the view. Tables and columns with permissions are shown first. | |
| Options | Use display values | The display names of the columns and tables are shown. If this option is not set, the table and column names from the One Identity Manager schema are shown. | |
| Options | Show all tables | Shows all database model tables. | |
| Options | Show non-system tables | Only shows tables from the application data model. | |
| Options | Show system tables | Only shows tables from the system data model. | |
| Options | Show disabled tables | Shows/hides disabled tables. | |
| Options | Define filter... | Opens a dialog window for creating an ad hoc filter. | |
| Options | Manage filters... | Opens a dialog window for creating permanent filters. | |
| View | Properties | Shows/hides the edit view. | |
| View | Object permissions | Shows/hides the object permissions. | |
| Help | Permissions management help | Opens the help on this topic. | |
| Help | Permissions Editor help | Opens the editor help. | |
Table 121: Meaning of Toolbar Icons

| Icon | Meaning |
|---|---|
| (icon) | Creates table or column permissions for the selected permissions group or system user. |
| (icon) | Deletes table or column permissions for the selected permissions group or system user. |
| (icon) | Refreshes the permissions display. |
| (icon) | Copies table (column) permissions from the selected permissions group or system user. |
| (icon) | Inserts copied table (column) permissions into the selected permissions group. |
| (icon) | Copies all table (column) permissions from the selected permissions group. |
| (icon) | Inserts all copied table (column) permissions into the selected permissions group. |
| (icon) | Starts the wizard for defining custom filters. On completion, the tables are shown according to the filter. For more information, see Using User Defined Filters for Searching. |
| (icon) | Sorts the view. Tables and columns with permissions are shown first. |
| (icon) | The display names of the columns and tables are shown. If the option is not enabled, the technical names according to the One Identity Manager schema are shown. |
| (icon) | Shows disabled tables. |

Views in the Permissions Editor

The Permissions Editor has several views for displaying and editing access permissions for permissions groups.

Table 122: Permissions Editor Views

| View | Description |
|---|---|
| Edit and simulated permissions view | This view contains two permissions views. In one, the permissions of a permissions group are edited on the tables and columns of the data model; in the other, the current permissions situation is established by the permissions simulation. For more information, see Functions in the Permissions Edit View. |
| Resulting permissions view | All the permissions groups that have permissions for a selected table or column are displayed with their own permissions. The permissions in this view cannot be edited. This shows which of the permissions groups selected in the simulation have which permissions. Effective permissions are also displayed. |
| Edit individual permissions view | This view supplements the edit permissions view. You can make further changes to the table or column permissions of permissions groups and user accounts in this view. |