There is certain functionality in One Identity Manager administration tools that is only available to specific users. This includes exporting data from the Manager, calling the SQL Editor in the Designer or running consistency checks, for example. Furthermore, you can control execution of methods, scripts or processes through program functionality.
Program functions are not assigned to single users but to permissions groups. All users that are assigned to these groups can use the program function.
To make a program function available to users
If a method definition is assigned a program function (table QBMMethodHasFeature), a user can only run this method if the necessary program function is granted to them. An error occurs if the user does not own this program function and tries to run the method.
To make a method definition available to users using a program function
If a script is assigned a program function (table QBMScriptHasFeature), a user can only run this script if the necessary program function is granted to them. An error occurs if the user does not own this program function and tries to run the script.
To make a script available to users using a program function
In One Identity Manager, the way events for stored processes are triggered is linked to the permissions concept. Users can only trigger events on objects if they own edit permissions for them. As a result, users who only have viewing permissions for a table may not be able to trigger additional events for processes.
In this case, it is possible to link so-called object events to a program function. An object event (table QBMEvent) can be associated with an event of a process (column JobEventGen.UID_QBMEvent).
If the object event is assigned a program function (table QBMEventHasFeature), users who are granted the program function can trigger the associated object events, and therefore the processes, regardless of their permissions.
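The rules above, modelled as an added Python example (not One Identity Manager code): program functions reach users only through permissions groups, a script with an assigned function fails for users without it, and an event with an assigned function can be triggered without edit permission. All user, group, function, event and table names are constructed, and each script or event is assumed to carry at most one program function.

```python
# Constructed model of the rules described above; not One Identity Manager code.
GROUP_FUNCTIONS = {             # permissions group -> program functions
    "grp_helpdesk": {"fn_trigger_resync"},
    "grp_auditors": {"fn_run_report_script"},
    "grp_readers": set(),
}
USER_GROUPS = {                 # system user -> permissions groups
    "alice": {"grp_helpdesk", "grp_readers"},
    "bob": {"grp_readers"},
    "carol": {"grp_auditors"},
}
SCRIPT_FUNCTION = {"report_script": "fn_run_report_script"}  # role of QBMScriptHasFeature
EVENT_FUNCTION = {"evt_resync": "fn_trigger_resync"}         # role of QBMEventHasFeature
EVENT_TABLE = {"evt_resync": "DemoTable", "evt_export": "DemoTable"}
EDIT_RIGHTS = {("carol", "DemoTable")}                       # (user, table) with edit permission


def functions_of(user):
    """Program functions reach a user only through permissions groups."""
    granted = set()
    for group in USER_GROUPS.get(user, ()):
        granted |= GROUP_FUNCTIONS.get(group, set())
    return granted


def check_script(user, script):
    """A script with an assigned program function needs that function."""
    required = SCRIPT_FUNCTION.get(script)
    if required is not None and required not in functions_of(user):
        raise PermissionError(f"{user} lacks {required} for {script}")
    return True


def can_trigger(user, event):
    """Edit permission on the table, or the event's program function."""
    if (user, EVENT_TABLE[event]) in EDIT_RIGHTS:
        return True
    return EVENT_FUNCTION.get(event) in functions_of(user)


def triggers_without_edit():
    """Audit view: (user, event) pairs allowed only via a program function."""
    return sorted(
        (user, event)
        for user in USER_GROUPS
        for event in EVENT_TABLE
        if (user, EVENT_TABLE[event]) not in EDIT_RIGHTS and can_trigger(user, event)
    )
```

The last function is the one to read during an access review: every pair it returns is a process trigger that object permissions alone would have denied.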
To allow triggering a process through a program function
You can display object properties and permissions in the One Identity Manager tools.
To show extended object properties
On the General tab you can see the object's general properties, for example, ID, status or primary key.
On the Properties tab, all the object's columns are displayed in a grid with their values. You can choose between a simple column view and the advanced view with additional data for column definitions.
|No viewing permissions.|
|No edit permissions.|
On the Access permissions tab, you can see which permissions are valid for an object based on permissions groups. The first entry shows the basic permissions for the table. The permissions for this particular object are displayed beneath that. The other entries show the column permissions. Double-clicking a table, object or column entry displays all the permissions groups that are used to determine the permissions.
Figure 26: Displaying Object Permissions
|Permissions have been removed by the object layer|
|Permissions limited by conditions.|
To get more information about the current user
Name of system user
|Authenticated by||Name of the authentication module used for logging in.|
|Employee UID (UserUID)||Unique ID for the current user’s employee if an employee related authentication module is used to log in.|
The system user only has read permissions. Modifications to data are not possible.
|Dynamic user||The current user uses a dynamic system user. Dynamic system users are applied when a role-based authentication module is used.|
|Remarks||More details about the system user in use.|
|Permissions group||Permissions groups that are assigned to the system user. Which user interface and editing permissions apply depend on the permissions groups.|
|Program functions||Program functions assigned to the system user. The menu items and functions available depend on the program functions.|
Certain components of the One Identity Manager’s graphical user interface are stored in the One Identity Manager schema and can be tailored to suit customer requirements. Menu items in the navigation structure, interface forms, and task definitions can be configured in this way.
Menu items, interface forms and task definitions are assigned to permissions groups. The user interface components that are effective for a user depend on the authentication module used for logging in to the One Identity Manager tools. When a user logs in to a One Identity Manager tool, a system user is found, and the available menu items, interface forms, task definitions and individual program functions are identified based on the permissions groups to which this system user belongs. The adapted user interface is then loaded.
Data is displayed as objects in the user interface. User interface objects are meta-objects. They provide a selection of configurable elements, which describe how the data stored in the database is perceived. These objects enable data to be distinguished by specific properties. They provide an additional control function for configuring the user interface. Hence, interface forms and tasks are linked to object definitions, which means that different forms and tasks are displayed in the user interface depending on which object is selected.
You can only modify the supplied user interface components to a certain extent, and they are overwritten by schema installation. You can integrate components of the default user interface into your own user-defined user interface. If necessary, you can disable individual components of the default user interface to stop them from being displayed. The system users provided are not affected by this limitation. Components labeled as disabled remain so after schema installation.
Captions are used in the user interface to create user-friendly names for different components of the user interface such as menu items, tasks and column names. You can maintain multi-language display text in One Identity Manager, which enables you to display captions in different languages.
The default One Identity Manager installation is supplied in the languages "English - United States [en-US]" and "German - Germany [de-DE]". You can add other languages to the user interface and display text if required. In this case, you should translate the text before One Identity Manager goes live. There is a Language Editor in the Designer to help you do this. A special control element is provided in the One Identity Manager tools which aids multi-language input.
A user interface is always set up for one application. The One Identity Manager’s default version supplies applications and predefined navigation menus for the "Manager", "Designer" and "Launchpad".