
Identity Manager 8.0 - Configuration Guide


Availability of Certain Functionality

Certain functionality in the One Identity Manager administration tools is only available to specific users, for example exporting data from the Manager, calling the SQL Editor in the Designer or running consistency checks. You can also control the execution of methods, scripts or processes through program functions.

Program functions are not assigned to single users but to permissions groups. All users that are assigned to these groups can use the program function.

To make a program function available to users

  1. Select the category Permissions | Program functions in the Designer.
  2. Select the program function and assign it to a permissions group.
    • Select View | Select table relations... and enable the table DialogGroupHasFeature. This shows the tab Permissions groups for assigning permissions groups.

Assignment to Method Definitions

If a method definition is assigned a program function (table QBMMethodHasFeature), a user can only run the method if the required program function has been granted to them. An error occurs if a user who does not have the program function tries to run the method.

To make a method definition available to users using a program function

  1. Connect the task definition with the program function.
    1. Select the category Permissions | Program functions in the Designer.
    2. Select the program function and assign the method definition to it.
      • Select the menu item View | Select table relations... and enable the table DialogMethodHasFeature. Use the Methods tab displayed in the edit view to assign the method definition.
  2. Assign a permissions group to the program function.

Assignment to Scripts

If a script is assigned a program function (table QBMScriptHasFeature), a user can only run the script if the required program function has been granted to them. An error occurs if a user who does not have the program function tries to run the script.

To make a script available to users using a program function

  1. Connect the script with the program function.
    1. Select the category Permissions | Program functions in the Designer.
    2. Select the program function and assign the script.
      • Select View | Select table relations... in the menu and enable the table DialogScriptHasFeature. You can assign the script on the Script tab displayed in the edit view.
  2. Assign a permissions group to the program function.

Assignment to Events

In One Identity Manager, the triggering of events for stored processes is tied to the permissions concept. Users can only trigger events on objects for which they have edit permissions. As a result, users who only have viewing permissions for a table may not be able to trigger additional events for processes.

In this case, you can connect the object events to be called to a program function. An object event (table QBMEvent) can be associated with an event of a process (column JobEventGen.UID_QBMEvent).

If the object event is assigned a program function (table QBMEventHasFeature), users who are granted the program function can trigger the associated object events, and therefore the processes, regardless of their permissions.

To allow triggering a process through a program function

  1. Link an object event with the program function.
    1. Select the category Permissions | Program functions in the Designer.
    2. Select the program function and assign the object event to it.
      • Select View | Select table relations... in the menu and enable the table QBMEventHasFeature. The Object events tab is displayed in the edit view.
  2. Assign a permissions group to the program function.
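
The following sketch is an added example, not One Identity Manager code. It models the checks described above to show how a review can list permissions groups that can trigger a process only through a program function, without edit permissions on the table. The table names come from this guide; the row shapes, group names, program function names and events are constructed for illustration.

```python
# Constructed sample data. Table names come from the guide; the row shapes,
# group names, feature names and events are assumptions made for this sketch.
GROUP_HAS_FEATURE = {            # DialogGroupHasFeature
    "Admins": {"Feat_RunCleanup", "Feat_TriggerResync"},
    "HelpdeskViewers": {"Feat_TriggerResync"},
    "Auditors": set(),
}
SCRIPT_HAS_FEATURE = {"CleanupScript": "Feat_RunCleanup"}         # QBMScriptHasFeature
EVENT_HAS_FEATURE = {("Person", "RESYNC"): "Feat_TriggerResync"}  # QBMEventHasFeature
EDIT_PERMISSIONS = {"Admins": {"Person"}}   # group -> tables it may edit (assumed)


def program_functions(groups):
    """Program functions are granted through permissions groups, never per user."""
    granted = set()
    for group in groups:
        granted |= GROUP_HAS_FEATURE.get(group, set())
    return granted


def run_script(script, groups):
    """Raise if the script is gated by a program function the user lacks."""
    required = SCRIPT_HAS_FEATURE.get(script)
    if required is not None and required not in program_functions(groups):
        raise PermissionError(f"{script} requires program function {required}")
    return f"{script} started"


def can_trigger(event, groups):
    """Edit permission on the table, or the event's program function, suffices."""
    table, _name = event
    has_edit = any(table in EDIT_PERMISSIONS.get(g, set()) for g in groups)
    feature = EVENT_HAS_FEATURE.get(event)
    return has_edit or (feature is not None and feature in program_functions(groups))


def event_grants_beyond_edit_rights():
    """List (group, table, event) where only the program function allows the trigger."""
    findings = []
    for (table, name), feature in EVENT_HAS_FEATURE.items():
        for group, features in GROUP_HAS_FEATURE.items():
            if feature in features and table not in EDIT_PERMISSIONS.get(group, set()):
                findings.append((group, table, name))
    return sorted(findings)


if __name__ == "__main__":
    print(event_grants_beyond_edit_rights())
```
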


Displaying Permissions for an Object

You can display object properties and permissions in the One Identity Manager tools.

To show extended object properties

  • Select the object and open Properties... from the context menu.

On the General tab you can see the object's general properties, for example, ID, status or primary key.

All of the object's columns are displayed with their values in a grid on the Properties tab. You can choose between a simple column view and the advanced view with additional data for column definitions.

Table 129: Icon used for Column Properties
Icon Meaning
Compulsory field.
No viewing permissions.
No edit permissions.

On the Access permissions tab, you can see which permissions are valid for an object based on permissions groups. The first entry shows the basic permissions for the table. The permissions for this particular object are displayed beneath that. The other entries show the column permissions. Double-click a table, object or column entry to display all the permissions groups that are used to determine the permissions.

Figure 26: Displaying Object Permissions

Table 130: Icon used for Permissions
Icon Meaning
Permissions exist.
Permissions have been removed by the object layer.
Permissions limited by conditions.

Displaying the Current User's Permissions

To get more information about the current user

  • Double-click the icon in the status bar to display more user information.

Table 131: Extra Information about the Current User
Property | Meaning
System user | Name of system user.
Authenticated by | Name of the authentication module used for logging in.
Employee UID (UserUID) | Unique ID for the current user's employee if an employee related authentication module is used to log in.
Read-only | The system user only has read permissions. Modifications to data are not possible.
Dynamic user | The current user uses a dynamic system user. Dynamic system users are applied when a role-based authentication module is used.
Remarks | More details about the system user in use.
Permissions group | Permissions groups that are assigned to the system user. Which user interface and editing permissions apply depends on the permissions groups.
Program functions | Program functions assigned to the system user. The menu items and functions available depend on the program functions.

Working with the User Interface

Certain components of the One Identity Manager’s graphical user interface are stored in the One Identity Manager schema and can be tailored to suit customer requirements. Menu items in the navigation structure, interface forms, and task definitions can be configured in this way.

Menu items, interface forms and task definitions are assigned to permissions groups. Which user interface components are effective for a user depends on the authentication module used for logging in to the One Identity Manager tools. When a user logs in to a One Identity Manager tool, a system user is determined; the available menu items, interface forms, task definitions and individual program functions are identified from the permissions groups to which this system user belongs, and the adapted user interface is loaded.

Data is displayed as objects in the user interface. User interface objects are meta-objects. They provide a selection of configurable elements, which describes how the data stored in the database is perceived. These objects enable data to be distinguished by specific properties. They provide an additional control function for configuring the user interface. Hence, interface forms and tasks are linked to object definitions, which means that different forms and tasks are displayed in the user interface depending on which object is selected.

You can only modify the supplied user interface components to a certain extent, and they are overwritten by schema installation. You can integrate components of the default user interface into your own user-defined user interface. If necessary, you can disable individual components of the default user interface to stop them from being displayed. The system users provided are not affected by this limitation. Components labeled as disabled remain so after schema installation.

Captions are used in the user interface to create user-friendly names for different components of the user interface such as menu items, tasks and column names. You can maintain multi-language display text in the One Identity Manager, which enables you to display captions in different languages.

The default One Identity Manager installation is supplied in the languages "English - United States [en-US]" and "German - Germany [de-DE]". You can add other languages to the user interface and display text if required. In this case, you should translate the text before One Identity Manager goes live. There is a Language Editor in the Designer to help you do this. A special control element is provided in the One Identity Manager tools which aids multi-language input.

A user interface is always set up for one application. The One Identity Manager’s default version supplies applications and predefined navigation menus for the "Manager", "Designer" and "Launchpad".
