
Identity Manager 8.0 - Identity Management Base Module Administration Guide


Basics for Mapping Company Structures in One Identity Manager

One Identity Manager supplies employees in a company with company resources, for example, permissions or applications, according to their function. To do this, the company structures are represented as hierarchical roles in One Identity Manager.

Roles are objects through which company resources can be assigned. Employees, devices and workdesks are assigned to roles as members. Members can obtain their company resources through these roles when the One Identity Manager is appropriately configured.

Company resource assignments are not made to individual employees, devices or workdesks but centrally and then inherited automatically through a predefined distribution list.

In One Identity Manager the following roles are defined for mapping company structures:

  • Departments, Cost Centers and Locations

    Departments, cost centers, locations, and business roles are each mapped to their own hierarchy under the heading "Organizations". This is due to their special significance for daily work schedules in many companies.

  • Business roles

    Business roles map company structures with similar functionality that exist in addition to departments, cost centers, and locations. These might be project groups, for example.

    NOTE: This function is only available if the Business Roles Module is installed.

  • Application Roles

    Application roles are used to grant One Identity Manager object access rights to One Identity Manager users. For more detailed information, see the One Identity Manager Application Roles Administration Guide.

Hierarchical Role Structure Basics

Departments, cost centers, locations and application roles are arranged hierarchically. Assigned company resources are inherited by members through these hierarchies. Company resource assignments are not made to individual employees, devices or workdesks but centrally and then inherited automatically through a predefined distribution list.

Hierarchies can be created in One Identity Manager following either the top-down or the bottom-up model. In the top-down model, roles are defined based on the area of activity, and the company resources required to fulfill the activities are assigned to the roles. In the bottom-up model, company resource assignments are analyzed and the roles result from this analysis.

Direction of Inheritance within a Hierarchy

The direction of inheritance decides the distribution of company resources within a hierarchy. One Identity Manager basically recognizes two directions of inheritance:

  • Top-down inheritance

    The default structure within a company is realized through top-down inheritance in One Identity Manager. With its help, a company’s multilevel form can be represented with main departments and respective subdepartments.

  • Bottom-up inheritance

    Whereas in "top-down" inheritance assignments are inherited in the direction of more detailed classifications, "bottom-up" inheritance operates in the other direction. This inheritance direction was introduced to map project groups in particular. The aim is to provide someone coordinating several project groups with the company resources in use by each of the project groups.

The effect on the allocation of company resources is explained in the following example for assigning an application.

Example for Assigning Company Resources Top-Down

In the diagram above a section of a company’s structure is illustrated. Applications assigned to the respective departments are also entered. An employee in retail is assigned all the applications that are allocated to their department and all those on the full structure path. In this case that is internet software, address administration, mail, and text editing.

Figure 1: Assignment through Top-Down Inheritance

Example for Assigning Company Resources Bottom-Up

The next figure shows bottom-up inheritance based on a project framework. Applications assigned to the respective project groups are also entered. An employee from the project group "Project lead" receives applications from the project group as well as those from the project groups below. In this case, it is project management, CASE tool, development environment, assembler tool and prototyping tool.

Figure 2: Assignment through Bottom-Up Inheritance

Discontinuing Inheritance

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The point at which the inheritance should be discontinued within a hierarchy is specified by the option Block inheritance. The effects of this depend on the chosen direction of inheritance.

  • In top-down inheritance, a role marked with the option Block inheritance does not inherit any assignments from parent levels. It can, however, pass on its own directly assigned company resources to lower level structures.
  • In bottom-up inheritance, the role labeled with the option Block inheritance inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

Example for Discontinuing Inheritance Top-Down

If the option Block inheritance is set for the department "Sales" in the top-down example, sales employees are assigned address administration, and employees in the retail department are assigned address administration and internet software, but neither is assigned the mail or text editing applications. Applications in the department "Overall organization" are not assigned to retail and dealers.

Figure 3: Discontinuing Inheritance Top-Down

Example for Discontinuing Inheritance Bottom-Up

An employee from the project group "Programming" receives applications from the project group as well as those from the project groups underneath; in this case, the development environment, assembler tool and the prototyping tool. If the project group "Programming" is labeled with the option Block inheritance, it no longer passes on inheritance. As a result, only the CASE tool is assigned to employees in the project group "Project lead" along with the application project management. Applications from the project groups "Programming", "System programming" and "Interface design" are not distributed to the project lead.

Figure 4: Discontinuing Inheritance Bottom-Up
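
The four examples above can be checked with a small model of the inheritance rules, useful when reviewing which entitlements a role membership actually yields. This is an added example, not One Identity Manager code. The hierarchy is reconstructed from the text because the figures are not reproduced here: placing mail and text editing on "Overall organization", the group name "Analysis" for the CASE tool, and which tool belongs to which sub-group are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(repr=False, eq=False)
class Role:
    name: str
    direct: set = field(default_factory=set)      # directly assigned resources
    parent: "Role | None" = None
    block_inheritance: bool = False                # the "Block inheritance" option
    children: list = field(default_factory=list)

    def add(self, name, *direct, block=False):
        child = Role(name, set(direct), self, block)
        self.children.append(child)
        return child

def effective_top_down(role):
    """Own assignments plus ancestors', stopping at a role that blocks inheritance."""
    result, node = set(role.direct), role
    while node.parent is not None and not node.block_inheritance:
        node = node.parent
        result |= node.direct
    return result

def effective_bottom_up(role):
    """Own assignments plus descendants'; a blocking role passes nothing upward."""
    result = set(role.direct)
    for child in role.children:
        if not child.block_inheritance:
            result |= effective_bottom_up(child)
    return result

def build_departments(block_sales=False):
    # Assumption: mail and text editing sit on "Overall organization".
    org = Role("Overall organization", {"mail", "text editing"})
    sales = org.add("Sales", "address administration", block=block_sales)
    return sales, sales.add("Retail", "internet software")

def build_projects(block_programming=False):
    lead = Role("Project lead", {"project management"})
    lead.add("Analysis", "CASE tool")              # hypothetical group name
    prog = lead.add("Programming", "development environment", block=block_programming)
    prog.add("System programming", "assembler tool")   # assumed placement
    prog.add("Interface design", "prototyping tool")   # assumed placement
    return lead, prog

if __name__ == "__main__":
    for blocked in (False, True):
        sales, retail = build_departments(blocked)
        lead, prog = build_projects(blocked)
        print("blocked" if blocked else "default", sorted(effective_top_down(retail)),
              sorted(effective_bottom_up(lead)))
```

Note that a blocking role behaves asymmetrically: top-down it stops receiving from above, bottom-up it stops passing upward, so the same flag changes the entitlements of different members depending on the hierarchy's direction.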
