Chat now with support
Chat with Support

Identity Manager 8.0 - Identity Management Base Module Administration Guide

Basics for Mapping Company Structures in One Identity Manager Managing Departments, Cost Centers and Locations Working with Dynamic Roles Employee Administration
One Identity Manager Users for Employee Administration Basic Configuration Data for Employees Entering Employee Master Data Employee's Central User Account Employee's Central Password Employee's Default Email Address Disabling and Deleting Employees Assigning Company Resources to Employees Origin of an Employee's Roles and Entitlements Analyzing Role Memberships and Employee Assignments Mapping Multiple Employee Identities Limited Access to One Identity Manager Additional Tasks for Managing Employees Determining an Employee‘s Language Determining an Employee‘s Working Hours Employee Reports
Managing Devices and Workdesks Managing Resources Set up Extended Properties Appendix: Configuration Parameters for Managing Departments, Cost Centers and Locations Appendix: Configuration Parameters for Managing Applications Appendix: Configuration Parameters for Managing Devices and Workdesks Appendix: Authentication Modules for Logging into the One Identity Manager

Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations

Assign employees, devices and workdesks to departments, cost centers and locations. Employees, devices and workdesks can obtain their company resources through these organizations.

To add employees, devices and workdesks to a hierarchical role

  1. Select the category Organizations | <Role class>.
  2. Select the role in the result list.
  3. Select the appropriate task.
    • Assign Employees
    • Assigning Devices
    • Assign workdesks
  4. Assign the objects in Add assignments.

    - OR -

    Remove the objects in Remove assignments.

  5. Save the changes.

TIP: Use dynamic roles to assign employees, devices and workdesks to departments, cost centers and locations automatically.
Related Topics

Assigning Company Resources to Departments, Cost Centers and Locations

The default method of assigning employees, devices and workdesks is indirect assignment. This allocates an employee, a device or a workdesk to departments, cost centers or locations. The total of assigned company resources for an employee, a device or workdesk is calculated from their position within the hierarchy, the direction of inheritance and the company resources assigned to these roles.

Indirect assignment is divided into:

  • Secondary Assignment

    You make a secondary assignment by classifying an employee, a device or a workdesk within a role hierarchy. Secondary assignment is the default method for assigning and inheriting company resources through roles.

    		 IMPORTANT: Whether secondary assignment of company resources is possible depends on the role classes.

    If an employee, device or a workdesk fulfill the requirements of a dynamic role, the object is added dynamically to the corresponding company structure and can obtain company resources through it.

  • Primary Assignment

    You make a primary assignment by referencing a department, cost center or location through a foreign key to the employee, device and workdesk objects. Primary assignment inheritance can be enable through configuration parameters.

You must assign company resources to departments, cost centers or locations so that employees, devices and workdesks can inherit company resources. The following table shows the possible company resources assignments.

 Note: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.
Table 21: Possible Assignments of Company Resources to Roles
Company Resource Available in Module

Resources

always

Account definitions Target System Base Module

Groups of custom target systems

Target System Base Module

Active Directory groups

Active Directory Module

SharePoint groups

SharePoint Module

SharePoint roles

SharePoint Module

LDAP groups

LDAP Module

Notes groups

IBM Notes Module

SAP groups

SAP R/3 User Management module Module

SAP profiles

SAP R/3 User Management module Module

SAP roles

SAP R/3 User Management module Module

Structural profiles

SAP R/3 Structural Profiles Add-on Module

BI analysis authorizations

SAP R/3 Analysis Authorizations Add-on Module

System roles

System Roles Module

Subscribable reports

Report Subscription Module

Applications

Application Management Module

Azure Active Directory groups

Azure Active Directory Module

Azure Active Directory administrator roles

Azure Active Directory Module

Azure Active Directory subscriptions

Azure Active Directory Module

Disabled Azure Active Directory service plans

Azure Active Directory Module

Unix groups

Unix Based Target Systems Module

To add company resources to a hierarchical role

  1. Select the category Organizations | <Role class>.
  2. Select the role in the result list.
  3. Select the task to assign the corresponding company resource.
  4. Assign company resources in Add assignments.

    - OR -

    Remove company resource in Remove assignments.

  5. Save the changes.
Detailed information about this topic
Related Topics

Setting Up IT Operating Data

In order for an employee to create user accounts with the manage level "Full managed", the necessary IT operating data must be determined. The operating data required to automatically supply an employee with IT resources is shown in the departments, locations, cost centers, and business roles. An employee is assigned to one primary location, one primary department, one primary cost center or one primary business role. The necessary IT operating data is ascertained from these assignments and used in creating the user accounts. Default values are used if valid IT operating data cannot be found over the primary roles.

You can also specify IT operating data directly for a specific account definition.

Example:

Normally, each employee in department A obtains a default user account in the domain A. In addition, certain employees in department A obtain administrative user accounts in the domain A.

Create an account definition A for the default user account of the domain A and an account definition B for the administrative user account of domain A. Specify the property "Department" in the IT operating data formatting rule for the account definitions A and B in order to determine the valid IT operating data.

Specify the effective IT operating data of department A for the domain A. This IT operating data is used for standard user accounts. In addition, specify the effective account definition B IT operating data for department A. This IT operating data is used for administrative user accounts.

To specify IT operating data

  1. Select the category Organizations | <Role class>.
  2. Select the role in the result list.

  3. Select Edit IT operating data in the task view and enter the following data.

    Table 22: IT Operating Data
    Property Description
    Organization/Business role Department, cost center, location or business role for which the IT operating data is valid.
    Effects on IT operating data application scope. The IT operating data can be used for a target system or a defined account definition.

    To specify an application scope

    1. Click next to the text box.
    2. Select the table under Table, which maps the target system or the table TSBAccountDef for an account definition.
    3. Select the concrete target system or concrete account definition under Effects on.
    4. Click OK.
    Column User account property for which the value is set.

    Columns using the script template TSB_ITDataFromOrg in their template are listed. For more detailed information, see the One Identity Manager Target System Base Module Administration Guide.

    Value Concrete value which is assigned to the user account property.
  4. Save the changes.

The IT operating data necessary in the One Identity Manager default configuration for automatically creating or changing employee user accounts and mailboxes in the target system is itemized in the following table.

 Note: IT operating data is dependent on the target system and is contained in One Identity Manager modules. The data is not available until the modules are installed.
Table 23: Target System Dependent IT Operating Data
Target system type IT Operating Data

Active Directory

Container

Home server

Profile Server

Terminal home server

Terminal profile server

Groups can be inherited

Identity

Privileged user account

Microsoft Exchange

Mailbox database

LDAP

Container

Groups can be inherited

Identity

Privileged user account

IBM Notes

Server

Certificate

Template for mail file

Identity

SharePoint

Authentication mode

Groups can be inherited

Identity

Privileged user account

Custom target systems

Container (per target system)

Groups can be inherited

Identity

Privileged user account

Azure Active Directory

Groups can be inherited

Identity

Privileged user account

Change password the next time you log in

Cloud target system Container (per target system)
Groups can be inherited

Identity

Privileged user account

Unix-based target system

 

 

 

 Login shell
Groups can be inherited

Identity

Privileged user account

Exchange Online

Groups can be inherited

G Suite

Organizational unit

Groups can be inherited

Privileged user account

Change password the next time you log in

Related Topics
  • One Identity Manager Target System Base Module Administration Guide

Modifying IT Operating Data

Modifying IT Operating Data

If IT operating data changes, you must transfer these changes to the existing user accounts. To do this, templates must be rerun on the affected columns. Before you can run the templates, you can check what the effect of a change to the IT operating data has on the existing user accounts. You can decide whether the change is transferred to the database in the case of each affected column in each affected database.

Prerequisites

  • The IT operating data of a department, cost center or a location was changed.

    - OR -

  • The default values in the IT operating data template were modified for an account definition.

NOTE: If the assignment of an employee to a primary department, cost center or to a primary location changes, the templates are automatically executed.

To execute the template

  1. Select the category <target system type> | Basic configuration data | Account definitions | Account definitions.

  2. Select an account definition in the result list.
  3. Select Execute templates in the task view

    This displays a list of all user account, which are created through the selected account definition and whose properties are changed by modifying the IT operating data.

    Old value Current value of the object property.
    New value Value applied to the object property after modifying the IT operating data.
    Selection Specifies whether the modification is applied to the user account.
  4. Mark all the object properties in the selection column that will be given the new value.
  5. Click Apply.

    The templates are applied to all selected user accounts and properties.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating