Identity Manager 8.0 - Identity Management Base Module Administration Guide


Dynamic Role Master Data

Enter the following data for a dynamic role.

Table 26: Dynamic Role Master Data
Property Description

Role

Role (department, cost center, location, business role, IT Shop node, application node) referenced by the dynamic role. This data is preset with the selected role.

Object class

Object class that the dynamic role applies to. Select either "Employee", "Hardware" or "Workdesk".

NOTE: The combination of object class and role must be unique. Two dynamic roles with the same object class cannot refer to the same role.

Dynamic role

Name of the dynamic role.

Calculation schedule

Schedule, which triggers cyclical recalculation of the role membership. The task "default schedule dynamic role check" is already defined in the standard version of the One Identity Manager. All dynamic role memberships are checked using this schedule and recalculation requests are sent to the DBQueue Processor if necessary. Use the Designer to customize schedules or set up new ones to meet your requirements. For more information, see the One Identity Manager Configuration Guide.

Description

Spare text box for additional explanation.

Condition

The condition defines which objects of the object class become members of the selected role. The condition is defined as a valid Where clause for a database query and has to relate to the selected object class. You can enter the condition directly as an SQL query or use the wizard for entering database queries. Alternatively, you can enter conditions for employee objects with the filter designer.

IMPORTANT: If the condition includes a large number of objects to assign, calculating memberships can place a heavy load on the DBQueue Processor and consequently on the database server.

NOTE: If you add comments to the condition using the comment characters ‘--’, ‘//’ or ‘%’, the DBQueue Processor cannot interpret the dynamic roles correctly. The calculation will be aborted. Always use /* ... */ to enclose comments!

Test Condition of a Dynamic Role

You should test which objects fulfill the given condition before you save a dynamic role.

NOTE: This task is only visible when the dynamic role condition is displayed as an SQL query.

To test the SQL condition

  1. Select the role for which the dynamic role was created.
  2. Open the role's overview form.
  3. Select the form element "dynamic roles" and click on the dynamic role.
  4. Select Change master data in the task view.
  5. Click (Edit SQL) on the form.

    This displays the condition as an SQL query.

  6. Select Test condition in the task view.

    All the objects found by the condition are displayed on the master data form in the Test result field.

Calculating Role Memberships

Table 27: Configuration Parameters for Calculating Dynamic Roles
Configuration parameter Meaning

QER\Structures\DynamicGroupCheck

This configuration parameter controls the generation of calculation tasks for dynamic roles. If the configuration parameter is not set, the subparameters do not apply.

QER\Structures\DynamicGroupCheck\CalculateImmediatelyPerson

If the parameter is set, a calculation task for modifications to employees or employee level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are queued the next time the schedule is planned to run.

QER\Structures\DynamicGroupCheck\CalculateImmediatelyHardware

If the parameter is set, a calculation task for modifications to hardware or hardware level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are queued the next time the schedule is run.

QER\Structures\DynamicGroupCheck\CalculateImmediatelyWorkdesk

If the parameter is set, a calculation task for modifications to workdesks or workdesk level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are started the next time the schedule is planned to run.

In order to calculate role memberships, One Identity Manager checks every dynamic role for whether:

  • There is at least one object that satisfies the condition but is not assigned to the role
  • There is at least one object that does not satisfy the condition but is assigned to the role

If either condition is met, a request to add or delete memberships is sent to the DBQueue Processor. When the dynamic roles are tested, employee objects that are marked for deletion are:

  • Not added to roles through dynamic roles, even if the condition is fulfilled.
  • Removed from the role, even if the condition is fulfilled.
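As an added illustration that is not part of the guide, the following Python models the condition test and the membership calculation described above: a WHERE-clause condition (commented with /* */ only) is evaluated against a constructed Person table, and the add/remove sets are then derived by the rules above, including the handling of objects marked for deletion. The table and column names are assumptions for illustration, not One Identity Manager's actual schema.

```python
import sqlite3

# Constructed sample data: a minimal stand-in for the Person table and the
# role's current assignments. Column names are assumptions for illustration
# only, not One Identity Manager's actual schema.
PERSONS = [
    # (UID_Person, Department, IsInActive, XMarkedForDeletion)
    ("p1", "Sales", 0, 0),
    ("p2", "Sales", 0, 1),   # marked for deletion, not yet a member
    ("p3", "IT",    0, 0),   # current member that no longer matches
    ("p4", "Sales", 1, 0),   # disabled, so it fails the condition
    ("p5", "Sales", 0, 1),   # marked for deletion, currently a member
]
CURRENT_MEMBERS = {"p3", "p5"}   # constructed: existing memberships of the role

# Dynamic role condition written as a plain WHERE clause. Only /* */ comments
# are used, because '--', '//' and '%' comments break the DBQueue Processor.
CONDITION = "Department = 'Sales' /* all active sales staff */ AND IsInActive = 0"


def evaluate_condition(condition, persons):
    """Test condition: return the UID_Person set matching the WHERE clause."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Person (UID_Person TEXT, Department TEXT, IsInActive INTEGER, XMarkedForDeletion INTEGER)")
    con.executemany("INSERT INTO Person VALUES (?, ?, ?, ?)", persons)
    rows = con.execute("SELECT UID_Person FROM Person WHERE " + condition).fetchall()
    con.close()
    return {r[0] for r in rows}


def plan_membership_changes(condition, persons, current_members):
    """Return (to_add, to_remove) following the guide's rules:
    - matching objects not yet assigned are added,
    - assigned objects that no longer match are removed,
    - objects marked for deletion are never added and are always removed."""
    matching = evaluate_condition(condition, persons)
    marked = {uid for uid, _, _, deleted in persons if deleted}
    to_add = (matching - current_members) - marked
    to_remove = (current_members - matching) | (current_members & marked)
    return to_add, to_remove


if __name__ == "__main__":
    print("test result:", sorted(evaluate_condition(CONDITION, PERSONS)))
    print("add/remove:", plan_membership_changes(CONDITION, PERSONS, CURRENT_MEMBERS))
```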

Tasks for recalculating memberships are set up depending on the configuration parameter settings by:

  • Cyclical checking using a schedule

    The task "default schedule dynamic role check" is already defined in the standard version of the One Identity Manager. All dynamic role memberships are checked using this schedule and recalculation requests are sent to the DBQueue Processor if necessary. Checks are made at predefined intervals. Use the Designer to customize schedules or set up new ones to meet your requirements. For more information, see the One Identity Manager Configuration Guide.

  • Immediately after an object has changed

    When object properties are changed, memberships are immediately checked by the DBQueue Processor and changed if necessary. To use this function, set the configuration parameters "QER\Structures\DynamicGroupCheck\CalculateImmediatelyPerson", "QER\Structures\DynamicGroupCheck\CalculateImmediatelyHardware" and "QER\Structures\DynamicGroupCheck\CalculateImmediatelyWorkdesk" in the Designer.

Additional Tasks for Dynamic Roles

After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.
