Identity Manager 8.0 - Identity Management Base Module Administration Guide


Miscellaneous Employee Master Data


Enter the following general master data for an employee. This data applies to the target system login, identities, One Identity Manager login data and employee import data.

Table 39: Miscellaneous Master Data

Property

Description

Central user account

One Identity Manager user identifier. In the One Identity Manager default installation, the central user account is made up of the first and the last name of the employee. An employee’s central user account affects the composition of user accounts in each target system. The central user account is also used for logging in to the One Identity Manager tools.

Central SAP user account

Name used to form the user account name in the SAP R/3 target system. In the One Identity Manager default installation, the central user account is made up of the first and the last name of the employee.

NOTE: This property is only available if the SAP R/3 User Management module is installed.

Central password and password confirmation

Password for logging in to the target system. Depending on the configuration, the employee's central password is mapped to the target system specific user accounts.

Query and reply for central password

Question-answer combination to be used with mutual aid to reset the employee's central password.

Default email address

The default email address is used to set up mailboxes for an employee in separate target systems. This data is required for automatically creating mailboxes. In the default version of the One Identity Manager, the default email address is composed of the employee’s central user account and the default mail domain of the active target system.

Identity

Employee's identity type.

Table 40: Permitted values for the identity.

Value

Description

Primary identity

Employee's default identity. The employee has a default user account.

Organizational identity

Virtual employee (sub identity) for mapping different roles to an employee in the organization. The sub identity has a secondary user account. If you select this identity, you must also select a main identity.

Personalized admin identity

Virtual employee (sub identity) that has an administrative user account. If you select this identity, you must also select a main identity.

Sponsored identity

Identity linked to a user account that is used, for example, for training purposes.

Shared identity

Identity linked to an administrative user account that is used by different people.

Service identity

Identity that is linked to a service account.

Main identity

Allocate a main identity here if the employee is managed as a subidentity in the One Identity Manager. A subidentity allows you to set up special cases in One Identity Manager. If an employee has several user accounts in one target system that must be assigned to different groups, create a separate subidentity for each user account with a link to the main identity.

Dummy employee

Use a dummy employee to maintain identities for test or training purposes. These are treated as identities but carry a special status.

Actual employee

Assign the dummy employee to an existing employee.

X500 dummy

Specifies whether the employee is managed as an X500 dummy in the One Identity Manager. If an employee has several X500 entries that differ in properties, you can also use a "Dummy" employee. Label the employee with the option X500 dummy in this case and configure a link to the real X500 employee.

X500 person

Assign the X500 dummy employee to an existing employee.

Starling 2FA user ID

User ID for multi-factor authentication. For more detailed information about multi-factor authentication, see the One Identity Manager IT Shop Administration Guide.

System user

System user with which the employee can log in to the One Identity Manager administration tools. The login data is analyzed by the authentication module in use.

Logins

Logins with which the employee can log in to the One Identity Manager administration tools. Enter the login in the form: Domain\User. This information is required if the authentication modules "user account" or "user account (role-based)" are used for logging in to One Identity Manager tools.

Password and password confirmation

Password with which the employee logs in to the One Identity Manager tools.

User account name (mainframe)

If an employee is permitted access to the mainframe with their user account, enter the login name here.

Notebook user

Just for information.

Company car

Just for information.

Login permitted on terminal server

Specifies whether this employee is permitted to log in on the terminal server with their user account.

Remote access permitted

Specifies whether the employee can dial into the network with their user account.

Import data source

Target system or data source from which the employee was imported. This property is also set by scripts for automatically assigning employees to user accounts.

Distinguished name

Distinguished name of the imported employee. This property should be set by the import.

Canonical name

Fully qualified name of the imported employee. This property should be set by the import.


Employee's Central User Account

Table 41: Configuration Parameter for Forming the Central User Accounts
Configuration Parameter Meaning

QER\Person\CentralAccountGlobalUnique

This configuration parameter specifies how the central user account is mapped.

If this configuration parameter is set, the central user account for an employee is formed uniquely in relation to the central user accounts of all employees and the user account names of all permitted target systems.

If the configuration parameter is not set, it is only formed uniquely related to the central user accounts of all employees.

The employee’s central user account is used to form the user account login name in the active system. It is also used for logging in to the One Identity Manager tools. In the One Identity Manager default installation, the central user account is made up of the first and the last name of the employee. If only one of these is known, it is used for the central user account. One Identity Manager then checks whether a central user account with that value already exists. If so, an incremental number is appended to the value.

Table 42: Example of Forming Central User Accounts

| First name | Last name | Central user account |
|---|---|---|
| Clara | | CLARA |
| | Harris | HARRIS |
| Clara | Harris | CLARAH |
| Clara | Harrison | CLARAH1 |
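
The uniqueness check described above, including the effect of QER\Person\CentralAccountGlobalUnique, as an added Python example (not One Identity Manager code). The composition rule (first name plus first letter of the last name, upper case) is inferred from Table 42; the case-insensitive comparison and all function and parameter names are assumptions.

```python
def base_name(first, last):
    """Composition inferred from Table 42 (assumption): if only one name is
    known it is used as is; otherwise first name + first letter of last name."""
    first, last = (first or "").strip(), (last or "").strip()
    if first and last:
        return (first + last[0]).upper()
    return (first or last).upper()


def form_central_account(first, last, central_accounts,
                         target_accounts=(), global_unique=False):
    """Return a central user account that does not collide with existing names.

    global_unique models QER\\Person\\CentralAccountGlobalUnique: when set, the
    name must also differ from the user account names of the target systems;
    when not set, only other employees' central user accounts are checked.
    """
    base = base_name(first, last)
    if not base:
        raise ValueError("first name or last name is required")

    # Case-insensitive comparison is an assumption of this example.
    taken = {name.upper() for name in central_accounts}
    if global_unique:
        taken |= {name.upper() for name in target_accounts}

    candidate, counter = base, 0
    while candidate in taken:
        counter += 1                      # incremental number appended on collision
        candidate = f"{base}{counter}"
    return candidate


def replay_table_42():
    """Form accounts for the Table 42 rows in order; each row sees earlier ones."""
    rows = [("Clara", ""), ("", "Harris"), ("Clara", "Harris"), ("Clara", "Harrison")]
    issued = []
    for first, last in rows:
        issued.append(form_central_account(first, last, issued))
    return issued


if __name__ == "__main__":
    print(replay_table_42())
    # Constructed sample: a target system already holds an account "clarah".
    for flag in (False, True):
        print(flag, form_central_account("Clara", "Harris", [], ["clarah"], flag))
```

With the parameter not set, the new central user account can coincide with an account name that already exists in a target system, which is the collision the global uniqueness setting is there to prevent.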


Employee's Central Password

Table 43: Configuration Parameters for the Central Password
Configuration parameter Active Meaning

QER\Person\UseCentralPassword

This configuration parameter specifies whether the employee's central password is used in the user accounts. The employee’s central password is automatically mapped to the employee’s user account in all permitted target systems. This excludes privileged user accounts, which are not updated.

QER\Person\UseCentralPassword\PermanentStore

This configuration parameter controls the storage period for central passwords. If the parameter is set, the employee’s central password is permanently stored. If the parameter is not set, the central password is only used for publishing to existing target system specific user accounts and is subsequently deleted from the One Identity Manager database.

The central password can be used to log on to target systems. The behavior for this is controlled by the following configuration parameters.

  • Set the configuration parameter "QER\Person\UseCentralPassword" in the Designer.

    If the configuration parameter "QER\Person\UseCentralPassword" is set, the employee's central password is automatically mapped to an employee's user account in each of the target systems. This excludes privileged user accounts, which are not updated.

  • Use the configuration parameter "QER\Person\UseCentralPassword\PermanentStore" in the Designer to specify whether an employee’s central password is permanently saved in the One Identity Manager database or only until the password has been published in the target system.

The password policy "Employee central password policy" is used to format the central password.

IMPORTANT: Ensure that the password policy "Employee central password policy" does not violate the target system specific password requirements.


Change Password Question

Employees can use mutual aid to reset their central password. This requires a stored question-answer pair for changing the central password.

To enter a question-answer combination

  1. Log on to the Manager.
  2. Open your own employee data.
  3. Select Change security question in the task view.
  4. Confirm the security prompt with OK.
  5. Enter a question and a reply.

IMPORTANT: Make a note of your reply. You need this if you want to reset your central password using mutual aid.