Identity Manager 8.0 - Identity Management Base Module Administration Guide


Permanently Deactivating Employees

Employees can be disabled permanently when, for example, they leave the company. It might then be necessary to remove this employee's access to entitlements in connected target systems and to their company resources.

Effects of permanent disabling of an employee are:

  • The employee cannot be assigned to employees as a manager.
  • The employee cannot be assigned to roles as a supervisor.
  • The employee cannot be assigned to attestation policies as an owner.
  • There is no inheritance of company resources through roles, if the additional option No inheritance is set for an employee.
  • Employee user accounts are locked or deleted and then removed from group memberships.

Trigger permanent disabling through:

  • The task Disable employee permanently

    This task ensures that the option Permanently disabled is set and leaving date and the last day of work are set to the current date.

  • Leave date reached

    NOTE: Configure and enable the schedule "Lock accounts of employees that have left the company" in the Designer. This schedule regularly checks the leaving date and sets the option Permanently disabled on reaching the date.

    NOTE: The task Re-enable employee ensures that the employee is re-enabled.
  • Certification status "Denied"

    An employee is permanently disabled when their certification status is set to "Denied" either through attestation or manually. If the employee's certification status is changed to "certified", the employee is activated again.

    NOTE: This function is only available if the Attestation Module is installed.

Re-enable an Employee

Employees who are permanently deactivated can be re-enabled if they were not disabled by certification.

To re-enable an employee

  1. Select the category Employees | Inactive employees.
  2. Select the employee in the result list.
  3. Select Re-enable employee in the task view.

    An alert appears.

  4. Confirm the security prompt with Yes if the employee should be enabled. Otherwise close the alert with No.

    The option Disabled permanently is enabled on the employee’s master data form. The leaving date and last working day are deleted.

  5. Save the changes.
Deferred Deletion of Employees

When an employee is deleted, a check is made whether user accounts and company resources are still assigned to them, or whether requests are still pending in the IT Shop. The employee is marked for deletion and is therefore locked out of further processing. Before an employee can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests. You can do this manually or implement custom processes to do it. By default, One Identity Manager can delete all user accounts linked to an employee once that employee has been deleted. Once no more company resources are assigned, the employee is finally deleted.

By default, employees are finally deleted from the database after 30 days. During this period it is possible to re-enable the employee. A restore is not possible once the delete delay has expired. You can configure an alternative deletion delay on the table Person in the Designer.
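The following Python model is an added example, not One Identity Manager code or schema. It illustrates the lifecycle described in the preceding sections on constructed data: the "Disable employee permanently" task, the leave-date schedule, the certification status "Denied", the "Re-enable employee" task, and deferred deletion with the default 30-day delay. The class and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed model of the employee lifecycle: permanent disabling, the
# leave-date schedule, re-enabling, and deferred deletion. Names are
# assumptions for illustration, not One Identity Manager's own API.

DELETE_DELAY_DAYS = 30  # default deletion delay (configurable on table Person)


@dataclass
class Employee:
    name: str
    permanently_disabled: bool = False
    certification_status: str = "certified"  # "certified" or "denied"
    leave_date: Optional[date] = None
    last_working_day: Optional[date] = None
    marked_for_deletion_on: Optional[date] = None
    user_accounts: Set[str] = field(default_factory=set)
    company_resources: Set[str] = field(default_factory=set)


def disable_permanently(emp: Employee, today: date) -> None:
    """Task 'Disable employee permanently': flag set, both dates = today."""
    emp.permanently_disabled = True
    emp.leave_date = today
    emp.last_working_day = today


def run_leave_date_schedule(employees: List[Employee], today: date) -> List[str]:
    """Schedule 'Lock accounts of employees that have left the company':
    disable every employee whose leave date has been reached."""
    locked = []
    for emp in employees:
        if (emp.leave_date is not None and emp.leave_date <= today
                and not emp.permanently_disabled):
            emp.permanently_disabled = True
            locked.append(emp.name)
    return locked


def set_certification_status(emp: Employee, status: str) -> None:
    """'denied' disables the employee; 'certified' activates them again."""
    emp.certification_status = status
    emp.permanently_disabled = (status == "denied")


def re_enable(emp: Employee) -> bool:
    """Task 'Re-enable employee': refused if disabled by certification."""
    if emp.certification_status == "denied":
        return False
    emp.permanently_disabled = False
    emp.leave_date = None
    emp.last_working_day = None
    return True


def delete_employee(emp: Employee, today: date) -> None:
    """Deleting only marks the employee; final removal is deferred."""
    emp.marked_for_deletion_on = today


def can_finalize_deletion(emp: Employee) -> bool:
    """Final deletion requires all accounts and resource assignments gone."""
    return (emp.marked_for_deletion_on is not None
            and not emp.user_accounts and not emp.company_resources)


def can_restore(emp: Employee, today: date) -> bool:
    """Restoring is only possible inside the deletion delay."""
    if emp.marked_for_deletion_on is None:
        return False
    return today < emp.marked_for_deletion_on + timedelta(days=DELETE_DELAY_DAYS)


def walkthrough() -> dict:
    """Run the scenario on constructed data and return the observed states."""
    today = date(2024, 3, 1)
    alice = Employee("alice", leave_date=date(2024, 2, 28),
                     user_accounts={"AD\\alice"})  # constructed sample account
    out = {}
    out["locked_by_schedule"] = run_leave_date_schedule([alice], today)
    out["re_enabled"] = re_enable(alice)                   # allowed
    set_certification_status(alice, "denied")
    out["re_enable_after_denied"] = re_enable(alice)       # refused
    delete_employee(alice, today)
    out["final_delete_with_accounts"] = can_finalize_deletion(alice)
    alice.user_accounts.clear()                            # cleanup done
    out["final_delete_after_cleanup"] = can_finalize_deletion(alice)
    out["restore_day_29"] = can_restore(alice, today + timedelta(days=29))
    out["restore_day_30"] = can_restore(alice, today + timedelta(days=30))
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The walkthrough shows the two checks an operator usually cares about: re-enabling is blocked once certification was denied, and final deletion stays blocked while any account or resource is still assigned, regardless of how much of the delay has elapsed.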


Assigning Company Resources to Employees

One Identity Manager uses different assignment types to assign company resources.

  • Indirect Assignment

    In the case of indirect assignment of company resources, employees, devices and workdesks are arranged in departments, cost centers, locations, business roles or application roles. The total of assigned company resources for an employee, device or workdesk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up) and the company resources assigned to these roles. Indirect assignment distinguishes between primary and secondary assignment.

  • Direct Assignment

    Direct assignment of company resources results from the assignment of a company resource to an employee, device or a workdesk, for example. Direct assignment of company resources makes it easier to react to special requirements.

  • Assigning through Dynamic Roles

    Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices and workdesks are not permanently assigned to a role, only while they fulfill certain conditions. A check is performed regularly to assess which employees, devices or workdesks fulfill these conditions. This means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees in a department in this way; if an employee leaves the department they immediately lose the resources assigned to them.

  • Assigning through IT Shop Requests

    Assignment through the IT Shop is a special case of indirect assignment. Add employees to a shop as customers so that company resources can be assigned through IT Shop requests. All company resources assigned as product to this shop can be requested by the customers. Requested company resources are assigned to the employees after approval is granted. Role memberships can be requested through the IT Shop as well as company resources.
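The following Python model is an added example, not One Identity Manager code or schema. It computes an employee's effective company resources from the four assignment types described above on constructed data: direct assignment, indirect assignment through a role hierarchy with top-down or bottom-up inheritance, dynamic roles whose membership lasts only while a condition holds, and approved IT Shop requests, plus the effect of the "No inheritance" option. Role names, resource names and the function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed model of direct, role-based, dynamic and IT Shop assignment.
# Names and structures are assumptions, not One Identity Manager's schema.


@dataclass
class Employee:
    name: str
    department: str
    no_inheritance: bool = False                              # option "No inheritance"
    direct: Set[str] = field(default_factory=set)             # direct assignment
    primary_roles: Set[str] = field(default_factory=set)      # role memberships
    approved_requests: Set[str] = field(default_factory=set)  # approved IT Shop requests


@dataclass
class Role:
    name: str
    resources: Set[str] = field(default_factory=set)
    parent: Optional[str] = None


@dataclass
class DynamicRole:
    role: str
    condition: Callable[[Employee], bool]


def roles_in_scope(role_name: str, roles: Dict[str, Role], direction: str) -> Set[str]:
    """Roles whose resources a member of role_name inherits.
    top-down: ancestors pass their resources down to role_name.
    bottom-up: descendants pass their resources up to role_name."""
    in_scope = {role_name}
    if direction == "top-down":
        parent = roles[role_name].parent
        while parent is not None:
            in_scope.add(parent)
            parent = roles[parent].parent
    elif direction == "bottom-up":
        stack = [role_name]
        while stack:
            current = stack.pop()
            for role in roles.values():
                if role.parent == current and role.name not in in_scope:
                    in_scope.add(role.name)
                    stack.append(role.name)
    else:
        raise ValueError("direction must be 'top-down' or 'bottom-up'")
    return in_scope


def effective_resources(emp: Employee, roles: Dict[str, Role],
                        dynamic_roles: List[DynamicRole],
                        direction: str = "top-down") -> Set[str]:
    """Union of everything the employee holds through all assignment types."""
    resources = set(emp.direct) | set(emp.approved_requests)
    if emp.no_inheritance:
        return resources  # nothing flows through roles
    memberships = set(emp.primary_roles)
    # dynamic roles: membership exists only while the condition holds
    memberships |= {d.role for d in dynamic_roles if d.condition(emp)}
    for member_of in memberships:
        for role_name in roles_in_scope(member_of, roles, direction):
            resources |= roles[role_name].resources
    return resources


def walkthrough() -> dict:
    """Constructed hierarchy: Company > Sales > Sales-EMEA, plus a dynamic role."""
    roles = {
        "Company": Role("Company", {"intranet"}),
        "Sales": Role("Sales", {"crm"}, parent="Company"),
        "Sales-EMEA": Role("Sales-EMEA", {"emea-share"}, parent="Sales"),
        "Sales-Staff": Role("Sales-Staff", {"quota-tool"}),
    }
    dynamic = [DynamicRole("Sales-Staff", lambda e: e.department == "Sales")]
    bob = Employee("bob", "Sales", direct={"laptop"}, primary_roles={"Sales-EMEA"},
                   approved_requests={"vpn"})
    out = {}
    out["top_down"] = effective_resources(bob, roles, dynamic, "top-down")
    out["bottom_up"] = effective_resources(bob, roles, dynamic, "bottom-up")
    bob.department = "Finance"  # leaves Sales: only the dynamic role drops out
    out["after_move"] = effective_resources(bob, roles, dynamic, "top-down")
    bob.no_inheritance = True   # direct and requested resources remain
    out["no_inheritance"] = effective_resources(bob, roles, dynamic, "top-down")
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {sorted(value)}")
```

The walkthrough keeps the explicit Sales-EMEA membership in place when the department changes, so the difference between the two results isolates the dynamic role alone; it also shows why the inheritance direction matters, since under bottom-up inheritance a leaf role such as Sales-EMEA no longer receives anything from Sales or Company.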

The following table shows the possible company resource assignments to employees.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.

Table 45: Possible Assignments of Company Resources to Employees

| Company Resource | Direct assignment permitted | Indirect assignment permitted | Comment |
|---|---|---|---|
| Resources | + | + | |
| System roles | + | + | |
| Subscribable reports | + | + | |
| Applications | + | + | |
| Account definitions | + | + | |
| Groups of custom target systems | - | + | All the employee's user accounts that permit application inheritance are added to the associated application group. |
| Active Directory groups | - | + | All the employee's Active Directory user accounts and Active Directory contacts that permit group inheritance are added to Active Directory groups. |
| SharePoint groups | - | + | All the employee's SharePoint user accounts are added to SharePoint groups. |
| SharePoint roles | - | + | All the employee's SharePoint user accounts are added to SharePoint roles. |
| LDAP groups | - | + | All the employee's LDAP user accounts that permit group inheritance are added to LDAP groups. |
| Notes groups | - | + | All the employee's Notes user accounts are added to Notes groups. |
| SAP groups | + | + | All the employee's SAP user accounts in the same SAP client are added to SAP groups. |
| SAP profiles | + | + | All the employee's SAP user accounts in the same SAP client are added to SAP profiles. |
| SAP roles | + | + | All the employee's SAP user accounts in the same SAP client are added to SAP roles. |
| Structural profiles | - | + | All the employee's SAP user accounts in the same SAP client are added to structural profiles. |
| BI analysis authorizations | - | + | All the employee's BI user accounts in the same system obtain BI analysis authorizations. |
| E-Business Suite entitlements | - | + | All the employee's E-Business Suite user accounts in the same E-Business Suite system that permit group inheritance are added to E-Business Suite groups. |
| Azure Active Directory groups | - | + | All the employee's Azure Active Directory user accounts that permit group inheritance are added to Azure Active Directory groups. |
| Azure Active Directory administrator roles | - | + | All the employee's Azure Active Directory user accounts that permit group inheritance are added to Azure Active Directory administrator roles. |
| Azure Active Directory subscriptions | - | + | All the employee's Azure Active Directory user accounts that permit group inheritance are given Azure Active Directory subscriptions. |
| Disabled Azure Active Directory service plans | - | + | All the employee's Azure Active Directory user accounts that permit group inheritance are given Azure Active Directory service plans. |
| Unix groups | - | + | All the employee's Unix user accounts that permit group inheritance are added to Unix groups. |
