Identity Manager 8.0 - Identity Management Base Module Administration Guide


Analyzing Role Memberships and Employee Assignments

The report "Overview of all Assignments" is displayed for certain objects, for example, permissions, compliance rules or roles. The report finds all the roles (for example, departments, cost centers, locations, business roles and IT Shop structures) in which there are employees who own the selected base object. Both direct and indirect base object assignments are included.

Example
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group, all roles are determined in which there are employees with this group.
  • If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the report Overview of all assignments.
  • Use the Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you determine if roles exist in which there are employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. In the report's toolbar, click to open the legend.

  • Double-click a control to show all child roles belonging to the selected role.
  • By clicking the button in a role's control, you display all employees in the role with the base object.
  • Use the small arrow next to to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.

Figure 13: Toolbar for Report "Overview of all assignments"

Table 46: Meaning of Icons in the Report Toolbar
Icon Meaning
Show the legend with the meaning of the report control elements
Saves the current report view as a graphic.
Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Mapping Multiple Employee Identities

Table 47: Configuration Parameter for Representing Multiple Identities
Configuration parameter Active Meaning

QER\Person\MasterIdentity

Preprocessor-relevant configuration parameter for controlling the component parts for administering several identities of one employee. Changes to the parameter require recompiling the database.

If this parameter is set, several logical employees can be handled in the database for one physical employee (for example, an employee has different identities and account characteristics at different branches).

QER\Person\MasterIdentity\UseMasterForAuthentication

This configuration parameter specifies whether the main identity should be used to log in to One Identity Manager tools through an employee-linked authentication module.

If this parameter is set, the main identity is used for employee-linked authentication. If the parameter is not set, the subidentity is used for employee-linked authentication.

It might be necessary for employees to have different identities for their work under certain circumstances – for example, identities that result from contracts at different branches. These identities can be differentiated through the membership of a department, cost center or through access permissions. External employees at different locations can also be used and represented with different identities in the system. You can define a main identity and a subidentity for an employee in the One Identity Manager to represent each of the identities and to group them at a central location.

Main Identity
  • A main identity represents a real person.
  • A main identity can be assigned user accounts and permissions in the One Identity Manager and it can place requests in the IT Shop.
  • A main identity can be referenced by several subidentities.
  • The employee master data for a main identity is entered in the One Identity Manager.
Subidentity
  • A subidentity is a virtual employee.
  • A subidentity can be assigned user accounts and permissions in the One Identity Manager and it can place requests in the IT Shop.
  • A subidentity is always linked to a main identity.
  • Employee master data for a subidentity is displayed in the One Identity Manager. This can be copied from the main identity data using the appropriate templates.
  • Enter a main identity for the subidentity using the pop-up menu Main identity on the employee’s master data form.

TIP: If an employee with multiple identities is being edited despite only one identity being currently known to the One Identity Manager, you should create a main identity for that employee. You should assign the previously known identity as a subidentity and create new subidentities for the other identities. In this way, it is possible to test the employee’s permitted permissions per subidentity or per main identity including all subidentities in the bounds of an identity audit.
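
The per-subidentity versus per-main-identity check described in the TIP above, as an added sketch that is not One Identity Manager code. The Identity class, the entitlement names and the conflict rule are constructed for illustration, and login_identity only mirrors the documented behavior of QER\Person\MasterIdentity\UseMasterForAuthentication.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)
class Identity:
    """Hypothetical model: main is None for a main identity."""
    name: str
    entitlements: frozenset = frozenset()
    main: Optional["Identity"] = None


def login_identity(identity, use_master_for_authentication):
    """If the parameter is set, a subidentity logs in as its main identity."""
    if use_master_for_authentication and identity.main is not None:
        return identity.main
    return identity


def violations(entitlements, conflict_rules):
    """Return every conflict rule fully contained in one entitlement set."""
    return [rule for rule in conflict_rules if rule <= entitlements]


def audit(main, identities, conflict_rules):
    """Check each identity alone, then the main identity plus all subidentities."""
    group = [main] + [i for i in identities if i.main is main]
    per_identity = {i.name: violations(i.entitlements, conflict_rules) for i in group}
    combined = frozenset().union(*(i.entitlements for i in group))
    aggregate = violations(combined, conflict_rules)
    found_alone = [rule for found in per_identity.values() for rule in found]
    # Conflicts that no single identity shows, only the person as a whole.
    hidden = [rule for rule in aggregate if rule not in found_alone]
    return per_identity, aggregate, hidden


# Constructed sample data: one person with a subidentity at each of two branches.
CONFLICTS = [frozenset({"create_vendor", "approve_payment"})]
person = Identity("C. Harris (main)")
sub_a = Identity("C. Harris @ Branch A", frozenset({"create_vendor"}), main=person)
sub_b = Identity("C. Harris @ Branch B", frozenset({"approve_payment"}), main=person)

if __name__ == "__main__":
    per_identity, aggregate, hidden = audit(person, [sub_a, sub_b], CONFLICTS)
    for name, found in per_identity.items():
        print(f"{name}: {len(found)} conflict(s)")
    print(f"main identity incl. subidentities: {len(aggregate)} conflict(s)")
    print("visible only in the aggregate:", [sorted(rule) for rule in hidden])
```

Each subidentity passes the check on its own, while the aggregate over the main identity exposes the conflicting combination held by the same real person.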

Limited Access to One Identity Manager

Installed Modules: Attestation Module

Users who have only temporary or limited access to the One Identity Manager can log in through the Web Portal. This functionality can be used, for example, if external employees, such as contract workers, should be provided with temporary access to the One Identity Manager. These employees can log in to the Web Portal as new workers. New employee objects are added for them in the One Identity Manager database.

If you make use of this functionality, take note of the following:

  • An employee with the following properties is created in One Identity Manager:
    Certification status new
    Certified enabled
    No inheritance enabled
  • If the configuration parameter "QER\Attestation\UserApproval" is set, the new employee is automatically attested.
  • To assign company resources to the employee or to ensure editing permissions in the One Identity Manager, implement custom processes.
Related Topics

Changing the Certification Status of an Employee

Changing the Certification Status of an Employee

Installed Modules: Attestation Module

An employee's certification status is set by default through certification and recertification procedures. You can manually change an employee's certification status if it is necessary to do so outside the regular recertification schedule.

Prerequisite

  • The configuration parameter "QER\Attestation\UserApproval" is set.

To change an employee's certification status manually

  1. To change the certification status of an active employee, select the category Employees | Employees.

    - OR -

    To change the certification status of an inactive employee, select the category Employees | Inactive.

  2. Select the employee in the result list.
  3. Select Change certification status in the task view.
  4. Select the certification status you want from the Certification status menu.
  5. Click OK to accept the changes.

    The new certification status for the employee is displayed on the form.

    NOTE: The option Permanently disabled is updated with respect to the certification status. If an employee's certification status is set to "rejected" through attestation or manually, the employee is immediately permanently disabled. If the employee's certification status is changed to "certified", the employee is enabled again.