Chat now with support
Chat with Support

Identity Manager 8.0 - Identity Management Base Module Administration Guide

Basics for Mapping Company Structures in One Identity Manager Managing Departments, Cost Centers and Locations Working with Dynamic Roles Employee Administration
One Identity Manager Users for Employee Administration Basic Configuration Data for Employees Entering Employee Master Data Employee's Central User Account Employee's Central Password Employee's Default Email Address Disabling and Deleting Employees Assigning Company Resources to Employees Origin of an Employee's Roles and Entitlements Analyzing Role Memberships and Employee Assignments Mapping Multiple Employee Identities Limited Access to One Identity Manager Additional Tasks for Managing Employees Determining an Employee‘s Language Determining an Employee‘s Working Hours Employee Reports
Managing Devices and Workdesks Managing Resources Set up Extended Properties Appendix: Configuration Parameters for Managing Departments, Cost Centers and Locations Appendix: Configuration Parameters for Managing Applications Appendix: Configuration Parameters for Managing Devices and Workdesks Appendix: Authentication Modules for Logging into the One Identity Manager

Permit Assignments of Employees, Devices, Workdesks and Company Resources

The default method for assigning company resources is through secondary assignment. For this, employees, devices and workdesks as well as company resources are added to roles through secondary assignment.

Use role classes to specify how and if employees, devices, workdesks and company resource are permitted as secondary assignments to roles. Role classes form the basis of mapping from hierarchical roles in the One Identity Manager. Role classes are used to group similar roles together. The following role classes are available by default in the One Identity Manager:

  • Department
  • Cost center
  • Location
  • Application Role

Secondary assignment of objects to role in a role class is defined by the following options:

  • Assignment allowed

    This option specifies whether assignments of respective object types to roles of this role class are allowed in general.

  • Direct assignment allowed

    Use this option to specify whether respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are assigned to departments, cost centers or locations over the assignment form in the Manager.

    NOTE: If this option is not set, the assignment of each object type is only possible through requests in the IT Shop or dynamic roles.
Example

To assign employees in Manager directly to a department, set the option Assignment allowed and the option Direct assignment allowed on the role class "department" for the entry "employees".

If employees can only obtain membership in a department through the IT Shop, set the option Assignment allowed but not the option Direct assignment allowed on the role class "department" for the entry "employees". A corresponding assignment resource must be available in the IT Shop.

NOTE: Employee, device, workdesk and company resource assignments are predefined for departments, cost centers, location and application roles.

To configure secondary assignment to roles of a role class

  1. Select the role class under Basic configuration data | Role classes.
  2. Select the task Configure role assignments.
  3. Use the column Allow assignments to specify whether assignment is generally allowed.

    NOTE: You can only reset the option Assignment allowed if there are no assignments of the respective objects to roles of this role class and none can arise through existing dynamic roles.
  4. Use the column Allow direct assignments to specify whether a direct assignment is allowed.

    NOTE: You can only reset the option Direct assignment allowed if there are no direct assignments of the respective objects to roles of this role class.
  5. Save the changes.

Using Roles to Limit Inheritance

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effects of this depend on the chosen direction of inheritance.

  • Roles marked with the option Block inheritance do not inherit any assignments from parent levels in top-down inheritance. It can, however, pass on its own directly assigned company resources to lower level structures.
  • In bottom-up inheritance, the role labeled with the option Block inheritance inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

To discontinue inheritance

  1. Open the role's master data form.

  2. Set the option Block inheritance.
  3. Save the changes.

Company resource inheritance for single roles can be temporarily prevented. You can use this behavior, for example, to assign all required company resources to a role. Inheritance of company resources does not take place, however, unless inheritance is permitted for the role, for example, by running a defined approval process.

To prevent a role from inheriting

  1. Open the role's master data form.

  2. Set the option
    • Employees do not inherit
    • Devices do not inherit

      - OR -

    • Workdesks do not inherit
  3. Save the changes.

Inheritance of company resources can be done in the same way for single employees, devices or workdesks. You can use this behavior to correct data after importing employees before and then apply inheritance.

To prevent an employee from inheriting

  1. Open the employee's master data form.

  2. Set the option No inheritance.

    The employee does not inherit company resources through roles.

    NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned.
  3. Save the changes.

To prevent an device from inheriting

  1. Open the device's master data form.

  2. Set the option No inheritance.

    The device does not inherit company resources through roles.

    NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned.
  3. Save the changes.

To prevent a workdesk from inheriting

  1. Open the workdesk's master data form.

  2. Set the option No inheritance.

    The workdesk does not inherit company resources through roles.

    NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned.
  3. Save the changes.
Related Topics

Inheritance Exclusion: Specifying Conflicting Roles

Inheritance Exclusion: Specifying Conflicting Roles

You can define conflicting roles to prevent employees, devices or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. At the same time, you specify which application roles, departments, cost centers and locations need to be mutually exclusive. This means you may not assign these roles to one and the same employee (device, workdesk).

NOTE: Only roles, which are defined directly as conflicting roles cannot be assigned to the same employee (device, workdesk). Definitions made on parent or child roles do not affect the assignment.
Example

Cost center B is named as conflicting role to cost center A. Jenna Miller and Hans Peters are members of cost center A. Louise Lotte is a member of cost center B. Hans Peters cannot be assigned to cost center B. Apart from that, One Identity Manager prevents Jenna Miller and Louise Lotte from being assigned to cost center A.

Figure 12: Members in Conflicting Roles

To configure inheritance exclusion

  • Set the configuration parameter "QER\Structures\ExcludeStructures" in the Designer and compile the database.
Related Topics

Managing Departments, Cost Centers and Locations

Departments, cost centers, locations, and business roles are each mapped to their own hierarchy under the heading "Organizations". This is due to their special significance for daily work schedules in many companies. Various company resources can be assigned to organizations, for example, authorizations in different SAP systems or applications. You can add employees to single roles as members. Employees obtain their company resources through these assignments when the One Identity Manager is appropriately configured.

Detailed information about this topic
Related Documents