
Identity Manager 8.0 - Identity Management Base Module Administration Guide


Customized Extension of Application Role Write Permissions

For role-based login, the application roles require a link to a permissions group in which write permissions for One Identity Manager are defined. The application role is given access permissions of the associated permissions group. If there is no permissions group assigned, the application role gets write permissions from the parent application role.

Different role-based authentication modules are available for role-based login on One Identity Manager tools. During login with role-based authentication, the employee’s memberships in application roles are determined first. The assignments of permissions groups to application roles are then used to determine which permissions groups apply to the employee. A dynamic system user is determined from these permissions groups and is used for the employee’s login.

Some of the default application roles are already assigned permissions groups. The permissions groups have write permissions to tables and columns and are equipped with menu items, forms, methods and program functions for editing application data with the Manager and the Web Portal.

You can assign customized permissions groups to application roles so that the write permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.

NOTE: You can simplify grouping of permissions by using hierarchical linking of permissions groups. Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging to parent permissions groups.

Proceed as follows:

  1. Create a new permissions group in the Designer.

    NOTE: Set the option Only use for role-based authentication.
  2. Set up dependencies for the new permissions group to the default permissions group for the application role.

    The default permissions group must be assigned as a subgroup. This means that the new permissions group inherits the properties.

  3. Allocate additional write permissions for menu items, forms, tables and columns.
  4. Assign the permissions group to the application role in the Manager.

If a user logs in to the Manager or the Web Portal with an application role altered in this way, they get the custom-defined edit permissions in addition to the default permissions for this application role.
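The resolution rules described above (fallback to the parent application role, union of permissions groups for the dynamic system user, inheritance from the default permissions group) can be modelled to verify that a custom permissions group still covers every default write permission. This is an added example, not One Identity Manager code: all group, role and column names are constructed, and inheritance is modelled as the dependency set up in step 2.

```python
"""Constructed model of role-based permission resolution; not product code."""
from __future__ import annotations

# Constructed sample data. Group -> (own write permissions, groups it inherits from).
GROUPS = {
    "Default_EmployeeAdmin": ({"Employee.LastName", "Employee.Phone"}, []),
    "Custom_EmployeeAdmin": ({"Employee.CustomField"}, ["Default_EmployeeAdmin"]),
    "Custom_Unlinked": ({"Employee.CustomField"}, []),  # step 2 was skipped
}
# Application role -> (parent application role, assigned permissions group).
ROLES = {
    "Employees": (None, "Default_EmployeeAdmin"),
    "Employees/Administrators": ("Employees", "Custom_EmployeeAdmin"),
    "Employees/Helpdesk": ("Employees", None),  # no group: falls back to parent
}


def effective_permissions(group, seen=None):
    """Own write permissions plus everything inherited; safe against cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    own, inherited = GROUPS[group]
    perms = set(own)
    for other in inherited:
        perms |= effective_permissions(other, seen)
    return perms


def group_for_role(role):
    """Walk up the application role hierarchy until a permissions group is found."""
    while role is not None:
        parent, group = ROLES[role]
        if group is not None:
            return group
        role = parent
    return None


def login_permissions(memberships):
    """Union over all of an employee's roles, as for the dynamic system user."""
    groups = {group_for_role(r) for r in memberships} - {None}
    return set().union(*(effective_permissions(g) for g in groups))


def missing_default_permissions(custom, default):
    """Default write permissions the custom group does not cover (should be empty)."""
    return effective_permissions(default) - effective_permissions(custom)
```

A non-empty result from `missing_default_permissions` means users holding the application role would lose default functionality once the custom group is assigned.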

For detailed information about creating permissions groups and editing entitlements, see the One Identity Manager Configuration Guide.
