The central task of the One Identity Manager is to map employees and their master data to the permissions through which they have control over different target systems. For this purpose, information about user accounts and permissions can be read from the target system into the One Identity Manager database and linked to employees. This gives an overview of the permissions of each employee in all of the connected target systems. One Identity Manager provides the possibility to manage user accounts and their permissions, and you can provision modifications to the target systems. Employees are supplied with the necessary permissions in the connected target systems according to their function in the company. Regular synchronization keeps data consistent between the target systems and the One Identity Manager database.
Because requirements vary between companies, the One Identity Manager offers different methods for supplying user accounts to employees. One Identity Manager supports the following methods for linking employees and their user accounts.
The requirements of a company's user administration often differ not only between the target system types in use, but also between the individual target systems of one target system type.
Requirements for user account administration might be, for example:
Target system type Active Directory with Microsoft Exchange
Target system type IBM Notes
Target system type SAP R/3
One Identity Manager uses different mechanisms to assign user accounts to employees.
The user accounts are initially read into One Identity Manager from a target system through synchronization. In doing so, existing employees can be assigned to the user accounts automatically. New employees can be created and assigned to user accounts if necessary. The criteria for these automatic assignments are defined on a company-specific basis. The extent of the attributes an employee's user account inherits through account definitions can be changed after the user accounts have been checked. The loss of user accounts through system changes can therefore be avoided. User account verification can be carried out manually or by using scripts.
One Identity Manager uses special account definitions for allocating user accounts to employees during working hours. Account definitions can be created for each target system of a given target system type, for example, for the different domains of an Active Directory environment or the individual clients of an SAP R/3 system. A priority is applied to the account definitions in order to ensure that a Microsoft Exchange mailbox, for instance, is only created when an Active Directory user account is available.
An employee can obtain a user account through the integrated inheritance mechanism, either by direct assignment of account definitions to the employee, or by assignment of account definitions to departments, cost centers, locations, or business roles. All company employees can be allocated special account definitions independent of their affiliation to departments, cost centers, locations, or business roles. Account definitions can also be made available as requestable items in the One Identity Manager IT Shop. A department manager can then request user accounts for their staff from the Web Portal.
The handling of personal data, particularly during the long-term or temporary absence of an employee, is dealt with differently in each company. Some companies never delete personal data, but just disable it when the person leaves the company. Other companies delete the personal data, but only after they are sure that all the user accounts have been deleted.
The requirements of a company's user administration often differ not only between the target system types in use, but also between the individual target systems of one target system type. Even within a target system, different rules may apply to different user groups. For example, different rules for allocating user accounts can apply in the individual domains of an Active Directory environment.
A requirement could look like the following, for example:
In order to fulfill the individual requirements of user administration, users can be divided into categories:
The user account is not linked to an employee.
The user accounts are linked to the employee.
The user accounts are linked to the employee. The effect of the link and the scope of the properties the user accounts inherit from the employee can be configured through an account definition and its manage levels.
One Identity Manager supplies a default configuration with the manage levels:
The user accounts are assigned to an employee but do not inherit other properties from the employee.
The user accounts are assigned to an employee and inherit the employee’s properties.
The following figure illustrates the user account transitions and shows the default mechanisms integrated in One Identity Manager for employee and user account administration.
Figure 1: Transition States for a User Account
Case 3: If an employee is already assigned when the user account is added and an account definition is assigned at the same time, the user account enters the "Linked configured" state. The state "Linked configured: Unmanaged" or "Linked configured: Full managed" is attained depending on the manage level in use.
Note: The employee entry cannot be removed from user accounts in the "Linked configured" state as long as the employee holds an account definition. Removing an employee's account definition immediately results in the deletion of the user accounts.
One Identity Manager has account definitions for automatically allocating user accounts to employees during working hours. You can create account definitions for every target system. If an employee does not have a user account in the target system, a new user account is created. This is done by assigning account definitions to an employee through the integrated inheritance mechanism, followed by subsequent process handling.
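As an added example (not One Identity Manager code), the following Python sketch models the mechanisms described above: account definitions assigned directly or inherited via a department, priority ordering so that a mailbox definition is only applied once an Active Directory account exists, the manage levels Unmanaged and Full managed, and the rule that removing an employee's account definition deletes the affected user accounts. All names are constructed, and only department inheritance is modelled; cost centers, locations, and business roles would be handled the same way.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AccountDefinition:
    name: str
    target_system: str
    manage_level: str               # "Unmanaged" or "Full managed"
    priority: int                   # lower value is processed first
    requires: Optional[str] = None  # target system that must already hold an account

@dataclass
class Employee:
    name: str
    department: str
    direct_defs: list = field(default_factory=list)  # directly assigned definitions

@dataclass
class UserAccount:
    target_system: str
    employee: Optional[str] = None
    account_def: Optional[str] = None
    manage_level: Optional[str] = None

    def state(self) -> str:
        if self.employee is None:
            return "Unlinked"
        return "Linked" if self.account_def is None else f"Linked configured: {self.manage_level}"

def effective_definitions(emp, dept_defs):
    """Direct assignments plus definitions inherited via the department, ordered by priority."""
    defs = {d.name: d for d in dept_defs.get(emp.department, [])}
    defs.update({d.name: d for d in emp.direct_defs})
    return sorted(defs.values(), key=lambda d: d.priority)

def provision(emp, dept_defs, accounts):
    """Create or link one account per effective definition, honouring 'requires'."""
    for d in effective_definitions(emp, dept_defs):
        if d.requires and d.requires not in accounts:
            continue  # e.g. a mailbox is only created once the AD account exists
        acct = accounts.setdefault(d.target_system, UserAccount(d.target_system))
        acct.employee, acct.account_def, acct.manage_level = emp.name, d.name, d.manage_level
    return accounts

def remove_direct_definition(emp, dept_defs, def_name, accounts):
    """Drop a direct assignment; accounts whose definition is no longer effective are deleted."""
    emp.direct_defs = [d for d in emp.direct_defs if d.name != def_name]
    still = {d.name for d in effective_definitions(emp, dept_defs)}
    return {ts: a for ts, a in accounts.items() if a.account_def is None or a.account_def in still}
```

A definition that is still inherited via the department survives an attempt to remove it directly, which is why deprovisioning has to be checked against the effective set rather than the direct assignments alone.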
The data for the user accounts in the respective target system comes from the basic employee data. The assignment of IT operating data to the employee's user account is controlled by the employee's primary assignment to a location, a department, a cost center, or a business role, and is carried out through templates. The default installation includes predefined templates for determining the data required for user accounts. You can customize these templates as required.