Identity Manager 8.0 - Target System Base Module Administration Guide

Account Definitions and Manage Levels

An account definition specifies which rules are used to form the IT operating data and which default values will be used if no IT operating data can be found through the employee's primary roles.

Account definitions can be created for each target system of the appointed target system type, for example, the different domains of an Active Directory environment or the individual clients of an SAP R/3 system. An account definition is always valid for exactly one target system. You can, however, define several account definitions for one target system. Which account definition is used is decided when an employee's user account is created. To ensure that a Microsoft Exchange mailbox, for example, is not created until an Active Directory user account exists, you can define dependencies between account definitions.

The manage levels that may be used are specified in the account definition. You can create more than one manage level. The manage level determines the scope of the properties that an employee's user account can inherit.

The One Identity Manager supplies a default configuration for manage levels:

  • Unmanaged

    User accounts with a manage level of "Unmanaged" are linked to an employee but do not inherit any other properties. When a new user account is added with this manage level and an employee is assigned, some of the employee's properties are transferred once, at creation. If the employee properties are changed at a later date, the changes are not passed on to the user account.

  • Full managed

    User accounts with a manage level of "Full managed" inherit specific properties from the assigned employee.

NOTE: The manage levels "Full managed" and "Unmanaged" are evaluated in the templates. You can customize the supplied templates in the Designer.

You can define other manage levels depending on your requirements. You must then amend the templates so that they take the additional manage levels into account.

A default manage level is defined for every account definition. This manage level is used to determine the valid IT operating data when a user account is created automatically. In the One Identity Manager default installation, the processes first check whether the employee already has a user account in the target system that was created through an account definition. If no such user account exists, a new user account is created with the account definition's default manage level.

NOTE: If a user account already exists but is disabled, it is re-enabled. In this case you have to adjust the user account's manage level afterwards.

The effects of temporary disabling, permanent disabling, deletion and security risk of an employee on account definition inheritance are specified for each account definition. As long as an account definition applies to an employee, the employee keeps the linked user accounts. You may want employees that are disabled or marked for deletion to continue to inherit account definitions, so that all necessary permissions are immediately available again when the employee is reactivated at a later time. If the account definition assignment no longer applies or is removed from the employee, the user account created through this account definition is deleted. In addition, for each manage level you can specify how temporarily or permanently disabling an employee, deleting an employee, or an employee's security risk affects that employee's user accounts and group memberships.
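The following is an added example written for this page, not One Identity Manager code, template logic or its object model. It models the behaviour described above: a dependency between account definitions (mailbox after directory account), the creation-time check that reuses and re-enables an existing account instead of creating a second one, the default manage level applied to a new account, the difference between "Unmanaged" (properties copied once) and "Full managed" (later changes inherited), and deletion of the account when the assignment is removed. All class, attribute and property names, and the list of inherited properties, are assumptions.

```python
"""Added example (not One Identity Manager code): a small model of how an
account definition with a default manage level drives user account creation,
re-enabling, property inheritance and removal. Names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

UNMANAGED = "Unmanaged"
FULL_MANAGED = "Full managed"

# Employee properties the (assumed) templates pass on to a user account.
INHERITED_PROPERTIES = ("first_name", "last_name", "department")


@dataclass
class Employee:
    central_account: str
    first_name: str
    last_name: str
    department: str
    accounts: list = field(default_factory=list)


@dataclass
class AccountDefinition:
    name: str
    target_system: str
    default_manage_level: str = FULL_MANAGED
    # Dependency between account definitions, e.g. a mailbox definition that
    # requires the directory account definition to have been applied first.
    requires: Optional["AccountDefinition"] = None


@dataclass
class UserAccount:
    definition: AccountDefinition
    manage_level: str
    enabled: bool = True
    properties: dict = field(default_factory=dict)


def find_account(employee: Employee, definition: AccountDefinition) -> Optional[UserAccount]:
    """Return the employee's user account created through this account definition, if any."""
    for account in employee.accounts:
        if account.definition.name == definition.name:
            return account
    return None


def assign_account_definition(employee: Employee, definition: AccountDefinition) -> UserAccount:
    """Apply an account definition: check the dependency, reuse (and re-enable) an
    existing account, otherwise create one with the definition's default manage level."""
    if definition.requires is not None and find_account(employee, definition.requires) is None:
        raise LookupError(
            f"{definition.name!r} depends on {definition.requires.name!r}, "
            f"which {employee.central_account} has no user account for"
        )
    existing = find_account(employee, definition)
    if existing is not None:
        if not existing.enabled:
            # Re-enabled as-is: the manage level is NOT reset and must be reviewed afterwards.
            existing.enabled = True
        return existing
    # New account: employee properties are transferred once at creation for every manage level.
    account = UserAccount(
        definition=definition,
        manage_level=definition.default_manage_level,
        properties={p: getattr(employee, p) for p in INHERITED_PROPERTIES},
    )
    employee.accounts.append(account)
    return account


def update_employee(employee: Employee, **changes) -> None:
    """Change employee properties; only "Full managed" accounts inherit later changes."""
    for name, value in changes.items():
        if name not in INHERITED_PROPERTIES:
            raise ValueError(f"unknown employee property {name!r}")
        setattr(employee, name, value)
    for account in employee.accounts:
        if account.manage_level == FULL_MANAGED:
            for p in INHERITED_PROPERTIES:
                account.properties[p] = getattr(employee, p)


def remove_account_definition(employee: Employee, definition: AccountDefinition) -> None:
    """When the assignment no longer applies, the account created through it is deleted."""
    employee.accounts = [a for a in employee.accounts if a.definition.name != definition.name]


if __name__ == "__main__":
    # Constructed sample data: a directory account definition and a dependent mailbox definition.
    directory = AccountDefinition("Domain A default account", "Domain A")
    mailbox = AccountDefinition("Exchange mailbox", "Exchange", requires=directory)
    jdoe = Employee("JDOE", "Jane", "Doe", "A")
    assign_account_definition(jdoe, directory)
    assign_account_definition(jdoe, mailbox)
    print([(a.definition.name, a.manage_level, a.enabled) for a in jdoe.accounts])
```

The re-enable branch deliberately keeps the old manage level, which is the reason the note above tells you to adjust it afterwards: an account that was "Unmanaged" when it was disabled will not start inheriting employee changes just because the assignment was applied again.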

Assigning Account Definitions to Employees

Account definitions are assigned to company employees. Indirect assignment is the default method for assigning account definitions to employees. Account definitions are assigned to departments, cost centers, locations or roles. The employees are categorized into these departments, cost centers, locations or roles depending on their function in the company and thus obtain their account definitions. To react quickly to special requests, you can assign individual account definitions directly to employees. You can automatically assign special account definitions to all company employees. It is possible to assign account definitions to the IT Shop as requestable products. A department manager can then request user accounts from the Web Portal for his staff. It is also possible to add account definitions to system roles. These system roles can be assigned to employees through hierarchical roles or directly or added as products in the IT Shop.

Determining valid IT Operating Data for the Target System

In order to create user accounts with the manage level "Full managed" for an employee, the necessary IT operating data must be determined. The operating data required to automatically supply an employee with IT resources is maintained on the departments, locations, cost centers, and business roles. An employee is assigned to one primary location, one primary department, one primary cost center or one primary business role. The necessary IT operating data is ascertained from these assignments and used when creating the user accounts. Default values are used if valid IT operating data cannot be found through the primary roles.

The process sequence for automatically assigning IT operating data to an employee's user account within the One Identity Manager is illustrated in the following diagram.

Figure 2: Displaying IT Operating Data on Top of a User Account

You can also specify IT operating data directly for a specific account definition.

Example:

Normally, each employee in department A obtains a default user account in the domain A. In addition, certain employees in department A obtain administrative user accounts in the domain A.

Create an account definition A for the default user account of the domain A and an account definition B for the administrative user account of domain A. Specify the property "Department" in the IT operating data formatting rule for the account definitions A and B in order to determine the valid IT operating data.

Specify the IT operating data that is effective for department A under account definition A in domain A. This IT operating data is used for the default user accounts. In addition, specify the IT operating data that is effective for department A under account definition B. This IT operating data is used for the administrative user accounts.
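The resolution described in this section and in the department A example, as an added example written for this page (not One Identity Manager code or its object model): an account definition carries a formatting rule naming which role properties are consulted, effective IT operating data is kept per account definition and role, the employee's primary roles are walked in rule order, and the account definition's default values cover anything not found. The per-property fallback to defaults, the role types, the property names (taken from Table 1 for Active Directory) and all sample values are assumptions constructed for the example.

```python
"""Added example (not One Identity Manager code): how valid IT operating data
is determined for a user account from the employee's primary roles, with the
account definition's defaults as fallback. Names and values are constructed."""
from dataclasses import dataclass

# Role types in which an employee can hold a primary assignment, per the text.
ROLE_TYPES = ("department", "location", "cost_center", "business_role")


@dataclass
class AccountDefinition:
    name: str
    target_system: str
    # IT operating data formatting rule: which role properties are consulted, in order.
    formatting_rule: tuple
    # Default values for any IT operating data not found through the primary roles
    # (per-property fallback is an assumption of this model).
    defaults: dict


@dataclass
class Employee:
    central_account: str
    primary_roles: dict  # role type -> role name, e.g. {"department": "A"}


# Effective IT operating data, maintained per (account definition, role type, role).
# Property names follow Table 1 for Active Directory; values are constructed samples.
IT_OPERATING_DATA = {
    ("A", "department", "A"): {
        "Container": "OU=Users,OU=Dept A,DC=domain-a,DC=example",
        "Groups can be inherited": True,
        "Privileged user account": False,
    },
    ("B", "department", "A"): {
        "Container": "OU=Admins,OU=Dept A,DC=domain-a,DC=example",
        "Groups can be inherited": False,
        "Privileged user account": True,
    },
}

# Constructed default values for domain A; used when the primary roles yield nothing.
DEFAULTS_DOMAIN_A = {
    "Container": "OU=Unsorted,DC=domain-a,DC=example",
    "Home server": "fs01.domain-a.example",
    "Identity": "Primary identity",
    "Groups can be inherited": True,
    "Privileged user account": False,
}

# Account definition A: default accounts; B: administrative accounts, same domain.
DEFINITION_A = AccountDefinition("A", "Domain A", ("department",), DEFAULTS_DOMAIN_A)
DEFINITION_B = AccountDefinition(
    "B", "Domain A", ("department",), {**DEFAULTS_DOMAIN_A, "Privileged user account": True}
)


def resolve_it_operating_data(employee, definition, data=IT_OPERATING_DATA):
    """Walk the formatting rule; the first primary role that has effective IT operating
    data for this account definition wins, and missing properties come from the defaults.
    Returns (operating_data, source_role); source_role is None if only defaults applied."""
    for role_type in definition.formatting_rule:
        if role_type not in ROLE_TYPES:
            raise ValueError(f"unknown role type {role_type!r} in formatting rule")
        role = employee.primary_roles.get(role_type)
        if role is None:
            continue  # employee has no primary assignment of this type
        found = data.get((definition.name, role_type, role))
        if found is not None:
            return {**definition.defaults, **found}, (role_type, role)
    return dict(definition.defaults), None


if __name__ == "__main__":
    jdoe = Employee("JDOE", {"department": "A", "location": "Berlin"})
    for definition in (DEFINITION_A, DEFINITION_B):
        resolved, source = resolve_it_operating_data(jdoe, definition)
        print(definition.name, source, resolved["Container"], resolved["Privileged user account"])
```

The same employee in department A therefore gets a default account in the users container under account definition A and a privileged account in the admin container under account definition B, while an employee whose primary department has no effective IT operating data falls back entirely to the defaults.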

One Identity Manager Default Configuration IT Operating Data

The IT operating data necessary in the One Identity Manager default configuration for automatically creating or changing employee user accounts and mailboxes in the target system is itemized in the following table.

NOTE: IT operating data is dependent on the target system and is contained in One Identity Manager modules. The data is not available until the modules are installed.

Table 1: Target System Dependent IT Operating Data

Target system type          IT Operating Data
Active Directory            Container
                            Home server
                            Profile Server
                            Terminal home server
                            Terminal profile server
                            Groups can be inherited
                            Identity
                            Privileged user account
Microsoft Exchange          Mailbox database
LDAP                        Container
                            Groups can be inherited
                            Identity
                            Privileged user account
IBM Notes                   Server
                            Certificate
                            Template for mail file
                            Identity
SharePoint                  Authentication mode
                            Groups can be inherited
                            Identity
                            Privileged user account
Custom target systems       Container (per target system)
                            Groups can be inherited
                            Identity
                            Privileged user account
Azure Active Directory      Groups can be inherited
                            Identity
                            Privileged user account
                            Change password the next time you log in
Cloud target system         Container (per target system)
                            Groups can be inherited
                            Identity
                            Privileged user account
Unix-based target system    Login shell
                            Groups can be inherited
                            Identity
                            Privileged user account
Exchange Online             Groups can be inherited
G Suite                     Organizational unit
                            Groups can be inherited
                            Privileged user account
                            Change password the next time you log in