Chat now with support
Chat with Support

Identity Manager 8.1.4 - Administration Guide for Connecting to Custom Target Systems

Managing custom target systems Setting up script-controlled data provisioning in a custom target system Basic data for custom target systems Setting up a custom target system Container structures in a custom target system User accounts in a custom target system Groups in a custom target system Entering permissions controls Reports about custom target systems Configuration parameters for managing custom target systems

Privileged user accounts

Privileged user accounts are used to provide employees with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are labeled with the Privileged user account property (IsPrivilegedAccount column).

NOTE: The criteria according to which user accounts are automatically identified as privileged are defined as extensions to the view definition (ViewAddOn) in the TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is done in the TSB_SetIsPrivilegedAccount script.

To create privileged users through account definitions

  1. Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.
  2. If you want to prevent the properties for privileged user accounts from being overwritten, set the IT operating data overwrites property for the manage level to Only initially. In this case, the properties are populated just once when the user accounts are created.
  3. Specify the effect of temporarily or permanently disabling or deleting, or the security risk of an employee on its user accounts and group memberships for each manage level.
  4. Create a formatting rule for the IT operating data.

    You use the mapping rule to define which rules are used to map the IT operating data for the user accounts, and which default values are used if no IT operating data can be determined through a person's primary roles.

    Which IT operating data is required depends on the target system. The following settings are recommended for privileged user accounts:

    • In the mapping rule for the IsPrivilegedAccount column, use the default value 1 and set the Always use default value option.
    • You can also specify a mapping rule for the IdentityType column. The column owns different permitted values that represent user accounts.
    • To prevent privileged user accounts from inheriting the entitlements of the default user, define a mapping rule for the IsGroupAccount column with a default value of 0 and set the Always use default value option.
  5. Enter the effective IT operating data for the target system.

    Specify in the departments, cost centers, locations, or business roles which IT operating data should apply when you set up a user account.

  6. Assign the account definition directly to employees who work with privileged user accounts.

    When the account definition is assigned to an employee, a new user account is created through the inheritance mechanism and subsequent processing.

TIP: If customization requires that the login names of privileged user accounts follow a defined naming convention, create the template according to which the login names are formed.

Related topics

Entering user account master data

A user account can be linked to an employee in One Identity Manager. You can also manage user accounts separately from employees.

NOTE: It is recommended to use account definitions to set up user accounts for company employees. In this case, some of the master data described in the following is mapped through templates from employee master data.

To create a user account

  1. In the Manager, select the Custom target systems | <target system> | User accounts category.

  2. Click in the result list.

  3. On the master data form, edit the master data for the user account.

  4. Save the changes.

To edit master data for a user account

  1. In the Manager, select the Custom target systems | <target system> | User accounts category.

  2. Select the user account in the result list and run the Change master data task.

  3. Edit the user account's resource data.

  4. Save the changes.

To manually assign or create a user account for an employee

  1. In the Manager, select the Employees | Employees category.

  2. Select the employee in the result list and run the Assign user accounts task.

  3. Assign a user account.

  4. Save the changes.
Related topics

User account master data

Enter the following data for a user account:

Table 23: User account properties
Property Description

Employee

Employee that uses this user account. An employee is already entered if the user account was generated by an account definition. If you create the user account manually, you can select an employee in the menu.

You can create a new employee for a user account with an identity of type Organizational identity, Personalized administrator identity, Sponsored identity, Shared identity, or Service identity. To do this, click next to the input field and enter the required employee master data. Which login data is required depends on the selected identity type.

Account definition

Account definition through which the user account was created.

Use the account definition to automatically fill user account master data and to specify a manage level for the user account. One Identity Manager finds the IT operating data of the assigned employee and enters it in the corresponding fields in the user account.

NOTE: The account definition cannot be changed once the user account has been saved.

Manage level

Manage level of the user account. Select a manage level from the menu. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.

Target system Target system in which the user account is created.

First name

The user’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name

The user’s last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Container Container in which to create the user account. If you have assigned an account definition, the container is determined from the company IT data for the assigned employee depending on the manage level of the user account. When the container is selected, the defined name for the user is created using a formatting rule.

Login name

Name the user uses to log onto the target system.

If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Name

User account identifier. The identifier is made up of the user’s first and last names.

Canonical name

Canonical name of the user account. The canonical name is generated automatically and should not be changed.

Distinguished name

User account's distinguished name. The distinguished name is determined using a template and must not be changed.

Risk index (calculated)

Maximum risk index value of all assigned groups. The property is only visible if the QER | CalculateRiskIndex configuration parameter is set. For detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for the inheritance of groups by the user account. Groups can be selectively inherited by user accounts. To do this, groups and user accounts or contacts are divided into categories. Select one or more categories from the menu.

Account expiry date

The date up to which the user can log into a target system with this user account.

If a leaving date is specified for an employee, this date is used as the account expiration date depending on the manage level. Any existing account expiry date is overwritten in this case.

NOTE: If the employee's leaving date is deleted at a later point in time, the user account expiration date remains intact.

Last login

Date of last target system login.

Password last changed

Data of last password change.

Password

Password for the user account. The employee’s central password can be mapped to the user account password. For detailed information about an employee’s central password, see One Identity Manager Identity Management Base Module Administration Guide.

If you use an initial password for the user accounts, it is automatically entered when a user account is created.

NOTE: One Identity Manager password policies are taken into account when a user password is being verified. Ensure that the password policy does not violate the target system's requirements.

Password confirmation

Reconfirm password.

Description

Text field for additional explanation.

Identity

User account's identity type Permitted values are:

  • Primary identity: Employee's default user account.

  • Organizational identity: Secondary user account used for different roles in the organization, for example for subcontracts with other functional areas.

  • Personalized administrator identity: User account with administrative permissions, used by one employee.

  • Sponsored identity: User account that is used for a specific purpose, such as training.

  • Shared identity: User account with administrative permissions, used by several employees. Assign all employees that use this user account.

  • Service identity: Service account.

Privileged user account

Specifies whether this is a privileged user account.

Groups can be inherited

Specifies whether the user account can inherit groups through the employee. If this option is set, the user account inherits groups through hierarchical roles or IT Shop requests.

  • If you add an employee with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.
  • If an employee has requested group membership in the IT Shop and the request is granted approval, the employee's user account only inherits the group if the option is set.

User account is disabled

Specifies whether the user account is locked. If a user account is not required for a period of time, you can temporarily disable the user account by using the <User account is deactivated> option.

Related topics

Additional tasks for managing user accounts

After you have entered the master data, you can run the following tasks.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating