The One Identity Manager Authorization and Authentication Guide describes the basics and features of the internal One Identity Manager roles and permissions model.
This guide is intended for end users, system administrators, consultants, analysts, and any other IT professionals using the product.
NOTE: This guide describes One Identity Manager functionality available to the default user. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.
You will find an overview of the default application roles, default permissions groups and system users of One Identity Manager. You will learn how to get the application roles up and running. The guide also explains how you grant permissions for the tables and columns of the One Identity Manager schema. In addition, you will find an overview of the various One Identity Manager authentication modules.
Available documentation
You can access One Identity Manager documentation in the Manager and in the Designer by selecting the Help | Search menu item. The online version of One Identity Manager documentation is available in the Support portal under Technical Documentation. You will find videos with additional information at www.YouTube.com/OneIdentity.
You can use the One Identity Manager role model to control edit permissions for One Identity Manager users. This role model takes into account technical aspects, for example, One Identity Manager tool administrative permissions, as well as functional aspects, which result from One Identity Manager user tasks within the company structure (for example, permissions for approving requests). One Identity Manager makes so-called application roles available.
Application roles have the following aims:
- Program functions, employees, company resources, approval workflows and approval policies are assigned to fixed application roles. Edit permissions for these application roles do not need to be defined specifically for the company. This simplifies administration of edit permissions.
- Enables audit secure internal administration of One Identity Manager users and their write permissions. Edit permissions can be granted through assignment, request, and approval or by calculation on account of specific properties. The plausibility of the edit permissions can be tested at any time with the attestation function.
- Users are provided with initial permissions, which they required for carrying out their tasks. This is a way, for example, to create initially required user accounts.
Application roles can be limited to permissions groups whose edit permissions are predefined by One Identity Manager. Controlling edit permissions:
- Navigation configuration in administration tools
- Access to objects and their properties
- Which interface forms and tasks are displayed
- Availability of special program functionality
Users must be role-based to use application roles for logging in to One Identity Manager. Role-based authentications module finds the valid edit permissions from all the user's application roles. This provides the One Identity Manager user with permissions corresponding to their application roles for the One Identity Manager functions when they log onto One Identity Manager tools.
Detailed information about this topic
Related topics
One Identity Manager supplies default application roles whose permissions are matched to the different task and functions. Assign employees to default applications who take on individual tasks and functions. You can also create your own application roles for custom defined tasks.
NOTE: Default application roles are defined in One Identity Manager modules and are not available until the modules are installed. You cannot delete default application roles.
The following default application roles are defined:
The following application roles are available to you for the basic functionality in One Identity Manager.
Table 1: Application roles for basic functions
Administrators
|
Administrators must be assigned to the Base roles | Administrators application role.
Users with this application role:
- Administer application roles for administrators.
- Assign employees to administrator application roles.
- Add other employees to the Base roles | Administrators application role and edit conflicting application roles.
- See the master data for the other application roles.
- Can use Password Reset Portal to set passwords for selected system users.
|
Everyone (change)
|
The Base roles | Everyone (change) application role is automatically assigned to every user.
Users with this application role:
- Can edit certain employee master data in the Web Portal.
Should every user be automatically assigned to a custom permissions group when they log in, then this permissions group can be added to the application role.
Members of this application role are determined through a dynamic role. |
Everyone (lookup)
|
The Base roles | Everyone (Lookup) application role is automatically assigned to every user.
Users with this application role:
- Obtain read access to objects in the Web Portal.
Should every user be automatically assigned to a custom permissions group when they log in, then this permissions group can be added to the application role.
Members of this application role are determined through a dynamic role. |
Employee managers
|
The Base roles | Employee managers application role is automatically assigned to a user if the user is a manager or supervisor of employees, departments, locations, cost centers, business roles, or IT Shops.
Users with this application role:
- Can edit master data for the objects they are responsible for and assign company resources to them.
- Can edit new employees added in the Web Portal and edit the master data of their staff.
- Can add their staff members to the IT Shop.
- Can view their staff's compliance rule violations in the Web Portal.
Members of this application role are determined through a dynamic role. |
Birthright Assignments |
The Base roles | Birthright assignments application role is used to provide birthrights to employees which are provided to establish their working environment. The application roles are allocated all the resources marked for automatic assignment to all employees. All internal employees are assigned to this application role and obtain the resources. Internal employees are found through a dynamic role. |
Operations support. |
Employees that use the Operations Support Web Portal, must be assigned the Base roles | Operations support application role.
Users with this application role:
-
Monitor handling of Job queue processes
-
Monitor handling of the DBQueue
-
Create access codes to enable employees to log on to Password Reset Portal |
Self-registered employees |
All new external employees that have registered themselves in the Web Portal, are assigned to the Base roles | Self-registered employees application role. These employees are determined by a dynamic role. |
Related topics