Chat now with support
Chat with Support

Identity Manager 8.1.4 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0 / OpenID Connect configuration Multi-factor authentication in One Identity Manager Granulated permissions for the SQL Server and database

Configuration data for system user dynamic authentication

In the case of dynamic authentication modules, the system user assigned to the employee is not used for the log in. The system user which is configured using the user interface special configuration data is taken instead.

To specify configuration data

  1. In the Designer, select the Base data | Security settings | Programs category.
  2. Select the application and adjust the Configuration data.

Use XML syntax for entering the configuration data:

<DialogUserDetect>

<Usermappings>

<Usermapping

DialogUser = "System user name"

Selection = "Selection criterion"

/>

<Usermapping

DialogUser = "System user name"

/>

...

</Usermappings>

</DialogUserDetect>

Enter the system user (DialogUser) in the Usermappings section. Specify which employee the given system user should use with the selection criterion (Selection). You are not obliged to enter a selection criterion for the assignment. The first system user that has the required assignment is used for the log in.

You can assign function groups to permissions groups on order to deal with complex rights and user interface structures. The function groups allow you to map the functions an employee has in the company, for example, IT controller or branch manager. Assign the function groups to the permissions groups. A function group can refer to several permissions groups and several function groups can refer to one permissions group.

If the FunctionGroupMapping section is in the configuration data, this is evaluated first and the system user that is found is used. The authentication module uses the system user that is the exact member of the permissions group found for the login. If none is found, the Usermapping section is evaluated.

<DialogUserDetect>

<FunctionGroupMapping

PersonToFunction = "View mapping employee to function group"

FunctionToGroup = "View mapping function group to permissions group"

/>

<Usermappings>

<Usermapping

DialogUser = "System user name"

Selection = "Selection criterion"

/>

...

</Usermappings>

</DialogUserDetect>

Related topics

Example of a simple system user assignment

All employees should be able to see the user interface for an IT Shop in a web front-end, without taking table and column permissions into account.

To do this, set up a new application, for example WebShop_Customer_Prd, and adapt the configuration data as follows:

<DialogUserDetect>

<Usermappings>

<Usermapping

DialogUser = "dlg_all"

/>

</Usermappings>

</DialogUserDetect>

Create a new WebShop_Customer_Grp permissions group, which receives the user interface for the application comprising the menu items, interface forms and task definitions. The user interface could consist of the following menu items:

  • Employee contact data
  • Requesting a product
  • Unsubscribing a product

Define a new dlg_all system user and include it in the vi_DE-CentralPwd, the vi_DE-ITShopOrder, and the WebShop_Customer_Grp permissions groups.

Related topics

Example of a system user assignment using a selection criterion

The scenario described in the previous example is extended such that only the cost center manager can see an employee’s leaving date. You need to add the input field LeavingDate to the contact data form to do this.

Permissions are used for controlling viewing and editing. Set up a new dlg_kst system user and include the system user in the vi_DE-CentralPwd, vi_DE-ITShopOrder and WebShop_Customer_Grp permissions groups. You should also give the system user read and write access to the Person.Exitdate column.

Extend the application configuration data in such a way that the cost center managers use the dlg_kst system user to log in. All other employees use the dlg_all system user to log in.

Change the configuration data as follows:

<DialogUserDetect>

<Usermappings>

<Usermapping

DialogUser = "dlg_kst"

Selection = "select 1 where %uid% in (select uid_personhead from profitcenter)"

/>

<Usermapping

DialogUser = "dlg_all"

/>

</Usermappings>

</DialogUserDetect>

Related topics

Example of a function group assignment

To assign function groups to permissions groups you have to define two database views. The first database view shows the assignment of employees to function groups. The database view contains two columns, UID_Person and FunctionGroup.

Example:

create view custom_Person2Fu as

select uid_personHead as UID_Person, 'Cost center manager' as FunctionGroup

from Profitcenter

where isnull(uid_personHead, '') > ' '

union all

select uid_personHead, 'Department manager' as FunctionGroup

from Department

where isnull(uid_personHead, '') > ' '

The second database view assigns function groups to permissions groups. This database view contains two columns, FunctionGroup and DialogGroup.

Example:

create view custom_Fu2D as

select 'Cost center manager' as FunctionGroup, '<UID_Custom_Dialoggroup_ChefP>' as DialogGroup

union all select 'Department manager', '<UID_Custom_Dialoggroup_ChefD>'as DialogGroup

Set up role-based permissions groups with the required permissions.

TIP: A role-based permissions group can inherit from a non role-based permissions group. This allows you to build up an inheritance hierarchy to making it easier to grant permissions.

Change the configuration data for assigning function groups to permissions groups as follows:

<DialogUserDetect>

<FunctionGroupMapping

PersonToFunction = "custom_Person2Fu"

FunctionToGroup = "custom_Fu2D"

/>

</DialogUserDetect>

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating