Identity Manager 8.1.4 - Authorization and Authentication Guide

Master data of application roles

Table 13: Application role properties

Property: Meaning

Application role: Application role name.

Internal name: Empty text field for an internal company identifier.

Full name: Full name of the application role. It is made up automatically from the application role name and the parent application role.

Parent application role: Application role to which the application role being edited is subordinate.

Department, location, cost center: Additional information for the application role definition. These input fields are only used for information. They do not indicate for which department, cost center, or location the application role is responsible.

Manager: Manager responsible for the application role.

Deputy manager: Deputy manager for the application role.

Permissions group: Permissions group for determining write permissions on role-based login. The application role is given the access permissions of the associated permissions group. If no permissions group is assigned, the application role gets its write permissions from the parent application role.

  Administrators can assign the rest of the application roles to custom-defined permissions groups. For more information, see Customized extension of application role edit permissions.

  NOTE: Permissions groups for default administrator application roles cannot be edited.

Description: Text field for additional explanation.

Comment: Text field for additional explanation.

Certification status: Status of the application role's certification. The following values can be selected.

  • New: The application role was newly created in the One Identity Manager database.
  • Certified: The master data of the application role is approved by a manager.
  • Denied: The application role master data was not approved by a manager.

Block inheritance: Specifies whether inheritance for this application role can be discontinued. Set this option to prevent company resources from being inherited by child application roles.

Dynamic roles not allowed: Specifies whether a dynamic role can be created for the application role.

Spare field no. 01 ... Spare field no. 10: Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Assigning employees to application roles

Assigned employees obtain all the write permissions of the permission group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role.

Employees of the parent application role are inherited if no employees are directly assigned to an application role.

NOTE: The application roles Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers, and Base roles | Birthright Assignments are automatically assigned to employees. Do not make any manual assignments to these application roles.

To assign employees to an application role

  1. In the Manager, select an application role in the One Identity Manager Administration category.
  2. Select the Assign employees task.
  3. In the Add assignments pane, add employees.

    TIP: In the Remove assignments pane, you can remove assigned employees.

    To remove an assignment

    • Select the employee and double-click.
  4. Save the changes.

Customized extension of application role edit permissions

For role-based login, the application roles require a link to a permissions group in which write permissions for One Identity Manager are defined. The application role is given access permissions of the associated permissions group. If there is no permissions group assigned, the application role gets write permissions from the parent application role.

Some of the default application roles are already assigned permissions groups. These permissions groups have the edit permissions for the tables and columns and are equipped with menu items, forms, tasks, and program functions, which allow the application data to be edited in the Manager and in the Web Portal.

You can assign customized permissions groups to application roles so that the write permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.

NOTE: You can simplify grouping of permissions by using hierarchical linking of permissions groups. Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging to its parent permissions groups.

Proceed as follows:

  1. Create a new permissions group in the Designer.

    NOTE: Set the Only use for role-based authentication option for the permissions group.
  2. In the Designer, make the new permissions group dependent on the default permissions group of the application role. Assign the default permissions group as a parent permissions group. As a result, the newly defined permissions group inherits the properties of the default permissions group.
  3. In the Designer, grant additional edit permissions for menu items, forms, tables, or columns.
  4. In the Manager, assign the new permissions group to the application role.

A user who logs in to the Manager or to the Web Portal with an application role changed in this way receives – in addition to the default privileges of this application role – the custom edit permissions.
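The following added example (not One Identity Manager code) models the resolution rules stated above and in the master data table: hierarchical permissions groups inherit top to bottom, an application role without a permissions group takes the one from its parent application role, and employees are inherited from the parent role only when none are directly assigned. Group and role names are constructed placeholders, and covers_default is an assumed helper for checking that a custom group keeps all of the default group's permissions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class PermissionsGroup:
    name: str
    permissions: Set[str]
    parent: Optional["PermissionsGroup"] = None
    def effective_permissions(self) -> Set[str]:
        # Hierarchical groups inherit top to bottom: own permissions plus all parents'.
        inherited = self.parent.effective_permissions() if self.parent else set()
        return set(self.permissions) | inherited

@dataclass
class ApplicationRole:
    name: str
    parent: Optional["ApplicationRole"] = None
    permissions_group: Optional[PermissionsGroup] = None
    employees: Set[str] = field(default_factory=set)

    def effective_permissions_group(self) -> Optional[PermissionsGroup]:
        # No group assigned: write permissions come from the parent application role.
        role = self
        while role is not None:
            if role.permissions_group is not None:
                return role.permissions_group
            role = role.parent
        return None

    def effective_employees(self) -> Set[str]:
        # Parent employees are inherited only if none are directly assigned.
        role = self
        while role is not None and not role.employees:
            role = role.parent
        return set(role.employees) if role else set()

    def write_permissions(self) -> Set[str]:
        group = self.effective_permissions_group()
        return group.effective_permissions() if group else set()

def covers_default(custom: PermissionsGroup, default: PermissionsGroup) -> bool:
    # Check for step 2: the custom group must keep every permission of the default group.
    return default.effective_permissions() <= custom.effective_permissions()

# Constructed sample data (placeholder names, not product defaults).
DEFAULT_GROUP = PermissionsGroup("Default_Sample", {"edit:Person", "menu:Employees"})
CUSTOM_GROUP = PermissionsGroup("Custom_Sample", {"edit:Department"}, DEFAULT_GROUP)
TOP = ApplicationRole("Sample roles", employees={"admin1"})
AUDITORS = ApplicationRole("Sample roles | Auditors", TOP, CUSTOM_GROUP)
REGIONAL = ApplicationRole("Sample roles | Auditors | Regional", AUDITORS, employees={"bob"})
```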


Additional tasks for managing application roles

After you have entered the master data, you can run the following tasks.
