Table 35: Configuration parameter for forming the central user accounts
QER | Person | CentralAccountGlobalUnique |
This configuration parameter specifies how the central user account is mapped.
If this configuration parameter is set, the central user account for an employee is formed uniquely in relation to the central user accounts of all employees and the user account names of all permitted target systems.
If the configuration parameter is not set, it is only formed uniquely related to the central user accounts of all employees. |
The employee’s central user account is used to form the user account login name in the active system. The central user account is still used for logging into the One Identity Manager tools. In One Identity Manager default installation, the central user account is made up of the first and the last name of the employee. If only one of these is known, then it is used for the central user account. One Identity Manager checks to see if a central user account with that value already exists. If this is the case, an incremental number is added to the end of the value.
Table 36: Example of forming of central user accounts
Clara |
|
CLARA |
|
Harris |
HARRIS |
Clara |
Harris |
CLARAH |
Clara |
Harrison |
CLARAH1 |
An employee's central password can be used for logging into the target systems and for logging in to . Depending on the configuration, an employee's central password is replicated to their user accounts and their system user password.
-
To publish the change in an employee's central user password to all existing user accounts of the employee, check in the Designer if the QER | Person | UseCentralPassword configuration parameter is set. If not, set the configuration parameter.
-
To use the central password of an employee for new user accounts belonging to the same employee, in the Designer, set the QER | Person | UseCentralPassword | PermanentStore configuration parameter.
If the configuration parameter is enabled, the central password is stored in the One Identity Manager database and is used for new users. If the configuration parameter is disabled, the central password is deleted from the One Identity Manager database following publishing to the existing user accounts. The central password is not available for new user accounts.
-
To copy an employee's central password to their system user password for logging in, in the Designer, check if the QER | Person | UseCentralPassword | SyncToSystemPassword configuration parameter is set. If not, set the configuration parameter.
-
If an employee’s system user account must be unlocked if the central password is given, in the Designer, check if the QER | Person | UseCentralPassword | SyncToSystemPassword | UnlockByCentralPassword configuration parameter is set. If not, set the configuration parameter.
NOTE:
-
The Employee central password policy password policy is applied to an employee's central password. Ensure that the password policy does not violate the target system's specific password policies.
-
Use the QER | Person | UseCentralPassword | CheckAllPolicies configuration parameter to specify whether the employee’s central password is tested against all the target system’s password policies in which the employee has user accounts. This test is only carried out in the Password Reset Portal.
-
An employee's central password is not replicated to privileged user accounts of the employee.
-
If a password cannot be changed due to an error, the employee receives a corresponding email notification.
-
To replicate an employee's central password to a password column of a customer-specific user account table, in the Designer, define a ViewAddOn for the QERVPersonCentralPwdColumn view. The database view returns the password column of the user account tables. The user account table must have a reference to the employee (UID_Person) and a XMarkedForDeletion column. For detailed information about changing the One Identity Manager schema, see the One Identity Manager Configuration Guide.
-
If you want to map additional user-specific features, overwrite the QER_Publish_CentralPassword script. For detailed information about editing scripts, see the One Identity Manager Configuration Guide.
-
Use the Password Reset Portal to set the central password. For detailed information, see the One Identity Manager Web Portal User Guide and the One Identity Manager Web Application Configuration Guide.
Related topics
The employee’s default email address is displayed on the mailboxes in the activated target system. In the One Identity Manager default installation, the default email address is formed from the employee’s central user account and the default mail domain of the active target system.
The default mail domain is determined using the QER | Person | DefaultMailDomain configuration parameter.
- In the Designer, set the configuration parameter and enter the default mail domain name as a value.
Related topics
Table 37: Configuration parameter for representing multiple identities
Person | MasterIdentity | UseMasterForAuthentication |
This configuration parameter specifies whether the main identity should be used to log in to One Identity Manager tools through an employee-linked authentication module.
If this parameter is set, the main identity is used for employee linked authentication. If the parameter is not set, the subidentity for employee-linked authentication is used.
For detailed information about the One Identity Manager authentication modules and about editing system users, see the One Identity Manager Authorization and Authentication Guide. |
It may be necessary for employees to have different identities for their work under certain circumstances – for example, identities that result from contracts at different branches. These identities can be differentiated through the membership of a department, cost center or through access permissions. External employees at different locations can also be used and represented with different identities in the system. You can define a main identity and a subidentity for an employee in One Identity Manager to represent each of the identities and to group them at a central location.
In target systems, different types of user accounts are available to provide the employees with different permissions. An employee can have different identities to use multiple user accounts with different types. In order to improve the assignment of authorizations to the target systems, the sub-identities of the employees are split into different identity types. This classification corresponds to the user account types.
Main identity
-
A main identity represents a real person.
-
A main identity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
-
The employee master data for a main identity is shown in One Identity Manager.
-
A main identity can have several subidentities.
Subidentity
-
A subidentity is a virtual employee.
-
A subidentity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
-
A subidentity is always assigned to a main identity.
-
Employee master data for a subidentity is displayed in One Identity Manager. This can be copied from the main identity data using the appropriate templates.
-
Enter a main identity for the subidentity using Main identity on the employee’s master data form.
TIP: If an employee works with several identities, but only one of these is currently known in the One Identity Manager, then you should
-
create a main identity for this employee
-
assign the identity known until now as a subidentity
-
create new subidentities for the additional identities
In this way, it is possible to test the employee’s permitted permissions per subidentity or per main identity including all subidentities in the bounds of an identity audit.
Related topics