Identity Manager 8.1.4 - Identity Management Base Module Administration Guide

Employee identity types

To distinguish the different identities of one person, One Identity Manager uses the following identity types.

Table 38: Identity types

  • Primary identity: The employee's default identity. The employee has a default user account.
  • Organizational identity: Virtual employee (sub-identity) for mapping an employee's different roles in the organization. The sub-identity has a user account of the Organizational identity type. Also enter a main identity.
  • Personalized admin identity: Virtual person (sub-identity) that belongs to a user account of the Personalized administrator identity type. Also enter a main identity.
  • Sponsored identity: Dummy employee who is linked to a user account of the Sponsored identity type. Assign a manager to the employee.
  • Shared identity: Dummy employee who is linked to an administrative user account of the Shared identity type. Assign a manager to the employee.
  • Service identity: Dummy employee who is linked to a user account of the Service identity type. Assign a manager to the employee.
  • Machine identity: Dummy employee for mapping machine identities.

The primary identity, the organizational identity, and the personalized admin identity are different identities under which the same actual person carries out their different tasks within the company.

Employees with a personalized admin identity or an organizational identity are set up as sub-identities. These sub-identities are then linked to user accounts, which lets you assign the required entitlements to each user account separately.

The sponsored identity, the shared identity, and the service identity are dummy persons through which the connected user accounts are given permissions in the relevant target systems. Assigning these dummy employees to hierarchical roles, or as customers in the IT Shop, is what allows permissions to be assigned to their user accounts. IT Shop requests for them can only be triggered by the manager of the dummy person. When evaluating reports, attestations, or compliance checks, check whether dummy employees need to be handled differently from real persons.

Disabling and deleting employees

How employees are handled, particularly when they leave the company permanently or in part, varies from company to company. Some companies never delete employees and only disable them when they leave.

The following methods are available in the One Identity Manager standard version:

Temporarily deactivating employees

The employee has temporarily left the company and is expected to return on a predefined date. The desired course of action could be to disable the user accounts and remove all group memberships. Alternatively, the user accounts could be deleted and re-created when the employee returns, even if this means a new system identification number (SID).

Temporary disabling of an employee is triggered by:

  • The Temporary disabled option
  • The start and end date of the deactivation (Temporary disabled from and Temporary disabled until). Two schedules evaluate these dates:
      • Configure the Lock accounts of employees that have left the company schedule in the Designer. This schedule checks the start date for disabling and sets the Temporary disabled option when it is reached.
      • In the Designer, configure the Enable temporarily disabled accounts schedule. This schedule monitors the end date of the disabled period and re-enables the employee together with their user accounts when the date expires. User accounts that were already disabled before the period of temporary absence are also re-enabled once the period has expired.
Permanently deactivating employees

Employees can be disabled permanently when, for example, they leave the company. It might then be necessary to remove this employee's access to entitlements in connected target systems and to their company resources.

Effects of permanent disabling of an employee are:

  • The employee cannot be assigned to employees as a manager.
  • The employee cannot be assigned to roles as a supervisor.
  • The employee cannot be assigned to attestation policies as an owner.
  • There is no inheritance of company resources through roles, if the additional No inheritance option is set for an employee.
  • Employee user accounts are locked or deleted and then removed from group memberships.

Trigger permanent deactivation through:

  • The Disable employee permanently task

    This task ensures that the Permanently disabled option is enabled and that the leaving date and the date of the last working day are set to the current date.

  • Arrival of the leaving date

    NOTE: Check the Lock accounts of employees that have left the company schedule in the Designer. This schedule regularly checks the leaving date and sets the Permanently disabled option when the date is reached.

    NOTE: The Re-enable employee task re-enables the employee.

  • The Denied certification status

    If an employee's certification status is set to Denied through attestation or manually, the employee is permanently disabled with immediate effect. When the employee's certification status is changed to Certified, the employee is activated again.

    NOTE: This function is only available if the Attestation Module is installed.
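The temporary and permanent deactivation rules described above, modelled as an added Python example (not One Identity Manager code). The Employee fields, the date comparisons and the in-memory accounts dict are assumptions standing in for the real Designer schedules and target-system accounts:

```python
"""Employee deactivation rules from this page, modelled as plain functions.
Added illustration, not product code: the Employee fields, the date semantics
("reached" = on/after the date, "expired" = the day after) and the accounts
dict are assumptions standing in for the real Designer schedules."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Employee:
    name: str
    temporarily_disabled: bool = False
    temp_disabled_from: Optional[date] = None      # Temporary disabled from
    temp_disabled_until: Optional[date] = None     # Temporary disabled until
    permanently_disabled: bool = False
    leaving_date: Optional[date] = None
    certification_status: str = "Certified"
    # Constructed: user account -> date it was disabled (None = enabled).
    accounts: dict = field(default_factory=dict)

def lock_leavers(emp, today):
    """'Lock accounts of employees that have left the company' schedule."""
    start, end = emp.temp_disabled_from, emp.temp_disabled_until
    if start and start <= today and not (end and end < today):
        emp.temporarily_disabled = True
    if emp.leaving_date and emp.leaving_date <= today:
        emp.permanently_disabled = True

def enable_temporarily_disabled(emp, today):
    """'Enable temporarily disabled accounts' schedule. Re-enables every
    account, as the page states, and returns those that were already
    disabled before the absence so an administrator can review them."""
    end = emp.temp_disabled_until
    if not (emp.temporarily_disabled and end and end < today):
        return []
    emp.temporarily_disabled = False
    start = emp.temp_disabled_from
    review = [a for a, d in emp.accounts.items()
              if d is not None and start is not None and d < start]
    for account in emp.accounts:
        emp.accounts[account] = None
    return review

def certification_changed(emp, new_status):
    """Denied disables permanently at once; a change back to Certified re-enables."""
    if new_status == "Denied":
        emp.permanently_disabled = True
    elif new_status == "Certified" and emp.certification_status == "Denied":
        emp.permanently_disabled = False
    emp.certification_status = new_status
```

The list returned by enable_temporarily_disabled is the practitioner's check: accounts that were locked for another reason before the absence come back enabled, so they deserve a look after the schedule has run.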