
Identity Manager 8.1.5 - Administration Guide for Active Roles Integration

Interaction with Active Roles policies

When you are defining templates in One Identity Manager, you need to take the policies defined in Active Roles into account. Values generated in One Identity Manager are passed to the Active Roles connector without checking adherence to the Active Roles policies. If the values that are passed violate the Active Roles policies, the entire process fails. To prevent this, you need to customize the One Identity Manager templates for Active Roles.

Refer to your Active Roles documentation for more information about One Identity Active Roles policies.

Managing Active Directory objects

You can set up organizational units in a hierarchical container structure in One Identity Manager. Organizational units (divisions or departments) are used to logically organize Active Directory objects like user accounts and groups, thus simplifying administration.

NOTE: In the following, you are provided with details about the special features of managing Active Directory objects using Active Roles. For detailed documentation on managing an Active Directory environment with One Identity Manager, see One Identity Manager Administration Guide for Connecting to Active Directory.


Adding Active Directory groups automatically to the IT Shop

Table 7: Configuration parameters for automatically adding groups to the IT Shop

Configuration parameter: QER | ITShop | GroupAutoPublish

Description: Preprocessor-relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to this parameter require the database to be recompiled.

Configuration parameter: QER | ITShop | GroupAutoPublish | ADSGroupExcludeList

Description: This configuration parameter contains a list of all Active Directory groups for which automatic IT Shop assignment should not take place. The entries are separated by pipe (|) characters, and each entry is a regular expression; the whole list is evaluated as one regular expression search pattern.

Example:

.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

Configuration parameter: TargetSystem | ADS | ARS_SSM

Description: Preprocessor-relevant configuration parameter for controlling the database model components for Active Roles Self-Service Management in the One Identity Manager IT Shop. If the parameter is set, Self-Service Management components are available. Changes to this parameter require recompilation of the database.
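Because the exclude list is evaluated as a single regular expression, a pattern that is one character too broad silently keeps groups out of the IT Shop. The following Python script is an added example, not part of the guide and not One Identity Manager code (the product evaluates the pattern with .NET; the patterns in the guide's example behave the same in Python). It applies the guide's sample list to constructed group names and shows what the anchoring and case handling change. The full-match default (suggested by the leading and trailing `.*` in the guide's example) and the case-sensitive default are assumptions, not documented product behaviour.

```python
import re

# Constructed sample: the value of QER | ITShop | GroupAutoPublish | ADSGroupExcludeList
# exactly as shown in the guide. Each pipe-separated entry is itself a regular expression.
EXCLUDE_LIST = ".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"

# Constructed group names for the demonstration; not taken from any real directory.
SAMPLE_GROUPS = [
    "Domain Admins", "Administrators", "Exchange Organization Management",
    "Backup Operators", "IIS_IUSRS", "Sales-Team", "SQL Administrators",
    "Operators-Sales", "Exchange",
]


def compile_exclude_list(exclude_list: str, ignore_case: bool = False):
    """Compile the exclude list into one regular expression.

    The list is used as a single pattern, so the pipes are regex alternation.
    An empty alternative (leading, trailing or doubled pipe) matches every
    group name and would keep all groups out of the IT Shop, so reject it.
    """
    if re.search(r"(^|\|)\s*(\||$)", exclude_list):
        raise ValueError("exclude list contains an empty alternative")
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(exclude_list, flags)


def partition_groups(groups, exclude_list, anchored=True, ignore_case=False):
    """Split group names into (published, excluded).

    ASSUMPTION: the guide does not state how the pattern is anchored. The
    leading and trailing '.*' in its example only make sense if the pattern
    has to cover the whole name, so the default is a full match; anchored=False
    shows what an unanchored search would exclude instead.
    """
    pattern = compile_exclude_list(exclude_list, ignore_case)
    match = pattern.fullmatch if anchored else pattern.search
    published, excluded = [], []
    for name in groups:
        (excluded if match(name) else published).append(name)
    return published, excluded


if __name__ == "__main__":
    for anchored in (True, False):
        published, excluded = partition_groups(SAMPLE_GROUPS, EXCLUDE_LIST, anchored)
        print(f"anchored={anchored}: published={published}")
        print(f"{'':16}excluded={excluded}")
```

Run it before setting the parameter in the Designer: the unanchored run shows that `.*Operators` also catches a group such as "Operators-Sales", and the case-insensitive run shows how many more groups a lower-case naming convention would pull in. Whichever anchoring the product actually applies, the script makes the consequence of each entry visible before the database is recompiled.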

Transferring Active Roles Self-Service Manager functionality into the One Identity Manager IT Shop is directly supported in the One Identity Manager Edition. If you are using the One Identity Manager Edition, run the following steps before initial synchronization:

To add groups automatically to the IT Shop

  1. In the Designer, set the QER | ITShop | GroupAutoPublish configuration parameter.

  2. In the Designer, set the QER | ITShop | GroupAutoPublish | ADSGroupExcludeList configuration parameter and specify the Active Directory groups that are not to be added automatically to the IT Shop.

  3. In the Designer, set the TargetSystem | ADS | ARS_SSM configuration parameter.

  4. Compile the database.

The groups are added automatically to the IT Shop from now on.

  • Synchronization ensures that the groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor.

  • New groups created in One Identity Manager are added to the IT Shop.

The following steps are run to add a group to the IT Shop.

  1. A service item is determined for the group.

    The service item is checked for each group and modified as required. The service item name corresponds to the name of the group. The service item is assigned to one of the default service categories.

    • Groups that already have a service item keep it; the service item is modified as required.

    • Groups without a service item are allocated a new service item.

    • The service item is enabled or disabled depending on whether the group is published in Active Roles Self-Service Manager.

  2. An application role for product owners is determined and the service item is assigned. Product owners can approve requests for membership in these groups. By default, the group's account manager is established as product owner.

    NOTE: The application role for the product owner must be added under the Request & Fulfillment | IT Shop | Product owner application role.

    • If the account manager of the group is already a member of an application role for product owners, this application role is assigned to the service item. All members of this application role therefore become product owners of the group.

    • If the account manager of the group is not yet a member of an application role for product owners, a new application role is created. The name of the application role corresponds to the name of the account manager.

      • If the account manager is a user account or a contact, the employee linked to that user account or contact is added to the application role.

      • If the account manager is a group, the employees of all of this group's user accounts are added to the application role.

    • If the group does not have an account manager, the Request & Fulfillment | IT Shop | Product owner | Without owner in AD default application role is used.

  3. The group is labeled with the IT Shop option and assigned to the Active Directory Groups IT Shop shelf in the Identity & Access Lifecycle shop.

Then the shop customers can request group memberships through the Web Portal.

NOTE: When a One Identity Manager group is irrevocably deleted from the database, the associated service item is also deleted.

Requesting new Active Directory groups using the Web Portal

NOTE: In the default installation, requests for group membership are approved using the "Approval of Active Directory group membership requests" approval policy.

To request a new Active Directory group

  • In the Web Portal, in the Service catalog | Requests menu, select the service category "Active Directory groups".
  • Request the Active Directory group using the "New Active Directory distribution list" or the "New Active Directory security group" product.

The following steps are automatically executed when you request a new Active Directory group:

  • An entry is created for the Active Directory group in One Identity Manager.
  • The Active Directory group is labeled with the Group is published to Self-Service Manager option.
  • The Active Directory group is labeled with the IT Shop option.
  • The associated service item is created. A new application role is set up with the requester as member. The application role is entered as product owner in the service item.

    Through this procedure, the Active Directory group requester has approval permissions for requesting memberships in this Active Directory group.

  • The Active Directory group is assigned to the shelf "Active Directory groups" in the default shop "Identity & Access Lifecycle".

Active Directory group membership can then be requested by customers of this shop through the Web Portal.

NOTE: If an Active Directory group is permanently deleted from the One Identity Manager database, the associated service item is also deleted.
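The owner determination in the automatic publication procedure above and the requester-as-owner rule in the Web Portal request flow decide who may approve membership in a group, so it helps to see every branch in one place: role reuse for an account manager who already owns something, the role named after the account manager, expansion of a manager group into its employees, the "Without owner in AD" fallback, the service item being disabled when the group is not published in Self-Service Manager, and deletion of the service item with the group. The following Python model is an added example and not One Identity Manager code: the Account, AdGroup, ServiceItem and Catalog classes and the demo() scenario are constructed for illustration, the role and shelf names are taken from the text, and treating a manager group as getting (or reusing) a role named after that group is a modelling assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field

PRODUCT_OWNER = "Request & Fulfillment | IT Shop | Product owner"
WITHOUT_OWNER = PRODUCT_OWNER + " | Without owner in AD"
SHELF = "Active Directory groups"   # shelf in the Identity & Access Lifecycle shop


@dataclass
class Account:
    """Constructed AD user account or contact with its linked employee."""
    name: str
    employee: str


@dataclass
class AdGroup:
    name: str
    account_manager: Account | AdGroup | None = None
    members: list[Account] = field(default_factory=list)  # used when the group is a manager
    published_in_ssm: bool = False   # "Group is published to Self-Service Manager" option
    it_shop: bool = False            # "IT Shop" option


@dataclass
class ServiceItem:
    name: str                        # corresponds to the group name
    enabled: bool                    # follows published_in_ssm
    product_owner_role: str          # application role whose members approve requests


@dataclass
class Catalog:
    """Model of the application roles, service items and one shelf."""
    app_roles: dict[str, set[str]] = field(default_factory=lambda: {WITHOUT_OWNER: set()})
    service_items: dict[str, ServiceItem] = field(default_factory=dict)
    shelf: list[str] = field(default_factory=list)

    def _owner_role_of(self, employee: str) -> str | None:
        """Product-owner role the employee already belongs to, if any."""
        for role, members in self.app_roles.items():
            if role != WITHOUT_OWNER and employee in members:
                return role
        return None

    def _owner_role_for(self, group: AdGroup) -> str:
        mgr = group.account_manager
        if mgr is None:
            return WITHOUT_OWNER
        if isinstance(mgr, Account):
            existing = self._owner_role_of(mgr.employee)
            if existing:
                return existing          # reuse: all members of that role become owners
            employees = {mgr.employee}
        else:                            # ASSUMPTION: a manager group gets a role of its own name
            employees = {a.employee for a in mgr.members}
        role = f"{PRODUCT_OWNER} | {mgr.name}"   # new role named after the account manager
        self.app_roles.setdefault(role, set()).update(employees)
        return role

    def auto_publish(self, group: AdGroup) -> ServiceItem:
        """GroupAutoPublish path: service item, product owner, IT Shop label, shelf."""
        role = self._owner_role_for(group)
        item = self.service_items.get(group.name)
        if item is None:
            item = ServiceItem(group.name, group.published_in_ssm, role)
            self.service_items[group.name] = item
        else:                            # existing service item is updated, not replaced
            item.enabled = group.published_in_ssm
            item.product_owner_role = role
        group.it_shop = True
        if group.name not in self.shelf:
            self.shelf.append(group.name)
        return item

    def request_new_group(self, name: str, requester: Account) -> tuple[AdGroup, ServiceItem]:
        """Web Portal path: a new role with the requester as member becomes product owner."""
        role = f"{PRODUCT_OWNER} | {requester.name}"
        self.app_roles.setdefault(role, set()).add(requester.employee)
        group = AdGroup(name, published_in_ssm=True, it_shop=True)
        item = ServiceItem(name, True, role)
        self.service_items[name] = item
        self.shelf.append(name)
        return group, item

    def delete_group(self, name: str) -> None:
        """Irrevocable deletion of the group also deletes its service item."""
        self.service_items.pop(name, None)
        if name in self.shelf:
            self.shelf.remove(name)


def demo() -> Catalog:
    """Constructed scenario that exercises every owner branch described in the text."""
    alice, bob = Account("alice", "Alice Example"), Account("bob", "Bob Example")
    helpdesk = AdGroup("Helpdesk", members=[alice, bob])
    cat = Catalog()
    cat.auto_publish(AdGroup("Sales-Team", account_manager=alice, published_in_ssm=True))
    cat.auto_publish(AdGroup("Sales-Archive", account_manager=alice))   # not in SSM: disabled
    cat.auto_publish(AdGroup("Printers", account_manager=helpdesk, published_in_ssm=True))
    cat.auto_publish(AdGroup("Legacy-App", published_in_ssm=True))      # no account manager
    cat.request_new_group("Project-X", requester=bob)
    cat.delete_group("Sales-Archive")
    return cat


if __name__ == "__main__":
    for item in demo().service_items.values():
        print(f"{item.name:12} enabled={item.enabled!s:5} owner={item.product_owner_role}")
```

The point to take from the scenario is who ends up approving: an account manager who already owns one group approves every further group assigned to them through the same role, every employee behind a manager group becomes an approver, and a group with no account manager falls back to the "Without owner in AD" role, whose membership therefore deserves review before the groups are published.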
