Identity Manager 8.1.5 - Administration Guide for Connecting to Custom Target Systems

Deleting and restoring user accounts

NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the assignment of an account definition is removed, the user account that was created from this account definition is deleted.

You can delete a user account that was not created using an account definition through the result list or from the menu bar. After you have confirmed the security alert, the user account is marked for deletion in One Identity Manager. The user account is locked in One Identity Manager and finally deleted from the database and the One Identity Manager, depending on the deferred deletion setting.

Configuring deferred deletion

By default, user accounts are finally deleted from the database after 30 days. During this period you have the option to reactivate the user accounts. A restore is not possible once deferred deletion has expired. In the Designer, you can set an alternative delay on the UNSAccountB table.

To delete a user account

  1. Select the Custom target systems | <target system> | User accounts category.
  2. Select the user account in the result list.
  3. Click in the result list.
  4. Confirm the security prompt with Yes.

To restore a user account

  1. Select the Custom target systems | <target system> | User accounts category.
  2. Select the user account in the result list.
  3. Click Undo delete in the result list toolbar.

Groups in a custom target system

Groups map the objects that control access to target system resources in the target systems. A user receives access to target system resources through group memberships and access permissions.

To edit group master data

  1. In the Manager, select the Custom target systems | <target system> | Groups category.

  2. Select the group in the result list and run the Change master data task.

  3. On the master data form, edit the master data for the group.

  4. Save the changes.

Group master data

Enter the following master data for a group.

Table 27: Entering master data for a group

| Property | Description |
|---|---|
| Name | Name of the group. |
| Canonical name | The canonical name is generated automatically and should not be changed. |
| Distinguished name | The distinguished name is determined using a template and must not be changed. |
| Display name | The display name is used to display the group in the One Identity Manager tools user interface. |
| Container | Container in which to create the group. |
| Service item | Service item data for requesting the group through the IT Shop. |
| Risk index | Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This input field is only visible if the QER \| CalculateRiskIndex configuration parameter is activated. For more detailed information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide. |
| Category | Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the menu. |
| Description | Text field for additional explanation. |
| IT Shop | Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested by the employees through the Web Portal and distributed with a defined approval process. The group can still be assigned directly to hierarchical roles. |
| Only for use in IT Shop | Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested by the employees through the Web Portal and distributed with a defined approval process. Direct assignment of the group to hierarchical roles or user accounts is not permitted. |

Related topics
  • Group inheritance based on categories
  • For more detailed information about preparing groups for requesting through the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Assigning groups to user accounts

Groups can be assigned directly or indirectly to user accounts. In the case of indirect assignment, employees and groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. The groups assigned to an employee are calculated from the position in the hierarchy and the direction of inheritance.

If you add an employee to roles and that employee owns a user account in a target system, the user account is added to the group. Prerequisites for indirect assignment of employees to user accounts:

  • Direct assignment of employees and groups of custom target systems is permitted for role classes (departments, cost centers, locations, or business roles).
  • User accounts are marked with the Groups can be inherited option.

Groups can also be assigned to employees through IT Shop requests. So that groups can be assigned using IT Shop requests, employees are added to a shop as customers. All groups assigned to this shop can be requested by the customers. Requested groups are assigned to the employees after approval is granted.

For more detailed information about inheriting company resources, see the One Identity Manager Identity Management Base Module Administration Guide.
