Permissions for SharePoint web applications
You can define user policies in SharePoint that apply to every site of a web application, regardless of the permissions defined on the individual sites; a user policy overlays whatever is specifically granted at site level. User policies are based on the same authentication objects (users and groups from a trusted authentication system) from which SharePoint user accounts are created, and the authentication object can be stored on the user policy.
User policies obtain their permissions through permission policies, in which SharePoint permissions are explicitly granted or denied.
Figure 5: Permissions for SharePoint web applications through policies
You define user policies and permission policies per web application, so a user policy is implicitly authorized for all sites of that web application. You can restrict a user policy to a single zone or allow it for the entire web application.
SharePoint permission policies
On the permission policy overview form, you can view the web application and the user policies to which the permission policy is assigned. All permissions are listed that have been explicitly granted or denied.
To obtain an overview of a permission policy
- Select the SharePoint | Permission policies category.
- Select the permission policy from the result list.
- Select the SharePoint permission policy overview task.
The denied SharePoint permission "Deny write" is displayed. Internally, SharePoint groups several individual permissions into one permission that the SharePoint interface only shows as separate single permissions. One Identity Manager maps the internal SharePoint permission, which is why only the permission "Deny write" appears in the One Identity Manager interface; the individual permissions it is composed of are not known to One Identity Manager.
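The SharePoint-side objects behind the two policy types described above can be inspected directly. The following is an added example for the SharePoint Management Shell, not code from One Identity Manager or its documentation; it assumes a farm server and the web application URL shown. It lists the permission policies (SPPolicyRole) with their grant and deny masks expanded into the individual base permissions that the "Deny write" policy hides, then lists the global and zone-specific user policies (SPPolicy) bound to them.

```powershell
# Added example (not One Identity Manager code). Run in the SharePoint Management
# Shell on a farm server. The web application URL is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication -Identity "http://intranet.example.local"   # assumed URL

# A permission policy is an SPPolicyRole: a pair of rights masks (granted / denied).
# "Deny Write" is one role, but its deny mask covers many individual base permissions.
function Expand-RightsMask([Microsoft.SharePoint.SPBasePermissions] $mask) {
    [Enum]::GetValues([Microsoft.SharePoint.SPBasePermissions]) |
        Where-Object {
            $_ -ne 'EmptyMask' -and $_ -ne 'FullMask' -and
            (([uint64]$mask -band [uint64]$_) -ne 0)
        } |
        ForEach-Object { $_.ToString() }
}

"== Permission policies (SPPolicyRole) on $($wa.DisplayName) =="
foreach ($role in $wa.PolicyRoles) {
    "{0,-14} type={1}" -f $role.Name, $role.Type
    "   grants: " + ((Expand-RightsMask $role.GrantRightsMask) -join ', ')
    "   denies: " + ((Expand-RightsMask $role.DenyRightsMask)  -join ', ')
}

# A user policy is an SPPolicy binding a login (user or group) to one or more
# permission policies. Global policies live in $wa.Policies, zone-specific ones
# in $wa.ZonePolicies(<zone>).
function Show-Policies([string] $label, $policies) {
    "== $label =="
    foreach ($p in $policies) {
        $bound = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        "{0,-45} system={1,-5} roles: {2}" -f $p.UserName, $p.IsSystemUser, $bound
    }
}

Show-Policies "Global user policies" $wa.Policies
foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    Show-Policies "Zone-specific user policies ($zone)" $wa.ZonePolicies($zone)
}
```

The deny list printed for the "Deny Write" role is the set of single permissions that One Identity Manager does not model individually; a deny in a web application policy wins over any grant made at site level, so an entry in this output is the first thing to check when a user unexpectedly cannot write to a site.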
SharePoint user policies
User policies have a dynamic foreign key (column AuthenticationObject) that references the appropriate authentication object. An employee can additionally be assigned if the dynamic foreign key references an Active Directory or LDAP user account.
Each user policy represents an object from an authentication system. This object can be a group or a user.
To edit user policy master data
- Select the SharePoint | User policies category.
- Select the user policy in the result list. Select the Change master data task.
- Enter the required data on the master data form.
- Save the changes.
The following properties are displayed for user policies.
Table 42: Master data for a user policy

Property | Description
Display name | Display name for the user policy.
User account | Specifies whether the user policy's authentication object is a user account.
Login name | Login name for the user policy. It is determined by a template.
System account | Specifies whether the user policy operates as a system account in the SharePoint environment.
Employee | Employee using the user policy. If an authentication object is assigned, the connected employee is determined from the authentication object by a template. If no authentication object is assigned, the employee can be assigned manually. An employee can only be assigned if the User account option is set.
Web application | Unique identifier of the web application for which the user policy is set up.
Zone | Unique identifier of the SharePoint zone for which the user policy is valid.
Authentication object | Authentication object that the user policy references. Each user policy represents an object from an authentication system trusted by the SharePoint installation. If this authentication system is managed as a target system in One Identity Manager, the object used for authentication can be saved as the authentication object in the user policy. The authentication object is assigned during synchronization. If the User account option is set, Active Directory user accounts and LDAP user accounts can be assigned; if the User account option is disabled, Active Directory groups and LDAP groups can be assigned.
NOTE: When an authentication object assigned to a SharePoint user policy is deleted from the One Identity Manager database, the link to the authentication object is removed from the user policy. Any employee assigned to the user policy remains assigned.
Global user policies
Global user policies are user policies that are valid for all zones. They are mapped in the SharePoint | Hierarchical view | <farm> | Web applications | <web application> | Global user policies category.
Zone-specific user policies
Zone-specific user policies are user policies that are valid for a single zone of a web application. They are displayed in the SharePoint | Hierarchical view | <farm> | Web applications | <web application> | Zone specific user policies | <zone> category.
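To make the difference between a global and a zone-specific user policy concrete, here is an added example for the SharePoint Management Shell (it is not One Identity Manager code and not from the original page). It creates a global, read-only policy for a service account flagged as a system account, and a zone-specific "Deny Write" policy for an Active Directory group on the Extranet zone only. The URL, account names and group SID are assumptions; the claims-encoded login name formats ("i:0#.w|" for a Windows user, "c:0+.w|" plus SID for a Windows group) are the values that appear as the policy's login name.

```powershell
# Added example (not One Identity Manager code). Run in the SharePoint Management
# Shell as a farm administrator. URL, names and SID below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication -Identity "http://intranet.example.local"   # assumed URL

# Claims-encoded logins: Windows user ("i:0#.w|DOMAIN\user") and Windows group
# ("c:0+.w|<group SID>"). Both are assumed values for illustration.
$auditUser = "i:0#.w|EXAMPLE\svc-audit"
$denyGroup = "c:0+.w|S-1-5-21-1111111111-2222222222-3333333333-1105"

$roleType  = [Microsoft.SharePoint.Administration.SPPolicyRoleType]
$fullRead  = $wa.PolicyRoles.GetSpecialRole($roleType::FullRead)
$denyWrite = $wa.PolicyRoles.GetSpecialRole($roleType::DenyWrite)

# Global user policy (valid in every zone): a read-only service account, marked
# as a system account so that its activity is not attributed to a person.
$existing = $wa.Policies | Where-Object { $_.UserName -eq $auditUser }
if (-not $existing) {
    $p = $wa.Policies.Add($auditUser, "Audit service (read only)")
    $p.PolicyRoleBindings.Add($fullRead)
    $p.IsSystemUser = $true
}

# Zone-specific user policy (Extranet zone only): the contractor group may read
# but never write, whatever permissions the individual sites grant in that zone.
# The same group keeps its normal site permissions in the Default/Intranet zones.
$zone     = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
$extranet = $wa.ZonePolicies($zone)
$existing = $extranet | Where-Object { $_.UserName -eq $denyGroup }
if (-not $existing) {
    $p = $extranet.Add($denyGroup, "Contractors (deny write, extranet)")
    $p.PolicyRoleBindings.Add($denyWrite)
}

# Persist both changes to the configuration database.
$wa.Update()

# Verify: the global policy appears in $wa.Policies, the zone policy only under
# $wa.ZonePolicies(Extranet); One Identity Manager picks both up on the next
# synchronization and shows the Extranet entry under the zone-specific category.
$wa.Policies           | Select-Object UserName, IsSystemUser
$wa.ZonePolicies($zone) | Select-Object UserName, IsSystemUser
```

Because a web application policy overrides site-level permissions, changes made this way are exactly the kind of entitlement that the One Identity Manager policy categories above are meant to surface; a deny policy created directly in the farm shows up after synchronization rather than being provisioned by One Identity Manager, which is worth keeping in mind when reviewing drift.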
Reports about SharePoint site collections
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for SharePoint site collections.
NOTE: Other sections may be available depending on which modules are installed.
Table 43: Reports for the target system

Report | Description
Overview of all assignments (site collection) | This report finds all roles containing employees with at least one user account in the selected site collection.
Overview of all assignments (web application) | This report finds all roles containing employees with at least one user account in the selected web application.
Overview of all assignments (group) | This report finds all roles containing employees with the selected group.
Show orphaned user accounts | This report shows all user accounts of the site collection that are not assigned an employee. The report contains assigned groups and a risk assessment.
Show employees with multiple user accounts | This report shows all employees with more than one user account in the site collection. The report contains a risk assessment.
Show entitlement drifts | This report shows all groups in the site collection that are the result of manual operations in the target system rather than being provisioned by One Identity Manager.
Show unused user accounts | This report shows all user accounts in the site collection that have not been used in the last few months.
Show user accounts with an above average number of system entitlements | This report contains all user accounts in the site collection with an above average number of group memberships. You can find the report in the My One Identity Manager | Data quality analysis category.