Chat now with support
Chat with Support

Identity Manager 8.1.5 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0 / OpenID Connect configuration Multi-factor authentication in One Identity Manager Granulated permissions for the SQL Server and database

Permissions for executing scripts

The basic permissions for executing scripts are granted to the logged in user through the program feature Allow the starting of arbitrary scripts from the frontend (Common_StartScripts).

If a script is assigned a program function (QBMScriptHasFeature table), users can only execute this script if they have the necessary permissions groups. An error occurs if the user does not own this program function and tries to run it.

To control execution of a script using a program function

  1. Create a new program function.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the Object | New menu item.

    3. Enter the following information:

      • Program function: Name of the program function.

      • Description: Short description of the program function.

      • Function group: Property for grouping program functions.

  2. Connect the program function with the scripts that the user are allowed to trigger.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the View | Select table relations menu item and enable the QBMScriptHasFeature table.

    3. In the List Editor, select the newly created program function.

    4. In the Scripts edit view, assign the scripts.

  3. Assign the required program functions to the custom permissions group whose systems users will trigger these scripts.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the View | Select table relations menu item and enable the DialogGroupHasFeature table.

    3. In the List Editor, select your newly created program function.

    4. In the List Editor, use Ctrl+Selection to select your newly created program function and the Allow the starting of arbitrary scripts from the frontend function (Common_StartScripts).

    5. Assign the permissions group in the Permissions groups edit view.

Related topics

Permissions for executing methods

If a task definition is assigned a program function (QBMMethodHasFeature table) users can only execute this task if they have the necessary permissions groups. An error occurs if the user does not own this program function and tries to run it.

To make a task definition available to users using a program function

  1. Create a new program function.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the Object | New menu item.

    3. Enter the following information:

      • Program function: Name of the program function.

      • Description: Short description of the program function.

      • Function group: Property for grouping program functions.

  2. Connect the program function with the task definition events that the user will trigger.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the View | Select table relations menu item and enable the QBMMethodHasFeature table.

    3. In the List Editor, select the newly created program function.

    4. In the Tasks edit view, assign the task definitions.

  3. Assign the required program functions to the custom permissions group whose systems users will trigger these tasks.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the View | Select table relations menu item and enable the DialogGroupHasFeature table.

    3. In the List Editor, select your newly created program function.

    4. In the Permissions groups edit view, assign the permissions group.

Related topics

Permissions for triggering processes

The basic permissions for triggering processes are granted to the logged in user by the Allow to trigger any events from the frontend program feature (Common_TriggerEvents).

In One Identity Manager, triggering of events on stored processes is linked to the permissions concept. Users can only trigger events on objects like this if they own edit permissions for them. This can lead to table users who only have viewing permissions not being able to trigger additional events for processes.

In this case, it is possible to connect the object events (QBMEvent table) with a program function (QBMFeature table). An event (JobEventGen table), which is defined for a process, is linked with an object event (JobEventGen.UID_QBMEvent column). If the object event is assigned a program function (QBMEventHasFeature table), users that own this program function by permissions group, can trigger the object event and therefore the process, irrespective of their permissions.

To control triggering a process through a program function

  1. Create a new program function.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the Object | New menu item.

    3. Enter the following information:

      • Program function: Name of the program function.

      • Description: Short description of the program function.

      • Function group: Property for grouping program functions.

  2. Connect the program function with object events that the user will trigger.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the View | Select table relations menu item and enable the QBMEventHasFeature table.

    3. In the List Editor, select the newly created program function.

    4. Assign the object events in the Object events edit view.

  3. Assign the required program functions to the custom permissions group whose systems users will trigger these events.

    1. In the Designer, select the Permissions | Program functions category.

    2. Select the View | Select table relations menu item and enable the DialogGroupHasFeature table.

    3. In List Editor, use Ctrl+Selection to select your newly created program function and the function Allow to trigger any events from the frontend (Common_TriggerEvents).

    4. In the Permissions groups edit view, assign the permissions group.

Related topics

Modifying permissions for executing actions in the Launchpad

One Identity Manager supplies a number of Launchpad actions that you can use to start applications by using the Launchpad. You can also start your own applications over the Launchpad.

If some actions in the Launchpad should not be made available to all users, you can manage the permissions by assigning Launchpad actions to program functions (QBMLaunchActionHasFeature table). Only tasks containing actions that the user's program function permissions permit him to run are shown in the Launchpad.

To assign a program function to Launchpad actions

  1. In the Designer, select the Permissions | Program functions category.

  2. Select the View | Select table relations menu item and enable the QBMLaunchActionHasFeature table.

  3. In the List Editor, select the program function.

  4. In the Launchpad action edit view, assign the actions.

  5. Save the changes.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating