Identity Manager 8.1.5 - Authorization and Authentication Guide

Creating and editing dynamic roles for application roles

Use this task to assign employees to an application role through dynamic roles. For detailed information about using dynamic roles, see the One Identity Manager Identity Management Base Module Administration Guide.

NOTE: The Create dynamic role task is only available for application roles that do not have the Dynamic roles not allowed option set.

To create a dynamic role for the application role

  1. In the Manager in the One Identity Manager Administration category, select the application role.
  2. Select the Create dynamic role task.
  3. Enter the required master data. The following applies to dynamic roles for application roles:
    • Object class: Select Employee.
    • Application role: This data is preset with the selected application role. If these objects fulfill the dynamic role conditions, they become members in the application role.
    • Dynamic role: The dynamic role name is made up of the object class and the full name of the application role by default.
  4. Save the changes.

To edit a dynamic role

  1. In the Manager in the One Identity Manager Administration category, select the application role.
  2. Select the Application role overview task.
  3. In the overview form, click the dynamic role name in the Dynamic roles form element.
  4. Select the Change master data task.

  5. Edit the dynamic role.
  6. Save the changes.
Specifying mutually exclusive application roles

Some system roles must not be held by the same employee at the same time. For example, exception approvers for rule violations may not also be rule supervisors. To implement this behavior, you can specify mutually exclusive application roles. These application roles can then no longer be assigned to the same person.

NOTE: Only system roles that are defined directly as conflicting application roles cannot be assigned to the same employee. Definitions made on parent or child application roles do not affect the assignment.

To configure inheritance exclusion

  • In the Designer, set the QER | Structures | ExcludeStructures configuration parameter and compile the database.

To specify inheritance exclusion for application roles

  1. In the Manager in the One Identity Manager Administration category, select the application role for which you want to define an inheritance exclusion.
  2. Select the Edit conflicting application roles task.
  3. In the Add assignments pane, assign the application roles that are mutually exclusive to the selected application role.

    - OR -

    In the Remove assignments pane, remove the application roles that are no longer mutually exclusive.

  4. Save the changes.
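
The NOTE above means an exclusion defined on a parent or child role leaves a pair unblocked. The following audit sketch is an added example, not One Identity code or schema; it models that rule over constructed data with hypothetical role and employee names, and separates pairs the exclusion covers from pairs that only a related role's definition would cover.

```python
from itertools import combinations

# Constructed sample data; role and employee names are hypothetical.
PARENT = {  # child application role -> parent application role
    "Rule supervisors EMEA": "Rule supervisors",
    "Rule supervisors": "Identity Audit",
    "Exception approvers": "Identity Audit",
}
CONFLICTS = {frozenset({"Rule supervisors", "Exception approvers"})}
MEMBERSHIPS = {  # employee -> directly assigned application roles
    "alice": {"Rule supervisors", "Exception approvers"},
    "bob": {"Rule supervisors EMEA", "Exception approvers"},
    "carol": {"Exception approvers"},
}

def relatives(role, parent):
    """Return the role's ancestors and descendants (the role itself excluded)."""
    found, node = set(), role
    while node in parent and parent[node] not in found:  # walk up, cycle-safe
        node = parent[node]
        found.add(node)
    stack = [role]
    while stack:  # walk down through all children
        current = stack.pop()
        for child, par in parent.items():
            if par == current and child not in found:
                found.add(child)
                stack.append(child)
    found.discard(role)
    return found

def audit(memberships, conflicts, parent):
    """Return (direct, indirect) lists of (employee, role_a, role_b).

    direct:   the pair itself is defined as conflicting, so the exclusion applies.
    indirect: only a parent or child role carries the definition, so the
              exclusion does not apply and the pair needs manual review.
    """
    direct, indirect = [], []
    for emp, roles in sorted(memberships.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset((a, b)) in conflicts:
                direct.append((emp, a, b))
                continue
            near_a = relatives(a, parent) | {a}
            near_b = relatives(b, parent) | {b}
            if any(frozenset((x, y)) in conflicts for x in near_a for y in near_b):
                indirect.append((emp, a, b))
    return direct, indirect

if __name__ == "__main__":
    print(audit(MEMBERSHIPS, CONFLICTS, PARENT))
```
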

Assigning subscribable reports to application roles

Use this task to assign subscribable reports to an application role. All employees in this application role can subscribe to these reports in the Web Portal. For detailed information about subscribable reports, see the One Identity Manager Report Subscriptions Administration Guide.

NOTE:

  • This function is only available if the Report Subscription Module is installed.

  • The task is only available if a permissions group is assigned to the application role (or a parent application role).

  • Subscribable reports cannot be assigned to the Base roles | Employee Managers, the Base roles | Everyone (Lookup), or the Base roles | Everyone (Change) application role.

To assign subscribable reports to an application role

  1. In the Manager, select an application role in the One Identity Manager Administration category.

  2. Select the Assign subscribable reports task.

  3. In the Add assignments pane, assign reports.

    - OR -

    In the Remove assignments pane, remove the reports.

  4. Save the changes.

Assigning extended properties to application roles

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager. For detailed information about using extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

To specify extended properties for an application role

  1. In the Manager, in the One Identity Manager Administration category, select the application role.
  2. Select the Assign extended properties task.
  3. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click .
  4. Save the changes.