
Identity Manager 8.1 - Administration Guide for Connecting to a Universal Cloud Interface

Contents

  • Managing Universal Cloud Interface Environments
  • Setting up Synchronization with a Cloud Application in the Universal Cloud Interface
  • Basic data for managing a Universal Cloud Interface environment
  • Cloud Target Systems
  • Container Structures in a Cloud Target System
  • Cloud User Accounts
  • Cloud Groups
  • Cloud Permissions Controls
  • Provisioning Object Changes
  • Reports about Objects in Cloud Target Systems
  • Appendix: Configuration Parameters for Managing Cloud Target Systems
  • Appendix: Default Project Template for Cloud Application in the Universal Cloud Interface

Managing Universal Cloud Interface Environments

One Identity Manager supports the implementation of Identity and Access Governance demands in IT environments, which are often a mix of traditional, internally hosted applications and modern cloud applications. Users and entitlements from cloud applications can be mapped in One Identity Manager. This makes it possible to also use Identity and Access Governance processes such as attestation, identity audit, management of users and system entitlements, IT Shop, or report subscriptions for cloud applications.

Data protection policies, such as the General Data Protection Regulation, require agreement as to which employee data may be stored in cloud applications. If the system environment is configured appropriately, One Identity Manager guarantees that neither cloud applications nor their administrators have access to employee master data or to Identity and Access Governance processes. For this reason, cloud applications are managed in two separate modules, which can be installed in separate databases if necessary.

The Universal Cloud Interface Module provides the interface through which users and permissions are transferred from cloud applications into a One Identity Manager database. Synchronization with the cloud applications is configured and run in this module. Each cloud application is mapped as its own base object in One Identity Manager. The user data is stored as user accounts, groups and permissions controls and can be organized into containers. These objects cannot be edited in the Universal Cloud Interface Module, and no connection is made to identities (employees).

Identities are connected in the Cloud Systems Management Module, where user accounts, groups and permissions controls can be created and edited. This allows Identity and Access Governance processes to be used for managing cloud user accounts and their permissions. Data is exchanged between the Universal Cloud Interface and Cloud Systems Management modules by synchronization. Provisioning processes ensure that object changes are transferred from the Cloud Systems Management Module to the Universal Cloud Interface Module.

For some cloud applications, automated provisioning of changes from the Universal Cloud Interface Module to the cloud application is either not possible (for technical reasons) or not worthwhile (because too few changes occur). In these cases, changes can be provisioned manually.

Because only data that must be available in the cloud application is saved in the Universal Cloud Interface Module, the module can be installed in a separate database. This database may be outside the company's infrastructure.

The One Identity Starling Connect cloud solution provides a simple and comprehensive solution for integrating cloud applications and for meeting the requirements of hybrid solution scenarios.

Architecture overview

A synchronization server installed with the Universal Cloud Interface Module connector is required for synchronizing cloud applications in the Universal Cloud Interface. The Universal Cloud Interface Module can exist in the same One Identity Manager database in which the Cloud Systems Management Module is installed. Synchronization can also be set up with another One Identity Manager database, which is provided on an external database server.

Figure 1: Architecture for synchronization

For more detailed information about communicating between the Universal Cloud Interface and cloud application, see the One Identity Manager Administration Guide for Connecting to Cloud Applications.

One Identity Manager Users for Managing Cloud Target Systems

The following users are used for setting up and managing cloud target systems.

Table 1: Users

Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles are conflicting for target system managers.

  • Authorize other employees to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | Cloud target systems application role or a sub application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change or delete target system objects, such as user accounts or groups.

  • Edit password policies for the target system.

  • Prepare groups for adding to the IT Shop.

  • Create employees with an identity that differs from the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

One Identity Manager administrators

Users with this role:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non-role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Administrators for the IT Shop

Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Assign groups to IT Shop structures.

Administrators for organizations

Administrators must be assigned to the Identity Management | Organizations | Administrators application role.

Users with this application role:

  • Assign groups to departments, cost centers and locations.

Business roles administrators

Administrators must be assigned to the Identity Management | Business roles | Administrators application role.

Users with this application role:

  • Assign groups to business roles.

Setting up Synchronization with a Cloud Application in the Universal Cloud Interface

Data is exchanged between the Universal Cloud Interface and Cloud Systems Management modules by synchronization. In order to apply Identity and Access Governance processes to cloud application objects, you must set up synchronization between the two modules.

NOTE: The terms "target system" and "(One Identity Manager) database" are used frequently in the following. The term "target system" always means a cloud application in the Universal Cloud Interface. "One Identity Manager database" or "database" refers to the objects in the Cloud Systems Management Module.

Table 2: Terms

  Term               One Identity Manager database       Target system
  Connected system   Cloud Systems Management Module     Universal Cloud Interface Module
  Base object        Cloud target system                 Cloud application

The mapping defines how the schema types of the two connected systems are mapped to each other. For more information, see Appendix: Default Project Template for Cloud Application in the Universal Cloud Interface.

To transfer objects from a cloud application into the Cloud Systems Management Module for the first time

  1. Provide One Identity Manager users with the permissions required for setting up synchronization and for post-processing synchronization objects.
  2. Check that the configuration parameter TargetSystem\CSM is set. The One Identity Manager components for managing cloud target systems are only available when this parameter is set.
    • Check in the Designer whether the configuration parameter is set. If it is not, set the configuration parameter and compile the database.

    • Other configuration parameters are installed when the module is installed. Check these configuration parameters and modify them as necessary to suit your requirements.
  3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.

    The cloud application must already be available in the Universal Cloud Interface Module.
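The following is an added example (not One Identity Manager code) that models the two data flows this chapter describes: synchronization from the target system (Universal Cloud Interface Module) into the database (Cloud Systems Management Module), and provisioning of database edits back towards the target system. Two points from the text are made concrete: an object that vanishes from the target system is marked outstanding rather than deleted, so a target system manager can post-process it; and provisioning must skip such outstanding objects, because there is nothing left in the target system to apply the change to. The classes, field names, the "uid" key and the sample accounts are invented for illustration and do not correspond to product tables or columns.

```python
"""Model of synchronization (target system -> database) and provisioning
(database -> target system) with outstanding-object handling.
Added example, not One Identity Manager code; all names are invented."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class CloudAccount:
    """Account as read from the target system; read-only in this direction."""
    uid: str                  # unique identifier assigned by the cloud application
    login: str
    enabled: bool
    groups: frozenset         # identifiers of the groups the account belongs to


@dataclass
class DbAccount:
    """Mapped object in the database, where it may be edited."""
    uid: str
    login: str
    enabled: bool
    groups: frozenset
    outstanding: bool = False  # True once the object disappeared from the target system


@dataclass
class SyncResult:
    created: list = field(default_factory=list)
    updated: list = field(default_factory=list)
    outstanding: list = field(default_factory=list)


def synchronize(target, db):
    """Target system -> database.  Objects found in the target system are inserted
    or updated; objects that exist only in the database are marked outstanding,
    never deleted, so the loss stays visible for post-processing."""
    result = SyncResult()
    seen = {acc.uid: acc for acc in target}
    for uid, acc in seen.items():
        obj = db.get(uid)
        if obj is None:
            db[uid] = DbAccount(uid, acc.login, acc.enabled, acc.groups)
            result.created.append(uid)
            continue
        changed = (obj.login, obj.enabled, obj.groups) != (acc.login, acc.enabled, acc.groups)
        if changed or obj.outstanding:
            obj.login, obj.enabled, obj.groups = acc.login, acc.enabled, acc.groups
            obj.outstanding = False  # object reappeared in the target system
            result.updated.append(uid)
    for uid, obj in db.items():
        if uid not in seen and not obj.outstanding:
            obj.outstanding = True
            result.outstanding.append(uid)
    return result


def provisioning_ops(db, target):
    """Database -> target system.  Returns the operations a provisioning process
    would have to send for edits made in the database.  Outstanding objects are
    skipped: nothing exists in the target system to apply the change to."""
    current = {acc.uid: acc for acc in target}
    ops = []
    for uid, obj in db.items():
        if obj.outstanding:
            continue
        cur = current.get(uid)
        if cur is None:  # created in the database; its uid is provisional here
            ops.append(("create", uid, {"login": obj.login, "enabled": obj.enabled,
                                         "groups": sorted(obj.groups)}))
            continue
        diff = {}
        if obj.login != cur.login:
            diff["login"] = obj.login
        if obj.enabled != cur.enabled:
            diff["enabled"] = obj.enabled
        if obj.groups - cur.groups:
            diff["add_groups"] = sorted(obj.groups - cur.groups)
        if cur.groups - obj.groups:
            diff["remove_groups"] = sorted(cur.groups - obj.groups)
        if diff:
            ops.append(("update", uid, diff))
    return ops


def demo():
    """Constructed walk-through: initial sync, a second sync after changes in the
    cloud application, then edits made in the database."""
    db = {}
    first = [CloudAccount("u1", "alice", True, frozenset({"g-admins"})),
             CloudAccount("u2", "bob", True, frozenset())]
    r1 = synchronize(first, db)
    # In the cloud application: alice was disabled, bob was deleted.
    second = [CloudAccount("u1", "alice", False, frozenset({"g-admins"}))]
    r2 = synchronize(second, db)
    # In the database: alice gets a group; someone also edits the outstanding bob.
    db["u1"].groups = frozenset({"g-admins", "g-devs"})
    db["u2"].enabled = False
    return r1, r2, provisioning_ops(db, second)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the walk-through shows the second synchronization reporting "u2" as outstanding instead of removing it, and the provisioning step emitting only the group addition for "u1"; the edit to the outstanding "u2" produces no operation and has to be resolved by post-processing the outstanding object.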

Detailed information about this topic

For more detailed information about setting up initial synchronization with a cloud application, see the One Identity Manager Administration Guide for Connecting to Cloud Applications.
