Identity Manager 8.1 - Administration Guide for Connecting to a Universal Cloud Interface


Locking and Unlocking User Accounts

The way you disable user accounts depends on how they are managed.

Scenario:
  • The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the user account's manage level. Accounts with the Full managed manage level are disabled according to the account definition settings. For user accounts with any other manage level, configure the required behavior using the template on the CSMUser.AccountDisabled column.

Scenario:
  • The user accounts are linked to employees. No account definition is applied.

User accounts that are not managed through account definitions are disabled when the employee is temporarily or permanently disabled, depending on the QER | Person | TemporaryDeactivation configuration parameter:

  • If the configuration parameter is set, the employee’s user accounts are disabled if the employee is permanently or temporarily disabled.

  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To disable a user account when the configuration parameter is not set

  1. In Manager, select Cloud Target Systems | <target system> | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data.
  4. Enable Account is disabled on the General tab.
  5. Save the changes.

Scenario:
  • User accounts not linked to employees.

To disable a user account that is not linked to an employee

  1. In Manager, select Cloud Target Systems | <target system> | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data.
  4. Enable Account is disabled on the General tab.
  5. Save the changes.

Related Topics

For detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.

Deleting User Accounts

You can delete a user account from the result list or the menu bar. After the security prompt has been confirmed, the user account is deleted from the One Identity Manager database.

Configuring deferred deletion

By default, user accounts are finally deleted from the database after 30 days. During this period you have the option to reactivate the user accounts. A restore is not possible once the delete delay has expired. You can configure an alternative deletion delay in Designer in the table CSMUser.

To delete a user account

  1. Select the category Cloud Target Systems | <target system> | User accounts.
  2. Select the user account in the result list.
  3. Click the delete button in the result list toolbar.
  4. Confirm the security prompt with Yes.

Once you have deleted a user account, it is also deleted in the Universal Cloud Interface Module through the provisioning process and then in the cloud application. The deletion is logged as a pending change. You can see whether the user account has been deleted in the cloud application from the process status for the pending change. The same applies if memberships of user accounts in groups are deleted.

Some cloud applications do not allow user accounts to be deleted. These user accounts cannot be deleted in the Manager, only disabled. You configure this behavior on the cloud target system.

To prevent user accounts from being deleted

  1. Select the category Cloud Target Systems | Basic configuration data | Cloud target systems.
  2. Select the target system in the result list. Select Change master data.
  3. Set the option User account deletion not permitted.
  4. Save the changes.
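The two sections above (locking under "Locking and Unlocking User Accounts" and deferred deletion under "Deleting User Accounts") describe rules rather than code. The following Python model is an added example, not code from the guide or from One Identity Manager, that encodes those rules so they can be tested: the three disable scenarios (account definition with Full managed or another manage level, no account definition with the QER | Person | TemporaryDeactivation parameter, no linked employee), the "User account deletion not permitted" option turning a delete into a disable, and the deferred-deletion window with restore. Class and attribute names, the assumption that the template for non-Full-managed accounts follows the employee state, the assumption that accounts are only disabled automatically and never re-enabled automatically, and the inclusive day-30 restore boundary are all assumptions made here for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

DEFAULT_DELETE_DELAY_DAYS = 30  # default deferred-deletion period stated in the guide


@dataclass
class Employee:
    is_inactive: bool = False                 # permanently disabled
    is_temporarily_deactivated: bool = False  # temporarily disabled

    def is_disabled(self) -> bool:
        return self.is_inactive or self.is_temporarily_deactivated


@dataclass
class CloudTargetSystem:
    name: str
    deletion_not_permitted: bool = False  # "User account deletion not permitted" option
    delete_delay_days: int = DEFAULT_DELETE_DELAY_DAYS  # alternative delay set in Designer


@dataclass
class CloudUserAccount:
    name: str
    target_system: CloudTargetSystem
    employee: Optional[Employee] = None
    has_account_definition: bool = False
    manage_level: str = "Unmanaged"           # "Full managed" or another level (assumed names)
    definition_disables_account: bool = True  # assumed account-definition setting
    account_disabled: bool = False            # "Account is disabled" on the General tab
    marked_for_deletion_on: Optional[date] = None
    pending_changes: List[str] = field(default_factory=list)  # provisioning log (illustrative)


def recalculate_disabled(acct: CloudUserAccount, temporary_deactivation_param: bool) -> bool:
    """Apply the three locking scenarios and return the resulting disabled flag.

    Assumption: only disabling is automated; re-enabling stays a manual step.
    """
    emp = acct.employee
    if emp is None or not emp.is_disabled():
        return acct.account_disabled  # no linked employee, or employee still active: unchanged
    if acct.has_account_definition:
        if acct.manage_level == "Full managed":
            if acct.definition_disables_account:  # follows the account definition settings
                acct.account_disabled = True
        else:
            # Other manage levels: the template on CSMUser.AccountDisabled decides.
            # Assumed template behaviour: mirror the employee's disabled state.
            acct.account_disabled = True
    elif temporary_deactivation_param:  # QER | Person | TemporaryDeactivation is set
        acct.account_disabled = True
    # Parameter not set and no account definition: employee state has no effect.
    return acct.account_disabled


def request_delete(acct: CloudUserAccount, today: date) -> str:
    """Delete from the Manager result list; returns what actually happened."""
    if acct.target_system.deletion_not_permitted:
        acct.account_disabled = True  # deletion blocked: account is disabled instead
        acct.pending_changes.append(f"disable {acct.name}")
        return "disabled"
    acct.marked_for_deletion_on = today
    acct.pending_changes.append(f"delete {acct.name}")  # logged as a pending change
    return "marked_for_deletion"


def can_restore(acct: CloudUserAccount, today: date) -> bool:
    """Restore is possible until the deletion delay has expired (day 30 inclusive here)."""
    if acct.marked_for_deletion_on is None:
        return False
    deadline = acct.marked_for_deletion_on + timedelta(days=acct.target_system.delete_delay_days)
    return today <= deadline


def restore(acct: CloudUserAccount, today: date) -> bool:
    if not can_restore(acct, today):
        return False
    acct.marked_for_deletion_on = None
    return True


def purge_expired(accounts: List[CloudUserAccount], today: date) -> List[str]:
    """Finally delete accounts whose delay has expired; returns the names removed."""
    removed = [a.name for a in accounts
               if a.marked_for_deletion_on is not None and not can_restore(a, today)]
    accounts[:] = [a for a in accounts if a.name not in removed]
    return removed


if __name__ == "__main__":
    # Constructed sample: temporarily deactivated employee, no account definition, parameter set.
    ts = CloudTargetSystem("Cloud A")
    acct = CloudUserAccount("jdoe", ts, employee=Employee(is_temporarily_deactivated=True))
    print(recalculate_disabled(acct, temporary_deactivation_param=True))
```

The useful checks are the boundary ones: a target system with deletion not permitted never gets a deletion date, only a disabled flag, and an account marked for deletion on day 0 can still be restored on day 30 but is purged on day 31.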

Cloud Groups

Groups map the objects that control access to cloud resources through the cloud application. A user account obtains access permissions to cloud resources through its group memberships.

To edit group master data

  1. In Manager, select the category Cloud Target Systems | <target system> | Groups.
  2. Select the group in the result list and run Change master data.
  3. On the master data form, edit the master data for the group.
  4. Save the changes.

Entering Master Data for a Group

Table 37: Configuration Parameters for Setting up User Accounts

  Configuration parameter    Effect when set
  QER | CalculateRiskIndex   Preprocessor-relevant configuration parameter controlling the system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.
                             If the parameter is enabled, values for the risk index can be entered and calculated.

Enter the following master data for a group.

Table 38: Entering master data for a group

  Property                  Description
  Name                      Name of the group.
  Container                 Container in which to create the group.
  Target system             The group's cloud target system.
  Distinguished name        Distinguished name of the group.
  Display name              Display name used to show the group in the user interface of the One Identity Manager tools.
  Group name                Additional name for the group.
  Email address             The group's email address.
  Account manager           Manager responsible for the group.
                            To specify an account manager:
                              1. Click the button next to the text box.
                              2. Under Table, select the table that maps the account manager.
                              3. Select the manager under Account manager.
                              4. Click OK.
  IT Shop                   Specifies whether the group can be requested through the IT Shop. If this option is set, employees can request the group through the Web Portal and it is distributed with a defined approval process. The group can still be assigned directly to hierarchical roles.
                            For detailed information, see the One Identity Manager IT Shop Administration Guide.
  Only for use in IT Shop   Specifies whether the group can only be requested through the IT Shop. If this option is set, employees can request the group through the Web Portal and it is distributed with a defined approval process. Direct assignment of the group to hierarchical roles or user accounts is not permitted.
  Service item              Service item data for requesting the group through the IT Shop.
  Risk index                Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set.
                            For detailed information, see the One Identity Manager Risk Assessment Administration Guide.
  Category                  Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the menu.
                            For detailed information, see the One Identity Manager Target System Base Module Administration Guide.
  Description               Text box for additional explanation.
  Group type                Name of the group type. This is only required if the cloud application distinguishes between different group types.
  Resource type             Type of resource, for example, Group.