Chat now with support
Chat with Support

Identity Manager 8.1 - Administration Guide for Connecting to SharePoint Online

Mapping a SharePoint Online environment in One Identity Manager Synchronizing a SharePoint Online environment Managing SharePoint Online user accounts and employees Managing the assignments of SharePoint Online groups and roles Mapping of SharePoint Online objects in One Identity Manager
SharePoint Online tenants SharePoint Online user accounts SharePoint Online groups SharePoint Online permission levels SharePoint Online site collections SharePoint Online sites SharePoint Online roles
Handling of SharePoint Online objects in Web Portal Basic data for managing a SharePoint Online environment Appendix: Configuration parameters for managing SharePoint Online Appendix: Default project template for SharePoint Online Appendix: Editing system objects About us

Assigning SharePoint Online entitlements directly to a user account

To enable a quick response to special requests, you can assign entitlements directly to a user account.

To assign entitlements directly to a user account

  1. Select the category SharePoint Online | User accounts.

  2. Select the user account in the result list.

  3. Select one of the following tasks.

    • Assign groups

    • Assign SharePoint Online roles

  4. Assign the entitlements in the Add assignments area.

    - OR -

    Remove the entitlements in the Remove assignments area.

  5. Save the changes.
Related Topics

Assigning SharePoint Online roles to SharePoint Online groups

In order for SharePoint Online user groups to obtain permissions for individual websites, assign SharePoint Online roles to the groups. SharePoint Online roles and groups must belong to the same site collection.

NOTE: SharePoint Online Roles that reference permission levels with the Hidden option enabled cannot be assigned to groups.

To assign SharePoint Online roles to a group

  1. Select the category SharePoint Online | Groups.
  2. Select the group in the result list.
  3. Select Assign SharePoint Online roles in the task view.
  4. Assign roles in Add assignments.

    - OR -

    In Remove assignments, remove the roles.

  5. Save the changes.
Related Topics

Assigning SharePoint Online groups to SharePoint Online roles

In order for SharePoint Online user groups to obtain permissions for individual websites, assign SharePoint Online roles to the groups. SharePoint Online roles and groups must belong to the same site collection.

NOTE: SharePoint Online Roles that reference permission levels with the Hidden option enabled cannot be assigned to groups.

To assign groups to a SharePoint Online role

  1. Select SharePoint Online | Roles.
  2. Select the role in the result list.
  3. Select Assign groups.
  4. Assign groups in Add assignments.

    - OR -

    Remove groups from Remove assignments.

  5. Save the changes.
Related Topics

Effectiveness of SharePoint Online entitlement assignments

Table 17: Configuration Parameter for Conditional Inheritance
Configuration parameter Effect when set

QER | Structures | Inherite | GroupExclusion

Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to the parameter require recompiling the database.

When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group directly, indirectly or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.

The effectiveness of the assignments is mapped in the O3SUserInO3SGroup and O3SBaseTreeHasGroup via the column XIsInEffect.

Example of the effect of group memberships
  • Group A is assigned through the department "Marketing", group B through "Finance" and group C through the business role "Control group".

Clara Harris has a user account in this site collection. She primarily belongs to the department "marketing". The business role "Control group" and the department "Finance" are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B and C.

By using suitable controls, you want to prevent an employee from obtaining authorizations of groups A and group B at the same time. That means, groups A, B and C are mutually exclusive. A user, who is a member of group C cannot be a member of group B at the same time. That means, groups B and C are mutually exclusive.

Table 18: Specifying excluded groups (table O3SGroupExclusionAADGroupExclusionCSMGroupExclusion))

Effective Group

Excluded Group

Group A

Group B

Group A

Group C

Group B

Table 19: Effective Assignments

Employee

Member in Role

Effective Group

Ben King

Marketing

Group A

Jan Bloggs

Marketing, finance

Group B

Clara Harris

Marketing, finance, control group

Group C

Jenny Basset

Marketing, control group

Group A, Group C

Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the business role "control group" at a later date, group B also takes effect.

The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. If this should not be allowed, define further exclusion for group C.

Table 20: Excluded groups and effective assignments

Employee

Member in Role

Assigned Group

Excluded Group

Effective Group

Jenny Basset

 

Marketing

Group A

 

Group C

 

Control group

Group C

Group B

Group A

Prerequisites
  • The configuration parameter QER | Structures | Inherite | GroupExclusion is enabled.

  • Mutually exclusive groups belong to the same site collection.

To exclude a group

  1. In Manager, select SharePoint Online | Groups.

  2. Select a group in the result list.
  3. Select Exclude groups.

  4. Assign the groups that are mutually exclusive to the selected group in Add assignments.

    - OR -

    In Remove assignments, remove the groups that are not longer mutually exclusive.

  5. Save the changes.
Related Documents