Assigning SharePoint Online entitlements directly to a user account
To enable a quick response to special requests, you can assign entitlements directly to a user account.
To assign entitlements directly to a user account
-
Select the category SharePoint Online | User accounts.
-
Select the user account in the result list.
-
Select one of the following tasks.
-
Assign groups
-
Assign SharePoint Online roles
-
-
Assign the entitlements in the Add assignments area.
- OR -
Remove the entitlements in the Remove assignments area.
- Save the changes.
Related Topics
- Assigning SharePoint Online user accounts directly to an entitlement
- Assigning SharePoint Online permissions to departments, cost centers, and locations
- Assigning SharePoint Online permissions to business roles
- Include SharePoint Online entitlements in system roles
- Adding SharePoint Online entitlements to IT Shop
Assigning SharePoint Online roles to SharePoint Online groups
In order for SharePoint Online user groups to obtain permissions for individual websites, assign SharePoint Online roles to the groups. SharePoint Online roles and groups must belong to the same site collection.
|
|
NOTE: SharePoint Online Roles that reference permission levels with the Hidden option enabled cannot be assigned to groups. |
To assign SharePoint Online roles to a group
- Select the category SharePoint Online | Groups.
- Select the group in the result list.
- Select Assign SharePoint Online roles in the task view.
- Assign roles in Add assignments.
- OR -
In Remove assignments, remove the roles.
- Save the changes.
Related Topics
- General master data for SharePoint Online permission levels
- Assigning SharePoint Online user accounts directly to an entitlement
- Assigning SharePoint Online permissions to departments, cost centers, and locations
- Assigning SharePoint Online permissions to business roles
- Assigning SharePoint Online entitlements directly to a user account
- Include SharePoint Online entitlements in system roles
- Adding SharePoint Online entitlements to IT Shop
Assigning SharePoint Online groups to SharePoint Online roles
In order for SharePoint Online user groups to obtain permissions for individual websites, assign SharePoint Online roles to the groups. SharePoint Online roles and groups must belong to the same site collection.
|
|
NOTE: SharePoint Online Roles that reference permission levels with the Hidden option enabled cannot be assigned to groups. |
To assign groups to a SharePoint Online role
- Select SharePoint Online | Roles.
- Select the role in the result list.
- Select Assign groups.
- Assign groups in Add assignments.
- OR -
Remove groups from Remove assignments.
- Save the changes.
Related Topics
- General master data for SharePoint Online permission levels
- Assigning SharePoint Online permissions to departments, cost centers, and locations
- Assigning SharePoint Online permissions to business roles
- Assigning SharePoint Online entitlements directly to a user account
- Assigning SharePoint Online roles to SharePoint Online groups
- Adding SharePoint Online entitlements to IT Shop
Effectiveness of SharePoint Online entitlement assignments
| Configuration parameter | Effect when set |
|---|---|
|
QER | Structures | Inherite | GroupExclusion |
Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to the parameter require recompiling the database. |
When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.
It is possible to assign an excluded group directly, indirectly or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.
|
|
NOTE:
|
The effectiveness of the assignments is mapped in the
Example of the effect of group memberships
- Group A is assigned through the department "Marketing", group B through "Finance" and group C through the business role "Control group".
Clara Harris has a user account
By using suitable controls, you want to prevent an employee from
|
Effective Group |
Excluded Group |
|---|---|
|
Group A |
|
|
Group B |
Group A |
|
Group C |
Group B |
|
Employee |
Member in Role |
Effective Group |
|---|---|---|
|
Ben King |
Marketing |
Group A |
|
Jan Bloggs |
Marketing, finance |
Group B |
|
Clara Harris |
Marketing, finance, control group |
Group C |
|
Jenny Basset |
Marketing, control group |
Group A, Group C |
Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the business role "control group" at a later date, group B also takes effect.
The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. If this should not be allowed, define further exclusion for group C.
|
Employee |
Member in Role |
Assigned Group |
Excluded Group |
Effective Group |
|---|---|---|---|---|
|
Jenny Basset
|
Marketing |
Group A |
|
Group C
|
|
Control group |
Group C |
Group B
Group A |
Prerequisites
-
The configuration parameter QER | Structures | Inherite | GroupExclusion is enabled.
-
Mutually exclusive groups belong to the same site collection.
To exclude a group
-
In Manager, select SharePoint Online | Groups.
- Select a group in the result list.
-
Select Exclude groups.
-
Assign the groups that are mutually exclusive to the selected group in Add assignments.
- OR -
In Remove assignments, remove the groups that are not longer mutually exclusive.
- Save the changes.