Identity Manager 8.1 - Administration Guide for Connecting to SharePoint


Permissions for SharePoint Web Applications

You can define user policies in SharePoint that guarantee permissions across all sites in a site collection. These user policies overlay all permissions that are specifically defined for the individual sites. User policies are based on authentication objects, the same objects from which SharePoint user accounts are created; the authentication object that a user policy represents can be saved in the user policy.

User policies obtain their permissions through permission policies. SharePoint permissions are explicitly granted or denied in permission policies.

Figure 5: Permissions for SharePoint Web Applications through Policies

You define user policies and permission policies for a web application. User policies are therefore implicitly authorized for all sites of the web application. You can restrict them to a single zone or allow them for the entire web application.

SharePoint Permission Policies

On the permission policy overview form, you can view the web application and the user policies to which the permission policy is assigned. All permissions are listed that have been explicitly granted or denied.

To obtain an overview of a permission policy

  1. Select SharePoint | Permission policies.
  2. Select the permission policy from the result list.
  3. Select SharePoint permission policy overview in the task view.

The denied SharePoint permission "Deny write" is displayed. SharePoint internally groups several single permissions together that appear only as single permissions in the SharePoint interface. One Identity Manager maps the SharePoint internal permission, which is why only the permission "Deny write" appears in the One Identity Manager interface. The single permissions it consists of are therefore not known to One Identity Manager.

SharePoint User Policies

User policies have a dynamic foreign key (column AuthenticationObject) that references the appropriate authentication object. An additional employee can be assigned if the dynamic foreign key references an Active Directory or an LDAP user account.

Each user policy represents an object from an authentication system. This object can be a group or a user.

To edit user policy master data

  1. Select SharePoint | User policies.
  2. Select the user policy in the result list. Select Change master data.
  3. Enter the required data on the master data form.
  4. Save the changes.

The following properties are displayed for user policies.

Table 42: Master data for a user policy

  Display name: Display name for the user policy.
  User account: Specifies whether the user policy's authentication object is a user account.
  Login name: Login name for the user policy. It is found using a template.
  System account: Specifies whether the user policy operates as a system account in the SharePoint environment.
  Employee: Employee using the user policy. If an authentication object is assigned, the connected employee is found through the authentication object by using a template. If no authentication object is assigned, the employee can be assigned manually. An employee can only be assigned if the User account option is set.
  Web application: Unique identifier of the web application for which the user policy is set up.
  Zone: Unique identifier of the SharePoint zone for which the user policy is valid.
  Authentication object: Authentication object referencing the user policy. Each user policy represents an object from an authentication system trusted by the SharePoint installation. If this authentication system is managed as a target system in One Identity Manager, the object used for authentication can be saved as the authentication object in the user policy.

The authentication object is assigned during automatic synchronization. If the option User account is set, the following authentication objects can be assigned:

  • Active Directory User accounts
  • LDAP User accounts

If the User account option is disabled, the following authentication objects can be assigned:

  • Active Directory Groups
  • LDAP groups

NOTE: When an authentication object assigned to a SharePoint user policy is deleted from the One Identity Manager database, the link to the authentication object is removed from the user policy. Any employee assigned to the user policy remains assigned, where applicable.

Global user policies

Global user policies are user policies that are valid for all zones. They are mapped in SharePoint | Hierarchical view | <farm> | Web applications | <web application> | Global user policies.

Zone-specific user policies

Zone-specific user policies are user policies that are valid for a single zone in a web application. They are displayed in SharePoint | Hierarchical view | <farm> | Web applications | <web application> | Zone specific user policies | <zone>.
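The overlay rule described in this section (user policies bound to permission policies for a web application, global versus zone-specific scope, the authentication object rule tied to the User account option, and the bundled "Deny write" permission) can be made concrete with a small model. The following Python block is an added example; it is not code from One Identity Manager, from SharePoint, or from this guide. The class and function names, the reduced set of rights, and the sample users, groups and policies are all constructed for illustration. The deny-wins resolution it implements is SharePoint's documented behaviour for web application policies; the data model is a simplification of Table 42.

```python
"""Constructed model of SharePoint web application policies (not product code).

A permission policy is a named bundle of rights that are explicitly granted or
explicitly denied. A user policy binds an authentication object (a user or a
group) to one or more permission policies, either for the whole web
application (global) or for a single zone. Web application policies overlay
site-level permissions: an explicit deny wins over anything a site grants, and
an explicit grant applies even where the site itself grants nothing.
"""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


class Right(Flag):
    """Individual SharePoint rights; deliberately reduced for the model."""
    VIEW_PAGES = auto()
    VIEW_LIST_ITEMS = auto()
    ADD_LIST_ITEMS = auto()
    EDIT_LIST_ITEMS = auto()
    DELETE_LIST_ITEMS = auto()
    MANAGE_PERMISSIONS = auto()


NO_RIGHTS = Right(0)
READ_RIGHTS = Right.VIEW_PAGES | Right.VIEW_LIST_ITEMS
# Rights that SharePoint bundles into the single "Deny write" policy. The
# bundle, not its members, is what One Identity Manager maps.
WRITE_RIGHTS = Right.ADD_LIST_ITEMS | Right.EDIT_LIST_ITEMS | Right.DELETE_LIST_ITEMS
ALL_RIGHTS = READ_RIGHTS | WRITE_RIGHTS | Right.MANAGE_PERMISSIONS


@dataclass(frozen=True)
class PermissionPolicy:
    name: str
    grant: Right = NO_RIGHTS
    deny: Right = NO_RIGHTS


@dataclass(frozen=True)
class AuthenticationObject:
    """Object from a trusted authentication system (AD or LDAP user/group)."""
    name: str
    kind: str                                   # ADUser, ADGroup, LDAPUser, LDAPGroup
    members: FrozenSet[str] = frozenset()       # login names; groups only


@dataclass(frozen=True)
class UserPolicy:
    display_name: str
    is_user_account: bool                       # the "User account" option
    authentication_object: Optional[AuthenticationObject]
    permission_policies: Tuple[str, ...]        # names of bound permission policies
    zone: Optional[str] = None                  # None = global (valid for all zones)
    system_account: bool = False


USER_KINDS = {"ADUser", "LDAPUser"}
GROUP_KINDS = {"ADGroup", "LDAPGroup"}


def validate_authentication_object(policy: UserPolicy) -> List[str]:
    """Apply the assignment rule from the text: with User account set the
    authentication object must be a user account, otherwise a group.
    An unassigned authentication object is allowed (employee set manually)."""
    obj = policy.authentication_object
    if obj is None:
        return []
    if policy.is_user_account and obj.kind not in USER_KINDS:
        return [f"{policy.display_name}: User account is set but {obj.name} is a {obj.kind}"]
    if not policy.is_user_account and obj.kind not in GROUP_KINDS:
        return [f"{policy.display_name}: User account is not set but {obj.name} is a {obj.kind}"]
    return []


def policy_applies(policy: UserPolicy, login: str, zone: str) -> bool:
    """A user policy applies if its zone matches (or it is global) and its
    authentication object is the user or a group containing the user."""
    obj = policy.authentication_object
    if obj is None or (policy.zone is not None and policy.zone != zone):
        return False
    return obj.name == login if obj.kind in USER_KINDS else login in obj.members


def effective_rights(site_rights: Right, login: str, zone: str,
                     user_policies: Iterable[UserPolicy],
                     permission_policies: Dict[str, PermissionPolicy]) -> Right:
    """Overlay web application policies on the rights a site grants directly."""
    granted, denied = NO_RIGHTS, NO_RIGHTS
    for up in user_policies:
        if policy_applies(up, login, zone):
            for name in up.permission_policies:
                granted |= permission_policies[name].grant
                denied |= permission_policies[name].deny
    return (site_rights | granted) & ~denied      # explicit deny always wins


# Constructed sample data.
PERMISSION_POLICIES = {
    "Full Read": PermissionPolicy("Full Read", grant=READ_RIGHTS),
    "Deny Write": PermissionPolicy("Deny Write", deny=WRITE_RIGHTS),
}
AUDITORS = AuthenticationObject("Auditors", "ADGroup", frozenset({"bob"}))
CONTRACTORS = AuthenticationObject("Contractors", "LDAPGroup", frozenset({"carol"}))
CRAWLER = AuthenticationObject("svc-crawler", "ADUser")
USER_POLICIES = [
    UserPolicy("Auditors read everything", False, AUDITORS, ("Full Read",)),
    UserPolicy("Contractors cannot write", False, CONTRACTORS, ("Deny Write",), zone="Extranet"),
    UserPolicy("Search crawler", True, CRAWLER, ("Full Read",), system_account=True),
]
```

Running `effective_rights(READ_RIGHTS | WRITE_RIGHTS, "carol", "Extranet", USER_POLICIES, PERMISSION_POLICIES)` returns only the read rights, although the site grants carol write access: the zone-specific "Deny write" policy overlays the site permission. In the Default zone the same call returns read and write, because the policy is limited to the Extranet zone. For bob, whose site grants nothing, the global auditors policy still yields read rights in every zone. `validate_authentication_object` flags a user policy whose User account option and authentication object type disagree, which is the consistency check worth running over synchronized user policies.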

Reports about SharePoint Site Collections

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for SharePoint farms.

NOTE: Other sections may be available depending on which modules are installed.

Table 43: Reports for the Target System

  Overview of all assignments (site collection): This report finds all roles containing employees with at least one user account in the selected site collection.
  Overview of all assignments (web application): This report finds all roles containing employees with at least one user account in the selected site collection.
  Overview of all assignments (group): This report finds all roles containing employees with the selected group.
  Show orphaned user accounts: This report shows all user accounts of the site collection that are not assigned an employee. The report contains assigned groups and a risk assessment.
  Show employees with multiple user accounts: This report shows all employees with more than one user account in the site collection. The report contains a risk assessment.
  Show system entitlement drifts: This report shows all One Identity Manager groups in the site collection that are the result of manual operations in the target system rather than of the provisioning engine.
  Show unused user accounts: This report shows all user accounts in the site collection that have not been used in the last few months.
  Show user accounts with an above average number of system entitlements: This report contains all user accounts in the site collection with an above average number of group memberships. You can find the report in the category My One Identity Manager | Data quality analysis.