You can define user policies in SharePoint that guarantee permissions across all site collections of a web application. These user policies overlay the permissions that are defined individually for the sites. User policies are based on authentication objects, the same objects from which SharePoint user accounts are created; such an authentication object can be saved in the user policy.
User policies obtain their permissions through permission policies, in which SharePoint permissions are explicitly granted or denied.
Figure 5: Permissions for SharePoint Web Applications through Policies
You define user policies and permission policies for a web application. User policies are therefore implicitly authorized for all sites of the web application. You can restrict a user policy to a single zone or allow it for the entire web application.
On the permission policy overview form, you can see the web application and the user policies to which the permission policy is assigned, together with all permissions that the policy explicitly grants or denies.
To obtain an overview of a permission policy
The denied SharePoint permission "Deny write" is displayed. Internally, SharePoint bundles several single permissions that the SharePoint interface only shows individually. One Identity Manager maps the SharePoint internal, bundled permission; that is why only the permission "Deny write" appears in the One Identity Manager interface, and the single permissions are not known to One Identity Manager.
User policies have a dynamic foreign key (column AuthenticationObject) that references the corresponding authentication object. If the dynamic foreign key references an Active Directory or LDAP user account, an employee can additionally be assigned.
Each user policy represents an object from an authentication system. This object can be a group or a user.
To edit user policy master data
The following properties are displayed for user policies.
|Display name||Display name for the user policy.|
|User account||Specifies whether the user policy's authentication object is a user account.|
|Login name||Login name for the user policy. It is found using a template.|
|System account||Specifies whether the user policy operates as a system account in the SharePoint environment.|
|Employee||Employee using the user policy. If an authentication object is assigned, the connected employee is determined from the authentication object by a template. If no authentication object is assigned, the employee can be assigned manually. An employee can only be assigned if the User account option is set.|
|Web application||Unique identifier for the web application for which the user policy is setup.|
|Zone||Unique identifier of the SharePoint zone for which the user policy is valid.|
|Authentication object||Object through which a user is authenticated when logging in to SharePoint, for example an Active Directory group or an LDAP user account. Each user policy represents an object from an authentication system trusted by the SharePoint installation. If this authentication system is managed as a target system in One Identity Manager, the object used for authentication can be saved as the authentication object in the user policy.|
The authentication object is assigned during automatic synchronization. If the option User account is set, the following authentication objects can be assigned:
If the User account option is disabled, the following authentication objects can be assigned:
|NOTE: When an authentication object assigned to a SharePoint user policy is deleted from the One Identity Manager database, the link to the authentication object is removed from the user policy. An employee assigned to the user policy, if any, remains assigned.|
Global user policies are user policies that are valid for all zones. They are mapped in SharePoint | Hierarchical view | <farm> | Web applications | <web application> | Global user policies.
Zone specific user policies are user policies that are valid for a single zone in a web application. They are displayed in SharePoint | Hierarchical view | <farm> | Web applications | <web application> | Zone specific user policies | <zone>.
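To check what One Identity Manager maps against the source, it helps to enumerate the same objects directly in SharePoint. The following PowerShell is an added example and not part of the One Identity Manager documentation or product; it uses the SharePoint server object model (SPWebApplication.Policies for global user policies, ZonePolicies for zone specific ones, and PolicyRoles for permission policies) and is run in the SharePoint Management Shell on a farm server. The web application URL is an assumption. Expanding the grant and deny masks of each permission policy shows the single base permissions behind a bundle such as "Deny Write", which One Identity Manager displays only as the bundled permission.

```powershell
# Added example, not from the One Identity Manager documentation.
# Lists global and zone specific user policies of one web application and
# expands the permission policies they are bound to.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.local"   # assumption: replace with your web application
$wa = Get-SPWebApplication $webAppUrl

function Show-UserPolicy {
    param(
        [Microsoft.SharePoint.Administration.SPPolicy]$Policy,
        [string]$Scope
    )
    # PolicyRoleBindings are the permission policies bound to this user policy.
    $roles = ($Policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    [pscustomobject]@{
        Scope       = $Scope                 # "Global" or the zone name
        DisplayName = $Policy.DisplayName
        UserName    = $Policy.UserName       # login name of the authentication object
        SystemUser  = $Policy.IsSystemUser   # corresponds to the "System account" option
        Permissions = $roles
    }
}

$rows = @()

# Global user policies: valid for every zone of the web application.
foreach ($p in $wa.Policies) {
    $rows += Show-UserPolicy -Policy $p -Scope "Global"
}

# Zone specific user policies: only zones that actually exist for this
# web application are listed in IisSettings (keyed by SPUrlZone).
foreach ($zone in $wa.IisSettings.Keys) {
    foreach ($p in $wa.ZonePolicies($zone)) {
        $rows += Show-UserPolicy -Policy $p -Scope $zone.ToString()
    }
}

$rows | Format-Table -AutoSize

# Permission policies: GrantRightsMask and DenyRightsMask are [Flags]
# SPBasePermissions values, so printing them expands the bundle into the
# single permissions SharePoint groups together internally.
foreach ($role in $wa.PolicyRoles) {
    "{0}" -f $role.Name
    "  grant: {0}" -f $role.GrantRightsMask
    "  deny : {0}" -f $role.DenyRightsMask
}
```

The first table is the counterpart of the Global user policies and Zone specific user policies views; the second list shows why a policy that One Identity Manager displays as a single "Deny write" entry corresponds to several denied base permissions in SharePoint.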
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for SharePoint objects.
|NOTE: Other sections may be available depending on which modules are installed.|
|Overview of all assignments (site collection)||This report finds all roles containing employees with at least one user account in the selected site collection.|
|Overview of all assignments (web application)||This report finds all roles containing employees with at least one user account in the selected web application.|
|Overview of all assignments (group)||This report finds all roles containing employees with the selected group.|
|Show orphaned user accounts||This report shows all user accounts of the site collection that are not assigned an employee. The report contains assigned groups and risk assessment.|
|Show employees with multiple user accounts||This report shows all employees with more than one user account in the site collection. The report contains a risk assessment.|
|Show system entitlement drifts||This report shows all One Identity Manager groups in the site collection that were created by manual operations in the target system rather than through the provisioning engine.|
|Show unused user accounts||This report shows all user accounts in the site collection that have not been used in the last few months.|
|Show user accounts with an above average number of system entitlements||This report contains all user accounts in the site collection with an above average number of group memberships. You can find the report in the category My One Identity Manager | Data quality analysis.|