Identity Manager 8.1 - Administration Guide for Connecting Unix-Based Target Systems

Managing Unix-Based Systems Setting Up Synchronization with a Unix-Based Target System Base Data for Unix-Based Target Systems Unix Host Unix User Accounts Unix Groups Reports about Unix Objects Appendix: Configuration parameters for managing a Unix environment Appendix: Default Project Template for Unix-Based Target Systems

Providing administrative user accounts for several employees

Prerequisite
  • The user account must be labeled as a shared identity.

  • A dummy employee must exist. The dummy employee must be labeled as a shared identity and must have a manager.

  • The employees who are permitted to use the user account must be labeled as a primary identity.

To prepare an administrative user account for multiple employees

  1. Label the user account as a shared identity.

    1. In Manager, select Unix | User accounts.

    2. Select the user account in the result list.

    3. Select Change master data.

    4. On the General tab, in the Identity selection list, select Shared identity.

  2. Link the user account to a dummy employee.

    1. In Manager, select Unix | User accounts.

    2. Select the user account in the result list.

    3. Select Change master data.

    4. On the General tab, select the dummy employee from the Employee selection list.

      TIP: If you are the target system manager, you can choose to create a new dummy employee.

  3. Assign the employees who will use this administrative user account to the user account.

    1. In Manager, select Unix | User accounts.

    2. Select the user account in the result list.

    3. Select the task Assign employees authorized to use.

    4. Assign employees in Add assignments.

      TIP: In the Remove assignments area, you can remove the assignment of employees.

      To remove an assignment

      • Select the employee and double click .
Related Topics

Privileged User Accounts

Privileged user accounts are used to provide employees with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are marked as Privileged user account (Column IsPrivilegedAccount).

NOTE: The criteria according to which user accounts are automatically identified as privileged are defined as extensions to the view definition (ViewAddOn) in the TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is done in the script TSB_SetIsPrivilegedAccount.

To create privileged users through account definitions

  1. Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.
  2. If you want to prevent the properties for privileged user accounts from being overwritten, set the IT operating data overwrites property for the manage level to Only initially. In this case, the properties are populated just once when the user accounts is created.
  3. Specify the effect of temporarily or permanently disabling or deleting, or the security risk of an employee on its user accounts and group memberships for each manage level.
  4. Create a formatting rule for IT operating data.

    You use the mapping rule to define, for example, which rules are used to map the IT operating data for the user accounts, and which default values are used if no IT operating data can be determined via a person's primary roles.

    Which IT operating data is required depends on the target system. The following settings are recommended for privileged user accounts:

    • In the mapping rule for the IsPrivilegedAccount column, use the default value 1 and enable Always use default value.
    • You can also specify a mapping rule for the IdentityType column. The column owns different permitted values that represent user accounts.
    • To prevent privileged user accounts from inheriting the Entitlements of the default user, define a mapping rule for the IsGroupAccount column with a default value of 0 and enable Always use default value.
  5. Enter the effective IT operating data for the target system.

    Specify in the departments, cost centers, locations, or business roles which IT operating data should apply when you set up a user account.

  6. Assign the account definition directly to employees who work with privileged user accounts.

    When the account definition is assigned to an employee, a new user account is created through the inheritance mechanism and subsequent processing.

TIP: If customization requires that the login names of privileged user accounts follow a defined naming convention, create the template according to which the login names are formed.

  • To use a prefix for the login name, enable the TargetSystem | Unix | Accounts | PrivilegedAccount | AccountName_Prefix configuration parameter in Designer.
  • To use a postfix for the login name, enable the TargetSystem | Unix | Accounts | PrivilegedAccount | AccountName_Postfix configuration parameter in Designer.

These configuration parameters are evaluated in the default installation, if a user account is marked with the property Privileged user account (IsPrivilegedAccount column). The user account login names are renamed according to the formatting rules. This also occurs if the user accounts are labeled as privileged using the Mark selected user accounts as privileged schedule.

Related Topics

Entering Master Data for Unix User Accounts

A user account can be linked to an employee in One Identity Manager. You can also manage user accounts separately from employees.

NOTE: It is recommended to use account definitions to set up user accounts for company employees. In this case, some of the master data described in the following is mapped through templates from employee master data.

NOTE: If employees are to obtain their user accounts through account definitions, the employees must own a central user account and obtain their IT operating data through assignment to a primary department, a primary location or a primary cost center.

To create a user account

  1. In Manager, select Unix | User accounts.

  2. Click in the result list toolbar.

  3. On the master data form, edit the master data for the user account.

  4. Save the changes.

To edit master data for a user account

  1. In Manager, select Unix | User accounts.

  2. Select the user account in the result list and run Change master data.

  3. Edit the user account's resource data.

  4. Save the changes.

To manually assign or create a user account for an employee

  1. Select the Employees | Employees.

  2. Select the employee in the result list and run Assign Unix user accounts from the task view.

  3. Assign a user account.

  4. Save the changes.
Detailed information about this topic
Related Topics

General master data of a Unix user account

Enter the following data on General:

Table 23: Additional Master Data for a User Account
Property Description

Host

The user account's host.

Employee

Employee that uses this user account. An employee is already entered if the user account was generated by an account definition. If you create the user account manually, you can select an employee in the menu. If you are using automatic employee assignment, an associated employee is found and added to the user account when you save the user account.

For a user account with an identity of type Organizational identity, Personalized administrator identity, Sponsored identity, Shared identity or Service identity, you can create a new employee. To do this, click next to the input field and enter the required employee master data. Which login data is required depends on the selected identity type.

Account definition

Account definition through which the user account was created.

Use the account definition to automatically fill user account master data and to specify a manage level for the user account. The One Identity Manager finds the IT operating data of the assigned employee and enters it in the corresponding fields in the user account.

NOTE: The account definition cannot be changed once the user account has been saved.

Manage level

Manage level of the user account. Select a manage level from the menu. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.

Login shell

Shell that is executed if a user logs in to Unix using a terminal-based login.

User name

Name of the user account for logging in to a Unix host. If an account definition is assigned, this field is automatically filled with the employee's central user account depending on the manage level.

User ID

User ID for the user account in the Unix host.

Password

Password for the user account. Based on the QER | Person | UseCentralPassword configuration parameter, the central password of the assigned employee is mapped to the password of the user account. If you use an initial password for the user accounts, it is automatically entered when a user account is created.

NOTE: One Identity Manager password policies are taken into account when a user password is being verified. Ensure that the password policy does not violate the target system's requirements.

Password confirmation

Reconfirm password.

Primary group ID Identifier of the user account's primary group.
Primary group

Name of the user account's primary group. This defines the group ownership of files created by the user.

A user account's primary group is determined as follows:

  • If you entered a primary group in the host, the group is used as primary group when a user account is created.
  • If you did not enter a primary group, a new group is created with the display name of the new user account assigned as the primary group.

Home directory

The user's full home directory path, for example, /home/user001.

Risk index (calculated)

Maximum risk index value of all assigned groups. The property is only visible if the QER | CalculateRiskIndex configuration parameter is enabled. For more detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for the inheritance of groups by the user account. Groups can be selectively inherited by user accounts. To do this, groups and user accounts or contacts are divided into categories. Select one or more categories from the menu.

Comment (GECOS)

Spare text box for additional explanation. Additional information about the user account, which is found in the GECOS in /etc/password. If an account definition is assigned, this field is automatically filled with the employee's internal name depending on the manage level.

Identity

User account's identity type Permitted values are:

  • Primary identity: Employee's default user account.

  • Organizational identity: Secondary user account used for different roles in the organization, for example for subcontracts with other functional areas.

  • Personalized administrator identity: User account with administrative entitlements, used by one employee.

  • Sponsored identity: User account that is used for training purposes, for example.

  • Shared identity: User account with administrative entitlements, used by several employees. Assign all employees show use the user account.

  • Service identity: Service account.

Groups can be inherited

Specifies whether the user account can inherit groups via the employee. If this option is set, the user account inherits groups via hierarchical roles or IT Shop requests.

  • If you add an employee with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.
  • If an employee has requested group membership in the IT Shop and the request is granted approval, the employee's user account only inherits the group if the option is set.

Privileged user account

Specifies whether this is a privileged user account.

Related Topics
Related Documents