Chat now with support
Chat with Support

Identity Manager 8.1 - Identity Management Base Module Administration Guide

Basics for Mapping Company Structures in One Identity Manager Managing Departments, Cost Centers and Locations Working with Dynamic Roles Employee administration
One Identity Manager users for employee administration Basic data for employee master data Entering employee master data Employee's central user account Employee's central password Employee's default email address Mapping multiple employee identities Disabling and deleting employees Password policies for employees Limited access to One Identity Manager Assigning company resources to employees Displaying the origin of an employee's roles and entitlements Analyzing role memberships and employee assignments Additional tasks for managing employees Determining an employee‘s language Determining an employee's working hours Employee reports
Managing Devices and Workdesks Managing Resources Set up Extended Properties Appendix: Configuration parameters for managing departments, cost centers, and locations Appendix: Configuration parameters for managing employees Appendix: Configuration Parameters for Managing Devices and Workdesks

Employee's central user account

Table 37: Configuration parameter for forming the central user accounts
Configuration parameter Meaning

QER | Person | CentralAccountGlobalUnique

This configuration parameter specifies how the central user account is mapped.

If this configuration parameter is set, the central user account for an employee is formed uniquely in relation to the central user accounts of all employees and the user account names of all permitted target systems.

If the configuration parameter is not set, it is only formed uniquely related to the central user accounts of all employees.

The employee’s central user account is used to form the user account login name in the active system. The central user account is still used for logging into the One Identity Manager tools. In One Identity Manager default installation, the central user account is made up of the first and the last name of the employee. If only one of these is known, then it is used for the central user account. One Identity Manager checks to see if a central user account with that value already exists. If this is the case, an incremental number is added to the end of the value.

Table 38: Example of forming of central user accounts
First name Last name Central user account
Clara   CLARA
  Harris HARRIS
Clara Harris CLARAH
Clara Harrison CLARAH1

Employee's central password

An employee's central password can be used for logging into the target systems and for logging in to One Identity Manager. Depending on the configuration, an employee's central password is replicated to their user accounts and their system user password.

  • To publish the change in an employee's central user password to all existing user accounts of the employee, check in the Designer whether the configuration parameter QER | Person | UseCentralPassword is enabled. If not, set the configuration parameter.
  • To use the central password of an employee for new user accounts belonging to the same employee, enable the QER | Person | UseCentralPassword | PermanentStore configuration parameter in Designer.

    If the configuration parameter is enabled, the central password is stored in the One Identity Manager database and is used for new users. If the configuration parameter is disabled, the central password is deleted from the One Identity Manager database following publishing to the existing user accounts. The central password is not available for new user accounts.

  • To copy an employee's central password to their system user password for logging in, check in the Designer whether the configuration parameter QER | Person | UseCentralPassword | SyncToSystemPassword is set. If not, set the configuration parameter.


  • The password policy Employee central password policy is applied to an employee's central password. Ensure that the password policy does not violate the target system's specific password policies.

  • An employee's central password is not replicated to privileged user accounts of the employee.
  • If a password cannot be changed due to an error, the employee receives a corresponding email notification.
  • To replicate an employee's central password to a password column of a customer-specific user account table, in the Designer define a ViewAddOn for the view QERVPersonCentralPwdColumn. The database view returns the password column of the user account tables. The user account table must have a reference to the employee (UID_Person) and a column XMarkedForDeletion. For detailed information about changing the One Identity Manager schema, see the One Identity Manager Configuration Guide.

  • If you want to map additional user-specific features, overwrite the script QER_Publish_CentralPassword. For detailed information about editing scripts, see the One Identity Manager Configuration Guide.
Related Topics

Employee's default email address

The employee’s default email address is displayed on the mailboxes in the activated target system. In the One Identity Manager default installation, the default email address is formed from the employee’s central user account and the default mail domain of the active target system.

The default mail domain is determined using the QER | Person | DefaultMailDomain configuration parameter.

  • Set the configuration parameter in Designer and enter the default mail domain name as a value.
Related Topics

Mapping multiple employee identities

Table 39: Configuration parameter for representing multiple identities

Configuration parameter

Effect when set

Person | MasterIdentity | UseMasterForAuthentication

This configuration parameter specifies whether the main identity should be used to log in to One Identity Manager tools through an employee-linked authentication module.

If this parameter is set, the main identity is used for employee linked authentication. If the parameter is not set, the subidentity for employee-linked authentication is used.

For detailed information about the One Identity Manager authentication modules and about editing system users, see the One Identity Manager Authorization and Authentication Guide.

It may be necessary for employees to have different identities for their work under certain circumstances – for example, identities that result from contracts at different branches. These identities can be differentiated through the membership of a department, cost center or through access permissions. External employees at different locations can also be used and represented with different identities in the system. You can define a main identity and a subidentity for an employee in One Identity Manager to represent each of the identities and to group them at a central location.

In target systems, different types of user accounts are available to provide the employees with different permissions. An employee can have different identities to use multiple user accounts with different types. In order to improve the assignment of authorizations to the target systems, the sub-identities of the employees are split into different identity types. This classification corresponds to the user account types.

Main identity
  • A main identity represents a real person.
  • A main identity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
  • The employee master data for a main identity is shown in the One Identity Manager.
  • A main identity can have several subidentities.
  • A subidentity is a virtual employee.
  • A subidentity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
  • A subidentity is always assigned to a main identity.
  • Employee master data for a subidentity is displayed in One Identity Manager. This can be copied from the main identity data using the appropriate templates.
  • Enter a main identity for the subidentity using Main identity on the employee’s master data form.

TIP: If an employee works with several identities, but only one of these is currently known in the One Identity Manager, then you should

  • create a main identity for this employee
  • assign the identity known until now as a subidentity
  • create new subidentities for the additional identities

In this way, it is possible to test the employee’s permitted permissions per subidentity or per main identity including all subidentities in the bounds of an identity audit.

Related Topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating