Chat now with support
Chat with Support

Identity Manager 8.1 - Identity Management Base Module Administration Guide

Basics for Mapping Company Structures in One Identity Manager Managing Departments, Cost Centers and Locations Working with Dynamic Roles Employee administration
One Identity Manager users for employee administration Basic data for employee master data Entering employee master data Employee's central user account Employee's central password Employee's default email address Mapping multiple employee identities Disabling and deleting employees Password policies for employees Limited access to One Identity Manager Assigning company resources to employees Displaying the origin of an employee's roles and entitlements Analyzing role memberships and employee assignments Additional tasks for managing employees Determining an employee‘s language Determining an employee's working hours Employee reports
Managing Devices and Workdesks Managing Resources Set up Extended Properties Appendix: Configuration parameters for managing departments, cost centers, and locations Appendix: Configuration parameters for managing employees Appendix: Configuration Parameters for Managing Devices and Workdesks

Changing the certification status of an employee

NOTE: This function is only available if the module Attestation Module is installed.

Employee's certification status is set by default through certification and recertification procedures. For detailed information, see the One Identity Manager Attestation Administration Guide.

You can manually change an employee's certification status if it is necessary to do so outside the regular recertification schedule.

Prerequisite
  • The configuration parameter QER | Attestation | UserApproval is enabled.

To change an employee's certification status manually

  1. To change the certification status of an active person, select Employees | Employees.

    - OR -

    To change the certification status of a permanently disabled employee, select Employees | Inactive employees.

  2. Select the employee in the result list.
  3. Select Change certification statusin the task view.
  4. Select the certification status you want from the Certification status menu.
  5. Click OK to accept the changes.

    The new certification status for the employee is displayed on the form.

    NOTE: The option Permanently disabled is updated depending on the certification status. If an employee's certification status is set to Denied manually or as a result of attestation, the employee is immediately permanently disabled. If the employee's certification status is changed to Certified, the employee is enabled again.

Related Topics

Assigning company resources to employees

One Identity Manager uses different assignment types to assign company resources.

  • Indirect Assignment

    In the case of indirect assignment of company resources, employees, devices and workdesks are arranged in departments, cost centers, locations, business roles or application roles. The total of assigned company resources for an employee, device or workdesk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up) and the company resources assigned to these roles. In the Indirect assignment methods a difference between primary and secondary assignment is taken into account.

  • Direct Assignment

    Direct assignment of company resources results from the assignment of a company resource to an employee, device, or workdesk, for example. Direct assignment of company resources makes it easier to react to special requirements.

  • Assigning through Dynamic Roles

    Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices, and workdesks are not permanently assigned to a role, just when they fulfill certain conditions. A check is performed regularly to assess which employees, devices, or workdesks fulfill these conditions. The means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees in a department in this way; if an employee leaves the department they immediately lose the resources assigned to them.

  • Assigning through IT Shop requests

    Assignment through the IT Shop is a special case of indirect assignment. Add employees to a shop as customers so that company resources can be assigned through IT Shop requests. All company resources assigned as product to this shop can be requested by the customers. Requested company resources are assigned to the employees after approval is granted. Role memberships can be requested through the IT Shop as well as company resources.

The following table shows the possible company resources assignments to employees.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.
Table 45: Possible assignments of company resources to employees
Company Resource Direct assignment permitted Indirect assignment permitted Comment

Resources

+ +

 

System roles

+ +

 

Subscribable reports

+ +

 

Applications

+ +
Account definitions + +  

Groups of custom target systems

- +

All the employee's user accounts are added to the associated application group, which permit application inheritance.

Active Directory Groups

- +

All the employee's Active Directory user accounts and Active Directory contacts are added to Active Directory groups, which permit group inheritance.

SharePoint Groups

- +

All the employee's SharePoint user accounts are added to SharePoint groups.

SharePoint roles

- +

All the employee's SharePoint user accounts are added to SharePoint roles.

LDAP Groups

- +

All the employee's LDAP user accounts, which permit group inheritance, are added to LDAP groups.

Notes Groups

- +

All the employee's Notes user accounts are added to Notes groups.

SAP Groups

+ +

All the employee's SAP user accounts, which are in the same SAP clients, are added to SAP groups.

SAP profiles

+ +

All the employee's SAP user accounts, which are in the same SAP clients, are added to SAP profiles.

SAP roles

+ +

All the employee's SAP user accounts, which are in the same SAP clients, are added to SAP roles.

Structural profiles

- +

All the employee's SAP user accounts, which are in the same SAP clients, are added to structural profiles.

BI analysis authorizations

- +

All the employee's BI user accounts, which are in the same system, obtain BI analysis authorizations.

E-Business Suite entitlements

- +

All the employee's E-Business Suite user accounts, which are in the same E-Business Suite system and for which group inheritance is permitted, are added to E-Business Suite groups.

Azure Active Directory Groups

- +

All the employee's Azure Active Directory user accounts, which permit group inheritance, are added to Azure Active Directory groups.

Azure Active Directory administrator roles

- +

All the employee's Azure Active Directory user accounts, which permit group inheritance, are added to Azure Active Directory administrator roles.

Azure Active Directory Subscriptions

-

+

All the employee's Azure Active Directory user accounts, which permit group inheritance, are given Azure Active Directory subscriptions.

Disabled Azure Active Directory service plans

-

+

All the employee's Azure Active Directory user accounts, which permit group inheritance, are given Azure Active Directory service plans.

Unix Groups

-

+

All the employee's Unix user accounts, which permit group inheritance, are added to Unix groups.

PAM user groups

-

+

All the employee's PAM user accounts for which the inheritance of groups is permitted are added to the PAM user groups.

Detailed information about this topic
Related Topics

Assigning employees to departments, cost centers, and locations

Assign the employee to departments, cost centers, and locations so employees obtain their company resources through these organizations. To assign company resources to departments, cost centers, and locations, use the appropriate organization tasks.

To assign an employee to departments, cost centers, and locations (secondary assignment; default method)

  1. Select the Employees | Employees.
  2. Select the employee in the result list.
  3. Select Assign organizations.
  4. Assign organizations in Add assignments.

    • Assign departments on the Departments tab.

    • Assign locations on the Locations tab.

    • Assign cost centers on the Cost centers tab.

    TIP: In the Remove assignments area, you can remove the assignment of organizations.

    To remove an assignment

    • Select the organization and double click .

  5. Save the changes.

To assign an employee to departments, cost centers, and locations (primary assignment)

  1. Select the Employees | Employees.
  2. Select the employee in the result list.
  3. Select Change master data.
  4. Adjust the following master data:
    • Primary department
    • Primary cost center
    • Primary location
  5. Save the changes.
Related Topics

Assigning employees to business roles

NOTE: This function is only available if the module Business Roles Module is installed.

Assign employees to business roles so that employees obtain their company resources through these business roles. To assign company resources to business roles user the corresponding business role tasks. For detailed information about working with business roles, see One Identity Manager Business Roles Administration Guide.

To assign an employee to business roles (secondary assignment; default method)

  1. Select the Employees | Employees.
  2. Select the employee in the result list.
  3. Select Assign business roles in the task view.
  4. Assign business roles in Add assignments.

    TIP: In the Remove assignments area, you can remove the assignment of business roles.

    To remove an assignment

    • Select the business role and double click .

  5. Save the changes.

To assign an employee to business roles (primary assignment)

  1. Select the Employees | Employees.
  2. Select the employee in the result list.
  3. Select Change master data.
  4. Enter the primary role.
  5. Save the changes.
Related Topics
Related Documents