One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for Azure Active Directory.
NOTE: Other sections may be available depending on the which modules are installed.
Table 40: Data quality target system report
|
Show overview |
User account |
This report shows an overview of the user account and the assigned permissions. |
|
Show overview including origin |
User account |
This report shows an overview of the user account and origin of the assigned permissions. |
|
Show overview including history |
User account |
This report shows an overview of the user accounts including its history.
Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report. |
|
License overview |
User account |
The report contains a summary of assigned and effective subscriptions and service plans for a user account. |
|
License overview |
Subscription |
The report shows an overview of a subscription license. It shows to which groups and user accounts the subscription is assigned and which service plans effectively apply to the groups and the user accounts. |
|
Overview of all assignments |
group
Subscription
Administrator role |
This report finds all roles containing employees who have the selected system entitlement. |
|
Show overview |
group |
This report shows an overview of the system entitlement and its assignments. |
|
Show overview including origin |
group |
This report shows an overview of the system entitlement and origin of the assigned user accounts. |
|
Show overview including history |
group |
This report shows an overview of the system entitlement and including its history.
Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report. |
|
Show entitlement drifts |
Tenant |
This report shows all system entitlements that are the result of manual operations in the target system rather than provisioned by One Identity Manager. |
|
Show user accounts overview (incl. history) |
Tenant |
This report returns all the user accounts with their permissions including a history.
Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report. |
|
Show user accounts with an above average number of system entitlements |
Tenant |
This report contains all user accounts with an above average number of system entitlements. |
|
Show employees with multiple user accounts |
Tenant |
This report shows all the employees that have multiple user accounts. The report contains a risk assessment. |
|
Show system entitlements overview (incl. history) |
Tenant |
This report shows the system entitlements with the assigned user accounts including a history.
Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report. |
|
Overview of all assignments |
Tenant |
This report finds all roles containing employees with at least one user account in the selected target system. |
|
Show unused user accounts |
Tenant |
This report contains all user accounts, which have not been used in the last few months. |
|
Show orphaned user accounts |
Tenant |
This report shows all user accounts to which no employee is assigned. |
Table 41: Additional reports for the target system
|
Azure Active Directory user account and group administration |
This report contains a summary of user account and group distribution in all tenants. You can find this report in the My One Identity Manager category. |
|
Data quality summary for Azure Active Directory user accounts |
This report contains different evaluations of user account data quality in all tenants. You can find this report in the My One Identity Manager category. |
One Identity Manager enables its users to perform various tasks simply using a Web Portal.
-
Managing user accounts and employees
An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval process. The user account is not created until it has been agreed by an authorized person, such as a manager.
-
Managing assignments of groups, administrator roles, subscriptions, and disabled service plans
In the Web Portal, by assigning groups, administrator roles, subscriptions, and disabled service plans to an IT Shop shelf, you can request these products from shop customers. The request undergoes a defined approval process. The group, administrator role, subscription, or disabled service plan is not assigned until it has been approved by an authorized person.
In the Web Portal, managers and administrators of organizations can assign groups, administrator roles, subscriptions, and disabled service plans to the departments, cost centers, or locations for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees who are members of these departments, cost centers, or locations.
If the Business Roles Module is available, in the Web Portal, managers and administrators of business roles can assign groups, administrator roles, subscriptions, and disabled service plans to the business roles for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees who are members of these business roles.
If the System Roles Module is available, in the Web Portal, supervisors of system roles can assign groups, administrator roles, subscriptions, and disabled service plans to the system roles. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees that have these system roles assigned to them.
-
Attestation
If the Attestation Module is available, the correctness of the properties of target system objects and of entitlement assignments can be verified on request. To enable this, attestation policies are configured in the Manager. The attestors use the Web Portal to approve attestation cases.
-
Governance administration
If the Compliance Rules Module is available, you can define rules that identify the invalid entitlement assignments and evaluate their risks. The rules are checked regularly, and if changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check and resolve rule violations and to grant exception approvals.
If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.
-
Risk assessment
You can use the risk index of groups, administrator roles, subscriptions and disabled service plans to evaluate the risk of entitlement assignments for the company. One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.
-
Reports and statistics
The Web Portal provides a range of reports and statistics about the employees, user accounts, and their entitlements and risks.
For detailed information about the named topics, see Managing Azure Active Directory user accounts and employees, Managing memberships in Azure Active Directory groups, Managing Azure Active Directory administrator roles assignments, Managing Azure Active Directory subscription and Azure Active Directory service plan assignments and in refer to the following guides:
-
One Identity Manager Web Designer Web Portal User Guide
-
One Identity Manager Attestation Administration Guide
-
One Identity Manager Compliance Rules Administration Guide
-
One Identity Manager Company Policies Administration Guide
-
One Identity Manager Risk Assessment Administration Guide
NOTE: The following modules must be installed to support federations in One Identity Manager:
In a federation, the local Active Directory user accounts are connected to Azure Active Directory user accounts. The connection is established by using the ms-ds-consistencyGUID property in the Active Directory user account and the immutable property in the Azure Active Directory user account. Synchronization of Active Directory and Azure Active Directory user accounts is carried out in the federation by Azure AD Connect. For more information about Azure AD Connect, see the Azure Active Directory documentation from Microsoft.
One Identity Manager maps the connection using the Active Directory user account's Azure AD Connect anchor ID (ADSAccount.MSDsConsistencyGuid) and the Azure Active Directory user account's immutable identifier (AADUser.OnPremImmutableId).
Some of the target system relevant properties of Azure Active Directory user accounts that are linked to local Active Directory user account cannot be changed in One Identity Manager. However, assignment of permissions to Azure Active Directory user accounts in One Identity Manager is possible.
Assignments to Azure Active Directory groups that are synchronized with the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the web portal. You can only manage these groups in your locally. For more information, see the Azure Active Directory documentation from Microsoft.
The One Identity Manager supports the following scenarios for federations.
Scenario 1
-
Active Directory user accounts are created in One Identity Manager and provisioned the local Active Directory environment.
-
Azure AD Connect creates the Azure Active Directory user accounts in Azure Active Directory tenants.
-
Azure Active Directory synchronization loads the Azure Active Directory user accounts in to One Identity Manager.
This is the recommended procedure. Creating Azure Active Directory user accounts through Azure AD Connect and then loading them into One Identity Manager normally takes a while. Azure Active Directory user accounts are not immediately available in One Identity Manager.
Scenario 2
-
Active Directory user accounts and Azure Active Directory user accounts are created in One Identity Manager.
In this case, the connection is established by using the ADSAccount.MSDsConsistencyGuid and AADUser.OnPremImmutableId columns. This can be carried using custom scripts or custom templates.
-
Active Directory and Azure Active Directory user accounts are provisioned independently in their own target systems.
-
Azure AD Connect detects the connection between the user accounts, establishes the connection in the federation and updates the required properties.
-
The next Azure Active Directory synchronization updates the Azure Active Directory user accounts in One Identity Manager.
With this scenario, the Azure Active Directory user accounts are immediately available in One Identity Manager and can be issued their permissions.
NOTE:
-
If you work with account definitions, it is recommended you enter the account definition for Active Directory as a required account definition in the account definition for Azure Active Directory.
-
If you work with account definitions, it is recommended you select the Only initially value for the IT operating data overwrites property in the manage level. Then the data is only determined in the initial case.
-
Do not post-process Azure Active Directory user accounts using templates because certain target system relevant properties cannot be edited and the following errors may occur:
[Exception]: ServiceException occured
Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.
[ServiceException]: Code: Request_BadRequest - Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.
Related topics
To manage an Azure Active Directory environment in One Identity Manager, the following basic data is relevant.
-
Target system types
Target system types are required for configuring target system comparisons. Tables with outstanding objects are maintained with the target system types and settings are configured for provisioning memberships and single objects synchronization. Target system types also map objects in the Unified Namespace.
For more information, see Post-processing outstanding objects.
-
Target system managers
A default application role exists for the target system manager in One Identity Manager. Assign the employees who have permission to edit all tenants in One Identity Manager to this application role.
Define additional application roles if you want to limit the permissions for target system managers to individual tenants. The application roles must be added under the default application role.
For more information, see Target system managers for Azure Active Directory.
-
Servers
Servers must be informed of your server functionality in order to handle Azure Active Directory-specific processes in One Identity Manager. For example, the synchronization server.
For more information about editing Job servers for Azure Active Directory components, see the One Identity Manager Administration Guide for Connecting to Azure Active Directory.
