Identity Manager 8.2.1 - Target System Base Module Administration Guide

Basic mechanisms for employee and user account administration

Employee and user account administration Handling employees and user accounts Using account definitions to create user accounts

Account definitions and manage levels Assigning account definitions to employees Determining valid IT operating data for the target systems IT operating data for the One Identity Manager default configuration Employee's central user account Employee's default email address Changing employee main data Templates and processes for implementing account definitions Examples for implementing several account definitions within a target system type

Assigning employees automatically to user accounts

Configuring automatic employee assignment Editing search criteria for automatic employee assignment Define search criteria for employee assignment Finding employees and directly assigning them to user accounts Modifying scripts for automatic employee assignment

Deactivating and deleting employees and user accounts

Temporarily deactivating employees Permanently deactivating employees Deferred deletion of an employee Disabling and deleting using account definitions

The Unified Namespace

Mapping target system objects in Unified Namespace Special features for mapping object properties One Identity Manager users for managing target systems in Unified Namespace Displaying Unified Namespace objects Reports about a target system in the Unified Namespace Reports about all target systems in the Unified Namespace

The Unified Namespace

The Unified Namespace is a virtual system in which different target systems can be mapped with their structures, user accounts, system entitlements and memberships. The Unified Namespace allows a general, cross-target system mapping of all connected target systems. This means that target systems like Active Directory domains can be mapped just the same as custom target systems.

You can use other Unified Namespace core functionality across target systems by mapping target systems in the One Identity Manager, such as identity audit, attestation, or report functions. You are supplied with several reports by default.

Detailed information about this topic

Mapping target system objects in Unified Namespace

Each Unified Namespace object type joins the various tables of the One Identity Manager schema required for mapping connected target systems. The various target system tables are joined in database layers. This allows different object properties to be mapped uniformly.

Use the following database views to run compliance checks or attestation across target systems and also to create reports across target systems.

Target systems (UNSRoot)

Target system type	Table
Active Directory	ADSDomain
Microsoft Exchange	EX0Organization
SharePoint	SPSSite
SharePoint Online	O3SSite
HCL Domino	NotesDomain
SAP R/3	SAPMandant
LDAP	LDPDomain
Custom target systems	UNSRootB
Unix	UNXHost
Azure Active Directory	AADOrganization
Google Workspace	GAPCustomer
Cloud target systems	CSMRoot
Oracle E-Business Suite	EBSSystem
Privileged Account Management	PAGAppliance

Container (UNSContainer)

Target system type	Table
Active Directory	ADSContainer
SharePoint	SPSWeb
SharePoint Online	O3SWeb
LDAP	LDAPContainer
Custom target systems	UNSContainerB
Cloud target systems	CSMContainer
Google Workspace	GAPOrgUnit

User accounts (UNSAccount)

Target system type	Table
Active Directory	ADSAccount, ADSContact
Microsoft Exchange	EX0MailUser, EX0MailContact, EX0Mailbox
SharePoint	SPSUser
SharePoint Online	O3SUser
HCL Domino	NotesUser
SAP R/3	SAPUser, SAPBWUser, SAPUserMandant
LDAP	LDAPAccount
Custom target systems	UNSAccountB
Unix	UNXAccount
Azure Active Directory	AADUser
Exchange Online	O3EMailbox, O3EMailContact, O3EMailUser
Google Workspace	GAPUser
Cloud target systems	CSMUser
Oracle E-Business Suite	EBSUser
Privileged Account Management	PAGUser

System entitlements (UNSGroup)

Target system type	Table
Active Directory	ADSGroup
Microsoft Exchange	EX0DL
SharePoint	SPSGroup, SPSRLAsgn
SharePoint Online	O3SGroup, O3SRLAsgn
HCL Domino	NotesGroup
SAP R/3	SAPGrp, SAPProfile, SAPRole, SAPHRP, SAPBWP
LDAP	LDAPGroup
Custom target systems	UNSGroupB, UNSGroupB1, UNSGroupB2, UNSGroupB3
Unix	UNXGroup
Azure Active Directory	AADGroup, AADDeniedServicePlan, AADDirectoryRole, AADSubSku
Exchange Online	O3EDL, O3EUnifiedGroup
Google Workspace	GAPGroup, GAPPaSku, GAPOrgAdminRole
Cloud target systems	CSMGroup, CSMGroup1, CSMGroup2, CSMGroup3
Oracle E-Business Suite	EBSResp
Privileged Account Management	PAGUsrGroup

Permissions controls (UNSItem)

Target system type	Table
Custom target systems	UNSItemB
Cloud target systems	CSMItem

Assignment system entitlements (UNSAccountInUNSGroup)

Target system type	Table
Active Directory	ADSAccountInADSGroup, ADSContactInADSGroup
SharePoint	SPSUserInSPSGroup, SPSUserHASSPSRLAsgn
HCL Domino	NotesUserInGroup
SAP R/3	SAPUserInSAPGrp, HelperSAPUserInSAPRole, SAPUserInSAPProfile, HelperSAPUserInSAPHRP, SAPBWUserInSAPBWP
LDAP	LDAPAccountInLDAPGroup
Custom target systems	UNSAccounBInUNSGroupB, UNSAccounBInUNSGroupB1, UNSAccounBInUNSGroupB2, UNSAccounBInUNSGroupB3, UNSAccounBHasUNSGroupB, UNSAccounBHasUNSGroupB1, UNSAccounBHasUNSGroupB2, UNSAccounBHasUNSGroupB3
Unix	UNXAccountInUNXGroup
Azure Active Directory	AADUserHasDeniedService, AADUserInDirectoryRole, AADUserInAADGroup
Exchange Online	O3EAADUserInUnifiedGroup, O3EMailboxInDL, O3EMailContactInDL, O3EMailUserInDL
Google Workspace	GAPUserInGroup, GAPUserInPaSku, GAPUserInOrgAdminRole
Cloud target systems	CSMUserInGroup, CSMUserInGroup1, CSMUserInGroup2, CSMUserInGroup3, CSMUserHasGroup, CSMUserHasGroup1, CSMUserHasGroup2, CSMUserHasGroup3
Oracle E-Business Suite	EBSUserInRespCompressed
Privileged Account Management	PAGUserInUsrGroup

Assignment permissions controls (UNSAccountHasUNSItem)

Target system type	Table
Custom target systems	UNSAccountBHasUNSItemB
Cloud target systems	CSMUserHasItem

Assignment system entitlements (UNSGroupInUNSGroup)

Target system type	Table
Active Directory	ADSGroupInADSGroup
SharePoint	SPSGroupHasSPSRLAsgn
HCL Domino	NotesGroupInGroup
SAP R/3	SAPProfileInSAPProfile, SAPRoleInSAPRole, SAPProfileInSAPRole
LDAP	LDAPGroupInLDAPGroup
Custom target systems	UNSGroupBInUNSGroupB, UNSGroupBInUNSGroupB1, UNSGroupBInUNSGroupB2, UNSGroupBInUNSGroupB3
Azure Active Directory	AADGroupInGroup
Exchange Online	O3EDLInDL
Google Workspace	GAPGroupInGroup
Cloud target systems	CSMGroupInGroup, CSMGroupInGroup1, CSMGroupInGroup2, CSMGroupInGroup3

Assignment permissions controls (UNSGroupHasUNSItem)

Target system type	Table
Custom target systems	UNSGroupBHasUnsItemB
Cloud target systems	CSMGroupHasItem

Inheritance exclusion (UNSGroupExclusion)

Target system type	Table
Active Directory	ADSGroupExclusion
SharePoint	SPSGroupExclusion, SPSRLAsgnExclusion
HCL Domino	NotesGroupExclusion
SAP R/3	SAPGrpExclusion, SAPProfileExclusion, SAPRoleExclusion
LDAP	LDAPGroupExclusion
Custom target systems	UNSGroupBExclusion, UNSGroupB1Exclusion, UNSGroupB2Exclusion, UNSGroupB3Exclusion
Unix	UNXGroupExclusion
Azure Active Directory	AADGroupExclusion, AADSubSkuExclusion
Google Workspace	GAPGroupExclusion
Cloud target systems	CSMGroupExclusion, CSMGroup1Exclusion, CSMGroup2Exclusion, CSMGroup3Exclusion
Oracle E-Business Suite	EBSRespExclusion
Privileged Account Management	PAGUsrGroupExclusion

System entitlement hierarchy (UNSGroupCollection)

Target system type	Table
Active Directory	ADSGroupCollection
SharePoint	SPSGroupCollection, SPSRLAsgn
HCL Domino	NotesGroupCollection
SAP R/3	SAPCollectionRPG
LDAP	LDAPGroupCollection
Custom target systems	UNSGroupBCollection, UNSGroupB1Collection, UNSGroupB2Collection, UNSGroupB3Collection
Unix-based target system	UNXGroupExclusion
Azure Active Directory	AADGroupCollection
Exchange Online	O3EDLCollection
Google Workspace	GAPGroupCollection
Cloud target systems	CSMGroupCollection, CSMGroup1Collection, CSMGroup2Collection, CSMGroup3Collection

Special features for mapping object properties

In certain target systems, assignments of system entitlements to user accounts can have a limited duration.

The validity period is not mapped in the Unified Namespace.
The Marked for deletion (UNSAccountInUNSGroup.XMarkedForDeletion) identifier cannot be set for these assignments. Therefore, in the Unified Namespace, you cannot tell whether an assignment was marked as outstanding by synchronization.

One Identity Manager users for managing target systems in Unified Namespace

The following users are used for managing target systems in the Unified Namespace.

Table 9: Users
Users	Tasks
Target system administrators	Target system administrators must be assigned to the Target systems \| Administrators application role. Users with this application role: Administer application roles for individual target system types. Specify the target system manager. Set up other application roles for target system managers if required. Specify which application roles for target system managers are mutually exclusive. Authorize other employees to be target system administrators. Do not assume any administrative tasks within the target system.
Target system managers	Target system managers must be assigned to the Target systems \| Unified Namespace application role or a child application role. Users with this application role: Obtain view of the objects in the connected target systems across all target systems. Can create reports across all target systems. If the users are also target system managers of the basic underlying target systems, you can manage these target systems through the Unified Namespace.
One Identity Manager administrators	One Identity Manager administrator and administrative system users Administrative system users are not added to application roles. One Identity Manager administrators: Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required. Create system users and permissions groups for non role-based login to administration tools in the Designer as required. Enable or disable additional configuration parameters in the Designer as required. Create custom processes in the Designer as required. Create and configure schedules as required. Create and configure password policies as required.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Identity Manager 8.2.1 - Target System Base Module Administration Guide

The Unified Namespace

Detailed information about this topic

Mapping target system objects in Unified Namespace

Special features for mapping object properties

One Identity Manager users for managing target systems in Unified Namespace