Chat now with support
Chat with Support

Identity Manager 9.0 LTS - Administration Guide for Connecting to LDAP

About this guide Managing LDAP environments Synchronizing LDAP directories
Setting up initial LDAP directory synchronization Adjusting the synchronization configuration for LDAP environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing LDAP user accounts and employees Managing memberships in LDAP groups Login information for LDAP user accounts Mapping LDAP objects in One Identity Manager Handling of LDAP objects in the Web Portal Basic data for managing an LDAP environment Troubleshooting Configuration parameters for managing an LDAP environment Default project template for LDAP LDAP connector V2 settings

Assigning LDAP groups to LDAP user accounts and LDAP computers in One Identity Manager

You can assign LDAP groups directly or indirectly to LDAP user accounts and LDAP computers. Employees (workdesks or devices) and LDAP groups are grouped into hierarchical roles in the case of indirect assignment. The number of LDAP groups assigned to an employee (workdesk or device) is calculated from the position within the hierarchy and inheritance direction.

  • If you add an employee to roles and that employee owns an LDAP user account, the LDAP user account is added to the LDAP group.

  • If you add a device to roles, the LDAP computer that references the device is added to the LDAP groups.

  • If a device owns a workdesk and you add the workdesk to roles, the LDAP computer, which references this device, is also added to all LDAP groups of the workdesk's roles.

Furthermore, LDAP groups can be requested through the Web Portal. To do this, add employees to a shop as customers. All LDAP groups are assigned to this shop can be requested by the customers. Requested LDAP groups are assigned to the employees after approval is granted.

Through system roles, LDAP groups can be grouped together and assigned to employees and workdesks as a package. You can create system roles that contain only LDAP groups. You can also group any number of company resources into a system role.

To react quickly to special requests, you can also assign LDAP groups directly to LDAP user accounts and LDAP computers.

For more information see the following guides:

Topic

Guide

Basic principles for assigning and inheriting company resources

One Identity Manager Identity Management Base Module Administration Guide

One Identity Manager Business Roles Administration Guide

Assigning company resources through IT Shop requests

One Identity Manager IT Shop Administration Guide

System roles

One Identity Manager System Roles Administration Guide

Detailed information about this topic

Prerequisites for indirect assignment of LDAP groups

In the case of indirect assignment, employees and LDAP groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. When assigning LDAP groups indirectly, check the following settings and modify them if necessary.

Prerequisites for indirect assignment of LDAP groups to LDAP user accounts

  1. Assignment of employees and LDAP groups is permitted for role classes (departments, cost centers, locations, or business roles).

  2. The LDAP user account is linked to an employee.

  3. The LDAP user account is labeled with the Groups can be inherited option.

Prerequisites for indirect assignment of LDAP groups to LDAP computers

  1. Assignment of devices and LDAP groups is permitted for role classes (departments, cost centers, locations, or business roles).

  2. The LDAP computer is connected to a device.

  3. The device is labeled as a PC or server.

  4. The TargetSystem | LDAP | HardwareInGroupFromOrg configuration parameter is set.

Prerequisites for indirect assignment to LDAP groups to LDAP computers through workdesks

  1. Assignment of workdesks and LDAP groups is permitted for role classes (departments, cost centers, locations, or business roles).

  2. The LDAP computer is connected to a device.

  3. The device is labeled as a PC or server.

  4. The device owns a workdesk.

ClosedAllow assignments to role classes of departments, cost centers, locations, or roles

NOTE: There are other configuration settings that play a role when company resources are inherited through departments, cost centers, locations, and business roles. For example, role inheritance might be blocked or inheritance of employees, devices or workdesks not allowed. For more detailed information about the basic principles for assigning company resources, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

Assigning LDAP groups to departments, cost centers, and locations

Assign groups to departments, cost centers, or locations so that the group can be assigned to user accounts and computers through these organizations. This task is not available for dynamic groups.

To assign a group to departments, cost centers, or locations (non role-based login)

  1. In the Manager, select the LDAP > Groups category.

  2. Select the group in the result list.

  3. Select the Assign organizations task.

  4. In the Add assignments pane, assign the organizations:

    • On the Departments tab, assign departments.

    • On the Locations tab, assign locations.

    • On the Cost centers tab, assign cost centers.

    TIP: In the Remove assignments pane, you can remove assigned organizations.

    To remove an assignment

    • Select the organization and double-click .

  5. Save the changes.

To assign groups to a department, a cost center, or a location (non role-based login or role-based login)

  1. In the Manager, select the Organizations > Departments category.

    - OR -

    In the Manager, select the Organizations > Cost centers category.

    - OR -

    In the Manager, select the Organizations > Locations category.

  2. Select the department, cost center, or location in the result list.

  3. Select the Assign LDAP groups task.

  4. In the Add assignments pane, assign groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  5. Save the changes.
Related topics

Assigning LDAP groups to business roles

NOTE: This function is only available if the Business Roles Module is installed.

Assign the group to business roles so that the group is assigned to user accounts and computers through these business roles. This task is not available for dynamic groups.

To assign a group to a business role (non role-based login)

  1. In the Manager, select the LDAP > Groups category.

  2. Select the group in the result list.

  3. Select the Assign business roles task.

  4. In the Add assignments pane, select the role class and assign business roles.

    TIP: In the Remove assignments pane, you can remove assigned business roles.

    To remove an assignment

    • Select the business role and double-click .

  5. Save the changes.

To assign groups to a business role (non role-based login or role-based login)

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the business role in the result list.

  3. Select the Assign LDAP groups task.

  4. In the Add assignments pane, assign the groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  5. Save the changes.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating