You can assign LDAP groups directly or indirectly to LDAP user accounts and LDAP computers. Employees (workdesks or devices) and LDAP groups are grouped into hierarchical roles in the case of indirect assignment. The number of LDAP groups assigned to an employee (workdesk or device) is calculated from the position within the hierarchy and inheritance direction.
- If you add an employee to roles and that employee owns an LDAP user account, the LDAP user account is added to the LDAP group.
- If you add a device to roles, the LDAP computer that references the device is added to the LDAP groups.
- If a device owns a workdesk and you add the workdesk to roles, the LDAP computer, which references this device, is also added to all LDAP groups of the workdesk's roles.
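The following Python model is an added illustration, not One Identity Manager code: it resolves which LDAP groups an account ends up in and which assignment explains each one. The `Role` class, the function names, and the group names are hypothetical, and the model assumes that top-down means a role inherits from its parent roles and bottom-up means it inherits from its child roles.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    """Hypothetical stand-in for a department, cost center, location or business role."""
    name: str
    parent: "Role | None" = None
    top_down: bool = True   # assumed: True = inherit from parents, False = from children
    groups: set = field(default_factory=set)            # LDAP groups assigned to this role
    children: list = field(default_factory=list, repr=False)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

def inherited_groups(role):
    """LDAP groups effective at `role`: its own plus those inherited along the hierarchy."""
    result = set(role.groups)
    if role.top_down:
        node = role.parent
        while node is not None:          # walk up to the root
            result |= node.groups
            node = node.parent
    else:
        stack = list(role.children)
        while stack:                     # walk down through all descendants
            node = stack.pop()
            result |= node.groups
            stack.extend(node.children)
    return result

def effective_groups(roles, direct_groups=()):
    """Map each LDAP group of an account to the assignments that produce it."""
    sources = {}
    for group in direct_groups:
        sources.setdefault(group, set()).add("direct")
    for role in roles:
        for group in inherited_groups(role):
            sources.setdefault(group, set()).add("role:" + role.name)
    return {group: sorted(s) for group, s in sources.items()}

# Constructed sample hierarchy and group names
company = Role("Company", groups={"cn=all-staff"})
engineering = Role("Engineering", parent=company, groups={"cn=eng-vpn"})
platform = Role("Platform", parent=engineering, groups={"cn=deploy"})
project = Role("Project", top_down=False, groups={"cn=proj"})
project_admins = Role("Project-Admins", parent=project, top_down=False, groups={"cn=proj-admin"})

if __name__ == "__main__":
    for group, why in sorted(effective_groups([platform, project], ["cn=eng-vpn"]).items()):
        print(group, why)
```

Groups whose only source is `direct` are the ones no role membership accounts for.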
Furthermore, LDAP groups can be requested through the Web Portal. To do this, add employees to a shop as customers. All LDAP groups assigned to this shop can be requested by the customers. Requested LDAP groups are assigned to the employees after approval is granted.
Through system roles, LDAP groups can be grouped together and assigned to employees and workdesks as a package. You can create system roles that contain only LDAP groups. You can also group any number of company resources into a system role.
To react quickly to special requests, you can also assign LDAP groups directly to LDAP user accounts and LDAP computers.
For more information, see the following guides:
Topic | Guide |
---|---|
Basic principles for assigning and inheriting company resources | One Identity Manager Identity Management Base Module Administration Guide; One Identity Manager Business Roles Administration Guide |
Assigning company resources through IT Shop requests | One Identity Manager IT Shop Administration Guide |
System roles | One Identity Manager System Roles Administration Guide |
Detailed information about this topic
- Prerequisites for indirect assignment of LDAP groups
- Assigning LDAP groups to departments, cost centers, and locations
- Assigning LDAP groups to business roles
- Adding LDAP groups to system roles
- Adding LDAP groups to the IT Shop
- Assigning LDAP user accounts directly to LDAP groups
- Assigning LDAP groups directly to LDAP user accounts
- Assigning LDAP computers directly to LDAP groups
- Assigning LDAP groups directly to LDAP computers