Identity Manager 9.0 LTS - Administration Guide for Connecting to OneLogin


Specifying deferred deletion for OneLogin user accounts

You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or blocked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.

You have the following options for configuring deferred deletion.

  • Global deferred deletion: Deferred deletion applies to user accounts in all target systems. The default value is 30 days.

    In the Designer, enter a different value for deferred deletion in the Deferred deletion [days] property of the OLGUser table.

  • Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.

    To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the OLGUser table.

    Example:

    Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.

    ' Privileged user accounts are finally deleted after 10 days;
    ' every other account keeps the global deferred deletion value.
    If $IsPrivilegedAccount:Bool$ Then
        Value = 10
    End If

For more information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.
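The following Python model is an added illustration of the deferred deletion lifecycle described above; it is not One Identity Manager code and does not call the product. Account names, the dates and the `UserAccount`, `run_deferred_deletion` and `demo` helpers are constructed for the example. It shows the three states an account passes through (active, disabled with a due date, finally deleted), the object-specific rule from the page (privileged accounts 10 days, everything else the global 30 days), that a disabled account can still be restored until the deferred deletion run removes it, and that restoring is refused afterwards.

```python
"""Model of deferred deletion for OneLogin user accounts (added illustration, not product code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Global value stated on the page: accounts are finally removed 30 days after deletion is triggered.
GLOBAL_DEFERRED_DELETION_DAYS = 30


def deferred_deletion_days(is_privileged_account: bool,
                           global_days: int = GLOBAL_DEFERRED_DELETION_DAYS) -> int:
    """Object-specific rule from the page's example: privileged accounts wait 10 days,
    every other account falls back to the global deferred deletion value."""
    if is_privileged_account:
        return 10
    return global_days


@dataclass
class UserAccount:
    login: str
    is_privileged_account: bool = False
    state: str = "active"                  # active -> disabled -> deleted
    final_deletion_on: Optional[date] = None

    def trigger_deletion(self, today: date) -> None:
        """Triggering deletion does not remove the account: it is disabled and given a due date."""
        if self.state != "active":
            raise ValueError(f"{self.login}: deletion can only be triggered for active accounts")
        self.state = "disabled"
        self.final_deletion_on = today + timedelta(
            days=deferred_deletion_days(self.is_privileged_account))

    def restore(self) -> None:
        """Re-enabling is allowed until the deferred deletion run has removed the account."""
        if self.state == "deleted":
            raise ValueError(f"{self.login}: already finally deleted, cannot be restored")
        if self.state != "disabled":
            raise ValueError(f"{self.login}: nothing to restore")
        self.state = "active"
        self.final_deletion_on = None


def run_deferred_deletion(db: Dict[str, UserAccount], today: date) -> List[str]:
    """The periodic job: finally remove every disabled account whose due date has been reached."""
    removed = []
    for login, account in list(db.items()):
        if account.state == "disabled" and account.final_deletion_on <= today:
            account.state = "deleted"
            del db[login]
            removed.append(login)
    return sorted(removed)


def restore_after_final_deletion_is_rejected() -> bool:
    """Edge case: once the run has removed an account, restore() must refuse."""
    account = UserAccount("carol.user")               # constructed account
    account.trigger_deletion(date(2024, 1, 1))
    run_deferred_deletion({"carol.user": account}, date(2024, 3, 1))
    try:
        account.restore()
    except ValueError:
        return True
    return False


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a privileged and a normal account deleted on the same day."""
    db = {
        "alice.admin": UserAccount("alice.admin", is_privileged_account=True),
        "bob.user": UserAccount("bob.user"),
    }
    day0 = date(2024, 1, 1)
    for account in db.values():
        account.trigger_deletion(day0)

    result = {}
    # Day 10: the privileged account is due; the normal one still has 20 days left.
    result["day10"] = run_deferred_deletion(db, day0 + timedelta(days=10))
    # Before day 30: bob is re-enabled, which clears his due date.
    db["bob.user"].restore()
    # Day 31: nothing is due any more because bob is active again.
    result["day31"] = run_deferred_deletion(db, day0 + timedelta(days=31))
    result["remaining"] = sorted(db)
    return result


if __name__ == "__main__":
    print(demo())
```

Running the script prints the removals per run: only `alice.admin` is removed on day 10, nothing on day 31, and `bob.user` remains because it was restored before its own run.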

Managing memberships in OneLogin roles

OneLogin user accounts can be grouped into OneLogin roles that can be used to regulate access to OneLogin applications.

In One Identity Manager, you can assign OneLogin roles directly to user accounts or they can be inherited through departments, cost centers, locations, or business roles. Users can also request the roles through the Web Portal. To do this, roles are provided in the IT Shop.


Assigning OneLogin roles to OneLogin user accounts

OneLogin roles can be assigned directly or indirectly to OneLogin user accounts.

In the case of indirect assignment, employees and OneLogin roles are assigned to hierarchical company structures, such as departments, cost centers, locations, or business roles. The OneLogin roles assigned to an employee are calculated from the position in the hierarchy and the direction of inheritance. If you add an employee to company structures and that employee owns a OneLogin user account, the OneLogin user account is added to the OneLogin role.

Furthermore, OneLogin roles can be requested through the Web Portal. To do this, add employees to a shop as customers. All OneLogin roles, which are assigned to this shop as products, can be requested by the customers. Requested OneLogin roles are assigned to the employees after approval is granted.

You can use system roles to group OneLogin roles together and assign them to employees as a package. You can create system roles that contain only OneLogin roles. You can also group any number of company resources into a system role.

To react quickly to special requests, you can assign OneLogin roles directly to OneLogin user accounts.

For more information see the following guides:

  • Basic principles for assigning and inheriting company resources: One Identity Manager Identity Management Base Module Administration Guide; One Identity Manager Business Roles Administration Guide

  • Assigning company resources through IT Shop requests: One Identity Manager IT Shop Administration Guide

  • System roles: One Identity Manager System Roles Administration Guide


Prerequisites for indirect assignment of OneLogin roles to OneLogin user accounts

In the case of indirect assignment, employees and OneLogin roles are assigned to hierarchical company structures, such as departments, cost centers, locations, or business roles. When assigning OneLogin roles indirectly, check the following settings and modify them if necessary.

  1. Assignment of employees and OneLogin roles is permitted for role classes (departments, cost centers, locations, or business roles).

    For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  2. Settings for assigning OneLogin roles to OneLogin user accounts.

    • The OneLogin user account is linked to an employee.

    • The OneLogin user account is labeled with the Roles can be inherited option.

NOTE: There are other configuration settings that play a role when company resources are inherited through departments, cost centers, locations, and business roles. For example, role inheritance might be blocked or inheritance of employees not allowed. For more detailed information about the basic principles for assigning company resources, see the One Identity Manager Identity Management Base Module Administration Guide.
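The following Python model is an added illustration of the direct and indirect role assignment described in this section and of the prerequisite checks listed above; it is not One Identity Manager code and does not reproduce the product's inheritance engine. The role class, company structure, employee and OneLogin role names are constructed, and the model assumes that roles flow top-down, so a structure passes on the roles assigned to it and to its ancestors. `missing_prerequisites` reports which of the listed settings blocks inheritance for an account; `effective_roles` combines direct assignments with what the linked employee inherits through the company structures.

```python
"""Model of direct and indirect OneLogin role assignment (added illustration, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RoleClass:
    """Prerequisite 1: the role class must permit assignment of employees and of OneLogin roles."""
    name: str
    employees_allowed: bool
    onelogin_roles_allowed: bool


@dataclass
class CompanyStructure:
    """A department, cost center, location or business role."""
    name: str
    role_class: str
    parent: Optional[str] = None
    employees: Set[str] = field(default_factory=set)
    onelogin_roles: Set[str] = field(default_factory=set)


@dataclass
class OneLoginAccount:
    login: str
    employee: Optional[str] = None          # prerequisite 2a: linked to an employee
    roles_can_be_inherited: bool = True     # prerequisite 2b: the option is set
    direct_roles: Set[str] = field(default_factory=set)


def _class_permits(structure: CompanyStructure, role_classes: Dict[str, RoleClass]) -> bool:
    rc = role_classes[structure.role_class]
    return rc.employees_allowed and rc.onelogin_roles_allowed


def missing_prerequisites(account: OneLoginAccount,
                          structures: Dict[str, CompanyStructure],
                          role_classes: Dict[str, RoleClass]) -> List[str]:
    """Explain why an account would not inherit OneLogin roles (empty list: all checks pass)."""
    problems = []
    if account.employee is None:
        problems.append("account is not linked to an employee")
    if not account.roles_can_be_inherited:
        problems.append("'Roles can be inherited' is not set on the account")
    for s in structures.values():
        if account.employee in s.employees and not _class_permits(s, role_classes):
            problems.append(f"role class {s.role_class!r} does not permit employee "
                            f"and OneLogin role assignment")
    return problems


def inherited_roles(account: OneLoginAccount,
                    structures: Dict[str, CompanyStructure],
                    role_classes: Dict[str, RoleClass]) -> Set[str]:
    """Roles reaching the account through the structures its employee belongs to.
    Model assumption: top-down inheritance, so a structure also passes on its ancestors' roles."""
    if account.employee is None or not account.roles_can_be_inherited:
        return set()
    roles: Set[str] = set()
    for s in structures.values():
        if account.employee not in s.employees or not _class_permits(s, role_classes):
            continue
        node: Optional[CompanyStructure] = s
        while node is not None:
            roles |= node.onelogin_roles
            node = structures.get(node.parent) if node.parent else None
    return roles


def effective_roles(account, structures, role_classes) -> Set[str]:
    """Direct assignments plus everything inherited via the linked employee."""
    return account.direct_roles | inherited_roles(account, structures, role_classes)


def build_example() -> Tuple[Dict[str, RoleClass], Dict[str, CompanyStructure], Dict[str, OneLoginAccount]]:
    """Constructed data: one permissive role class, one that blocks OneLogin roles, three accounts."""
    role_classes = {
        "Department": RoleClass("Department", True, True),
        "Location": RoleClass("Location", True, False),   # OneLogin roles not permitted here
    }
    structures = {
        "Corp": CompanyStructure("Corp", "Department", onelogin_roles={"Corp-Baseline"}),
        "IT": CompanyStructure("IT", "Department", parent="Corp",
                               employees={"emp-1001", "emp-1002"},
                               onelogin_roles={"App-CRM-Users"}),
        "Berlin": CompanyStructure("Berlin", "Location", employees={"emp-1001"},
                                   onelogin_roles={"VPN-Users"}),
    }
    accounts = {
        "alice": OneLoginAccount("alice", employee="emp-1001", direct_roles={"Admins"}),
        "bob": OneLoginAccount("bob", employee="emp-1002", roles_can_be_inherited=False),
        "svc-backup": OneLoginAccount("svc-backup"),      # technical account, no employee
    }
    return role_classes, structures, accounts


def demo() -> Dict[str, List[str]]:
    role_classes, structures, accounts = build_example()
    return {login: sorted(effective_roles(a, structures, role_classes))
            for login, a in accounts.items()}


if __name__ == "__main__":
    print(demo())
```

In the constructed data, `alice` receives her direct role plus the roles of IT and its parent Corp, but not `VPN-Users`, because the Location role class does not permit OneLogin role assignment; `bob` and `svc-backup` inherit nothing, each for a different prerequisite reported by `missing_prerequisites`.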
