Chat now with support
Chat with Support

Identity Manager 9.0 LTS - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

About this guide

The One Identity Manager Authorization and Authentication Guide describes the basics and features of One Identity Manager's own roles and permissions model.

This guide is intended for end users, system administrators, consultants, analysts, and any other IT professionals using the product.

NOTE: This guide describes One Identity Manager functionality available to the default user. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.

This shows you an overview of One Identity Manager's application roles, permissions groups, and system users. The guide explains how to set up and implement application roles. The guide also explains how you grant permissions for the tables and columns of the One Identity Manager schema. In addition, you will find an overview of the various One Identity Manager authentication modules.

Available documentation

You can access One Identity Manager documentation in the Manager and in the Designer by selecting the Help > Search menu item. The online version of One Identity Manager documentation is available in the Support portal under Technical Documentation. You will find videos with additional information at www.YouTube.com/OneIdentity.

One Identity Manager application roles

You can use the One Identity Manager role model to control edit permissions for One Identity Manager users. This role model takes into account technical aspects, for example, One Identity Manager tool administrative permissions, as well as functional aspects, which result from One Identity Manager user tasks within the company structure (for example, permissions for approving requests). One Identity Manager makes so-called application roles available.

Application roles have the following aims:

  • Program functions, employees, company resources, approval workflows and approval policies are assigned to fixed application roles. Permissions for these application roles must not be defined specifically for the company. This simplifies how you manage permissions.

  • Enables audit secure internal administration of One Identity Manager users and their permissions. Permissions can be granted through assignment, request, and approval or by calculation on account of specific properties. The plausibility of the permissions can be tested at any time with the attestation function.

  • Users are provided with initial permissions, which they required for carrying out their tasks. This is a way, for example, to create initially required user accounts.

Application roles can be linked to permissions groups whose edit permissions are predefined by One Identity Manager. Controlling permissions

  • Access to objects and their properties

  • Navigation configuration in administration tools

  • Which interface forms and tasks are displayed

  • Availability of special program functionality

Users must be role-based to use application roles for logging in to One Identity Manager. Role-based authentications module finds the valid edit permissions from all the user's application roles. This provides the One Identity Manager user with permissions corresponding to their application roles for the One Identity Manager functions when they log onto One Identity Manager tools.

Detailed information about this topic
Related topics

Application roles overview

One Identity Manager supplies default application roles whose permissions are matched to the different task and functions. Assign employees to default applications who take on individual tasks and functions. You can also create your own application roles for custom defined tasks.

NOTE: Default application roles are defined in One Identity Manager modules and are not available until the modules are installed. You cannot delete default application roles.
Detailed information about this topic

Application roles for basic functions

NOTE: This application role is available if the Identity Management Base Module is installed.

The following application roles are available to you for the basic functionality in One Identity Manager.

Table 1: Application roles for basic functions
Application role Description

Administrators

 

Administrators must be assigned to the Base roles | Administrators application role.

Users with this application role:

  • Administer application roles for administrators.

  • Assign employees to administrator application roles.

  • Add other employees to the Base roles | Administrators application role and edit conflicting application roles.

  • See the main data for the other application roles.

  • Can use Password Reset Portal to set passwords for selected system users.

Everyone (change)

 

The Base roles | Everyone (change) application role is automatically assigned to every user.

Users with this application role:

  • Can edit certain employee main data in the Web Portal.

If every user is automatically assigned to a custom permissions group when they log in, then this permissions group can be added to the application role.

Members of this application role are determined through a dynamic role.

Everyone (lookup)

 

The Base roles | Everyone (Lookup) application role is automatically assigned to every user.

Users with this application role:

  • Obtain read access to objects in the Web Portal.

If every user is automatically assigned to a custom permissions group when they log in, then this permissions group can be added to the application role.

Members of this application role are determined through a dynamic role.

Employee managers

 

The Base roles | Employee managers application role is automatically assigned to a user if the user is a manager or supervisor of employees, departments, locations, cost centers, business roles, or IT Shops.

Users with this application role:

  • Can edit main data for the objects they are responsible for and assign company resources to them.

  • Can edit new employees added in the Web Portal and edit the main data of their staff.

  • Can add their staff members to the IT Shop.

  • Can view their staff compliance rule violations in the Web Portal.

  • Can create delegations for their staff in Web Portal.

  • Can see and edit their staff delegations in Web Portal.

Members of this application role are determined through a dynamic role.

Birthright Assignments

The Base roles | Birthright assignments application role is used to provide birthrights to employees which are provided to establish their working environment. The application roles are allocated all the resources marked for automatic assignment to all employees. All internal employees are assigned to this application role and obtain the resources. Internal employees are found through a dynamic role.

Self-registered employees

All new external employees that have registered themselves in the Web Portal, are assigned to the Base roles | Self-registered employees application role. These employees are determined by a dynamic role.

Related topics
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating