
Identity Manager 9.0 LTS - Authorization and Authentication Guide


Editing permissions groups

One Identity Manager provides permissions groups with a predefined user interface and special permissions for the tables and columns of the One Identity Manager schema. In certain isolated cases, it may be necessary to define custom permissions groups. You need custom permissions groups, for example, if:

  • The default permissions groups grant too many permissions

  • Selected default permissions groups are to be grouped to form a new permissions group

  • Additional role-based permissions groups are required for the custom application roles

  • Permissions are required for custom adjustments such as schema extensions, forms, or menu structures

When the One Identity Manager database is installed using the Configuration Wizard, custom permissions groups that you can use are already created.

  • For non role-based login, the CCCViewPermissions and CCCEditPermissions permissions groups are created. Administrative system users are automatically added to these permissions groups.

  • For role-based login, the CCCViewRole and CCCEditRole permissions groups are created.

In the Designer, permissions groups are managed in the Permissions > Permissions groups category. Here you will find an overview of the edit permissions and user interface components that are assigned to individual permissions groups. In addition, the system users to which the permissions groups are assigned are displayed.

Use the Designer to create and edit permissions groups with the User & Permissions Group Editor. The User & Permissions Group Editor displays the permissions groups in their hierarchy. Each permissions group is represented by a permissions group element. Each permissions group element has a tooltip that contains the name and description of the permissions group.

You can run the following tasks:

  • Edit permissions group main data

  • Define new dependencies between permissions groups

  • Copy permissions groups

  • Create new permissions groups


Dependencies between permissions groups

By structuring permissions groups hierarchically, permissions and user interface components can be passed down from one permissions group to another permissions group. This means that inheritance is top down within the hierarchy.

The following applies to permissions group dependencies:

  • A role-based permissions group can inherit from role-based permissions groups and non role-based permissions groups.

  • A non role-based permissions group can inherit from non role-based permissions groups. A non role-based permissions group must not inherit from role-based permissions groups.

Example:

Two permissions groups are defined with the following permissions and user interface components.

| Permissions group | Permissions | User interface |
| --- | --- | --- |
| A | Viewable | Menu structures and forms |
| B | Editable | Task definitions |

Permissions group B is assigned below permissions group A in the hierarchy and inherits from permissions group A. Consequently, a user of permissions group B has access to the viewing permissions and editing permissions as well as the menu structure, forms, and task definitions.
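The inheritance rules and the A/B example above can be checked mechanically when reviewing a custom hierarchy. The following is an added example, not code from One Identity Manager: the `Group` model and the `ancestors`, `effective` and `violations` helpers are hypothetical, the sample data is constructed, and the example goes slightly beyond the page by also rejecting inheritance cycles.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    role_based: bool
    permissions: set = field(default_factory=set)
    ui: set = field(default_factory=set)
    inherits_from: list = field(default_factory=list)  # direct parents

def ancestors(groups, name, _path=()):
    """Every group `name` inherits from, directly or indirectly."""
    if name in _path:
        raise ValueError("inheritance cycle: " + " -> ".join(_path + (name,)))
    found = set()
    for parent in groups[name].inherits_from:
        found.add(parent)
        found |= ancestors(groups, parent, _path + (name,))
    return found

def effective(groups, name):
    """Own plus inherited permissions and user interface components."""
    chain = [groups[name]] + [groups[a] for a in ancestors(groups, name)]
    return (set().union(*(g.permissions for g in chain)),
            set().union(*(g.ui for g in chain)))

def violations(groups):
    """Edges where a non role-based group inherits from a role-based one."""
    return sorted((g.name, p) for g in groups.values() if not g.role_based
                  for p in g.inherits_from if groups[p].role_based)

# Constructed sample data. A and B follow the page's example (treated here as
# non role-based, an assumption); the two CCC groups are hypothetical.
GROUPS = {g.name: g for g in [
    Group("A", False, {"Viewable"}, {"menu structures", "forms"}),
    Group("B", False, {"Editable"}, {"task definitions"}, ["A"]),
    Group("CCCHelpdeskRole", True, {"Editable"}, set(), ["A"]),
    Group("CCCReportView", False, {"Viewable"}, set(), ["CCCHelpdeskRole"]),
]}

if __name__ == "__main__":
    print(effective(GROUPS, "B"))
    print(violations(GROUPS))
```

In the sample, `CCCReportView` is flagged because it is non role-based yet inherits from a role-based group, which would also hand it the editing permissions it was meant to exclude.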


Permissions group dependencies

You edit dependencies between permissions groups in the hierarchical view of the User & Permissions Group Editor. Permissions groups that are higher up in the hierarchy are displayed further to the right in the hierarchical view. When a permissions group is selected in the hierarchical view, its dependencies on other permissions groups are marked in color to show the direction of inheritance.

Figure 1: Visual of the permissions group hierarchy (inheritance from right to left)

Table 21: Meaning of colors in the hierarchical representation

| Color | Meaning |
| --- | --- |
| Blue | The selected permissions group. |
| Purple | This permissions group is a child of the selected permissions group and directly inherits from the selected permissions group. |
| Light purple | This permissions group inherits indirectly from the selected permissions group over the hierarchy. |
| Red | This permissions group is a child of the selected permissions group and directly inherits from the selected permissions group. |
| Light red | This permissions group passes inheritance indirectly to the selected permissions group over the hierarchy. |
| Green | This permissions group does not inherit or pass inheritance to the selected permissions group. |

To specify dependencies of a permissions group

  1. In the Designer, select the Permissions > Permissions groups category.

  2. Select the permissions group and start the User & Permissions Group Editor using the Edit permissions group task.

  3. In the hierarchical view of the permissions groups, select the permissions group and run one of the following actions.

    • Select the Inherit permissions from context menu and select the permissions groups from which the selected permissions group is to inherit.

    • Select the Permissions inherited by context menu and select the permissions groups to be included in the selected permissions group. Child permissions groups inherit permissions from the selected permissions group.

  4. Select the Database > Save to database menu item and click Save.

Copying permissions groups

The User & Permissions Group Editor provides a wizard for copying permissions and the user interface of an existing permissions group to a new permissions group.

To copy a permissions group

  1. In the Designer, select the Permissions > Permissions groups category.

  2. Select the permissions group you want to copy and start the User & Permissions Group Editor with the Edit permissions group task.

  3. Select the Permissions groups > Copy permissions group menu item.

  4. On the start page of the wizard for copying permissions groups, click Next.

  5. On the Select permissions group page, enter the following information:

    • Select permissions group to copy: The permissions group is pre-selected.

    • Copy name: Name of the new permissions group. A name suggestion is already entered that you can modify. Ensure that the permissions group name begins with the prefix CCC.

  6. On the Select copy options page, specify which permissions group relations are to be copied. You can select multiple options. The following copy options are available.

    Table 22: Copy options for permissions groups

    | Option | Description |
    | --- | --- |
    | Permissions | Enable this option to copy the table permissions and column permissions of the selected permissions group to the new permissions group. |
    | User interface | Enable this option to copy the menu items, the forms and the task definitions of the selected permissions group to the new permissions group. |
    | System user | Select this option if the system user should be copied to the new permissions group. NOTE: Predefined system users are not included in the new permissions group. |

  7. To start compiling, click Next.

    The copying process may take some time.

  8. The Copy permissions group page shows the individual copy steps and any error messages. If the copy action is complete, click Next.

  9. To end the wizard, click Finish on the last page.
