Chat now with support
Chat with Support

Identity Manager 9.1.2 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and employees
Account definitions for Active Directory user accounts and Active Directory contacts Assigning employees automatically to Active Directory user accounts Supported user account types Updating employees when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login information for Active Directory user accounts Mapping of Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Active DirectoryRequesting Groups Memberships

Table 61: Default objects for requesting group memberships

Shelves:

Identity & Access Lifecycle > Active Directory groups

Approval policies/approval workflows

Approval of Active Directory group membership requests

Product owners and target system managers can request members for groups in these shelves in the Web Portal. The respective product owner or target system manager must grant approval for this modification. The changes are published in the target system.

Related topics

Basic data for managing an Active Directory environment

To manage an Active Directory environment in One Identity Manager, the following basic data is relevant.

  • Account definitions

    One Identity Manager has account definitions for automatically allocating user accounts to employees. You can create account definitions for every target system. If an employee does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an employee.

    For more information, see Account definitions for Active Directory user accounts and Active Directory contacts.

  • Password policy

    One Identity Manager provides you with support for creating complex password policies, for example, for system user passwords, the employees' central password as well as passwords for individual target systems. Password polices apply not only when the user enters a password but also when random passwords are generated.

    Predefined password policies are supplied with the default installation that you can use or customize if required. You can also define your own password policies.

    For more information, see Password policies for Active Directory user accounts.

  • Initial password for new user accounts

    You have the different options for issuing an initial password for user accounts. Enter a password or use a random generated initial password when you create a user account.

    For more information, see Initial password for new Active Directory user accounts.

  • Email notifications about credentials

    When a new user account is created, the login data are sent to a specified recipient. In this case, two messages are sent with the user name and the initial password. Mail templates are used to generate the messages.

    For more information, see Email notifications about login data.

  • User account names

    To assign permissions to directories and files, it is sometimes necessary to define user account names such as Administrators or Domain Users in specific languages.

    For more information, see User account names.

  • Target system types

    Target system types are required for configuring target system comparisons. Tables with outstanding objects are maintained with the target system types and settings are configured for provisioning memberships and single objects synchronization. Target system types also map objects in the Unified Namespace.

    For more information, see Post-processing outstanding objects.

  • Target system managers

    A default application role exists for the target system manager in One Identity Manager. Assign employees to this application role who have permission to edit all domains in One Identity Manager.

    Define additional application roles if you want to limit the permissions for target system managers to individual domains. The application roles must be added under the default application role.

    For more information, see Target system managers.

  • Servers

    Servers must be informed of your server functionality in order to handle Active Directory-specific processes in One Identity Manager. These may be the synchronization server, home server, or profile server, for example.

    For more information, see Job server for Active Directory-specific process handling.

User account names

To assign permissions to directories and files, it is sometimes necessary to define user account names such as Administrators or Domain Users in specific languages.

NOTE:  Default language for user account names is English.

To edit user account names

  1. In the Manager, select the Active Directory > Basic configuration data > User account names category.

  2. Select an item in the result list. Select the Change main data task.

    - OR -

    Click in the result list.

  3. Enter the English name for the user account. Translate the given text using the button.

  4. Save the changes.

Target system managers

A default application role exists for the target system manager in One Identity Manager. Assign employees to this application role who have permission to edit all domains in One Identity Manager.

Define additional application roles if you want to limit the permissions for target system managers to individual domains. The application roles must be added under the default application role.

For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers
  1. The One Identity Manager administrator allocates employees to be target system administrators.

  2. These target system administrators add employees to the default application role for target system managers.

    Target system managers with the default application role are authorized to edit all the domains in One Identity Manager.

  3. Target system managers can authorize other employees within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual domains.

Table 62: Default application roles for target system managers
User Tasks

Target system managers

 

Target system managers must be assigned to the Target systems | Active Directory application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add employees who have another identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

To initially specify employees to be target system administrators

  1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)

  2. Select the One Identity Manager Administration > Target systems > Administrators category.

  3. Select the Assign employees task.

  4. Assign the employee you want and save the changes.

To add the first employees to the default application as target system managers

  1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).

  2. Select the One Identity Manager Administration > Target systems > Active Directory category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

  1. Log in to the Manager as a target system manager.

  2. Select the application role in the Active Directory > Basic configuration data > Target system managers category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To specify target system managers for individual domains

  1. Log in to the Manager as a target system manager.

  2. Select the Active Directory > Domains category.

  3. Select the domain in the result list.

  4. Select the Change main data task.

  5. On the General tab, select the application role in the Target system manager menu.

    - OR -

    Next to the Target system manager menu, click to create a new application role.

    1. Enter the application role name and assign the Target systems | Active Directory parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.
  7. Assign employees to this application role who are permitted to edit the domain in One Identity Manager.

NOTE: You can also specify target system managers for individual containers. Target system managers for a container are authorized to edit objects in this container.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating