Chat now with support
Chat with Support

Identity Manager 9.1.2 - Administration Guide for Connecting to SharePoint

Managing SharePoint environments Setting up SharePoint farm synchronization Basic data for managing a SharePoint environment SharePoint farms SharePoint web applications SharePoint site collections and sites SharePoint user accounts SharePoint roles and groups
SharePoint groups SharePoint roles and permission levels
Permissions for SharePoint web applications Reports about SharePoint objects Configuration parameters for managing a SharePoint environment Default project template for SharePoint

Creating an account definition

To create or edit an account definition

  1. In the Manager, select the SharePoint > Basic configuration data > Account definitions > Account definitions category.

  2. Select an account definition in the result list. Select the Change main data task.

    -OR-

    Click in the result list.

  3. Enter the account definition's main data.
  4. Save the changes.

Main data for an account definition

Enter the following data for an account definition:

Table 11: Main data for an account definition

Property

Description

Account definition

Account definition name.

User account table

Table in the One Identity Manager schema that maps user accounts.

Target system

Target system to which the account definition applies.

Required account definition

Specifies the required account definition. Define the dependencies between account definitions. When this account definition is requested or assigned, the required account definition is assigned automatically.

TIP: You can enter this account definition for the associated Active Directory or LDAP domain here. In this case, an Active Directory or LDAP user account is created for the employee first. If this exists, the SharePoint user account is added.

Implement this behavior on a custom basis. Customize TSB_PersonHasAccountDef_AutoCreate_SPSUser to do this.

Description

Text field for additional explanation.

Manage level (initial)

Manage level to use by default when you add new user accounts.

Risk index

Value for evaluating the risk of assigning the account definition to employees. Set a value in the range 0 to 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

For more information, see the One Identity Manager Risk Assessment Administration Guide.

Service item

Service item through which you can request the account definition resource in the IT Shop. Assign an existing service item or add a new one.

IT Shop

Specifies whether the account definition can be requested through the IT Shop. The account definition can be requested by an employee through the Web Portal and distributed using a defined approval process. The resource can also be assigned directly to employees and roles outside the IT Shop.

Only for use in IT Shop

Specifies whether the account definition can only be requested through the IT Shop. The account definition can be requested by an employee through the Web Portal and distributed using a defined approval process. The account definition cannot be directly assigned to roles outside the IT Shop.

Automatic assignment to employees

Specifies whether the account definition is automatically assigned to all internal employees. To automatically assign the account definition to all internal employee, use the Enable automatic assignment to employees The account definition is assigned to every employee that is not marked as external. Once a new internal employee is created, they automatically obtain this account definition.

To automatically remove the account definition assignment from all employees, use the Disable automatic assignment to employees. The account definition cannot be reassigned to employees from this point on. Existing account definition assignments remain intact.

Retain account definition if permanently disabled

Specifies the account definition assignment to permanently deactivated employees.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition if temporarily disabled

Specifies the account definition assignment to temporarily deactivated employees.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on deferred deletion

Specifies the account definition assignment on deferred deletion of employees.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Retain account definition on security risk

Specifies the account definition assignment to employees posing a security risk.

Option set: The account definition assignment remains in effect. The user account remains intact.

Option not set (default): The account definition assignment is not in effect. The associated user account is deleted.

Resource type

Resource type for grouping account definitions.

Spare field 01 - spare field 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Groups can be inherited

Specifies whether the user account can inherit groups through the linked employee. If the option is set, the user account inherits groups through hierarchical roles, in which the employee is a member, or through IT Shop requests.

  • If you add an employee with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.

  • If an employee has requested group membership in the IT Shop and the request is granted approval, the employee's user account only inherits the group if the option is set.

Roles can be inherited

Specifies whether the user account can inherit SharePoint roles through the linked employee. If the option is set, the user account inherits the roles through hierarchical roles, in which the employee is a member, or through IT Shop requests.

Creating manage levels

Specify the manage level for an account definition for managing user accounts. The user account’s manage level specifies the extent of the employee’s properties that are inherited by the user account. This allows an employee to have several user accounts in one target system, for example:

  • Default user account that inherits all properties from the employee.

  • Administrative user account that is associated to an employee but should not inherit the properties from the employee.

One Identity Manager supplies a default configuration for manage levels:

  • Unmanaged: User accounts with the Unmanaged manage level are linked to the employee but they do no inherit any further properties. When a new user account is added with this manage level and an employee is assigned, some of the employee's properties are transferred initially. If the employee properties are changed at a later date, the changes are not passed onto the user account.

  • Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned employee. When a new user account is created with this manage level and an employee is assigned, the employee's properties are transferred in an initial state. If the employee properties are changed at a later date, the changes are passed onto the user account.

NOTE: The Full managed and Unmanaged manage levels are analyzed in templates. You can customize the supplied templates in the Designer.

You can define other manage levels depending on your requirements. You need to amend the templates to include manage level approaches.

Specify the effect of temporarily or permanently disabling, deleting, or the security risk of an employee on its user accounts and group memberships for each manage level. For more information about manage levels, see the One Identity Manager Target System Base Module Administration Guide.

  • Employee user accounts can be locked when they are disabled, deleted, or rated as a security risk so that permissions are immediately withdrawn. If the employee is reinstated at a later date, the user accounts are also reactivated.

  • You can also define group membership inheritance. Inheritance can be discontinued if desired when, for example, the employee’s user accounts are disabled and therefore cannot be members in groups. During this time, no inheritance processes should be calculated for this employee. Existing group memberships are deleted.

IMPORTANT: The Unmanaged manage level is assigned automatically when you create an account definition and it cannot be removed.

To assign manage levels to an account definition

  1. In the Manager, select the SharePoint > Basic configuration data > Account definitions > Account definitions category.

  2. Select an account definition in the result list.

  3. Select the Assign manage level task.

  4. In the Add assignments pane, assign the manage level.

    TIP: In the Remove assignments pane, you can remove assigned manage levels.

    To remove an assignment

    • Select the manage level and double-click .

  5. Save the changes.

To edit a manage level

  1. In the Manager, select the SharePoint > Basic configuration data > Account definitions > Manage levels category.

  2. Select the manage level in the result list. Select Change main data.

    - OR -

    Click in the result list.

  3. Edit the manage level's main data.

  4. Save the changes.

Main data for manage levels

Enter the following data for a manage level.

Table 12: Main data for manage levels
Property Description

Manage level

Name of the manage level.

Description

Text field for additional explanation.

IT operating data overwrites

Specifies whether user account data formatted from IT operating data is automatically updated. Permitted values are:

  • Never: Data is not updated. (Default)

  • Always: Data is always updated.

  • Only initially: Data is only determined at the start.

Retain groups if temporarily disabled

Specifies whether user accounts of temporarily deactivated retain their group memberships.

Lock user accounts if temporarily disabled *)

Specifies whether user accounts of temporarily deactivated employees are locked.

Retain groups if permanently disabled

Specifies whether user accounts of permanently deactivated employees retain group memberships.

Lock user accounts if permanently disabled *)

Specifies whether user accounts of permanently deactivated employees are locked.

Retain groups on deferred deletion

Specifies whether user accounts of employees marked for deletion retain their group memberships.

Lock user accounts if deletion is deferred*)

Specifies whether user accounts of employees marked for deletion are locked.

Retain groups on security risk

Specifies whether user accounts of employees posing a security risk retain their group memberships.

Lock user accounts if security is at risk*)

Specifies whether user accounts of employees posing a security risk are locked.

Retain groups if user account disabled

Specifies whether disabled user accounts retain their group memberships.

NOTE:*) SharePoint user accounts cannot be locked!

When an employee is disabled, deleted, or rated as a security risk their SharePoint user accounts remain enabled. For logging into a SharePoint site collection, you need to know if the user account referenced as an authentication object is locked or disabled. To prevent a disabled, deleted, or security risk employee logging into a SharePoint site collection, manage the user accounts linked as authentication objects using account definitions.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating