Chat now with support
Chat with Support

Identity Manager 9.1.2 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Simulating permissions for system users

By simulating the permissions in the Permissions Editor, you can see which permissions a system user has based on their permissions group. You can specify which permissions groups of a system user to include in the simulation. The result displayed shows which of the selected permissions groups has which table permissions and column permissions. Effective permissions for the system user are also displayed.

NOTE: Simulation mode remains active until you end it. In simulation mode, you can edit permissions group permissions and update simulation data.

To run a simulation:

  1. In the Designer, select the Permissions category.

  2. Start the Permissions Editor using the Edit translation in database task.

  3. From the Simulation > Start simulation menu, start the simulation wizard.

  4. On the start page of the wizard, click Next.

  5. On the Simulation base configuration page, select the following data.

    • User: Select the system user whose permissions you want to simulate.

    • Direct groups: Use this button to select all permissions groups that are directly assigned to the system user.

    • All groups: Use this button to select all permissions groups that are directly assigned to the system user as well as all permissions groups that the system user inherits indirectly.

    • Permissions groups: Select individual permissions groups directly. Use Ctrl + select to select multiple permissions groups.

  6. On the Simulation configuration page, specify the tables for which the permissions are simulated.

    • In the Selected tables pane, all tables of the One Identity Manager schema are selected. If necessary, limit the selection to individual tables. Click None to undo the selection. Use Shift + select to select individual tables.

    • Using the Context table menu, you can specify a table from which you can view the resulting implicit permissions for the foreign key columns display values.

      Example:

      For the Employee table, viewing permissions have been assigned to the UID_Org column. As a result, viewing permissions are implicitly assigned to columns of the Org table that are used as a display template, for example, Org.Ident_Org.

      To simulate this example, select the Employee table under Context table and the Org table under Selected tables.

  7. The processing progress of the simulation is displayed on the Simulation page. The simulation process can take some time.

  8. To end the wizard, click Finish on the last page.

    After you complete simulation wizard, the system user's effective table permissions and column permissions are displayed in the upper part of the Permissions Editor in the Simulation view.

  9. To determine which table permission or column permission results from which of the system user's permissions groups, select the table or column in the upper part of the Permissions Editor.

    The permissions and permissions groups are displayed in the Permissions simulation view in the lower part of the Permissions Editor.

  10. To end the simulation mode, select the Simulation > End simulation menu.

    The simulation data is deleted and the Permissions simulation view is closed.

Displaying permissions for objects

You can display object properties and permissions in One Identity Manager tools.

NOTE: The Manager must be running in expert mode to show object properties.

To view an object's permissions

  1. Select the object and open the Properties context menu.

  2. Select the Permissions tab.

    On the Permissions tab, based on the permissions groups, you see what permissions apply to an object. The first entry shows the basic permissions for the table. The permissions for this particular object are displayed beneath that. The other entries show the column permissions.

    TIP: Double-click the table entry, the object entry, or a column entry to display the permissions group from which the permissions were determined.

    Table 26: Icon used for permissions
    Icon Meaning

    Permissions exist.

    Permissions have been removed by the object layer.

    Permissions limited by conditions.

Displaying permissions for the current user

To get more information about the current user

  • To display user information, double-click the icon in the program status bar.

Table 27: Extra information about the current user
Property Meaning

System users

Name of system user

Authenticated by

Name of the authentication module used for logging in.

Employee UID (UserUID)

Unique ID for the current user’s employee if an employee related authentication module is used to log in.

SQL access level

Access level of the database server used to log in.

Read-only

The system user has only has read permissions. Modification to data are not possible.

Dynamic user

The current user uses a dynamic system user. Dynamic system users are applied when a role-based authentication module is used.

Administrative user

The current user uses an administrative system user.

Remarks

More details about the system user in use.

Permissions group

Permissions groups that are assigned to the system user. The permissions groups determine the user's user interface and object permissions.

Program functions

Program functions assigned to the system user The menu items and functions available depend on the program functions.

Assigning role-based permissions groups to an applications

If you assign a permissions group to an application, the permissions of the group apply only to this application. When a user logs on to the application, they receive the permissions of the permissions group in addition to their own permissions.

To assign a role-based permissions group to an application

  1. In the Designer, select the Permissions > Permissions groups > Role based permissions groups category.

  2. Select View > Select table relations and enable the DialogGroupInProductLimited table.

  3. In the List Editor, select the permissions group.

  4. Assign the application in the Applications edit view.

  5. Select the Database > Commit to database and click Save.

For more information about applications in One Identity Manager, see the One Identity Manager Configuration Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating