Identity Manager 9.1.3 - Administration Guide for Connecting to SharePoint

Permissions for SharePoint web applications

You can define user policies in SharePoint that guarantee permissions across all sites in a site collection. These user policies overlay all permissions that are defined individually on the sites. User policies are based on the authentication objects from which SharePoint user accounts are created; these authentication objects can be stored as the authentication object of a user policy.

User policies obtain their permissions through permission policies. SharePoint permissions are explicitly granted or denied in permission policies.

Figure 5: Permissions for SharePoint web applications through policies

You define user policies and permission policies for a web application. User policies therefore implicitly apply to all sites of the web application. You can limit them to single zones or allow them for the entire web application.

SharePoint permission policies

On the permission policy overview form, you can view the web application and the user policies to which the permission policy is assigned. All explicitly granted or denied permissions are listed.

To obtain an overview of a permission policy

  1. Select the SharePoint > Permission policies category.
  2. Select the permission policy from the result list.
  3. Select the SharePoint permission policy overview task.

The denied SharePoint permission "Deny write" is displayed. SharePoint internally bundles several single permissions that appear only as single permissions in the SharePoint interface. One Identity Manager maps the SharePoint internal (bundled) permission, which is why only the permission "Deny write" appears in the One Identity Manager interface. The single permissions are therefore not known to One Identity Manager.
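As an added example (not part of this guide or of One Identity Manager's own code), the following SharePoint Server PowerShell script lists the user policies of one web application, both the global ones and the zone-specific ones, with the permission policies bound to each, and expands the grant and deny rights masks into the single permissions that SharePoint bundles behind a name such as Deny Write. It assumes the SharePoint server object model on a farm server and uses a placeholder web application URL; the single permissions it prints are exactly the ones that One Identity Manager does not map.

```powershell
# Added example: audit web application policies on SharePoint Server through the
# server object model. Run in the SharePoint Management Shell on a farm server.
# The web application URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://sharepoint.example.local"   # placeholder
$webApp = Get-SPWebApplication -Identity $webAppUrl

# Turn an SPBasePermissions flag mask into the single permissions it contains.
function Expand-RightsMask {
    param([Microsoft.SharePoint.SPBasePermissions]$Mask)
    [Enum]::GetValues([Microsoft.SharePoint.SPBasePermissions]) |
        Where-Object { $_.ToString() -notin @('EmptyMask', 'FullMask') -and
                       ($Mask -band $_) -eq $_ }
}

# $webApp.Policies holds the global user policies (valid for all zones);
# ZonePolicies($zone) holds the policies of a single zone. Only zones that
# are actually extended (present in AlternateUrls) are inspected.
$sets = @(@{ Scope = 'All zones'; Policies = $webApp.Policies })
$zones = $webApp.AlternateUrls | ForEach-Object { $_.UrlZone } | Sort-Object -Unique
foreach ($zone in $zones) {
    $sets += @{ Scope = "Zone $zone"; Policies = $webApp.ZonePolicies($zone) }
}

foreach ($set in $sets) {
    foreach ($policy in $set.Policies) {
        # Each user policy references one authentication object (user or group).
        "{0}: {1} ({2}) system account: {3}" -f `
            $set.Scope, $policy.DisplayName, $policy.UserName, $policy.IsSystemUser
        foreach ($role in $policy.PolicyRoleBindings) {
            # A permission policy carries a grant mask and a deny mask; a policy
            # type such as DenyWrite bundles several single permissions.
            "    permission policy: $($role.Name) [$($role.Type)]"
            $granted = Expand-RightsMask $role.GrantRightsMask
            $denied  = Expand-RightsMask $role.DenyRightsMask
            if ($granted) { "      grants: $($granted -join ', ')" }
            if ($denied)  { "      denies: $($denied -join ', ')" }
        }
    }
}
```

Because policies overlay every site permission in the web application, reviewing this output alongside the One Identity Manager overview is a quick way to confirm that no authentication object holds a broader policy than the one recorded there.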

SharePoint user policies

User policies have a dynamic foreign key (column AuthenticationObject) that references the corresponding authentication object. An employee can additionally be assigned if the dynamic foreign key references an Active Directory or an LDAP user account.

Each user policy represents an object from an authentication system. This object can be a group or a user.

To edit user policy main data

  1. Select the SharePoint > User accounts category.
  2. Select the SharePoint role in the result list. Select the Change main data task.
  3. Enter the required data on the main data form.
  4. Save the changes.

The following properties are displayed for user policies.

Table 36: Main data for a user policy

Property | Description
Display name | Display name for the user policy.
User account | Specifies whether the user policy's authentication object is a user account.
Login name | Login name for the user policy. It is determined by a template.
System account | Specifies whether the user policy operates as a system account in the SharePoint environment.
Employee | Employee using the user policy. If an authentication object is assigned, the connected employee is determined from the authentication object by a template. If no authentication object is assigned, the employee can be assigned manually. An employee can only be assigned if the User account option is set.
Web application | Unique identifier of the web application for which the user policy is set up.
Zone | Unique identifier of the SharePoint zone for which the user policy is valid.
Authentication object | Authentication object that the user policy references. Each user policy represents an object from an authentication system trusted by the SharePoint installation. If this authentication system is managed as a target system in One Identity Manager, the object used for authentication can be stored as the authentication object of the user policy.

The authentication object is assigned during automatic synchronization. If the User account option is set, the following authentication objects can be assigned:

  • Active Directory user accounts
  • LDAP user accounts

If the User account option is disabled, the following authentication objects can be assigned:

  • Active Directory groups
  • LDAP groups

NOTE: When an authentication object assigned to a SharePoint user policy is deleted from the One Identity Manager database, the link to the authentication object is removed from the user policy. Employees assigned to it remain assigned if necessary.

Global user policies

Global user policies are user policies that are valid for all zones. They are mapped in the SharePoint > Hierarchical view > <farm> > Web applications > <web application> > Global user policies category.

Zone-specific user policies

Zone-specific user policies are user policies that are valid for a single zone of a web application. They are displayed in the SharePoint > Hierarchical view > <farm> > Web applications > <web application> > Zone specific user policies > <zone> category.

Reports about SharePoint objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for SharePoint farms.

NOTE: Other sections may be available depending on which modules are installed.

Table 37: Data quality target system report

Report | Published for | Description
Show overview | User account | This report shows an overview of the user account and the assigned permissions.
Show overview including origin | User account | This report shows an overview of the user account and the origin of the assigned permissions.
Show overview including history | User account | This report shows an overview of the user account including its history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.
Overview of all assignments | Group, Role | This report finds all roles containing employees who have the selected system entitlement.
Show overview | Group, Role | This report shows an overview of the system entitlement and its assignments.
Show overview including origin | Group, Role | This report shows an overview of the system entitlement and the origin of the assigned user accounts.
Show overview including history | Group, Role | This report shows an overview of the system entitlement including its history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.
Show entitlement drifts | Site collection | This report shows all system entitlements that are the result of manual operations in the target system rather than provisioned by One Identity Manager.
Show user accounts overview (incl. history) | Site, Site collection | This report returns all user accounts with their permissions, including a history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.
Show user accounts with an above average number of system entitlements | Site collection | This report contains all user accounts with an above average number of system entitlements.
Show employees with multiple user accounts | Site collection | This report shows all employees that have multiple user accounts. The report contains a risk assessment.
Show system entitlements overview (incl. history) | Site, Site collection | This report shows the system entitlements with the assigned user accounts, including a history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.
Overview of all assignments | Web applications, Site collection | This report finds all roles containing employees with at least one user account in the selected target system.
Show unused user accounts | Site collection | This report contains all user accounts that have not been used in the last few months.
Show orphaned user accounts | Site collection | This report shows all user accounts to which no employee is assigned.
