
Identity Manager 9.2.1 - Administration Guide for Connecting to Cloud Applications


Groups and system entitlements in cloud applications

Groups and system entitlements represent the objects used in the cloud application to control access to the cloud resources. A user account obtains the necessary permissions to access cloud resources by assigning it to groups and system entitlements.


System entitlement types in cloud applications

Many cloud applications use different entitlement types to manage user entitlements. In addition to groups, these can also be roles or permissions sets, for example. Using synchronization projects created with the Synchronization of a One Identity Starling Connect environment project template, the different types are mapped in the One Identity Manager as follows.

Table 22: Mapping system entitlements in the One Identity Manager

  Type           Table       Display name
  Group          UCIGroup    Groups
  Role           UCIGroup1   System entitlements 1
  Profiles       UCIGroup2   System entitlements 2
  Entitlement    UCIGroup3   System entitlements 3
  Permissionset  UCIItem     Permissions controls

NOTE: In synchronization projects created with a One Identity Manager version older than 8.2, objects of type Profile are also mapped in the UCIItem table.

A user account obtains the required entitlements for accessing target system resources through its assignments to groups or system entitlements. Depending on the target system, assignments are maintained either on user accounts (user-based assignment) or on system entitlements (entitlement-based assignment). When setting up synchronization using the One Identity Starling Connect synchronization project template, the SCIM connector determines the object type that stores the assignments. Memberships are mapped in the following tables:

Table 23: User-based assignment

  Table              Description
  UCIUserHasGroup    Groups: Assignments to user accounts
  UCIUserHasGroup1   System entitlement 1: Assignments to user accounts
  UCIUserHasGroup2   System entitlement 2: Assignments to user accounts
  UCIUserHasGroup3   System entitlement 3: Assignments to user accounts
  UCIUserHasItem     User accounts: Permission control assignments

Table 24: Entitlement-based assignment

  Table              Description
  UCIUserInGroup     User accounts: Assignment to groups
  UCIUserInGroup1    User accounts: Assignment to system entitlements 1
  UCIUserInGroup2    User accounts: Assignment to system entitlements 2
  UCIUserInGroup3    User accounts: Assignment to system entitlements 3

Assignments for the Permissionset type are always user-based.

By default, only groups are mapped by synchronization projects created with the SCIM Synchronization project template. The SCIM connector determines which object type stores the assignments and maps them accordingly either in the UCIUserHasGroup table or in the UCIUserInGroup table.

The types of system entitlements used, and whether the assignments are saved with the user accounts or with the system entitlements, are stored with the cloud application.

To display the types of system entitlements used

  1. In the Manager, select the Universal Cloud Interface > Basic configuration data > Cloud applications category.

  2. In the result list, select a cloud application and select the Change main data task.

    • System entitlement types used: List of types of system entitlements used in the cloud application.

    • User account has memberships: List of system entitlement types with user-based assignments. For types not listed here, the assignments are stored with the system entitlements.

TIP: If the cloud application schema cannot be adequately represented by any default project template, customize the synchronization configuration. At the same time, define how the system entitlements are mapped in the One Identity Manager schema. When you are setting up synchronization, ensure that the base object for the cloud application (CSMRoot) is created in the database and that the System entitlement types used (GroupUsageMask) and User account has memberships (UserContainsGroupList) properties are set correctly.
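The practical consequence of the two storage models above is that any access review or reconciliation that reads memberships must consult the cloud application's settings first: a type listed under User account has memberships is found in the UCIUserHas* tables, every other type in the UCIUserIn* tables, and Permissionset always in UCIUserHasItem. The following added example (not code from the One Identity documentation or product) resolves one user's effective entitlements that way. The table names are those from Tables 22 to 24; the column names (UID_UCIUser, UID_<table>, DisplayName), the in-memory SQLite schema, the constructed sample rows and the representation of GroupUsageMask and UserContainsGroupList as Python sets are assumptions made for this example.

```python
"""Resolve a cloud user's effective entitlements from the Universal Cloud
Interface membership tables.

Added example, not One Identity code. Table names follow Tables 22-24; column
names, the SQLite schema and the set-based representation of the cloud
application's GroupUsageMask / UserContainsGroupList properties are assumed.
"""
import sqlite3

# Per system entitlement type: entitlement table, user-based membership table,
# entitlement-based membership table. Permissionset assignments are always
# user-based, so that type has no entitlement-based table.
MEMBERSHIP_TABLES = {
    "Group":         ("UCIGroup",  "UCIUserHasGroup",  "UCIUserInGroup"),
    "Role":          ("UCIGroup1", "UCIUserHasGroup1", "UCIUserInGroup1"),
    "Profiles":      ("UCIGroup2", "UCIUserHasGroup2", "UCIUserInGroup2"),
    "Entitlement":   ("UCIGroup3", "UCIUserHasGroup3", "UCIUserInGroup3"),
    "Permissionset": ("UCIItem",   "UCIUserHasItem",   None),
}


def membership_table(ent_type, user_based_types):
    """Pick the table that holds assignments for one entitlement type.

    user_based_types stands in for UserContainsGroupList (assumed as a set):
    types listed there keep assignments on the user account, all others keep
    them on the entitlement.
    """
    _, has_table, in_table = MEMBERSHIP_TABLES[ent_type]
    if in_table is None or ent_type in user_based_types:
        return has_table
    return in_table


def effective_entitlements(conn, user_uid, types_used, user_based_types):
    """Return sorted (type, display name) pairs for every entitlement the user holds.

    types_used stands in for GroupUsageMask (assumed as a set): only those
    types are queried, so a type the application does not use adds no rows.
    """
    found = []
    for ent_type in types_used:
        ent_table, _, _ = MEMBERSHIP_TABLES[ent_type]
        key = "UID_" + ent_table
        link = membership_table(ent_type, user_based_types)
        # Table and column names come from the fixed dictionary above, never
        # from caller input; the only caller-supplied value is bound as ?.
        rows = conn.execute(
            f"SELECT e.DisplayName FROM {ent_table} e "
            f"JOIN {link} m ON m.{key} = e.{key} WHERE m.UID_UCIUser = ?",
            (user_uid,),
        ).fetchall()
        found.extend((ent_type, name) for (name,) in rows)
    return sorted(found)


def build_demo_db():
    """Create the assumed schema and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    for ent_table, has_table, in_table in MEMBERSHIP_TABLES.values():
        key = "UID_" + ent_table
        conn.execute(f"CREATE TABLE {ent_table} ({key} TEXT PRIMARY KEY, DisplayName TEXT)")
        conn.execute(f"CREATE TABLE {has_table} (UID_UCIUser TEXT, {key} TEXT)")
        if in_table:
            conn.execute(f"CREATE TABLE {in_table} (UID_UCIUser TEXT, {key} TEXT)")
    # Constructed sample: groups are entitlement-based, roles are user-based.
    conn.executemany("INSERT INTO UCIGroup VALUES (?, ?)",
                     [("G-1", "Finance Readers"), ("G-2", "Finance Approvers")])
    conn.execute("INSERT INTO UCIGroup1 VALUES ('R-1', 'Billing Admin')")
    conn.execute("INSERT INTO UCIItem VALUES ('P-1', 'Manage Users')")
    conn.execute("INSERT INTO UCIUserInGroup VALUES ('U-1', 'G-1')")
    conn.execute("INSERT INTO UCIUserHasGroup1 VALUES ('U-1', 'R-1')")
    conn.execute("INSERT INTO UCIUserHasItem VALUES ('U-1', 'P-1')")
    conn.execute("INSERT INTO UCIUserInGroup VALUES ('U-2', 'G-2')")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    used, user_based = {"Group", "Role", "Permissionset"}, {"Role"}
    for uid in ("U-1", "U-2"):
        print(uid, effective_entitlements(db, uid, used, user_based))
```

The last point worth noticing is the failure mode: if the settings say a type is user-based but the connector wrote the assignments to the entitlement-based table (or vice versa), the query above returns nothing for that type, and a review built on it silently under-reports access. That is why the TIP insists the GroupUsageMask and UserContainsGroupList properties on CSMRoot be correct before synchronization starts.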

Groups in cloud applications

To display a group's main data

  1. In the Manager, select the Universal Cloud Interface > <cloud application> > Groups category.

  2. Select the group in the result list.

  3. Select the Show main data task.

To display a system entitlement's main data

  1. In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 1 category.

    - OR -

    In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 2 category.

    - OR -

    In the Manager, select the Universal Cloud Interface > <cloud application> > System entitlements 3 category.

  2. Select the system entitlement in the result list.

  3. Select the Show main data task.


General main data for groups in cloud applications

You are provided with the following general main data of a group.

Table 25: Entering main data of a group

  Property            Description
  Name                Name of the group.
  Container           The group's container.
  Cloud application   The group's cloud application.
  Distinguished name  Distinguished name of the group.
  Display name        Name for displaying the group in the user interface of One Identity Manager tools.
  Group name          Additional name for the group.
  Email address       Group's email address.
  Account manager     Manager responsible for the group.
  Description         Text field for additional explanation.
  Group type          Unique group type ID, used for example when groups of different types are supplied through one and the same SCIM endpoint.
  Resource type       Resource type identifier. The resource type corresponds to a SCIM endpoint, /Groups for example.
