SharePoint Online group inheritance based on categories
In One Identity Manager, user accounts can selectively inherit groups. To do this, groups and user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The template contains two tables; the user account table and the group table. Use the user account table to specify categories for target system dependent user accounts. In the group table, enter your categories for the target system-dependent groups. Each table contains the category positions position 1 to position 63.
Every user account can be assigned to one or more categories. Each group can also be assigned to one or more categories. The group is inherited by the user account when at least one user account category items matches an assigned group. The group is also inherited by the user account if the group or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when groups are directly assigned to user accounts.
Table 15: Category examples
1 |
Default user |
Default permissions |
2 |
System users |
System user permissions |
3 |
System administrator |
System administrator permissions |
Figure 2: Example of inheriting through categories.
To use inheritance through categories
-
In the Manager, define the categories in the site collection.
-
Assign categories to user accounts through their main data.
-
Assign categories to groups through their main data.
Related topics
Overview of all assignments
The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are identities who own the selected base object. In this case, direct as well as indirect base object assignments are included.
Example:
-
If the report is created for a resource, all roles are determined in which there are identities with this resource.
-
If the report is created for a group or another system entitlement, all roles are determined in which there are identities with this group or system entitlement.
-
If the report is created for a compliance rule, all roles are determined in which there are identities who violate this compliance rule.
-
If the report is created for a department, all roles are determined in which identities of the selected department are also members.
-
If the report is created for a business role, all roles are determined in which identities of the selected business role are also members.
To display detailed information about assignments
-
To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
-
Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain identities with the selected base object.
All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are identities with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.
-
Double-click a control to show all child roles belonging to the selected role.
-
By clicking the button in a role's control, you display all identities in the role with the base object.
-
Use the small arrow next to to start a wizard that allows you to bookmark this list of identities for tracking. This creates a new business role to which the identities are assigned.
Figure 3: Toolbar of the Overview of all assignments report.
Table 16: Meaning of icons in the report toolbar
|
Show the legend with the meaning of the report control elements |
|
Saves the current report view as a graphic. |
|
Selects the role class used to generate the report. |
|
Displays all roles or only the affected roles. |
Mapping SharePoint Online objects in One Identity Manager
You use One Identity Manager to manage all objects of the SharePoint Online that are required for the optimization of access control in the target system. These objects are imported into the One Identity Manager database during synchronization. You cannot display or edit their properties in the Manager.
Detailed information about this topic
SharePoint Online tenants
A SharePoint Online tenant is the base object of a SharePoint Online system. A SharePoint Online tenant must have a direct relationship to an Azure Active Directory tenant. There is only one tenant for each connected SharePoint Online system.
SharePoint Online tenants are used to configure provisioning processes, automatic assignment of identities to user accounts, and to pass down groups to user accounts through categories within a SharePoint Online.
NOTE: SharePoint Online tenants cannot be created in One Identity Manager. The Synchronization Editor sets up SharePoint Online the tenants in the One Identity Manager database.
Detailed information about this topic