Chat now with support
Chat with Support

Identity Manager 9.2.1 - Cloud Access Governance Administration Guide

Basic Data for managing Azure Cloud System

To manage an Azure cloud system environment in One Identity Manager, the following basic data is relevant.

Target system managers

A default application role exists for the target system manager in One Identity Manager. Assign the identities who are authorized to read all Azure related objects and the Active directory User, Group and Service Principal objects for the Azure Active Directory tenants in One Identity Manager to this application role. Define additional application roles if you want to limit the edit or view permissions for target system managers to individual tenants. The application roles must be added under the default application role.

For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers

  • The One Identity Manager administrator assigns identities to be target system managers.
  • These target system managers add identities to the default application role for target system managers. Target system managers with the default application role are authorized to edit all tenants in One Identity Manager.
  • Target system managers can authorize other identities within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual connections.

Default Application Roles for Target System Managers

Table 12: Default Application Roles for Target System Managers

Users

Tasks

Target system managers

Target system managers must be assigned to Target systems | Azure Cloud Access Governance or a sub-application role. Users with this application role:

Assume administrative tasks for the target system.

  • Read objects like user accounts, groups, service principals, Management groups, subscriptions, resource groups, resource, roles and role assignments.

  • Configure synchronization in the Synchronization Editor and defines the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other identities within their area of responsibility as target system managers and create child application roles if required.

To initially specify identities to be target system administrators

  1. Log in to One Identity Manager as Manager administrator (Base role | Administrators).

  2. Select One Identity Manager Administration | Target systems | Administrators.

  3. Select Assign identities.

To add the first identities to the default application as target system managers

  1. Log into One Identity Manager as Target System Administrator (Target systems | Administrators).

  2. Select One Identity Manager Administration | Target systems | Azure Cloud Access Governance.

  3. Select Assign identities in the Task view.

  4. Assign the identities you want and save the changes.

To authorize other identities as target system managers when you are a target system manager

  1. Log into One Identity Manager as target system manager.

  2. Select the application role in Azure Cloud Access Governance | Basic configuration data | Target system managers.

  3. Select Assign identities.

  4. Assign the identities you want and save the changes.

To specify target system managers for individual clients

  1. Log into One Identity Manager as target system manager.

  2. Select Azure Cloud Access Governance | Tenants.

  3. Select the client from the result list.

  4. Select Change master data.

  5. On the General tab, select the application role in the Azure Cloud System manager field.

    NOTE: In case the Azure Cloud Target System Manager field is not present, install the AAD.Forms.vif refer to KB article (CIM Enhancement for AAD Module).

  6. Next to the Target system manager menu, click to create a new application role.

    1. Enter the application role name and assign the Target systems | Azure Cloud Access Governance parent application role.

    2. Click OK to add the new application role.

  7. Save the changes.

  8. Assign identities to this application role who are permitted to edit the client in One Identity Manager.

 

Azure Active Directory Tenant

You must provide details about your organization the first time you register for a Microsoft cloud service. This detailed information is used to make a new Azure Active Directory partition. The organization represents one Azure Active Directory tenant. In One Identity Manager, you can edit the main data of each Azure Active Directory tenant.

However, you cannot create new Azure Active Directory tenants in One Identity Manager.

General Master Data for Microsoft Azure Connection

To edit CIM Target system manager for Azure Active Directory tenant data

  1. In the Manager, select the Azure Active Directory > Tenants category.

  2. In the result list, select the Azure Active Directory tenant.

  3. Select the Change main data task.

  4. Edit the Azure Cloud Target System Manager field for Azure Active Directory tenant.

  5. Save the changes.

Detailed information about this topic

More details can be found in Azure Active Directory Synchronization Admin Guide

 

Managing Azure Cloud System Objects

The following are the Azure objects that are synchronized from the target azure tenant.

Azure Scope Objects

Root Scope(/)

RootScope is the top most level scope above the management group. If the user's access is elevated, the user is assigned the User Access Administrator role in Azure at root scope (/). All role assignments defined at the rootscope will be inherited at all levels below. Role assignments at the rootscope can be defined using Azure PowerShell, Azure CLI, or the REST API.

Management Group

Management Groups provide a scope above Subscriptions. All Subscriptions within a Management Group inherit conditions applied at the management group. Governance policies can be applied to Management Group so that Subscriptions inherit it. By default, all Azure Tenants automatically have a Root Management Group created.

Each directory is given a single top-level management group called the root management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it.

Azure management groups support Azure role-based access control for all resource accesses and role definitions. These permissions are inherited to child resources that exist in the hierarchy.

Subscription

Azure Subscriptions are the container that hosts all Azure Resources. It is the Resource access and billing boundary

Resource Groups

Azure Resource Group is a container that holds the related resources needed for a particular solution. Resource Groups are created under an Azure Subscription.

The resource group stores metadata about the resources. Therefore, when you specify a location for the resource group, you are specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data is stored in a particular region.

Resources

Azure Resource is the entity such as virtual machine that is managed by Azure.

These are the building blocks of an Azure IT environment. The resources are organized into Resource Groups inside of an Azure subscription. There are billable and non-billable resources. Billable resources have a Meter attached to them that runs while the resource is provisioned.

Roles

Azure Roles is a collection of permissions and defines the following:

  • List of Actions that can be performed the Resource

  • List of Actions that are excluded from the allowed list of Actions

  • List of Actions that can be performed on the underlying data

  • List of Actions that are excluded from the allowed list of data actions

Role definitions are created at a particular scope (Management Group / Subscriptions / Resource Group) and can be assigned to AAD Users / AAD Service Principal / AAD Managed Identities at the scope at which Role was created or at a child scope level. Example: The Built in Owner role was created at the Root Management Scope level. This role can be assigned to an AADUser at the Management scope level or at a child scope level such as Subscription or Resource.

Built in Roles

Built in Roles are created by Azure at Root Management Group Scope and cannot be modified.

Custom Roles

Custom Roles can be created and assigned multiple scopes at Management Group / Subscriptions / Resource Group level.

Locations / Regions

Azure Regions contain the Azure Data Centers. When a Resource Group / Resource is created we select the Azure Region where the resource is created, and its data resides

Resource Types

Azure Resource Provider is a service that supplies resources. Example Microsoft.Compute. Resource Types are resources available through the Resource Provider. Example VMs. Each Resource Type is available for deployment on certain regions. The API lists the regions on which a particular Resource Type is available for deployment.

Role Assignments

Built in Roles and Custom Roles can be assigned to AAD User, AAD Service Principal, AAD Group and Managed Identities at various scopes. The roles are also inherited based on scope hierarchy.

 

 

Role Assignment to Security Principals

Role assignment to Security Principals helps you to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals at a particular scope.

You can assign and remove roles from a security principal in One Identity Manager, which can be provided to target system by provisioning.

To add role assignment to a user, group, service principal or managed identity, you can assign the role directly or it can be added indirectly through the IT Shop.

Assigning Azure Roles directly to the AAD Security Principal

Azure Role can be assigned to the AAD security principal directly.

To assign Azure Role directly to the AAD User

  1. In One Identity Manager, navigate to Azure Active Directory.
  2. Select the User account to which the Azure role must be assigned.
  3. Select Assign Azure Role Scope Mapping from Tasks.
  4. To add the Role, select the role scope mapping from the Add assignments list.
  5. Save the changes.

To assign Azure Role directly to the AAD Group

  1. In One Identity Manager, navigate to Azure Active Directory.
  2. Select the Group to which the Azure role must be assigned.
  3. Select Assign Azure Role Scope Mapping from Tasks.
  4. To add the Role, select the role scope mapping from the Add Assignments list.
  5. Save the changes.

To assign Azure Role directly to the AAD Service Principal

  1. In One Identity Manager, navigate to Azure Active Directory.
  2. Select the Service Principal to which the Azure role must be assigned.
  3. Select Assign Azure Role Scope Mapping from Tasks.
  4. To add the Role, select the role scope mapping from the Add Assignments list.
  5. Select the Role Scope mapping from the dropdown list.
  6. Save the changes.

To add new Role Scope Mapping

A new Role Scope Mapping for Role Assignment can also be created from Tenant node from Azure Cloud Access Governance in One Identity Manager.

  1. In One Identity Manager, navigate to Azure Cloud Access Governance.
  2. To view/add Role Scope Mapping for specific tenant, Click on Tenants
  3. Extend the node of Tenant where you want to add the Role Scope Mapping
  4. Select Role Scope Mapping
  5. To add new Role Scope mapping click on ‘+’ button.
  6. Click on Add new dynamic key button 
  7. Select Scope from Table and item from scope as per requirement.
  8. Click on Ok.
  9. Save the changes.
  10. To view/add for All Tenants, after clicking on Node ‘Tenants’ follow the same procedure from Step 4

Assigning Azure Roles to the AAD Security Principal through ITShop

Azure Role can be assigned to the AAD Security Principal through ITShop. Identity with Azure Active Directory account can raise request for Role Assignment for his own user account, any AAD Group and any AAD Service Principal belonging to the tenant.

Once the request is raised, the owner of the scope object for which role assignment request is created (scope here refers to management group, subscription, resource group or resource) approves the request.

The way approval works is that if the owner of the scope object is not found, then request for approval is sent to the owner of the parent scope object and so on in the hierarchy and if none of the scope object owners are configured, the request for approval goes to the Target System Manager.

The hierarchy for approval workflow is:

Resource Scope Owner -> Resource Group Scope Owner -> Subscription Scope Owner -> Management Group Scope Owner -> Parent Management Group Scope Owner -> Tenant Root Scope Owner -> Target System Manager.

To assign Azure Role to the AAD Security Principal through ITShop

  1. Login in to ITShop portal
  2. Add new request
  3. Request Product from ITShop to Add to cart:
    1. Azure Infrastructure Azure AD Group Role Assignment, Azure Infrastructure Azure AD Service Principal Role Assignment, Azure Infrastructure Azure AD User Role Assignment.
  4. Enter required values:
    1. AAD Organization Name, AAD Group/Service Principal/User Name, Azure Scope, Azure Roles
  5. Click Submit.
  6. Once approved by approver, the role assignment will be done.

Remove Azure Roles directly from AAD Security Principal

Azure Role Assignments can be removed for an AAD User, AAD Group or AAD Service Principal. Using One Identity Managers role assignments done at Root Scope can also be removed.

To remove Azure Role from the AAD User

  1. In One Identity Manager, navigate to Azure Active Directory.
  2. Select the User account from which the Azure role must be assigned.
  3. Select Assign Azure Role Scope Mapping from Tasks.
  4. To remove the Role Assignment, select the role scope mapping from the Remove Assignments list.
  5. Save the changes.

To remove Azure Role from the AAD Group

  1. In One Identity Manager, navigate to Azure Active Directory.
  2. Select the Group from which the Azure role must be removed.
  3. Select Assign Azure Role Scope Mapping from Tasks.
  4. To remove the Role Assignment, select Azure Role Assignment to be removed from the list.
  5. Save the changes.

To remove Azure Role from AAD Service Principal

  1. In One Identity Manager, navigate to Azure Active Directory.
  2. Select the Service Principal from which the Azure role must be removed.
  3. Select Assign Azure Role Scope Mapping from Tasks.
  4. To remove the Role Assignment, select Azure Role Assignment to be removed from the list.
  5. Save the changes.

Remove Azure Roles from AAD Security Principal through IT Shop

To remove Azure Role for an AAD Security Principal through ITShop

  1. Login to the ITShop portal as the user who raised the ITShop request
  2. Go to request history
  3. Click on Details
  4. Click on Unsubscribe Product
  5. Add comment and Save

 

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating