Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and identities
Account definitions for Active Directory user accounts and Active Directory contacts Assigning identities automatically to Active Directory user accounts Supported user account types Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login credentials for Active Directory user accounts Mapping Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Active Directory contacts

A contact is a non-security principal. That means a contact cannot log into a domain. For example, a contact represents a user out the organization and is mainly used for distribution groups or email purposes.

Related topics

Creating and editing Active Directory contacts

A contact can be connected to an identity in One Identity Manager. You can also manage contacts separately from identities.

NOTE:

  • It is recommended to use account definitions to set up contacts for company identities. If an account definition is used to set up a contact, some of the main data described in the following is composed of the identity’s main data using templates. The amount of data, in this case, is based on the default manage level of the account definitions. The templates supplied should be customized as required.

  • If identities receive their contacts through account definitions, the identities must have a central user account and obtain their IT operating data through assignment to a primary department, primary location or a primary cost center.

To create a contact

  1. In the Manager, select the Active Directory > Contacts category.

  2. Click in the result list.

  3. Edit the contact's main data.

  4. Save the changes.

To edit a contact

  1. In the Manager, select the Active Directory > Contacts category.

  2. Select the contact in the result list and run the Change main data task.

  3. Edit the contact's main data.

  4. Save the changes.

To manually assign or create a contact for an identity

  1. In the Manager, select the Identities > Identities category.

  2. Select the identity from the result list and run the Assign Active Directory contacts task.

  3. Assign a contact.

  4. Save the changes.
Detailed information about this topic

General main data for Active Directory contacts

Enter the following general main data.

Table 42: General main data
Property Description

Identity

Identity that uses the contact.

  • An identity is already entered if the contact was generated by an account definition.

  • If you are using automatic identity assignment, when you save the contact, the system searches for an associated identity and adds it to the contact.

  • If you create the contact manually, you can select the identity from the menu.

    The menu displays activated and deactivated identities by default. If you do not want to see any deactivated identities, set the QER | Person| HideDeactivatedIdentities configuration parameter.

NOTE: If you assign a deactivated identity to a user account, the contact might be locked or deleted depending on the configuration.

NOTE: To enable working with identity types, the identities and the contacts also need identity types. You can only link contacts that have an identity type assigned to them, to identities of the same identity type.

No link to an identity required

Specifies whether the contact is intentionally not assigned an identity. The option is automatically set if a contact is included in the exclusion list for automatic identity assignment or a corresponding attestation is carried out. You can set the option manually. Enable the option if the contact does not need to be linked with an identity (for example, if several identities use the contact).

If attestation approves these contacts, these contacts will not be submitted for attestation in the future. In the Web Portal, contact that are not linked to an identity can be filtered according to various criteria.

Not linked to an identity

Indicates why the No link to an identity required option is enabled for this contact. Possible values:

  • By administrator: The option was set manually by the administrator.

  • By attestation: The contact was attested.

  • By exclusion criterion: The contact is not associated with an identity due to an exclusion criterion. For example, the contact is included in the exclude list for automatic identity assignment (configuration parameter PersonExcludeList).

Account definition

Account definition through which the contact was created.

Use the account definition to automatically populate contact main data and to specify a manage level for the contact. One Identity Manager finds the IT operating data of the assigned identity and uses it to populate the corresponding fields in the contact.

NOTE: The account definition cannot be changed once the contact has been saved.

To create the contact manually through an account definition, enter an identity in the Identity field. You can select all the account definitions assigned to this identity and through which no contact has been created for this identity.

Manage level

Contact's manage level. Select a manage level from the menu. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.

First name

The contact’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name

The contact's last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Initials

The contact’s initials. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Title

Contact’s academic title. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Display name

The contact’s display name. The display name is made up of the contact’s first and last names.

Structural object class

Structural object class representing the object type. Possible values:

  • CONTACT: Default object class for contacts.

  • POSIXACCOUNT: Object class for contacts with additional POSIX (Portable Operating System Interface) properties.

Name

The contact’s identifier. The identifier is made up of the contact’s first and last names.

Distinguished name

Contact's distinguished name. The distinguished name is formatted from the contact's identifier and the container and cannot be changed.

Domain

Domain in which to create the contact.

Container

Container in which to create the contact. If you have assigned an account definition, the container is determined from the company IT data for the assigned identity depending on the manage level of the user account. The distinguished name for the contact is determined by a template when the container is selected.

Email address

Contact's email address. If you assigned an account definition, the email address is made up of the identity’s default email address depending on the manage level of the user account.

Risk index (calculated)

Maximum risk index value of all assigned groups. The property is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more information, see the One Identity Manager Risk Assessment Administration Guide.

Category

Category for the contact to inherit groups. Groups and be selectively inherited by contacts. To do this, the groups and contacts are divided into categories. Select one or more categories from the menu.

Description

Text field for additional explanation.

Identity type

Contact's type of identity.

NOTE: To enable working with identity types, the identities and the user accounts also need identity types. You can only link user accounts that have an identity type assigned to them, to identities of the same identity type.

Groups can be inherited

Specifies whether the identity's groups are inherited. If this option is set, contacts inherit groups through hierarchical roles.

If you add an identity with a contact to an apartment, for example, and you have assigned groups to this department, the contact inherits the groups.

Protected from accidental deletion

Specifies whether to protect the contact against accidental deletion. If the option is set, the permissions for deleting the contact are removed in Active Directory. The contact cannot be deleted or moved.

Related topics

Contact data for Active Directory contacts

Enter the data used by this contact for contacting the identity by telephone.

Table 43: Contact data
Property Description

Phone

Telephone number.

Phone private

Private telephone number.

Fax

Fax number.

Mobile phone

Mobile number.

Pager

Pager number.

Website

Website.

IP telephone number

IP telephone number.

Comment

Text field for additional explanation.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating