Chat now with support
Chat with Support

Identity Manager 9.2 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable Secure Token Server Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Displaying permissions for tables

In the Permissions Editor, the Summary of all permissions view displays the permissions groups that have permissions for the selected column. The permissions in this view cannot be edited.

NOTE: To display the Summary of all permissions view, go to the Permissions Editor and enable View > Object permissions menu. The view is displayed in the lower area of the Permissions Editor.

To display all permissions for a table and its columns

  1. In the Designer, select the table in the Permissions > By tables category.

  2. Start the Permissions Editor using the Edit permissions for table task.

    The Summary of all permissions view displays the permissions groups that have permissions for the selected table.

    TIP: To display a permissions filter completely, click a condition in the view.

  3. (Optional) To display all the column permissions, open the table entry in the upper part of the Permissions Editor and select a column.

    The Summary of all permissions view displays the permissions groups that have permissions for the selected column.

Editing table permissions

Use the table permissions to grant permissions to display, insert, edit, and delete the objects. You can define conditions to further limit the permissions for the objects. You can use the conditions, for example, to link the editability of the identities to their last names. For instance, users can be given read-only access to the identities whose last names begin with A-F, whereas they can edit identities with last names beginning with G-Z.

NOTE: Permissions are always edited in the Permissions Editor for the permissions group that you selected in the Permissions Editor toolbar in the Permissions group menu. If you wish to grant permissions for another permissions group, first select this permissions group in the menu and then edit the permissions.

To edit the table permissions for a permissions group

  1. In the Designer, select the Permissions category.

  2. Start the Permissions Editor using the Edit translation in database task.

  3. In the Permissions Editor toolbar in the Permissions group menu, select the permissions group for which you want to grant the permissions.

  4. Select the table at the top of the Permissions Editor.

    TIP: Use Shift + select or Ctrl + select to select multiple tables.

  5. In the Permissions section, edit the permissions for the permissions group.

    • To insert new permissions, select the New context menu and enable the associated check boxes. Grant the following permissions:

      • Viewable: The table data is displayed.

      • Insertable: New data can be added to the table.

      • Editable: Table data can be edited.

      • .Deletable: Table data can be deleted

      NOTE: If you grant the Insertable, Editable, or Deletable permissions, the Viewable permission is also granted.

    • To withdraw permissions, disable the associated checkbox.

    • Use the Delete context menu, to withdraw all permissions from a table.

  6. (Optional) To specify other conditions for table permissions, go to the lower part of the Permissions Editor and switch to the Group permissions for table view and select the Permissions filter tab.

    NOTE: You can only define permissions filters for the tables that map application data.

    • Enter the conditions as valid WHERE clauses for database queries. You can enter the following permissions filters.

      • Viewing Condition: Limiting condition for displaying data sets.

      • Edit condition: Limiting condition for editing data sets.

      • Insert condition: Limiting condition for inserting data sets.

      • Deletion condition: Limiting condition for deleting data sets.

      Example: Permissions filter

      A user should be able to see all identities, but only edit the identities whose last names begin with B. Specify the limiting edit condition as follows, for example:

      Lastname like 'B%'

      TIP: Use the SQL check button to test the condition. This checks the syntax. The number of objects that match the condition is returned.

  7. Select the Database > Commit to database and click Save.

Related topics

Editing column permissions

IMPORTANT:

  • If you grant permissions to columns, you must also grant the permissions to the tables. For example, a column is only viewable if the table is also viewable.

  • To insert objects into a table, the Insert permission is required at least for the mandatory fields in the table.

  • If you grant Insert or Edit permissions, View permissions are also granted.

  • Column definition allows you to use scripts to conditionally display or edit a column. For example, in this way you can control whether or not a column, on a main data form in the Manager, is displayed or can be edited only if another column has a specific value. The script does not change the user’s permissions but simply the behavior if the object is loaded in one of the One Identity Manager tools. For more information about editing column definitions, see the One Identity Manager Configuration Guide.

NOTE: Permissions are always edited in the Permissions Editor for the permissions group that you selected in the Permissions Editor toolbar in the Permissions group menu. If you wish to grant permissions for another permissions group, first select this permissions group in the menu and then edit the permissions.

To edit column permissions for a permissions group

  1. In the Designer, select the Permissions category.

  2. Start the Permissions Editor using the Edit permissions task.

  3. In the Permissions Editor toolbar in the Permissions group menu, select the permissions group for which you want to grant the permissions.

  4. Select the table at the top of the Permissions Editor and select the column.

    TIP: Use Shift + select or Ctrl + select to select multiple columns.

  5. In the Permissions section, edit the permissions for the permissions group.

    • To insert new permissions, select the New context menu and enable the associated check boxes. Grant the following permissions:

      • Viewable: The column is displayed.

      • Editable: The value in the column can be changed.

      • Insertable: The value of the column can be edited when adding a new data record. Once the data record has been saved it can no longer be edited.

    • To withdraw permissions, disable the associated checkbox.

    • Use the Delete context menu item, to delete all permissions from a column.

  6. Select the Database > Commit to database and click Save.

Related topics

Copying table permissions and column permissions

To transfer the permissions of a permissions group quickly from one table to another table, you can copy the table permissions and column permissions. Two methods are provided in the Permissions Editor to do this:

  • Copy and Insert: This method copies permissions of the source table (source column) of a permissions group. The permissions are copied for the permissions group that you selected in the Permissions Editor toolbar in the Permissions group menu.

    All copied permissions are inserted for the target table (target column). Already existing permissions for the target table (target column) remain the same.

  • Copy all permissions and Paste all permissions: This method copies all source table (source column) permissions. The initial selection of the permissions group in the Permissions Editor makes no difference here. All permissions from all permissions groups for the source table (source column) are applied.

    All copied permissions are inserted for the target table (target column). Existing permissions for target table (target column) that do not exist for the source table (source column) are removed from the target table (target column).

To copy permissions of a permission group

  1. In the Designer, select the Permissions category.

  2. Start the Permissions Editor using the Edit permissions task.

  3. In the Permissions Editor toolbar in the Permissions group menu, select the permissions group for which you want to grant the permissions.

  4. To transfer the table permissions.

    1. Select the table at the top of the Permissions Editor from which you want to transfer the permissions.

    2. Use the Copy context menu item to copy the permissions to the clipboard.

    3. Select the table at the top of the Permissions Editor from which you want to transfer the permissions.

    4. Use the Insert context menu to insert the permissions.

    5. If necessary, repeat step c) and d) for other tables.

  5. To transfer the column permissions

    1. Select the table at the top of the Permissions Editor and select the column from which you want to transfer permissions.

    2. Use the Copy context menu to copy the permissions.

    3. Select the table at the top of the Permissions Editor and select the column for which you want to transfer permissions.

    4. Use the Insert context menu to insert the permissions.

    5. If necessary, repeat step c) and d) for other columns.

  6. Select the Database > Commit to database and click Save.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating