Handling of Active Directory objects in the Web Portal
One Identity Manager enables its users to perform various tasks simply using a Web Portal.
-
Managing user accounts and identities
An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval process. The user account is not created until it has been agreed by an authorized identity, such as a manager.
-
Managing group assignments
When a group is assigned to an IT Shop shelf, the group can be requested by the customers of the shop in the Web Portal. The request undergoes a defined approval process. The group is not assigned until it has been approved by an authorized identity.
In the Web Portal, managers and administrators of organizations can assign groups to the departments, cost centers, or locations for which they are responsible. The groups are passed on to all persons who are members of these departments, cost centers, or locations.
If the Business Roles Module is available, managers, and administrators of business roles can assign groups in the Web Portal to the business roles for which they are responsible. The groups are passed on to all persons who are members of these business roles.
If the System Roles Module is available, supervisors of system roles can assign groups to the system roles in the Web Portal. The groups are passed on to all persons to whom these system roles are assigned.
-
Attestation
If the Attestation Module is available, the correctness of the properties of target system objects and of entitlement assignments can be verified on request. To enable this, attestation policies are configured in the Manager. The attestors use the Web Portal to approve attestation cases.
-
Governance administration
If the Compliance Rules Module is available, you can define rules that identify the invalid group memberships and evaluate their risks. The rules are checked regularly, and if changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check rule violations and to grant exception approvals.
If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.
-
Risk assessment
You can use the risk index of groups to evaluate the risk of entitlement assignments for the company.One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.
-
Reports and statistics
The Web Portal provides a range of reports and statistics about the identities, user accounts, and their entitlements and risks.
For more information about the named topics, see Managing Active Directory user accounts and identities, Managing memberships in Active Directory groups, Default solutions for requesting Active Directory groups and group memberships and refer to the following guides:
-
One Identity Manager Web Portal User Guide
-
One Identity Manager Attestation Administration Guide
-
One Identity Manager Compliance Rules Administration Guide
-
One Identity Manager Company Policies Administration Guide
-
One Identity Manager Risk Assessment Administration Guide
Default solutions for requesting Active Directory groups and group memberships
In One Identity Manager, standard products and default approval workflows are provided for requesting Active Directory groups and membership in these groups through the IT Shop. Permissions in this target system are therefore issued by defined approval processes. In the Web Portal, product owners and target system managers can edit properties of these groups and request changes.
For more information about this, see the One Identity Manager Web Portal User Guide.
Adding Active Directory groups
By requesting this standard product, you can add new security groups or distribution groups in the Active Directory. The requester provides information about the name, container, and domain, if known, of the request. Based on this information, the target system manager specifies the container in which the group will be added and grants approval for the request. The group is created in One Identity Manager and published to the target system.
Prerequisite
If the QER | ITShop | AutoPublish | ADSGroup configuration parameter is set, the group is added to the IT Shop and the assigned to the shelf Identity & Access Lifecycle | Active Directory groups. The group is assigned to the service category Security group or Distribution group respectively.
Table 59: Default objects for requesting an Active Directory group
|
Products |
Creating an Active Directory security group
Creating an Active Directory distribution group |
|
Service category |
Active Directory groups |
|
Shelf |
Identity & Access Lifecycle > Group Lifecycle |
|
Approval policies/approval workflows |
Approval of Active Directory group create requests |
Changing Active Directory groups
Product owners and target system managers can request updates to the group type and group scope of Active Directory groups in the Web Portal. The target system manager must grant approval for these changes. The changes are published in the target system.
Prerequisites
Table 60: Default objects for changing an Active Directory group
|
Product |
Modifying an Active Directory group |
|
Service category |
Not assigned |
|
Shelf |
Identity & Access Lifecycle > Group Lifecycle |
|
Approval policies/approval workflows |
Approval of Active Directory group change requests |
