立即与支持人员聊天
与支持团队交流

Identity Manager 9.1 - Administration Guide for Connecting to a Universal Cloud Interface

Managing Universal Cloud Interface environments Synchronizing a cloud application in the Universal Cloud Interface
Setting up initial synchronization with a cloud application in the Universal Cloud Interface Customizing the synchronization configuration Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Provisioning object changes Managing cloud user accounts and employees Managing assignments of cloud groups and system entitlements Login information for cloud user accounts Mapping cloud objects in One Identity Manager
Cloud target systems Container structures Cloud user accounts Cloud groups Cloud system entitlements Cloud permissions controls Reports about objects in cloud target systems
Handling cloud objects in the Web Portal Basic data for managing a Universal Cloud Interface environment Configuration parameters for managing cloud target systems Default project template for cloud applications in the Universal Cloud Interface

Providing an administrative user account for multiple employees

Prerequisite
  • The user account must be labeled as a shared identity.

  • A pseudo employee must exist. The pseudo employee must be labeled as a shared identity and must have a manager.

  • The employees who are permitted to use the user account must be labeled as a primary identity.

To prepare an administrative user account for multiple employees

  1. Label the user account as a shared identity.

    1. In the Manager, select the Cloud Target Systems > target system > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity menu, select Shared identity.

  2. Link the user account to a pseudo employee.

    1. In the Manager, select the Cloud Target Systems > target system > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, select the pseudo employee from the Employee menu.

      TIP: If you are the target system manager, you can choose to create a new pseudo employee.

  3. Assign the employees who will use this administrative user account to the user account.

    1. In the Manager, select the Cloud Target Systems > target system > User accounts category.

    2. Select the user account in the result list.

    3. Select the Assign employees authorized to use task.

    4. In the Add assignments pane, add employees.

      TIP: In the Remove assignments pane, you can remove assigned employees.

      To remove an assignment

      • Select the employee and double-click .

Related topics

Privileged user accounts

Privileged user accounts are used to provide employees with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are labeled with the Privileged user account property (IsPrivilegedAccount column).

NOTE: The criteria according to which user accounts are automatically identified as privileged are defined as extensions to the view definition (ViewAddOn) in the TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is done in the TSB_SetIsPrivilegedAccount script.

To create privileged users through account definitions

  1. Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.

  2. If you want to prevent the properties for privileged user accounts from being overwritten, set the IT operating data overwrites property for the manage level to Only initially. In this case, the properties are populated just once when the user accounts are created.

  3. Specify the effect of temporarily or permanently disabling or deleting, or the security risk of an employee on its user accounts and group memberships for each manage level.

  4. Create a formatting rule for the IT operating data.

    You use the mapping rule to define which rules are used to map IT operating data for user accounts and which default values are used if no IT operating data can be determined through a person's primary roles.

    The type of IT operating data required depends on the target system. The following settings are recommended for privileged user accounts:

    • In the mapping rule for the IsPrivilegedAccount column, use the default value 1 and set the Always use default value option.

    • You can also specify a mapping rule for the IdentityType column. The column owns different permitted values that represent user accounts.

    • To prevent privileged user accounts from inheriting the entitlements of the default user, define a mapping rule for the IsGroupAccount column with a default value of 0 and set the Always use default value option.

  5. Enter the effective IT operating data for the target system.

    Specify in the departments, cost centers, locations, or business roles which IT operating data should apply when you set up a user account.

  6. Assign the account definition directly to employees who work with privileged user accounts.

    When the account definition is assigned to an employee, a new user account is created through the inheritance mechanism and subsequent processing.

TIP: If customization requires that the login names of privileged user accounts follow a defined naming convention, specify how the login names are formatted in the template.

  • To use a prefix for the login name, in the Designer, set the TargetSystem | CSM | Accounts | PrivilegedAccount | SAMAccountName_PrefixTargetSystem configuration parameter.

  • To use a postfix for the login name, in the Designer, set the TargetSystem | CSM | Accounts | PrivilegedAccount | SAMAccountName_Postfix configuration parameter.

These configuration parameters are evaluated in the default installation, if a user account is marked with the Privileged user account property (IsPrivilegedAccount column). The user account login names are renamed according to the formatting rules. This also occurs if the user accounts are labeled as privileged using the Mark selected user accounts as privileged schedule. If necessary, modify the schedule in the Designer.

Related topics

Setting deferred deletion for cloud target system user accounts

You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or blocked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.

You have the following options for configuring deferred deletion.

  • Global deferred deletion: Deferred deletion applies to user accounts in all target system. The default value is 30 days.

  • Target system specific deferred deletion: Deferred deletion can be configured individually for each target system. This deferred deletion overrides global deferred deletion.

    To enable deferred deletion separately for each target system

    1. In the Manager, configure deferred deletion for the target system.

      1. In the Manager, select the Cloud target systems > Basic configuration data > Cloud target systems category.

      2. In the result list, select a target system and run the Change main data task.

      3. On the General tab, under Deferred deletion [days], enter the deferred deletion value in days.

      4. Save the changes.
    2. In the Designer, create a Script (deferred deletion) in the CSMUser table.

      Example:

      Deferred deletion of user accounts in a cloud target system depends on the deferred deletion of the target system (UNSRootB.DeleteDelayDays). The following script is given in the CSMUser table.

      If $FK(UID_CSMRoot).DeleteDelayDays:Int$ > 0 Then

      Value = $FK(UID_CSMRoot).DeleteDelayDays:Int$

      End If

  • Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.

    To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the CMSUser table.

    Example:

    Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.

    If Not $IsPrivilegedAccount:Bool$ Then

    Value = 10

    End If

For more information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.

Related topics

Managing assignments of cloud groups and system entitlements

Groups and system entitlements represent the objects used in the cloud application to control access to the cloud resources. A user account obtains the necessary permissions to access cloud resources by assigning it to groups and system entitlements.

In One Identity Manager, you can assign cloud groups and system entitlements directly to user accounts or they can be inherited through departments, cost centers, locations, or business roles. Users can also request the groups and system entitlements through the Web Portal. To do this, groups and system entitlements are provided in the IT Shop.

Detailed information about this topic
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级