立即与支持人员聊天
与支持团队交流

Identity Manager 9.1.3 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Certification of applications roles

NOTE: This function is only available if the Attestation Module is installed.

The certification status of application roles can be set manually or by regular attestation. To set certification status by attesting, configure the attestation policies accordingly.

To manually change the certification status of an application role

  1. In the Manager, edit the application role's main data.

  2. In the Certification status field, enter the required value.

  3. Save the changes.

To change the certification status of application roles by attestation

  1. In the Manager, select the Attestation > Attestation policies category.

  2. In the result list, select the attestation policy whose attestation runs will adjust the certification status.

  3. If the certification status is to change to Certified when attestation is approved, enable the Set certification status to "Certified".

  4. If the certification status is to be changed to Denied when attestation is denied, enable Set certification status to "Denied".

  5. Save the changes.

One Identity Manager provides default procedures for managers to quickly attest and certify the main data of newly added application roles in the One Identity Manager database. Attestation is performed only for application roles with the New certification status. If the attestation is approved, the certificate status of the attested application role is set to Certified and otherwise, to Denied.

NOTE: If the attestation was denied, only the certification status changes. Other behavioral changes, for example in the inheritance calculation, are not associated with this and can be implemented on a custom basis.

This function is only available if the Target System Base Module is installed. For more information about certifying new roles and organizations, see the One Identity Manager Attestation Administration Guide.

Detailed information about this topic

Reports about application roles

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for application roles.

Table 18: Reports about application roles
Report Description

Overview of all assignments

This report identifies all departments, cost centers, locations, business roles or IT Shop structures in which employees from the selected application role are also members. For more information about analyzing role memberships, see the One Identity Manager Identity Management Base Module Administration Guide.

Show historical memberships

This report lists all members of the selected application role and the length of their membership.

Granting One Identity Manager schema permissions through permissions groups

Permissions for accessing tables and columns of the One Identity Manager schema are themselves mapped in the schema through permissions groups. You can assign permissions groups to system users and to application roles.

Permissions groups are also used to control access to parts of the user interface, such as, menu items, forms, tasks, and program functions. When a user logs in to One Identity Manager tools, all available menus, forms, and methods are loaded depending on the system user's permissions groups, displaying a user interface customized for this system user. For more detailed information about editing the user interface, see the One Identity Manager Configuration Guide.

One Identity Manager provides permissions groups and system users with a predefined user interface and special permissions for One Identity Manager schema's tables and columns. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties.

Detailed information about this topic
Related topics

Predefined permissions groups and system users

One Identity Manager provides permissions groups and system users with a predefined user interface and special permissions for One Identity Manager schema's tables and columns. These predefined configurations are maintained by the schema installation and cannot be edited apart from a few properties.

Table 19: Predefined permissions groups
Permissions group Description

Permissions group QBM_BaseRights

The QBM_BaseRights permissions group defines the base rights that are required for a system user to log in to the One Identity Manager tools. This permissions group is always assigned implicitly.

Permission group VID_Features

The VID_Features permissions group covers all program functions required for starting the One Identity Manager tools. The permissions group covers additional program functions for running special functions in One Identity Manager.

Permission group VID_View

The VI_View permissions group has viewing permissions for all tables and columns that map application data.

NOTE: Assign viewing permissions of custom schema extensions to the permissions group.

Permission group VID_Everyone

The VI_Everyone permissions group is assigned to elements of the overview forms that use links to the corresponding menu items. These permissions groups also provide functions for Web Portal users.

NOTE: Assign the permissions group to your custom system users such that the overview form is fully displayed to the users.

Permissions groups for One Identity Manager application data

The permissions groups have permissions on the tables and the columns that map application data. These permissions groups are equipped with menu items, forms, tasks, and program functions which allows the application data to be edited with, for example, the Manager.

Permissions groups for One Identity Manager system data

The permissions groups have permissions on the tables and the columns that map the One Identity Manager's system data. These permissions groups are equipped with menu items, forms, tasks, and program functionality which allows the application data to be edited, for example, with Designer editors.

The vid permissions group has all edit permissions for the system configuration with the Designer.

Role-based permissions group VI_4_ALLUSER

The VI_4_ALLUSER permissions group provides the base permissions as well as menu items, forms, tasks, and program functions to enable the application data to be edited with the Manager and the Web Portal. This permissions group is always assigned implicitly.

Role-based permissions group VI_4_ADMIN_LOOKUP

The vi_4_ADMIN_LOOKUP permissions group has the viewing permissions for all tables and columns of the application data.

NOTE: Assign viewing permissions of custom schema extensions to the permissions group.

Role-based permissions group QER_OperationsSupport

The QER_OperationsSupport permissions group has special permissions for working with the Operations Support Web Portal. The permissions group is assigned to the OperationsSupportWebPortal application. The permissions of the permissions group apply only in the Operations Support Web Portal.

Role-based permissions groups

Role-based permissions groups have permissions on the tables and the columns that map application data. These permissions groups are equipped with menu items, forms, tasks, and program functionality which allow the application data to be edited with the Manager and the Web Portal. These permissions groups are linked to the One Identity Manager application roles and simplify administration of access permissions in the One Identity Manager role model.

Table 20: Predefined system users
System users Description

Dynamic system user

Dynamic system users are used for logging into One Identity Manager tools with role-based authentication modules. First, the employee memberships in the One Identity Manager application roles are determined during login. Assignments of permissions groups to One Identity Manager application roles are used to determine which permissions groups apply to the employee. A dynamic system user is determined from these permissions groups that will be used for the employee’s login.

System user sa

The sa system user is used exclusively by the One Identity Manager Service. This system user is not assigned to a permissions group but has all the permissions, tasks, and program functionality.

System user viadmin

The viadmin system user is the default system user in One Identity Manager. This system user can be used to compile and initialize the One Identity Manager database and for the first user login to the administration tools.

IMPORTANT: Do not use the viadmin system user in a live environment. Create your own system user with the appropriate permissions.

The system user has all of the specified permissions and the complete user interface. The system user implicitly receives the authorizations and user interface parts of the custom permissions groups. The system user has the permission to set up an employee as a One Identity Manager administrator for the role-based login. The system user is not a member of the application role themselves.

System user Synchronization

The Synchronization system user has the necessary permissions to set up and run target system synchronizations using an application server.

System user viHelpdesk

The viHelpdesk system user has the necessary permissions and the user interface to use the Manager to access One Identity Manager helpdesk resources.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级