立即与支持人员聊天
与支持团队交流

Identity Manager 9.1.3 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Permissions for running methods

If a task definition is assigned a program function (QBMMethodHasFeature table) users can only run this task if they have the necessary permissions groups. An error occurs if the user does not own this program function and tries to run it.

To make a task definition available to users using a program function

  1. Create a new program function.

    1. In the Designer, select the Permissions > Program functions category.

    2. Select the Object > New menu item.

    3. Enter the following information:

      • Program function: Name of the program function.

      • Description: Short description of the program function.

      • Function group: Property for grouping program functions.

  2. Connect the program function with the task definition events that the user will trigger.

    1. In the Designer, select the Permissions > Program functions category.

    2. Select the View > Select table relations menu item and enable the QBMMethodHasFeature table.

    3. In the List Editor, select the newly created program function.

    4. In the Tasks edit view, assign the task definitions.

  3. Assign the program functions to the custom permissions group whose systems users will run these scripts.

    1. In the Designer, select the Permissions > Program functions category.

    2. Select the View > Select table relations menu item and enable the DialogGroupHasFeature table.

    3. In the List Editor, select your newly created program function.

    4. Assign the permissions group in the Permissions groups edit view.

  4. Select the Database > Commit to database and click Save.

Related topics

Permissions for triggering processes

The basic permissions for triggering processes are granted to the logged in user by the Common_TriggerEvents program function.

In One Identity Manager, triggering of events on stored processes is linked to the permissions concept. Users can only trigger events on objects like this if they own edit permissions for them. This can lead to table users who only have viewing permissions not being able to trigger additional events for processes.

In this case, it is possible to connect the object events (QBMEvent table) with a program function (QBMFeature table). An event (JobEventGen table), which is defined for a process, is linked with an object event (JobEventGen.UID_QBMEvent column). The object events are linked to a program function (QBMEventHasFeature table). Users with this program function can trigger the object event and therefore the process too independent of their permissions.

TIP: The Common_TriggerSpecificEvents program function allows you to trigger specific events from the front-end. You can assign this program function to custom object events that any user can trigger. The program function is allocated to the QBM_BaseRigt permissions group.

To control triggering a process through a program function

  1. Create a new program function.

    1. In the Designer, select the Permissions > Program functions category.

    2. Select the Object > New menu item.

    3. Enter the following information:
      • Program function: Name of the program function.

      • Description: Short description of the program function.

      • Function group: Property for grouping program functions.

  2. Connect the program function with object events that the user will trigger.

    1. In the Designer, select the Permissions > Program functions category.

    2. Select the View > Select table relations menu item and enable the QBMEventHasFeature table.

    3. In the List Editor, select the newly created program function.

    4. In the Object events edit view, assign the object events.

  3. Assign the required program functions to the custom permissions group whose systems users will trigger these events.

    1. In the Designer, select the Permissions > Program functions category.

    2. Select the View > Select table relations menu item and enable the DialogGroupHasFeature table.

    3. In the List Editor, use Ctrl + select to select your new program function and the Common_TriggerEvents program function.

    4. Assign the permissions group in the Permissions groups edit view.

  4. Select the Database > Commit to database and click Save.

Related topics

Modifying permissions for running actions in the Launchpad

One Identity Manager supplies a number of Launchpad actions that you can use to start applications by using the Launchpad. You can also start your own applications over the Launchpad.

If some actions in the Launchpad should not be made available to all users, you can manage the permissions by assigning Launchpad actions to program functions (QBMLaunchActionHasFeature table). Only tasks containing actions that the user's program function permissions permit him to run are shown in the Launchpad.

To assign a program function to Launchpad actions

  1. In the Designer, select the Permissions > Program functions category.

  2. Select the View > Select table relations menu item and enable the QBMLaunchActionHasFeature table.

  3. In the List Editor, select the program function.

  4. In the Launchpad action edit view, assign the actions.

  5. Select the Database > Commit to database and click Save.

One Identity Manager authentication modules

One Identity Manager uses different authentication modules for logging in to administration tools. Authentication modules identify the system users to be used and load the user interface and database resource editing permissions depending on their permission group memberships.

  • The permissions assigned to the system user are found from the permissions groups for logging into One Identity Manager tools with an authentication module that expects a defined system user.

  • Dynamic system users are used for logging into One Identity Manager tools with role-based authentication modules. First, the employee memberships in the One Identity Manager application roles are determined during login. Assignments of permissions groups to One Identity Manager application roles are used to determine which permissions groups apply to the employee. A dynamic system user is determined from these permissions groups that will be used for the employee’s login.

Before you can use an authentication module for logging on, the following prerequisites must be fulfilled:

  1. The authentication module must be enabled.

  2. The authentication module must be assigned to the application.

  3. The assignment of the authentication module to the application must be enabled.

This allows you to log in to the assigned application using this authentication module. Ensure that users found through the authentication module also have the required program function to use the program.

NOTE: After the initial schema installation, only the System user and Component authenticator authentication modules and the role-based authentication modules are enabled in One Identity Manager.

Use non role-based authentication modules to log in to the Designer. Role-based authentication modules for logging in to the Designer are not supported.

NOTE: Authentication modules are defined in the One Identity Manager modules and are not available until the modules are installed.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级