立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for Connecting to Active Directory

Managing Active Directory environments Synchronizing an Active Directory environment
Setting up initial synchronization with an Active Directory domain Adjusting the synchronization configuration for Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Active Directory user accounts and identities
Account definitions for Active Directory user accounts and Active Directory contacts Assigning identities automatically to Active Directory user accounts Supported user account types Updating identities when Active Directory user account are modified Automatic creation of departments and locations based on user account information Specifying deferred deletion for Active Directory user accounts and Active Directory contacts
Managing memberships in Active Directory groups Login credentials for Active Directory user accounts Mapping Active Directory objects in One Identity Manager
Active Directory domains Active Directory container structures Active Directory user accounts Active Directory contacts Active Directory groups Active Directory computers Active Directory security IDs Active Directory printers Active Directory sites Reports about Active Directory objects
Handling of Active Directory objects in the Web Portal Basic data for managing an Active Directory environment Configuration parameters for managing an Active Directory environment Default project template for Active Directory Processing methods of Active Directory system objects Active Directory connector settings

Effectiveness of membership in Active Directory user groups

When groups are assigned to user accounts an identity may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
  • One Identity Manager does not check if membership of an excluded group is permitted in another group ( table).

The effectiveness of the assignments is mapped in the ADSAccountInADSGroup and BaseTreeHasADSGroup tables by the XIsInEffect column.

Example: The effect of group memberships
  • Group A is defined with permissions for triggering requests in a domain. A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.

Jo User1 has a user account in this domain. They primarily belong to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to them secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.

By using suitable controls, you want to prevent an identity from being able to trigger a request and to pay invoices. That means, groups A, B, and C are mutually exclusive. An identity that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.

Table 14: Specifying excluded groups (ADSGroupExclusion table)

Effective group

Excluded group

Group A

Group B

Group A

Group C

Group B

Table 15: Effective assignments

Identity

Member in role

Effective group

Pat Identity1

Marketing

Group A

Jan User3

Marketing, finance

Group B

Jo User1

Marketing, finance, control group

Group C

Chris User2

Marketing, control group

Group A, Group C

Only the group C assignment is in effect for Jo User1. It is published in the target system. If Jo User1 leaves the "control group" business role at a later date, group B also takes effect.

The groups A and C are in effect for Chris User2 because the groups are not defined as mutually exclusive. That means that the identity is authorized to trigger requests and to check invoices. If this should not be allowed, define further exclusion for group C.

Table 16: Excluded groups and effective assignments

Identity

Member in role

Assigned group

Excluded group

Effective group

Chris User2

 

Marketing

Group A

 

Group C

 

Control group

Group C

Group B

Group A

Prerequisites
  • The QER | Structures | Inherite | GroupExclusion configuration parameter is set.

    In the Designer, set the configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  • Mutually exclusive groups belong to the same domain

To exclude a group

  1. In the Manager, select the Active Directory > Groups category.

  2. Select a group in the result list.

  3. Select the Exclude groups task.

  4. In the Add assignments pane, assign the groups that are mutually exclusive to the selected group.

    - OR -

    In the Remove assignments pane, remove the groups that are no longer mutually exclusive.

  5. Save the changes.

Active Directory group inheritance based on categories

Groups and be selectively inherited by user accounts and contacts in One Identity Manager. The groups and user accounts (contacts) are divided into categories in the process. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The mapping rule contains tables that map the user accounts (contact) and the groups. Specify your categories for user account (contacts) in the table for user accounts (contacts). Enter your categories for groups in the group table. Each table contains the Position 1 to Position 31 category positions.

Every user account (contact) can be assigned to one or more categories. Each group can also be assigned to one or more categories. If at least one user account (contact) category position matches an assigned structural profile, the structural profile is inherited by the user account (contact). If the group or user account (contact) is not in classified into categories, the group is also inherited by the user account (contact).

NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when assigning groups to user accounts and contacts.

Table 17: Category examples
Category position Categories for user accounts Categories for groups

1

Default user

Default entitlements

2

System users

System user entitlements

3

System administrator

System administrator entitlements

Figure 2: Example of inheriting through categories.

To use inheritance through categories

  1. In the Manager, define the categories in the domain.

  2. Assign categories to user accounts and contacts through their main data.

  3. Assign categories to groups through their main data.

Related topics

Overview of all assignments

The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are identities who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Example:
  • If the report is created for a resource, all roles are determined in which there are identities with this resource.

  • If the report is created for a group or another system entitlement, all roles are determined in which there are identities with this group or system entitlement.

  • If the report is created for a compliance rule, all roles are determined in which there are identities who violate this compliance rule.

  • If the report is created for a department, all roles are determined in which identities of the selected department are also members.

  • If the report is created for a business role, all roles are determined in which identities of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.

  • Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain identities with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are identities with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.

  • Double-click a control to show all child roles belonging to the selected role.

  • By clicking the button in a role's control, you display all identities in the role with the base object.

  • Use the small arrow next to to start a wizard that allows you to bookmark this list of identities for tracking. This creates a new business role to which the identities are assigned.

Figure 3: Toolbar of the Overview of all assignments report.

Table 18: Meaning of icons in the report toolbar

Icon

Meaning

Show the legend with the meaning of the report control elements

Saves the current report view as a graphic.

Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Login credentials for Active Directory user accounts

When new user accounts are created in One Identity Manager, the passwords needed to log in to the target system are created immediately also. Various options are available for assigning the initial password. Predefined password policies are applied to the passwords, and you can adjust these policies to suit your individual requirements if necessary. You can set up email notifications to distribute the login credentials generated to users.

Detailed information about this topic
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级