
Identity Manager 9.2.1 - Identity Management Base Module Administration Guide


Basics for managing identities

The following terminology is used in connection with managing identities in One Identity Manager.

Table 26: Terms for managing identities

| Term | Explanation |
| --- | --- |
| Identity | An identity usually represents a real person. In addition, identities that do not represent real people, such as machine identities or service identities, can be mapped in One Identity Manager. |
| Main identity/subidentity | Describes how an identity is associated to another identity. Here, the main identity is the parent identity and the subidentity is the child identity. A main identity is a primary identity and always represents a real person. A subidentity is a virtual identity that is set up for a specific purpose. |
| Primary identity | A primary identity represents a real person. The identity can have user accounts and permissions assigned to it. Primary identities can be used as main identities. |
| Organizational identity | A virtual identity for mapping different organizational roles of a person in the company, such as subcontracts with other functional areas. The identity can have user accounts and permissions assigned to it. An organizational identity must be assigned a main identity. |
| Personalized administrator identity | A virtual identity for mapping administrative roles of a person in the company. This identity requires allocation of administrative user accounts and permissions. A main identity must be assigned to a personal administrator identity. |
| Sponsored identity | Virtual identity that represents an additional, functionally related identity. This identity requires allocation of user accounts and permissions that are tied to an additional function, such as permissions in a training or test environment. An additional identity must be assigned a manager. |
| Shared identity | Virtual identity for mapping function-related, cross-organizational roles in a company, such as the IT support group or the IT representatives of a company. A group identity can be used as a subidentity of multiple main identities. A group identity must be assigned a manager. |
| Service identity | Virtual identity that maps to a system administrative role in an organization. Service identities are assigned to service accounts and permissions. A service identity must be assigned a manager. |
| Machine identity | Virtual identity that represents a machine or a non-human entity. A machine identity can have user accounts and permissions assigned to it. A machine identity must be assigned a manager. |


Main identities and subidentities

In large companies, employees may have several identities for their work, for example as a result of different contracts with different branches. These identities can differ in their affiliation to departments or cost centers, or in their access permissions. External employees who work at different locations can also be represented by different identities in the system.

To map individual identities and group them at a central location, you can define main identities and subidentities in One Identity Manager. For example, if an identity has several user accounts in one target system that must be assigned to different groups, create a separate subidentity for each user account with a link to the main identity.

Within an identity audit, you can check an identity's permitted permissions either per subidentity or for the main identity including all its subidentities. For more information, see the One Identity Manager Compliance Rules Administration Guide.

Main identities and subidentities can be used to log in to One Identity Manager via various authentication modules. For more information, see the One Identity Manager Authorization and Authentication Guide.

Main identity
  • A main identity can be assigned to one or more machine roles.

  • A main identity is a primary identity and always represents a real person.

  • A main identity is the central location where identities are brought together for different purposes.

  • Main identities can be assigned user accounts and permissions and can initiate requests in the IT Shop.

Subidentity
  • A subidentity is always connected to a main identity.

  • A subidentity is a virtual identity that is set up for a specific purpose, such as for an administrative user account or to map different roles in the company.

  • Enter a main identity for the subidentity using Main identity on the identity’s main data form.

  • A subidentity can be assigned user accounts and permissions and can initiate requests in the IT Shop.

  • In order to improve the assignment of authorizations to the target systems, the subidentities can be divided into different identity types.

Identity's central user account

The identity’s central user account is used to form the user account login name in the active system. The central user account is also used for logging in to the One Identity Manager tools.

In the One Identity Manager default installation, the central user account is made up of the first and the last name of the identity. If only one of these is known, then it is used for the central user account. There is always a check to see if a central user account with that value already exists. If this is the case, an incremental number is added to the end of the value.

Table 27: Example of forming of central user accounts

| First name | Last name | Central user account |
| --- | --- | --- |
| Alex | | ALEX |
| | Miller | MILLER |
| Alex | Miller | ALEXM |
| Alex | Meyer | ALEXM1 |

Use the QER | Person | CentralAccountGlobalUnique configuration parameter to define how to map the central user account.

  • If this configuration parameter is set, the central user account for an identity is formed uniquely in relation to the central user accounts of all identities and the user account names of all permitted target systems.

  • If the configuration parameter is not set, it is only formed uniquely related to the central user accounts of all identities. This is the default.
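The following sketch is an added example, not One Identity Manager's own formatting script. It reproduces Table 27 and shows how the uniqueness scope selected by CentralAccountGlobalUnique changes the result. The base-name rule (first name plus first letter of the last name, upper-cased) is inferred from the table; the case-insensitive comparison, the continuation of the counter past 1, and all function names and sample data are assumptions.

```python
def base_name(first_name, last_name):
    """Base value as inferred from Table 27 (an assumption, not the product's code)."""
    first = (first_name or "").strip()
    last = (last_name or "").strip()
    if first and last:
        return (first + last[0]).upper()
    if not (first or last):
        raise ValueError("at least one name is required")
    return (first or last).upper()


def form_central_account(first_name, last_name, central_accounts,
                         target_system_accounts=(), global_unique=False):
    """Return a central user account that is unique within the chosen scope.

    global_unique mirrors QER | Person | CentralAccountGlobalUnique: when set,
    user account names in the target systems also count as taken.
    """
    # Assumption: names are compared case-insensitively.
    taken = {name.upper() for name in central_accounts}
    if global_unique:
        taken |= {name.upper() for name in target_system_accounts}
    base = base_name(first_name, last_name)
    candidate, counter = base, 0
    while candidate in taken:
        counter += 1  # Table 27 shows the first suffix is 1; counting up is assumed
        candidate = f"{base}{counter}"
    return candidate


def assign_all(people, target_system_accounts=(), global_unique=False):
    """Form accounts for people in order, reserving each one as it is issued."""
    issued = []
    for first, last in people:
        issued.append(form_central_account(first, last, issued,
                                           target_system_accounts, global_unique))
    return issued


# Constructed sample data: the four rows of Table 27, in order.
TABLE_27 = [("Alex", ""), ("", "Miller"), ("Alex", "Miller"), ("Alex", "Meyer")]
# Constructed target system account name that collides with a central account.
TARGET_ACCOUNTS = ["alexm"]

if __name__ == "__main__":
    print(assign_all(TABLE_27))                                       # default scope
    print(assign_all(TABLE_27, TARGET_ACCOUNTS, global_unique=True))  # global scope
```

With the default scope, an existing target system account named like a central user account does not influence the generated value; with the parameter set, the same input is pushed to the next free suffix.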

Identity's default email address

The identity’s default email address is displayed on the mailboxes in the activated target system. In the One Identity Manager default installation, the default email address is formed from the identity’s central user account and the default mail domain of the active target system.

The default mail domain is determined using the QER | Person | DefaultMailDomain configuration parameter.

  • In the Designer, set the configuration parameter and enter the default mail domain name as a value.
