立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for Connecting Unix-Based Target Systems

Managing Unix-based systems Synchronizing Unix-based target systems Managing Unix user accounts and identities Managing memberships in Unix groups Login credentials for Unix user accounts Mapping Unix objects in One Identity Manager Handling of Unix objects in the Web Portal Basic data for Unix-based target systems Configuration parameters for managing Unix-based target systems Default project template for Unix-based target systems Unix connector settings

Specifying deferred deletion for Unix user accounts

You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or locked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.

You have the following options for configuring deferred deletion.

  • Global deferred deletion: Deferred deletion applies to user accounts in all target system. The default value is 30 days.

    In the Designer, enter a different value for deferred deletion in the Deferred deletion [days] property of the UNXAccount table.

  • Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.

    To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the UNXAccount table.

    Example:

    Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.

    If Not $IsPrivilegedAccount:Bool$ Then

    Value = 10

    End If

For more information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.

Managing memberships in Unix groups

Unix user accounts can be grouped into Unix groups that can be used to regulate access to resources.

In One Identity Manager, you can assign Unix groups directly to user accounts or they can be inherited through departments, cost centers, locations, or business roles. Users can also request the groups through the Web Portal. To do this, groups are provided in the IT Shop.

Detailed information about this topic

Assigning Unix groups to Unix user accounts

Unix groups can be assigned directly or indirectly to Unix user accounts.

In the case of indirect assignment, identities and Unix groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. The Unix groups assigned to an identity are calculated from the position in the hierarchy and the direction of inheritance. If you add an identity to roles and that identity owns an Unix user account, the Unix user account is added to the Unix group.

Furthermore, Unix groups can be requested through the Web Portal. To do this, add identities to a shop as customers. All Unix groups are assigned to this shop can be requested by the customers. Requested Unix groups are assigned to the identities after approval is granted.

You can use system roles to group Unix groups together and assign them to identities as a package. You can create system roles that contain only Unix groups. You can also group any number of company resources into a system role.

To react quickly to special requests, you can assign Unix groups directly to Unix user accounts.

For more information see the following guides:

Topic

Guide

Basic principles for assigning and inheriting company resources

One Identity Manager Identity Management Base Module Administration Guide

One Identity Manager Business Roles Administration Guide

Assigning company resources through IT Shop requests

One Identity Manager IT Shop Administration Guide

System roles

One Identity Manager System Roles Administration Guide

Detailed information about this topic

Prerequisites for indirect assignment of Unix groups to Unix user accounts

In the case of indirect assignment, identities and Unix groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. When assigning Unix groups indirectly, check the following settings and modify them if necessary.

  1. Assignment of identities and Unix groups is permitted for role classes (departments, cost centers, locations, or business roles).

    For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  2. Settings for assigning Unix groups to Unix user accounts.

    • The Unix user account is linked to an identity.

    • The Unix user account is labeled with the Groups can be inherited option.

NOTE: There are other configuration settings that play a role when company resources are inherited through departments, cost centers, locations, and business roles. For example, role inheritance might be blocked or inheritance of identities not allowed. For more detailed information about the basic principles for assigning company resources, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级