立即与支持人员聊天
与支持团队交流

Identity Manager On Demand - Starling Edition Hosted - Identity Management Base Module Administration Guide

Basics for mapping company structures in One Identity Manager Dynamic roles Departments, cost centers, and locations
One Identity Manager users for managing departments, cost centers, and locations Basic information for departments, cost centers, and locations Creating and editing departments Creating and editing cost centers Creating and editing locations Setting up IT operating data for departments, cost centers, and locations Assigning identities, devices, and workdesks to departments, cost centers, and locations Assigning company resources to departments, cost centers, and locations Creating dynamic roles for departments, cost centers, and locations Dynamic roles with incorrectly excluded identities Assign organizations Specifying inheritance exclusion for departments, cost centers, and locations Assigning extended properties to departments, cost centers, and locations Certifying departments, cost centers, and locations Reports about departments, cost centers, and locations
Identity administration
One Identity Manager users for managing identities Basics for managing identities Creating and editing identities Assigning company resources to identities Displaying the origin of identities' roles and entitlements Analyzing role memberships and identity assignments Deactivating and deleting identities Deleting all personal data Limited access to One Identity Manager Changing the certification status of identities Displaying the identities overview Displaying and deleting identities' Webauthn security keys Determining the language for identities Determining identities working hours Manually assigning user accounts to identities Entering tickets for identities Assigning extended properties to identities Reports about identities Basic configuration data for identities
Managing devices and workdesks Managing resources Setting up extended properties Configuration parameters for managing departments, cost centers, and locations Configuration parameters for managing identities Configuration parameters for managing devices and workdesks

Identity's central password

An identity's central password can be used for logging into the target systems and for logging in to One Identity Manager. Depending on the configuration, an identity's central password is replicated to their user accounts and their system user password.

  • To publish the change in an identity's central user password to all existing user accounts of the identity, check in the Designer if the QER | Person | UseCentralPassword configuration parameter is set. If not, set the configuration parameter.

  • To copy an identity's central password to their system user password for logging in, in the Designer, check if the QER | Person | UseCentralPassword | SyncToSystemPassword configuration parameter is set. If not, set the configuration parameter.

  • If an identity’s system user account has to be unlocked when the central password is provided, use the Designer to check if the QER | Person | UseCentralPassword | SyncToSystemPassword | UnlockByCentralPassword configuration parameter is set. If not, set the configuration parameter.

NOTE:

  • The Password policy for central password of identities password policy is applied to an identity's central password. Ensure that the password policy does not violate the target system's specific password policies.

  • Use the QER | Person | UseCentralPassword | CheckAllPolicies configuration parameter to specify whether the identity’s central password is tested against all the target system’s password policies in which the identity has user accounts. This test is only carried out in the Password Reset Portal.

  • An identity's central password is published to a user account only if the user account's target system is synchronized by the One Identity Manager.

  • If a target system is read-only, an identity's central password is not propagated to user accounts in that target system.

  • An identity's central password is not replicated to privileged user accounts of the identity.

  • If a password cannot be changed due to an error, the identity receives a corresponding email notification.

  • To replicate an identity's central password to a password column of a customer-specific user account table, in the Designer, define a ViewAddOn for the QERVPersonCentralPwdColumn view. The database view returns the password column of the user account tables. The user account table must have a reference to the identity (UID_Person) and a XMarkedForDeletion column. For more information about customizing the One Identity Manager schema, see the One Identity Manager Configuration Guide.

  • If you want to map additional user-specific features, overwrite the QER_Publish_CentralPassword script. For more information about working with scripts, see the One Identity Manager Configuration Guide.

  • The central password, the system user password, and the user account passwords can be changed by using the Password Reset Portal. For more information, see the One Identity Manager Web Designer Web Portal User Guide and the One Identity Manager Web Application Configuration Guide.

Related topics

Creating and editing identities

In the Manager, you can enter the main data of identities in the Identities category. The identities are filtered according to different criteria.

  • Identities: All activated and temporarily deactivated identities.

  • Inactive identities: All permanently deactivated identities.

  • Locked identities: All identities that are locked due to incorrect password input.

  • Security incidents: All identities that are classified as security threats.

  • Certification: All identities by certification status.

  • Data source: All identities by import data source.

  • Identity: All identities according to their identity type.

NOTE: Identity properties loaded from a target system can only be edited to a limited degree in One Identity Manager. Certain properties are locked because this target system is the primary system. The source from which the main data is imported determines which properties are locked.

Ensure you fill out all compulsory fields when you edit the main data. Certain main data is inherited by the identity user account through templates.

To create an identity

  1. In the Manager, select the Identities > Identities category.

  2. Click in the result list.

  3. On the main data form, edit the main data of the identity.

  4. Save the changes.

To edit main data of an identity

  1. In the Manager, select the Identities > Identities category.

  2. Select an identity in the result list and run the Change main data task.

  3. Edit the identity's main data.

  4. Save the changes.
Detailed information about this topic

General main data of identities

Enter the following general main data of an identity. This data applies to personal and job-related identity data.

Table 28: General main data

Property

Description

First name

Identity's first name.

Last name

Identity's last name.

Middle name

Second middle name.

Form of address

Identity's form of address. This is automatically set depending on gender.

Title

Identity's title.

Surname prefix

Identity's surname prefix, for example du, or von.

Preferred name

Identity's preferred name.

Initials

Identity's initials. These are automatically taken from first and last names.

Gender

Identity's gender.

Date of birth

Identity's date of birth.

Name at birth

Identity's name at date.

Job description

Title of the position within your company.

Generational affix

  • Affix, for example Senior or Junior.

  • Language

    Language used for sending email notifications to the identity. This setting is also used for Web Portal's display.

    Language for value formatting

    Language used to display values, for example, date, time, or number formats. The setting is taken into account when email notifications are sent to the identity. This setting is also used for Web Portal's display.

    Sub-organization

    Note about sub-organizations to which the Identity belongs.

    Permanently disabled

    Specifies whether identity is actively used. If an identity is permanently inactive, all its entitlements as a One Identity Manager user are revoked.

    NOTE: Identities that are permanently deactivated can no longer log in to One Identity Manager.

    Certification status

    Specifies whether the identity's main data was approved by the identity's manager. Certification status is set through certification procedures. The following certification status are permitted:

    • New: The identity was newly added to the One Identity Manager database.
    • Certified: The identity's main data was granted approval by the manager.
    • Denied: The identity's main data was denied approval by the manager. The identity is permanently disabled.

    VIP

    Labels the identity as important.

    Security risk

    Specifies whether the identity is considered a risk for the company.

    Resource inheritance can be prevented for identities that are classified as security risks. Configure the behavior in the resource properties.

    Permissions inheritance can be prevented for identities that are classified as security risks. The user accounts of the identity can be locked. Configure this in the account definition properties. For more information about account definitions, see the One Identity Manager Target System Base Module Administration Guide.

    NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

    No inheritance

    Specifies whether the identity inherits company resources through roles. If the option is set, inheritance is prevented. Company resources the identity receives through IT Shop requests are not assigned either. Direct assignments remain intact.

    If the configuration parameter QER | Attestation | UserApproval is set, this option is set depending on the option Disabled permanently. If the identity is permanently disabled, the option No inheritance is set through a formatting rule.

    External

    Specifies whether the identity is company internal or external. If this option is set, the identity is an external employee, for example. External identities are excluded from automatic account definition assignment in the default version of One Identity Manager.

    Employee type

    More accurate classification of the identity taking their contractual relationship with the company into account. Permitted values are Employee, Trainee, Contractor, Consultant, Partner, Customer, Other, Manual laborer.

    Contact email address

    Email address to which the registration link is sent when a new user account is created using the Self-Registration Web Portal.

    Company

    Enter a company. Use the next to the field to add a new company.

    Workdesk

    Identity's workdesk.

    Risk index (calculated)

    A risk index is calculated to evaluate the risk of an identity based on their permissions. An identity's risk index is determined from the risk indexes of their user accounts. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

    Description

    Text field for additional explanation.

    Comment

    Text field for additional explanation.

    Spare field no. 01 ... Spare field no. 10

    Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

    Related topics

    Organizational main data of identities

    Enter the following general main data of an organization.

    Table 29: Organizational main data

    Property

    Description

    Personnel number

    Identity's personnel number.

    Primary department

    Department to which the identity is primary assigned. The identity can obtain company resources through this assignment if One Identity Manager is configured respectively.

    Furthermore, IT operating data for user accounts and mailboxes can be determined though the department.

    Primary cost center

    Cost center to which the identity is primarily assigned. The identity can obtain company resources through this assignment if One Identity Manager is configured respectively.

    Furthermore, IT operating data for user accounts and mailboxes can be determined though the cost center.

    Primary business roles

    Business role to which the identity is assigned. The identity can obtain company resources through this assignment if One Identity Manager is configured respectively.

    Furthermore, IT operating data for user accounts and mailboxes can be determined though the business role.

    NOTE: This property is available if the Business Roles Module is installed.

    Security identification

    Security code for the identity for, for example, access permission.

    User account creation date

    Date on which to create the user account in the target system. This date should be earlier than the entry date. Use custom processes to automatically create user accounts in One Identity Manager on this date.

    Entry date

    Date the identity started at the company. This is filled with the current date when the identity is added.

    End date

    Date the identity started at the company. Enter an end date for the identity to lock their user account at a specific point in time. The end date is checked regularly by the schedule Lock accounts of identities that have left the company. When the end date arrives, the identity is locked.

    Company member

    Additional information about the identity’s affiliation.

    Temporarily inactive

    Specifies whether the identity is temporarily absent from the company If this option is set, enter the time period for the temporary absence.

    NOTE: Identities that are temporarily deactivated can no longer log in to One Identity Manager.

    Reason for absence

    Reason for temporarily deactivating the identity.

    Temporarily inactive from

    Date from which temporary deactivation applies.

    Temporarily inactive until

    Date until which temporary deactivation applies. A Enable temporarily disabled accounts schedule is implemented that monitors the end date of the temporary deactivation. When this date is reached the identity and their user accounts are re-enabled.

    Last working day

    Enter the date of the last working day if, for example, an identity leaves the company on a specific day but has access to their data until this date.

    NOTE: The date of the last working day is copied to the identity’s user accounts as the expiration date. This overwrites the existing account expiration date.

    Manager

    The manager of an identity can realize several tasks in One Identity Manager such as:

    • Edit main data of the identities for which they are responsible

    • Certify the main data of the identities for which they are responsible

    • Attest company resources assigned to the identities for which they are responsible

    • Granting or denying approval to requests of identities in the IT Shop for which they are responsible

    Identity cannot be assigned as their own manager.

    Sponsor

    When a new identity is added through the Web Portal, you can make additional notes like the manager or sponsor.

    Related topics
    相关文档

    The document was helpful.

    选择评级

    I easily found the information I needed.

    选择评级