立即与支持人员聊天
与支持团队交流

Identity Manager 8.2.1 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Decentralized identity

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module can be used to log in using a decentralized identity.

Credentials

The employee's email address and decentralized identity.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

  • The employee exists in the One Identity Manager database.

  • The decentralized identity is entered in the employee main data.

  • The default email address or the contact email address is in the employee's main data.

  • The system user is entered in the employee's main data.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

To identify the employee, the email address provided during login is verified against the default email address and the contact email address.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.

  • If this configuration parameter is set, the employee’s subidentity is used for authentication.

The user interface and permissions are loaded through the system user that is directly assigned to the logged in employee.

Changes to the data are assigned to the logged in employee.

Decentralized Identity (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module can be used to log in using a decentralized identity.

Credentials

The employee's email address and decentralized identity.

Prerequisites

  • The employee exists in the One Identity Manager database.

  • The decentralized identity is entered in the employee main data.

  • The default email address or the contact email address is in the employee's main data.

  • The employee is assigned at least one application role.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

To identify the employee, the email address provided during login is verified against the default email address and the contact email address.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.

  • If this configuration parameter is set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the permissions are loaded through this system user.

Changes to the data are assigned to the logged in employee.

Editing authentication modules

Before you can use an authentication module for logging on, the following prerequisites must be fulfilled:

  1. The authentication module must be enabled.

  2. The authentication module must be assigned to the application.

  3. The assignment of the authentication module to the application must be enabled.

This allows you to log in to the assigned application using this authentication module. Ensure that users found through the authentication module also have the required program function to use the program.

Detailed information about this topic

Enabling authentication modules

NOTE: After the initial schema installation, only the System user and Component authenticator authentication modules and the role-based authentication modules are enabled in One Identity Manager.

To use an authentication module for logging in, you must enable the authentication module.

To enable an authentication module

  1. In the Designer, select the Base data > Security settings > Authentication modules category.

  2. In the List Editor, select the authentication module.

  3. In the Properties view, set the Activated property to True.

  4. Select the Database > Save to database and click Save.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级