立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable Secure Token Server Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

System users

NOTE: This authentication module is available if the Configuration Module is installed.

Credentials

The system user's identifier and password.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

Set as default

Yes

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

No

Remarks

The user interface and the permissions are loaded through the system user.

Data modifications are attributed to the system user.

IMPORTANT: The viadmin system user is available by default. The system user has the predefined user interface and access permissions to database resources. You must not use or change the user interface and the permissions structure of the system user in live systems because this system user is overwritten with each schema update as it is from a system user template.

TIP: Create your own system user with the appropriate permissions. This can be done on initial installation of the One Identity Manager database. This system user can compile an initial One Identity Manager database and can be used to log into the administration tools for the first time.

Generic single sign-on (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

Credentials

The authentication module uses the login data of the user currently logged in on the workstation.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • The identity is assigned at least one application role.

  • The user account exists in the One Identity Manager database and the identity is entered in the user account's main data.

Set as default

No

Single sign-on

Yes

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

One Identity Manager searches for the user account according to the configuration and finds the identity assigned to the user account.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is not set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.

Changes to the data are assigned to the logged in identity.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 28: Configuration parameters for the authentication module
Configuration parameter Meaning

QER | Person | GenericAuthenticator

Specifies whether authentication through single sign-on is supported.

QER | Person | GenericAuthenticator | SearchTable

Table in the One Identity Manager schema which stores the user information. The table must contain a foreign key with the name UIDPerson (or CCC_UID_Person) that references the Person table.

Example: ADSAccount

QER | Person | GenericAuthenticator | SearchColumn

Column from the One Identity Manager table (SearchTable) that is used to search for user name of the current user.

Example: CN

QER | Person | GenericAuthenticator | EnabledBy

Pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) enabled by the user account for the login.

QER | Person | GenericAuthenticator | DisabledBy

Pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) disabled by the user account for the login.

Example: AccountDisabled

Identity

NOTE: This authentication module is available if the Identity Management Base Module is installed.

Credentials

Identity's central user account and password.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

  • The identity exists in the One Identity Manager database.

  • The central user account is entered in the identity main data.

  • The system user is entered in the identity's main data.

  • The system user password is entered in the identity main data.

Set as default

Yes

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is not set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

The user interface and permissions are loaded through the system user that is directly assigned to the logged in identity.

Changes to the data are assigned to the logged in identity.

Identity (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

Credentials

Identity's central user account and password.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • The central user account is entered in the identity main data.

  • The system user password is entered in the identity main data.

  • The identity is assigned at least one application role.

Set as default

Yes

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is not set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.

Changes to the data are assigned to the logged in identity.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级