To create or edit an account definition
In the Manager, select the SharePoint > Basic configuration data > Account definitions > Account definitions category.
-OR-
Click 
Enter the following data for an account definition:
|
Property |
Description |
|---|---|
|
Account definition |
Account definition name. |
|
User account table |
Table in the One Identity Manager schema that maps user accounts. |
|
Target system |
Target system to which the account definition applies. |
|
Required account definition |
Specifies the required account definition. TIP: You can enter this account definition for the associated Active Directory or LDAP domain here. In this case, an Active Directory or LDAP user account is created for the identity first. If this exists, the SharePoint user account is added. Implement this behavior on a custom basis. Customize TSB_PersonHasAccountDef_AutoCreate_SPSUser to do this. |
|
Description |
Text field for additional explanation. |
|
Manage level (initial) |
Manage level to use by default when you add new user accounts. |
|
Risk index |
For more information, see the One Identity Manager Risk Assessment Administration Guide. |
|
Service item |
|
|
IT Shop |
Specifies whether the account definition can be requested through the IT Shop. This account definition can be requested through the Web Portal and allocated by defined approval processes. The resource can also be assigned directly to identities and roles outside the IT Shop. |
|
Only for use in IT Shop |
Specifies whether the account definition can only be requested through the IT Shop. This account definition can be requested through the Web Portal and allocated by defined approval processes. The account definition cannot be directly assigned to roles outside the IT Shop. |
|
Automatic assignment to identities |
Specifies whether the account definition is automatically assigned to all internal identities. To automatically assign the account definition to all internal identity, use the Enable automatic assignment to identities The account definition is assigned to every identity that is not marked as external. Once a new internal identity is created, they automatically obtain this account definition. To automatically remove the account definition assignment from all identities, use the Disable automatic assignment to identities. The account definition cannot be reassigned to identities from this point on. Existing account definition assignments remain intact. |
|
Retain account definition if permanently disabled |
Specifies the account definition assignment to permanently deactivated identities. Option set: The account definition assignment remains in effect. Option not set (default): The account definition assignment is not in effect. |
|
Retain account definition if temporarily disabled |
Specifies the account definition assignment to temporarily deactivated identities. Option set: The account definition assignment remains in effect. Option not set (default): The account definition assignment is not in effect. |
|
Retain account definition on deferred deletion |
Specifies the account definition assignment on deferred deletion of identities. Option set: The account definition assignment remains in effect. Option not set (default): The account definition assignment is not in effect. |
|
Retain account definition on security risk |
Specifies the account definition assignment to identities posing a security risk. Option set: The account definition assignment remains in effect. Option not set (default): The account definition assignment is not in effect. |
|
Resource type |
|
|
Spare field 01 - spare field 10 |
Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields. |
|
Groups can be inherited |
Specifies whether the user account can inherit groups through the linked identity. If the option is set, the user account inherits groups through hierarchical roles, in which the identity is a member, or through IT Shop requests.
|
|
Roles can be inherited |
|
Specify the manage level for an account definition for managing user accounts. The user account’s manage level specifies the extent of the identity’s properties that are inherited by the user account. This allows an identity to have several user accounts in one target system, for example:
Default user account that inherits all properties from the identity.
Administrative user account that is associated to an identity but should not inherit the properties from the identity.
One Identity Manager supplies a default configuration for manage levels:
Unmanaged: User accounts with the Unmanaged manage level are linked to the identity but they do no inherit any further properties. When a new user account is added with this manage level and an identity is assigned, some of the identity's properties are transferred initially. If the identity properties are changed at a later date, the changes are not passed onto the user account.
Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned identity. When a new user account is created with this manage level and an identity is assigned, the identity's properties are transferred in an initial state. If the identity properties are changed at a later date, the changes are passed onto the user account.
NOTE: The Full managed and Unmanaged manage levels are analyzed in templates. You can customize the supplied templates in the Designer.
You can define other manage levels depending on your requirements. You need to amend the templates to include manage level approaches.
Specify how an identity's temporary deactivation, permanent deactivation, deletion, and security risks affect its user accounts and group memberships at each manage level.
Identity user accounts can be locked when they are disabled, deleted, or rated as a security risk so that permissions are immediately withdrawn. If the identity is reinstated at a later date, the user accounts are also reactivated.
You can also define group membership inheritance. Inheritance can be discontinued if desired when, for example, the identity’s user accounts are disabled and therefore cannot be members in groups. During this time, no inheritance processes should be calculated for this identity. Existing group memberships are deleted.
IMPORTANT: The Unmanaged manage level is assigned automatically when you create an account definition and it cannot be removed.
To assign manage levels to an account definition
In the Manager, select the SharePoint > Basic configuration data > Account definitions > Account definitions category.
Select an account definition in the result list.
Select the Assign manage level task.
In the Add assignments pane, assign the manage level.
TIP: In the Remove assignments pane, you can remove assigned manage levels.
To remove an assignment
Select the manage level and double-click 
Save the changes.
To edit a manage level
In the Manager, select the SharePoint > Basic configuration data > Account definitions > Manage levels category.
Select the manage level in the result list. Select Change main data.
- OR -
Click
Edit the manage level's main data.
Save the changes.
Enter the following data for a manage level.
| Property | Description |
|---|---|
|
Manage level |
Name of the manage level. |
|
Description |
Text field for additional explanation. |
|
IT operating data overwrites |
Specifies whether user account data formatted from IT operating data is automatically updated. Permitted values are:
|
|
Retain groups if temporarily disabled |
Specifies whether user accounts of temporarily deactivated retain their group memberships. |
|
Lock user accounts if temporarily disabled |
Specifies whether user accounts of temporarily deactivated identities are locked. |
|
Retain groups if permanently disabled |
Specifies whether user accounts of permanently deactivated identities retain group memberships. |
|
Lock user accounts if permanently disabled |
Specifies whether user accounts of permanently deactivated identities are locked. |
|
Retain groups on deferred deletion |
Specifies whether user accounts of identities marked for deletion retain their group memberships. |
|
Lock user accounts if deletion is deferred |
Specifies whether user accounts of identities marked for deletion are locked. |
|
Retain groups on security risk |
Specifies whether user accounts of identities posing a security risk retain their group memberships. |
|
Lock user accounts if security is at risk |
Specifies whether user accounts of identities posing a security risk are locked. |
|
Retain groups if user account disabled |
Specifies whether disabled user accounts retain their group memberships. |
NOTE:*) SharePoint user accounts cannot be locked!
When an identity is disabled, deleted, or rated as a security risk their SharePoint user accounts remain enabled. For logging into a SharePoint site collection, you need to know if the user account referenced as an authentication object is locked or disabled. To prevent a disabled, deleted, or security risk identity logging into a SharePoint site collection, manage the user accounts linked as authentication objects using account definitions.
© ALL RIGHTS RESERVED. Feedback 使用条款 隐私 Cookie Preference Center
