
Identity Manager 9.2 - Target System Base Module Administration Guide


Define Search Criteria for Identity Assignment

Figure 5: Search criteria for identity assignment

NOTE: One Identity Manager supplies a default mapping for identity assignment. Only carry out the following steps when you want to customize the default mapping.

To define search criteria for identity assignment

  1. In the Manager, select the Target system type > <target system> category.

  2. Select the target system in the result list and run the Define search criteria for identity assignment task.

  3. Select the object definition for the mapping.

    NOTE: Object definitions for user accounts that can have search criteria applied to them are predefined. If you require other object definitions, for example to limit the preselection of user accounts, set up the respective custom object definitions in the Designer. For more information, see the One Identity Manager Configuration Guide.

    1. To add a new object definition, click Add > Criteria. Use the Apply to menu item to select the object definition for which the search criteria are defined.

      The search criteria is applied to all user accounts if no object definition is selected.

    2. To change the object definition of an existing search criterion, select the search criterion in the Search criteria view. Use the Apply to menu item to select the object definition for which the search criteria are defined.

      If the existing selection is deleted, the search criterion is applied to all user accounts.

  4. Select the object properties to map.

    • Identity column: Select the column in the Identity table on which the search is carried out.

    • User account column: Select the column in the user account table that supplies the value for searching for a person.

  5. Define the formatting rule to limit the search criteria.

    In the Add format menu, select a format template. Define the formatting rule to apply to the search string. You can combine different format templates.

    Table 3: Format templates

    Format template | Meaning
    Character range | Characters of the character string to be used as the search criterion.
    Crop to fixed length | Defines the length of the character string to search for. Fill characters are added at the beginning or end of the string so that it reaches the fixed length.
    Remove leading or trailing characters | Characters that are removed from the start or end of the character string. The remaining string forms the search criterion.
    Split value | Characters at which the character string is split; the resulting parts are used as search criteria.

  6. Test the format rules.

    In the Format preview view, enter a character string to which the formatting is applied. Use this to test the effects of your search criteria formatting.

  7. Apply the formatting rules.

    Enable Use format on the columns on which to limit the search criteria.

  8. Save the changes.

Different object properties can be joined for search criteria. Both AND and OR operators can be used.

Example: AND operator

To assign identities to Notes user accounts, the surname as well as first name must be the same for the identity and the user account. The following table columns are mapped:

AND

Person.Firstname – NotesUser.Firstname

Person.LastName – NotesUser.LastName

Example: OR operator

To assign identities to Active Directory user accounts, either the identity's central user account and the user account's login name must be identical or the identity's full name and the user account's display name. The following table columns are mapped:

OR

Person.CentralAccount – ADSAccount.SAMAccountName

Person.InternalName – ADSAccount.DisplayName
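How the format templates and an AND/OR criteria tree select an identity for a user account can be seen in the following model. It is an added example and not One Identity Manager code: it implements the two criteria trees above against constructed Person, NotesUser and ADSAccount rows. The exact semantics of the Table 3 templates, the case-insensitive comparison, and the treatment of an account that matches more than one identity (held back as ambiguous rather than suggested) are assumptions, since the page does not specify them.

```python
"""Model of how search criteria select an identity for a user account.

Added example, not One Identity Manager code. The format templates, the
AND/OR tree and the sample records are constructed here to mirror the two
examples on this page; how the product handles an account that matches
several identities is not stated, so this model reports it as ambiguous.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

Formatter = Callable[[str], str]


# Format templates (Table 3). Exact product semantics are assumed here.
def character_range(start: int, end: int) -> Formatter:
    """Keep characters [start, end) of the search string (0-based)."""
    return lambda s: s[start:end]


def crop_to_fixed_length(length: int, fill: str = " ", pad_end: bool = True) -> Formatter:
    """Crop to `length` characters, padding with `fill` at the end or start."""
    def apply(s: str) -> str:
        s = s[:length]
        return s.ljust(length, fill) if pad_end else s.rjust(length, fill)
    return apply


def remove_leading_or_trailing(chars: str) -> Formatter:
    """Strip any of `chars` from both ends of the search string."""
    return lambda s: s.strip(chars)


def split_value(sep: str, part: int) -> Formatter:
    """Split at `sep` and keep part number `part` (empty if absent)."""
    def apply(s: str) -> str:
        parts = s.split(sep)
        return parts[part] if part < len(parts) else ""
    return apply


def preview_format(value: str, formatters: List[Formatter]) -> str:
    """What the Format preview view shows: formatters applied in order."""
    for fmt in formatters:
        value = fmt(value)
    return value


@dataclass
class Criterion:
    """One mapped column pair: identity column compared to the formatted account column."""
    identity_column: str
    account_column: str
    formatters: List[Formatter] = field(default_factory=list)

    def matches(self, identity: dict, account: dict) -> bool:
        needle = preview_format(account.get(self.account_column, ""), self.formatters)
        # An empty search string never matches; comparison is case-insensitive (assumption).
        return bool(needle) and needle.casefold() == identity.get(self.identity_column, "").casefold()


@dataclass
class Operator:
    """AND/OR node; nodes may nest, so the tree can be arbitrarily deep."""
    op: str
    children: List[Union["Criterion", "Operator"]]

    def matches(self, identity: dict, account: dict) -> bool:
        results = (c.matches(identity, account) for c in self.children)
        return all(results) if self.op == "AND" else any(results)


@dataclass
class Suggestions:
    suggested: Dict[str, str]        # account UID -> the single matching identity UID
    ambiguous: Dict[str, List[str]]  # account UID -> all matching identity UIDs (assumed handling)
    unmatched: List[str]             # accounts for the "No identity assignment" view


def suggest_assignments(criteria: Operator, identities: List[dict], accounts: List[dict]) -> Suggestions:
    """Fill the views: exactly one hit is suggested, several hits are ambiguous, none is unmatched."""
    out = Suggestions({}, {}, [])
    for acc in accounts:
        hits = [p["UID"] for p in identities if criteria.matches(p, acc)]
        if len(hits) == 1:
            out.suggested[acc["UID"]] = hits[0]
        elif hits:
            out.ambiguous[acc["UID"]] = hits
        else:
            out.unmatched.append(acc["UID"])
    return out


# Criteria trees from the page's two examples.
NOTES_CRITERIA = Operator("AND", [Criterion("Firstname", "Firstname"), Criterion("LastName", "LastName")])
AD_CRITERIA = Operator("OR", [Criterion("CentralAccount", "SAMAccountName"), Criterion("InternalName", "DisplayName")])

# Constructed sample rows (Person, NotesUser, ADSAccount); not real data.
IDENTITIES = [
    {"UID": "P1", "Firstname": "Jane", "LastName": "Smith", "CentralAccount": "JSMITH", "InternalName": "Jane Smith"},
    {"UID": "P2", "Firstname": "John", "LastName": "Smith", "CentralAccount": "JOSMITH", "InternalName": "John Smith"},
    {"UID": "P3", "Firstname": "Ana", "LastName": "Lopez", "CentralAccount": "ALOPEZ", "InternalName": "Ana Lopez"},
    {"UID": "P4", "Firstname": "Jane", "LastName": "Smith", "CentralAccount": "JSMITH2", "InternalName": "Jane Smith (Sales)"},
]
NOTES_ACCOUNTS = [
    {"UID": "N1", "Firstname": "Jane", "LastName": "Smith"},  # two Jane Smiths exist: ambiguous
    {"UID": "N2", "Firstname": "Pat", "LastName": "Smith"},   # surname alone is not enough under AND
    {"UID": "N3", "Firstname": "Ana", "LastName": "Lopez"},
]
AD_ACCOUNTS = [
    {"UID": "A1", "SAMAccountName": "JSMITH", "DisplayName": "Jane Smith"},
    {"UID": "A2", "SAMAccountName": "svc-backup", "DisplayName": "Backup Service"},  # service account: no identity
    {"UID": "A3", "SAMAccountName": "JOSMITH", "DisplayName": "John Smith"},
    {"UID": "A4", "SAMAccountName": "ALOPEZ2", "DisplayName": "Ana Lopez"},  # login differs, display name matches
]

if __name__ == "__main__":
    print(suggest_assignments(NOTES_CRITERIA, IDENTITIES, NOTES_ACCOUNTS))
    print(suggest_assignments(AD_CRITERIA, IDENTITIES, AD_ACCOUNTS))
```

Holding back ambiguous hits is the conservative choice: a criterion that is too loose (surname only, or a display name two identities share) would otherwise connect a user account, and everything it is entitled to, to the wrong person. The Format preview step above is where to check the effect of a formatting rule on real values before enabling Use format.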

To link object properties in search criteria

  1. In the Search criteria view, select the operator to which you want to add another object property. Click Change operator to select the operator for the link.

  2. Click Add > Criteria.

  3. Select the object definition for the mapping.

  4. Select the object properties to map.

  5. If you want to nest links, click Add > AND operator or Add > OR operator and rerun steps 2 to 4.

  6. Save the changes.

To delete search criteria

  1. Mark the search criteria and click Delete.

  2. Save the changes.

Finding identities and directly assigning them to user accounts

Based on the search criteria, you can create a suggestion list for the assignment of identities to user accounts and make the assignment directly. User accounts are grouped in different views for this.

  • Suggested assignments: This view lists all user accounts to which One Identity Manager can assign an identity. All identities are shown that were found using the search criteria and can be assigned.

  • Assigned user accounts: This view lists all user accounts to which an identity is assigned.

  • No identity assignment: This view lists all user accounts to which no identity is assigned and for which no identity was found using the search criteria.

NOTE: To display disabled user accounts or deactivated identities in the view, enable the Even locked accounts are mapped option.

If you assign a deactivated identity to a user account, the user account might be locked or deleted, depending on the configuration.

To apply search criteria to user accounts

  • At the bottom of the Define search criteria for identity assignment form, click Reload.

    All possible assignments based on the search criteria are found in the target system for all user accounts. The three views are updated.

TIP: By double-clicking on an entry in the view, you can view the user account and identity main data.

The assignment of identities to user accounts creates connected user accounts (Linked state). To create managed user accounts (Linked configured state), you can assign an account definition at the same time.

To assign identities directly to user accounts

  • Click Suggested assignments.

    1. Click the Selection box of all user accounts to which you want to assign the suggested identities. Multi-select is possible.

    2. (Optional) Select an account definition in the Assign this account definition menu, and select a manage level in the Assign this account manage level menu.

    3. Click Assign selected.

    4. Confirm the security prompt with Yes.

      The identities determined using the search criteria are assigned to the selected user accounts. If an account definition was selected, this is assigned to all selected user accounts.

    - OR -

  • Click No identity assignment.

    1. Click Select identity for the user account to which you want to assign an identity. Select an identity from the menu.

    2. Click the Selection box of all user accounts to which you want to assign the selected identities. Multi-select is possible.

    3. (Optional) Select an account definition in the Assign this account definition menu, and select a manage level in the Assign this account manage level menu.

    4. Click Assign selected.

    5. Confirm the security prompt with Yes.

      The identities displayed in the Identity column are assigned to the selected user accounts. If an account definition was selected, this is assigned to all selected user accounts.

To remove assignments

  • Click Assigned user accounts.

    1. Click the Selection box of all the user accounts with the identity assignment you want to delete. Multi-select is possible.

    2. Click Remove selected.

    3. Confirm the security prompt with Yes.

      The assigned identities are removed from the selected user accounts.

Modifying scripts for automatic identity assignment

Automatic identity assignments are controlled through scripts. In SEARCH mode, these scripts assign existing identities to the user accounts based on the defined search criteria. The scripts for CREATE mode also define the properties that are initialized when a new identity is generated. These scripts are implemented in a default One Identity Manager installation for each target system type. The name of this script is:

<target system type>_PersonAuto_Mapping_<account type>

where:

<target system type> = short name of the addressed target system type

<account type> = Table containing the user accounts

TIP: You can customize scripts to extend search criteria for automatic identity assignment or the properties of new identities. The scripts can be overwritten. To do this, create a copy of the existing script and customize the copy.

In automatic identity assignment in CREATE mode, some properties of the user account are transferred to the new identity. The script initializes the identity properties. Which properties are initialized when an identity is created for a user account is determined by evaluating the entries in the DialogNotification table. In this table, the connected properties are mapped as bidirectional pairs through the formatting rules. The evaluation of DialogNotification entries is illustrated below using the initialization of an identity's surname:

Example:

The last name of an Active Directory user account is made up of the surname of the identity.

Value template for ADSAccount.Surname:

Value = $FK(UID_Person).Lastname$

If the identity’s surname changes, the last name of the Active Directory user also changes. The column Person.Lastname is therefore the sender and the column ADSAccount.Surname is the receiver.

Relationship as in the table DialogNotification:

Person.Lastname --> ADSAccount.Surname

The DialogNotification table can be used to help initialize the properties of a new identity, because such relationships can be resolved in reverse: the surname of the identity can be taken from the surname of the Active Directory user account. In this way certain presets for the identity can be generated automatically. However, only explicit relationships can be resolved in reverse.

Example:

The display name of an Active Directory user account should be made up of the surname and the first name of an identity.

Relationships as in the table DialogNotification:

Person.Lastname --> ADSAccount.Displayname

Person.Firstname --> ADSAccount.Displayname

Person.Firstname and Person.Lastname cannot be determined from ADSAccount.Displayname, because it is a compound value.

You can use the script TSB_PersonAuto_GetPropMappings to make it easier to map identity properties to user account properties. This script evaluates the relationships of the properties as recorded in the DialogNotification table. When run in the System Debugger, it generates VB.Net code for the possible assignments. This code can then be inserted into the script <target system type>_PersonAuto_Mapping_<account type>.

Example: Generated TSB_PersonAuto_GetPropMappings script

' PROPERTY MAPPINGS ADSAccount - Person
' ADSAccount.Initials --> Person.Initials
' ADSAccount.Locality --> Person.City
...
Try
    myPers.PutValue("Initials", myAcc.GetValue("Initials").String)
Catch ex As Exception
End Try
Try
    myPers.PutValue("City", myAcc.GetValue("Locality").String)
Catch ex As Exception
End Try
...
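The reverse resolution described above, as an added example that is not One Identity Manager code and not the real TSB_PersonAuto_GetPropMappings: the DialogNotification rows are constructed from the relationships shown on this page, only Person-to-ADSAccount relationships are considered, and the generated VB.Net text imitates the shape of the generated script above (an assumption about its exact form).

```python
"""Reverse resolution of DialogNotification relationships to preset the
properties of a new identity in CREATE mode.

Added example, not One Identity Manager code and not the output of
TSB_PersonAuto_GetPropMappings. The relationship rows below are constructed
from the ones shown on this page; the emitted VB.Net imitates the shape of
the generated script shown above (assumed, not the product's exact output).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Relationship = Tuple[str, str]  # (sender "Table.Column", receiver "Table.Column")

# Constructed DialogNotification rows: sender --> receiver.
RELATIONSHIPS: List[Relationship] = [
    ("Person.Lastname", "ADSAccount.Surname"),
    ("Person.Initials", "ADSAccount.Initials"),
    ("Person.City", "ADSAccount.Locality"),
    ("Person.Lastname", "ADSAccount.Displayname"),   # compound receiver: two senders,
    ("Person.Firstname", "ADSAccount.Displayname"),  # so it cannot be resolved in reverse
]


def reversible_mappings(rels: List[Relationship], account_table: str = "ADSAccount",
                        identity_table: str = "Person") -> Dict[str, str]:
    """Return {account column: identity column} for every receiver column of the
    account table that has exactly one sender in the identity table. A receiver
    fed by several senders is a compound value and is skipped."""
    senders = defaultdict(list)
    for sender, receiver in rels:
        s_tab, s_col = sender.split(".", 1)
        r_tab, r_col = receiver.split(".", 1)
        if r_tab == account_table and s_tab == identity_table:
            senders[r_col].append(s_col)
    return {acc_col: ids[0] for acc_col, ids in senders.items() if len(ids) == 1}


def generate_vb(mappings: Dict[str, str], account_table: str = "ADSAccount",
                identity_table: str = "Person") -> str:
    """Emit comment lines plus one Try/Catch block per mapping, in the shape
    of the generated script shown on this page (assumed form)."""
    lines = [f"' PROPERTY MAPPINGS {account_table} - {identity_table}"]
    lines += [f"' {account_table}.{a} --> {identity_table}.{p}" for a, p in mappings.items()]
    for a, p in mappings.items():
        lines += ["Try", f'    myPers.PutValue("{p}", myAcc.GetValue("{a}").String)',
                  "Catch ex As Exception", "End Try"]
    return "\n".join(lines)


def preset_identity(account: dict, mappings: Dict[str, str]) -> dict:
    """Build the properties of a new identity from an account row (CREATE mode);
    empty account values set nothing."""
    return {p: account[a] for a, p in mappings.items() if account.get(a)}


if __name__ == "__main__":
    m = reversible_mappings(RELATIONSHIPS)
    print(generate_vb(m))
    # Constructed account row, not real data.
    print(preset_identity({"Surname": "Smith", "Initials": "", "Locality": "Berlin", "Displayname": "Smith Jane"}, m))
```

ADSAccount.Displayname is dropped because it has two senders, which is the compound-value case above. Note also that the generated Try/Catch blocks have an empty Catch: if a PutValue fails, the new identity is created with that property unset and nothing reports it, so the properties of identities created in CREATE mode are worth checking after a synchronization.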

Deactivating and deleting identities and user accounts

How identities are handled, particularly in the case of permanent or partial withdrawal of an identity, varies between individual companies. There are companies that never delete identities, and only deactivate them when they leave the company. Other firms want to delete identities, but only after they have ensured that all their user accounts have been deleted. Different requirements could also apply to user account group memberships.

The handling of user accounts and their group memberships when identities are deactivated or deleted depends on how the user accounts are managed.

The following scenarios apply:

  • User accounts are linked to identities and managed through account definitions.

  • User accounts are linked to identities. No account definition is applied.
