One Identity Manager Identity Management Base

One Identity Manager 8.0
Identity Management Base Module
Administration Guide
Copyright 2017 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity do not make any commitment to update the information contained
in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend
WARNING: A WARNING icon indicates a potential for property damage,
personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss
of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting
information.
One Identity Manager Identity Management Base Module Administration Guide
Updated - November 2017
Version - 8.0
Contents
Basics for Mapping Company Structures in One Identity Manager (p. 9)
  Hierarchical Role Structure Basics (p. 10)
  Direction of Inheritance within a Hierarchy (p. 10)
  Discontinuing Inheritance (p. 12)
  Basics for Assigning Company Resources (p. 14)
  Direct Assignment (p. 14)
  Indirect Assignment (p. 14)
  Secondary Assignment (p. 15)
  Primary Assignment (p. 16)
  Assigning through Dynamic Roles (p. 17)
  Assigning through IT Shop Requests (p. 18)
  Basics for Calculating Inheritance (p. 18)
  Calculating Inheritance through Hierarchical Roles (p. 19)
  Calculation of Assignments (p. 21)
  Preparing Hierarchical Roles for Company Resource Assignments (p. 22)
  Possible Assignments of Company Resources through Roles (p. 23)
  Permit Assignments of Employees, Devices, Workdesks and Company Resources (p. 25)
  Using Roles to Limit Inheritance (p. 26)
  Inheritance Exclusion: Specifying Conflicting Roles (p. 28)
Managing Departments, Cost Centers and Locations (p. 30)
  One Identity Manager Users for Organizations (p. 30)
  Base Data for Structuring Departments, Cost Centers and Locations (p. 32)
  Role Classes (p. 33)
  Role Types (p. 35)
  Functional Areas (p. 35)
  Attestors (p. 36)
  Approvers and Approvers (IT) (p. 37)
  Editing Departments (p. 39)
  General Master Data for a Department (p. 39)
  Contact Data for Departments (p. 41)
  Functional Area and Risk Assessment (p. 42)
  Editing Cost Centers (p. 43)
  General Master Data for a Cost Center (p. 43)
  Functional Area and Risk Assessment (p. 46)
  Editing Locations (p. 47)
  General Master Data for a Location (p. 47)
  Location Address Information (p. 49)
  Configuring a Location's Network (p. 50)
  Directions to Location (p. 50)
  Functional Area and Risk Assessment (p. 51)
  Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations (p. 52)
  Assigning Company Resources to Departments, Cost Centers and Locations (p. 53)
  Setting Up IT Operating Data (p. 55)
  Modifying IT Operating Data (p. 58)
  Additional Tasks for Managing Departments, Cost Centers and Locations (p. 59)
  Creating Dynamic Roles for Departments, Cost Centers and Locations (p. 59)
  Assign Organizations (p. 60)
  Specifying Inheritance Exclusion for Roles (p. 61)
  Specify Role Relations (p. 63)
  Reports about Departments, Cost Centers and Locations (p. 64)
Working with Dynamic Roles (p. 65)
  Editing Dynamic Roles (p. 66)
  Dynamic Role Master Data (p. 67)
  Test Condition of a Dynamic Role (p. 68)
  Calculating Role Memberships (p. 68)
  Additional Tasks for Dynamic Roles (p. 70)
  Dynamic Role Overview (p. 70)
  Start Immediate Recalculation of Role Memberships (p. 70)
Employee Administration (p. 72)
  One Identity Manager Users for Employee Administration (p. 73)
  Basic Configuration Data for Employees (p. 74)
  Business Partners (p. 75)
  Creating Custom Mail Templates for Notifications (p. 76)
  General Properties of a Mail Template (p. 77)
  Creating and Editing an Email Definition (p. 79)
  Customizing Email Signatures (p. 79)
  Password Policies (p. 80)
  Predefined Password Policies (p. 80)
  Editing Password Policies (p. 81)
  Custom Scripts for Password Requirements (p. 84)
  Restricted Passwords (p. 86)
  Testing a Password (p. 86)
  Testing Generating a Password (p. 87)
  Assigning a Password Policy (p. 87)
  Entering Employee Master Data (p. 88)
  General Employee Master Data (p. 89)
  Organizational Employee Master Data (p. 91)
  Address Data (p. 93)
  Miscellaneous Employee Master Data (p. 94)
  Employee's Central User Account (p. 97)
  Employee's Central Password (p. 98)
  Change Password Question (p. 99)
  Mutual Aid for Resetting Passwords (p. 100)
  Employee's Default Email Address (p. 101)
  Disabling and Deleting Employees (p. 101)
  Temporarily Deactivating Employees (p. 102)
  Permanently Deactivating Employees (p. 102)
  Re-enable an Employee (p. 103)
  Deferred Deletion of Employees (p. 104)
  Assigning Company Resources to Employees (p. 104)
  Assigning Employees to Departments, Cost Centers and Locations (p. 107)
  Assigning Employees to Business Roles (p. 108)
  Adding Employees to IT Shop Custom Nodes (p. 109)
  Assigning Application Roles to Employees (p. 110)
  Assigning Resources Directly to Employees (p. 110)
  Assigning Applications Directly to Employees (p. 111)
  Assigning System Roles Directly to Employees (p. 111)
  Origin of an Employee's Roles and Entitlements (p. 112)
  Analyzing Role Memberships and Employee Assignments (p. 114)
  Mapping Multiple Employee Identities (p. 115)
  Limited Access to One Identity Manager (p. 117)
  Changing the Certification Status of an Employee (p. 117)
  Additional Tasks for Managing Employees (p. 118)
  Employee Overview (p. 119)
  Manually Assigning User Accounts to Employees (p. 119)
  Entering Calls for an Employee (p. 120)
  Assigning Extended Properties (p. 120)
  Determining an Employee's Language (p. 121)
  Determining an Employee's Working Hours (p. 122)
  Employee Reports (p. 123)
Managing Devices and Workdesks (p. 125)
  Base Data for Device Management (p. 125)
  Device Model (p. 126)
  General Master Data for a Device Model (p. 127)
  Inventory Data for a Device Model (p. 128)
  Business Partners (p. 129)
  Device Status (p. 130)
  Workdesk Status (p. 131)
  Workdesk Type (p. 132)
  Setting up a Device (p. 132)
  General Master Data for Devices (p. 134)
  Device Networking Data (p. 137)
  Assigning Company Resources to Devices (p. 138)
  Assigning Devices to Departments, Cost Centers and Locations (p. 139)
  Assigning Devices to Business Roles (p. 141)
  Additional Tasks for Managing Devices (p. 141)
  Overview of Devices (p. 141)
  Assigning Service Agreements and Entering Calls (p. 142)
  How to Set up a Workdesk (p. 142)
  General Master Data for a Workdesk (p. 143)
  Workdesk Location Information (p. 145)
  Additional Information about a Workdesk (p. 145)
  Assigning Company Resources to Workdesks (p. 146)
  Assigning Workdesks to Departments, Cost Centers and Locations (p. 147)
  Assigning Workdesks to Business Roles (p. 148)
  Assigning Applications Directly to Workdesks (p. 149)
  Assigning System Roles Directly to Workdesks (p. 150)
  Additional Tasks for Managing Workdesks (p. 151)
  Workdesk Overview (p. 151)
  Assigning Devices to Workdesks (p. 151)
  Assigning Employees to Workdesks (p. 152)
  Assigning Service Agreements and Entering Calls (p. 152)
  Asset Data for Devices (p. 153)
  Basic Data for Asset Management (p. 153)
  Asset Classes (p. 154)
  Asset Types (p. 154)
  Data for Investments and Investment Plans (p. 154)
  Editing Device Asset Data (p. 155)
  Master Data for Asset Data (p. 156)
  Commercial Data (p. 157)
Managing Resources (p. 159)
  One Identity Manager Users for Managing Resources (p. 160)
  Base Data for Resources (p. 161)
  Resource Types (p. 161)
  Processing Status (p. 161)
  Default Processing Status (p. 163)
  Editing Resources (p. 163)
  Resource Master Data (p. 163)
  Assigning Resources to Employees (p. 165)
  Assigning Employees to Departments, Cost Centers and Locations (p. 165)
  Assigning Resources to Business Roles (p. 166)
  Assigning Resources Directly to Employees (p. 166)
  Adding Resources to the IT Shop (p. 167)
  Adding Resources to System Roles (p. 168)
  Additional Tasks for Managing Resources (p. 168)
  Resource Overview (p. 169)
  Assigning Extended Properties to Resources (p. 169)
  Editing Multi-Request Resources (p. 169)
  Multi-Request Resource Master Data (p. 170)
  Assigning Multi-Request Resources to Employees (p. 171)
  Adding Multi-Request Resources to the IT Shop (p. 172)
  Reports about Resources (p. 173)
Set up Extended Properties (p. 174)
  One Identity Manager Users for Managing Extended Properties (p. 174)
  Create Property Groups (p. 175)
  Edit Extended Properties (p. 176)
  Extended Property Master Data (p. 176)
  Specifying Scoped Boundaries (p. 177)
  Additional Tasks for Managing Extended Properties (p. 178)
  Extended Property Overview (p. 178)
  Assign Objects (p. 178)
  Assign Property Groups (p. 179)
Appendix: Configuration Parameters for Managing Departments, Cost Centers and Locations (p. 180)
Appendix: Configuration Parameters for Managing Applications (p. 183)
Appendix: Configuration Parameters for Managing Devices and Workdesks (p. 187)
Appendix: Authentication Modules for Logging into the One Identity Manager (p. 189)
About us (p. 204)
  Contacting us (p. 204)
  Technical support resources (p. 204)
Index (p. 205)
1 Basics for Mapping Company Structures in One Identity Manager
One Identity Manager supplies employees in a company with company resources, for
example, permissions or applications, according to their function. To do this, the company
structures are represented in hierarchical role form in One Identity Manager.
Roles are objects through which company resources can be assigned. Employees, devices
and workdesks are assigned to roles as members. Members can obtain their company
resources through these roles when One Identity Manager is appropriately configured.
Company resource assignments are not made to individual employees, devices or
workdesks but centrally to roles, and are then inherited automatically through a predefined
distribution list.
In One Identity Manager the following roles are defined for mapping company structures:
• Departments, Cost Centers and Locations
  Departments, cost centers, locations, and business roles are each mapped to their
  own hierarchy under the heading "Organizations". This is due to their special
  significance for daily work schedules in many companies.
• Business Roles
  Business roles map company structures with similar functionality that exist in
  addition to departments, cost centers, and locations. These might be project groups,
  for example.
  NOTE: This function is only available if the Business Roles Module is installed.
• Application Roles
  Application roles are used to grant One Identity Manager object access rights to One
  Identity Manager users. For more detailed information, see the One Identity Manager
  Application Roles Administration Guide.
Detailed information about this topic
• Hierarchical Role Structure Basics on page 10
• Basics for Assigning Company Resources on page 14
• Basics for Calculating Inheritance on page 18
• Preparing Hierarchical Roles for Company Resource Assignments on page 22
Hierarchical Role Structure Basics
Departments, cost centers, locations and application roles are arranged hierarchically.
Company resources assigned to a role are inherited by its members through these hierarchies.
Assignments are therefore not made to individual employees, devices or workdesks but
centrally to roles, and are then inherited automatically through a predefined distribution list.
Hierarchies can be created in One Identity Manager following either the top-down or the
bottom-up model. In the top-down model, roles are defined based on areas of activity,
and the company resources required to fulfill those activities are assigned to the roles. In
the bottom-up model, existing company resource assignments are analyzed and the roles
are derived from them.
Detailed information about this topic
• Direction of Inheritance within a Hierarchy on page 10
• Discontinuing Inheritance on page 12
Direction of Inheritance within a Hierarchy
The direction of inheritance decides how company resources are distributed within a
hierarchy. One Identity Manager supports two directions of inheritance:
• Top-down inheritance
  The default structure within a company is realized through top-down inheritance in
  One Identity Manager. With it, a company's multilevel form can be represented
  with main departments and their respective subdepartments.
• Bottom-up inheritance
  Whereas in top-down inheritance assignments are inherited in the direction of
  more detailed classifications, bottom-up inheritance operates in the other
  direction. This inheritance direction was introduced in particular to map project
  groups. The aim is to provide someone coordinating several project groups with
  the company resources in use by each of those project groups.
The effect on the allocation of company resources is explained in the following examples
for assigning an application.
Example for Assigning Company Resources Top-Down
Figure 1: Assignment through Top-Down Inheritance
Figure 1 illustrates a section of a company's structure together with the applications
assigned to each department. An employee in the "Retail" department is assigned all the
applications allocated to that department and all those assigned along the full structure
path above it. In this case that is internet software, address administration, mail, and text
editing.
Example for Assigning Company Resources Bottom-Up
Figure 2: Assignment through Bottom-Up Inheritance
Figure 2 shows bottom-up inheritance based on a project framework, again with the
applications assigned to each project group. An employee from the project group
"Project lead" receives the applications of that project group as well as those of the
project groups below it. In this case, that is project management, CASE tool, development
environment, assembler tool and prototyping tool.
Discontinuing Inheritance
There are cases where you may not want inheritance to run over several hierarchical
levels. It is therefore possible to discontinue inheritance within a hierarchy. The point at
which inheritance is discontinued is specified by the option Block inheritance on the
role. The effect depends on the chosen direction of inheritance.
• In top-down inheritance, a role marked with the option Block inheritance does not
  inherit any assignments from parent levels. It does, however, pass on its own directly
  assigned company resources to the structures below it.
• In bottom-up inheritance, a role marked with the option Block inheritance still
  inherits all assignments from the levels below it in the hierarchy. However, it does
  not pass any assignments further up the hierarchy.
Example for Discontinuing Inheritance Top-Down
Figure 3: Discontinuing Inheritance Top-Down
If the option Block inheritance is set for the department "Sales" in the top-down
example, employees in "Sales" are assigned only address administration, and employees in
the "Retail" department are assigned address administration and internet software. Neither
is assigned mail or text editing: the applications of the department "Overall organization"
are no longer passed down to retail and dealers.
Example for Discontinuing Inheritance Bottom-Up
Figure 4: Discontinuing Inheritance Bottom-Up
An employee from the project group "Programming" receives the applications of that
project group as well as those of the project groups underneath it; in this case the
development environment, assembler tool and prototyping tool. If the project group
"Programming" is marked with the option Block inheritance, it no longer passes
assignments up the hierarchy. As a result, employees in the project group "Project lead"
are assigned only project management and the CASE tool. The applications of the project
groups "Programming", "System programming" and "Interface design" are not distributed
to the project lead.
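The four narrated outcomes can be checked against a small model of the rules above. The following Python is an added example written for this text, not code from One Identity Manager: it encodes the Block inheritance behaviour for both directions and reproduces the results described for "Sales", "Retail", "Programming" and "Project lead". Which application sits on which project group, and the name "Analysis" for the group that carries the CASE tool, are assumptions, because the page does not state them.

```python
"""Effective application assignments under top-down and bottom-up inheritance,
with the "Block inheritance" option. Added example, not One Identity Manager
code. Role names and applications come from the narrated examples; the exact
application-to-project-group mapping and the group name "Analysis" are
assumptions made here."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    name: str
    parent: Optional["Role"] = None
    apps: frozenset = frozenset()        # company resources assigned directly to this role
    block: bool = False                  # the "Block inheritance" option
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)


def effective_top_down(role: Role) -> frozenset:
    """Top-down: own assignments plus whatever the parent chain passes down.
    A blocked role receives nothing from above but still passes its own
    direct assignments (and, having nothing else, only those) downwards."""
    inherited = frozenset()
    if role.parent is not None and not role.block:
        inherited = effective_top_down(role.parent)
    return role.apps | inherited


def effective_bottom_up(role: Role) -> frozenset:
    """Bottom-up: own assignments plus whatever the subtree passes up.
    A blocked role still receives from below but passes nothing further up,
    so its whole subtree becomes invisible to the roles above it."""
    result = set(role.apps)
    for child in role.children:
        if not child.block:
            result |= effective_bottom_up(child)
    return frozenset(result)


def sales_structure(block_sales: bool = False) -> dict:
    """Top-down example: Overall organization > Sales > Retail (constructed)."""
    overall = Role("Overall organization", apps=frozenset({"mail", "text editing"}))
    sales = Role("Sales", overall, frozenset({"address administration"}), block=block_sales)
    retail = Role("Retail", sales, frozenset({"internet software"}))
    return {r.name: r for r in (overall, sales, retail)}


def project_structure(block_programming: bool = False) -> dict:
    """Bottom-up example: Project lead above Analysis (assumed name) and
    Programming; Programming above System programming and Interface design."""
    lead = Role("Project lead", apps=frozenset({"project management"}))
    analysis = Role("Analysis", lead, frozenset({"CASE tool"}))
    programming = Role("Programming", lead, frozenset({"development environment"}),
                       block=block_programming)
    sysprog = Role("System programming", programming, frozenset({"assembler tool"}))
    iface = Role("Interface design", programming, frozenset({"prototyping tool"}))
    return {r.name: r for r in (lead, analysis, programming, sysprog, iface)}


if __name__ == "__main__":
    for blocked in (False, True):
        s = sales_structure(block_sales=blocked)
        print(f"top-down, Sales blocked={blocked}:")
        for name in ("Overall organization", "Sales", "Retail"):
            print(f"  {name:22} {sorted(effective_top_down(s[name]))}")
        p = project_structure(block_programming=blocked)
        print(f"bottom-up, Programming blocked={blocked}:")
        for name in ("Project lead", "Programming", "System programming"):
            print(f"  {name:22} {sorted(effective_bottom_up(p[name]))}")
```

The asymmetry is the point worth remembering when reviewing a role hierarchy: a blocked role in a top-down tree still pushes its own assignments to everything beneath it, while a blocked role in a bottom-up tree hides its entire subtree from the coordinating roles above. In both cases the effective set of a member can only be determined by walking the hierarchy, not by reading the assignments of a single role.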
Basics for Assigning Company Resources
You can assign company resources to employees, devices and workdesks in One
Identity Manager. Different assignment types are available for this. The assignment
types are:
• Direct Assignment
• Indirect Assignment
• Assigning through Dynamic Roles
• Assigning through IT Shop Requests
Direct Assignment
A direct assignment results from assigning a company resource to an individual
employee, device or workdesk. Direct assignment of company resources makes it
easier to react to special requirements.
Figure 5: Schema of a direct assignment based on the example of an employee
Indirect Assignment
In the case of indirect assignment of company resources, employees, devices and
workdesks are arranged in departments, cost centers, locations, business roles or
application roles. The total of company resources assigned to an employee, device or
workdesk is calculated from its position within the hierarchies, the direction of inheritance
(top-down or bottom-up) and the company resources assigned to these roles. Indirect
assignment distinguishes between primary and secondary assignment.
Figure 6: Schema of an indirect assignment based on the employee example
Related Topics
• Secondary Assignment on page 15
• Primary Assignment on page 16
Secondary Assignment
You make a secondary assignment by classifying an employee, a device or a workdesk
within a role hierarchy. Secondary assignment is the default method for assigning and
inheriting company resources through roles. You specify on the role classes (department,
location, cost center, business role, application role) whether secondary assignment of
company resources to employees, devices and workdesks is possible.
Figure 7: Secondary Assignment Inheritance Schema
Related Topics
• Permit Assignments of Employees, Devices, Workdesks and Company
  Resources on page 25
Primary Assignment
You make a primary assignment by referencing a department, cost center or location
through a foreign key on the employee, device or workdesk object. To do this, you use
the input fields for roles on the employee, device and workdesk master data forms.
Inheritance through primary assignment is enabled by configuration parameters. It is
enabled by default for employee objects.
Figure 8: A Primary Assignment Schema
NOTE: Changes to these configuration parameters cause the inheritance data to be
recalculated. That means: if primary assignment is disabled at a later date, the
inheritance data created through it is removed from the database.
Table 1: Configuration Parameters for Primary Assignment
Configuration Parameter | Meaning when active
QER\Structures\Inherite\Person | Employees can inherit through primary assignments.
QER\Structures\Inherite\Person\FromDepartment | Employees inherit assignments from their primary department (Person.UID_Department).
QER\Structures\Inherite\Person\FromLocality | Employees inherit assignments from their primary location (Person.UID_Locality).
QER\Structures\Inherite\Person\FromProfitCenter | Employees inherit assignments from their primary cost center (Person.UID_ProfitCenter).
QER\Structures\Inherite\Hardware | Devices can inherit through primary assignments.
QER\Structures\Inherite\Hardware\FromDepartment | Devices inherit assignments from their primary department (Hardware.UID_Department).
QER\Structures\Inherite\Hardware\FromLocality | Devices inherit assignments from their primary location (Hardware.UID_Locality).
QER\Structures\Inherite\Hardware\FromProfitCenter | Devices inherit assignments from their primary cost center (Hardware.UID_ProfitCenter).
QER\Structures\Inherite\Workdesk | Workdesks can inherit through primary assignments.
QER\Structures\Inherite\Workdesk\FromDepartment | Workdesks inherit assignments from their primary department (Workdesk.UID_Department).
QER\Structures\Inherite\Workdesk\FromLocality | Workdesks inherit assignments from their primary location (Workdesk.UID_Locality).
QER\Structures\Inherite\Workdesk\FromProfitCenter | Workdesks inherit assignments from their primary cost center (Workdesk.UID_ProfitCenter).
Assigning through Dynamic Roles
Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles
are used to specify role memberships dynamically. Employees, devices and workdesks are
not permanently assigned to a role, but only while they fulfill certain conditions. A check is
performed regularly to assess which employees, devices or workdesks fulfill these
conditions, so the role memberships change dynamically. For example, company
resources can be assigned dynamically to all employees in a department in this way; if an
employee leaves the department, they lose the resources assigned through the dynamic
role as soon as the memberships are recalculated.
Related Topics
• Working with Dynamic Roles on page 65
Assigning through IT Shop Requests
Assignment through the IT Shop is a special case of indirect assignment. Add employees to
a shop as customers so that company resources can be assigned to them through IT Shop
requests. All company resources assigned to this shop as products can be requested by its
customers. Requested company resources are assigned to the employee once approval has
been granted. Role memberships can be requested through the IT Shop in the same way as
company resources.
Figure 9: Assignment Schema through Requests
Basics for Calculating Inheritance
Calculation of objects assigned through inheritance is done by the DBQueue Processor.
Tasks are added to the DBQueue when assignments relevant to inheritance are made.
These tasks are processed by the DBQueue Processor and result in follow-on tasks for the
DBQueue or in processes for the process component "HandleObjectComponent" in the Job
queue. The resulting assignments of permissions to user accounts in the target system are
inserted, modified or deleted during process handling.
Figure 10: Overview of Inheritance Calculation
Detailed information about this topic
• Calculating Inheritance through Hierarchical Roles on page 19
• Calculation of Assignments on page 21
Calculating Inheritance through Hierarchical Roles
Employees, devices and workdesks can only be members of roles that are extensions of
the BaseTree table. These roles are displayed in views, each of which represents a certain
section of the BaseTree table. The One Identity Manager data model contains the following
views:
Table 2: BaseTree Table Views
View | Meaning
Department | Graphical representation of departments
Locality | Graphical representation of locations
ProfitCenter | Graphical representation of cost centers
AERole | Application role mapping
NOTE: Because the views are sections of the BaseTree table, all the inheritance
mechanisms described below also apply to the views.
Inheritance comes from the BaseTree table. The BaseTree table can map any number of
hierarchical role structures using the UID_Org - UID_ParentOrg relationship. The complete
transitive closure of the tree is stored in the BaseTreeCollection table: for each role, every
role it inherits from is listed explicitly. For each section of the BaseTree table there is a
corresponding, so-called Collection table containing that section of the transitive closure.
The following relations apply in the BaseTreeCollection table:
• UID_Org is the role that inherits.
• UID_ParentOrg is the role that passes down inheritance.
This principle also applies to bottom-up trees, which pass inheritance from bottom to top,
even though the parent relationship from the BaseTree table then appears to be reversed.
The reflexive relation is also included in the transitive closure as its base element, that is,
each role inherits from itself.
Each role in a role hierarchy must be related to the OrgRoot table ("Role classes").
BaseTreeRoot is the anchor for transitive closures, meaning that transitive closures are only
ever formed within one role class. Roles from different role classes may not be in the
same role hierarchy or point to each other through a parent-child relationship.
Figure 11: Representation of a Hierarchical Structure with a Transitive Closure
using the Example of an OrgCollection
A role inherits everything that is assigned to its parents in the transitive closure,
including what is assigned to itself. If the set of roles from which a role inherits
changes, the assigned objects are recalculated for all members of that role. If the set of
assigned objects of one class changes, the objects assigned in that class are recalculated
for all members of the role. If an application is assigned to a parent application, the
members of the BaseTreeHasApp table are recalculated.
The members of a role inherit all assignments made to the role itself (BaseTree) and to the
roles above it in the hierarchy (BaseTreeCollection), whether the membership comes from
a primary or a secondary assignment.
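The orientation of the BaseTreeCollection rows is easy to get wrong when querying them by hand, especially for a bottom-up role class. The following Python is an added example, not One Identity Manager code: it computes the closure from a BaseTree-style list of (UID_Org, UID_ParentOrg, UID_OrgRoot) rows, adds the reflexive row for every role, writes the rows the other way round for a role class that inherits bottom-up, and rejects a parent-child edge that crosses role classes. The sample UIDs and the per-role-class direction flag are constructed for the example.

```python
"""Transitive closure of a BaseTree-style hierarchy in the BaseTreeCollection
orientation (UID_Org inherits from UID_ParentOrg). Added example, not One
Identity Manager code. Column and table names follow the guide; the sample
UIDs and the set of bottom-up role classes are constructed for this example."""


class RoleClassViolation(ValueError):
    """A parent-child edge joins roles of two different role classes (OrgRoot)."""


# Constructed BaseTree rows: (UID_Org, UID_ParentOrg or None, UID_OrgRoot).
# ORG-DEPT is a top-down role class (departments), ORG-PROJ a bottom-up one.
SAMPLE_BASE_TREE = [
    ("D-OVERALL", None, "ORG-DEPT"),
    ("D-SALES", "D-OVERALL", "ORG-DEPT"),
    ("D-RETAIL", "D-SALES", "ORG-DEPT"),
    ("P-LEAD", None, "ORG-PROJ"),
    ("P-PROG", "P-LEAD", "ORG-PROJ"),
    ("P-SYSPROG", "P-PROG", "ORG-PROJ"),
]
BOTTOM_UP_ROLE_CLASSES = frozenset({"ORG-PROJ"})


def base_tree_collection(base_tree, bottom_up_roots=frozenset()):
    """Return the closure as a set of (UID_Org, UID_ParentOrg) rows.

    UID_Org is always the role that inherits and UID_ParentOrg the role it
    inherits from. For a top-down role class that follows the BaseTree parent
    chain; for a bottom-up role class the BaseTree parent is the inheriting
    side, so the row is written the other way round."""
    parent_of = {}
    root_of = {}
    for uid, parent, org_root in base_tree:
        parent_of[uid] = parent
        root_of[uid] = org_root
    # A hierarchy must stay within one role class.
    for uid, parent in parent_of.items():
        if parent is None:
            continue
        if parent not in root_of:
            raise KeyError(f"{uid}: UID_ParentOrg {parent} is not in BaseTree")
        if root_of[parent] != root_of[uid]:
            raise RoleClassViolation(
                f"{uid} ({root_of[uid]}) points to {parent} ({root_of[parent]})")
    rows = set()
    for uid in parent_of:
        rows.add((uid, uid))               # every role inherits from itself
        seen = {uid}
        ancestor = parent_of[uid]
        while ancestor is not None:
            if ancestor in seen:           # defensive: a cycle would loop forever
                raise ValueError(f"cycle in BaseTree through {ancestor}")
            seen.add(ancestor)
            if root_of[uid] in bottom_up_roots:
                rows.add((ancestor, uid))  # parent inherits from its descendant
            else:
                rows.add((uid, ancestor))  # descendant inherits from its parent
            ancestor = parent_of[ancestor]
    return rows


def inherits_from(rows, uid):
    """All roles the given role inherits from, itself included."""
    return {parent for org, parent in rows if org == uid}


if __name__ == "__main__":
    closure = base_tree_collection(SAMPLE_BASE_TREE, BOTTOM_UP_ROLE_CLASSES)
    for uid, _, _ in SAMPLE_BASE_TREE:
        print(f"{uid:10} inherits from {sorted(inherits_from(closure, uid))}")
    try:  # a location whose parent is a department is rejected
        base_tree_collection(SAMPLE_BASE_TREE + [("L-BERLIN", "D-SALES", "ORG-LOC")])
    except RoleClassViolation as exc:
        print("rejected:", exc)
```

When reviewing who inherits from a role, filter on UID_ParentOrg, not UID_Org: the rows with UID_ParentOrg = X are the roles whose members receive everything assigned to X, and in a bottom-up class those are X's BaseTree ancestors rather than its children.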
Calculation of Assignments
When inheritance is calculated, an entry is made for each assignment in the corresponding
assignment table. Each table in which assignments are mapped has a column XOrigin. The
origin of an assignment is stored in this column as a bit field. Each time an entry is made in
the assignment table, the bit for the relevant assignment type is set. Each assignment type
changes only its own bit position, so one row can record several origins at once.
That means:
• Bit 0: direct assignment.
• Bit 1: indirect assignment, but not through a dynamic role.
• Bit 2: assignment through a dynamic role.
• Bit 3: assignment through an assignment request.
The column XIsInEffect shows whether an assignment is in effect. For example, if an
employee is disabled, marked for deletion or classified as a security risk, inheritance of
company resources can be prohibited for this employee. The assignment row is retained,
but the assignment is not put into effect.
The DBQueue Processor monitors changes to the column XOrigin. The column XIsInEffect
is recalculated whenever the value in XOrigin changes.
Table 3: Possible Values for Column XOrigin
Bit 3 | Bit 2 | Bit 1 | Bit 0 | Value in XOrigin | Meaning
0 | 0 | 0 | 1 | 1 | Only directly assigned.
0 | 0 | 1 | 0 | 2 | Only indirectly assigned.
0 | 0 | 1 | 1 | 3 | Directly and indirectly assigned.
0 | 1 | 0 | 0 | 4 | Assigned through dynamic roles.
0 | 1 | 0 | 1 | 5 | Assigned directly and through dynamic roles.
0 | 1 | 1 | 0 | 6 | Assigned indirectly and through dynamic roles.
0 | 1 | 1 | 1 | 7 | Assigned directly, indirectly and through dynamic roles.
1 | 0 | 0 | 0 | 8 | Assignment request.
1 | 0 | 0 | 1 | 9 | Assignment request and direct assignment.
1 | 0 | 1 | 0 | 10 | Assignment request and indirect assignment.
1 | 0 | 1 | 1 | 11 | Assignment request, direct and indirect assignment.
1 | 1 | 0 | 0 | 12 | Assignment request and through dynamic roles.
1 | 1 | 0 | 1 | 13 | Assignment request, directly and through dynamic roles.
1 | 1 | 1 | 0 | 14 | Assignment request, indirectly and through dynamic roles.
1 | 1 | 1 | 1 | 15 | Assignment request, directly, indirectly and through dynamic roles.
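The bit field lends itself to a small helper. The following Python is an added example, not One Identity Manager code: it decodes XOrigin values according to Table 3, sets and clears one origin bit at a time the way the text describes, and adds the check a reviewer of assignment tables usually wants, namely rows where a direct assignment sits alongside a role-based origin, because clearing the role bits will not remove such a row. The assignment-table layout and the XIsInEffect rule, reduced to the three employee states the page names, are assumptions.

```python
"""Working with the XOrigin bit field of an assignment row. Added example, not
One Identity Manager code. Bit positions follow Table 3; the assignment-table
layout ({(employee, resource): XOrigin}) and the simplified XIsInEffect rule
are assumptions made here."""
from enum import IntFlag


class XOrigin(IntFlag):
    DIRECT = 1         # bit 0: direct assignment
    INDIRECT = 2       # bit 1: indirect, via the role hierarchy but not a dynamic role
    DYNAMIC_ROLE = 4   # bit 2: assignment through a dynamic role
    REQUEST = 8        # bit 3: assignment through an assignment request


ORIGINS = (XOrigin.DIRECT, XOrigin.INDIRECT, XOrigin.DYNAMIC_ROLE, XOrigin.REQUEST)


def decode(value: int) -> list:
    """Names of the origins recorded in an XOrigin value, bit 0 first."""
    value = int(value)
    if not 0 <= value <= 15:
        raise ValueError(f"XOrigin out of range: {value}")
    return [o.name for o in ORIGINS if value & o]


def set_origin(value: int, origin: XOrigin) -> int:
    """Set one origin bit; the other bits are left untouched."""
    return int(value) | int(origin)


def clear_origin(value: int, origin: XOrigin) -> int:
    """Clear one origin bit; the other bits are left untouched."""
    return int(value) & ~int(origin) & 0xF


def apply_change(rows: dict, key: tuple, origin: XOrigin, add: bool) -> dict:
    """Record that one assignment type was added or removed for (employee,
    resource). The row appears when its first bit is set and disappears only
    when the last bit is cleared, which is what lets a leftover direct
    assignment survive the end of a role membership."""
    new = (set_origin if add else clear_origin)(rows.get(key, 0), origin)
    if new == 0:
        rows.pop(key, None)
    else:
        rows[key] = new
    return rows


def is_in_effect(value: int, disabled=False, marked_for_deletion=False,
                 security_risk=False) -> bool:
    """Simplified XIsInEffect: the row is kept but suspended while the employee
    is disabled, marked for deletion or classified as a security risk."""
    return int(value) != 0 and not (disabled or marked_for_deletion or security_risk)


def surviving_direct(rows: dict) -> list:
    """Rows whose XOrigin combines DIRECT with a role-based origin (values 3, 5,
    7, 9, 11, 13, 15). Removing the employee from every role clears bits 1-3
    but leaves bit 0, so the entitlement outlives the role membership."""
    return sorted(k for k, v in rows.items()
                  if int(v) & XOrigin.DIRECT and clear_origin(v, XOrigin.DIRECT))


def sample_rows() -> dict:
    """Constructed assignment table: (employee, group) -> XOrigin."""
    rows = {}
    apply_change(rows, ("PER-1", "GRP-FIN"), XOrigin.DYNAMIC_ROLE, True)  # 4
    apply_change(rows, ("PER-1", "GRP-FIN"), XOrigin.DIRECT, True)        # 5
    apply_change(rows, ("PER-2", "GRP-FIN"), XOrigin.INDIRECT, True)      # 2
    apply_change(rows, ("PER-3", "GRP-ADM"), XOrigin.REQUEST, True)       # 8
    return rows


if __name__ == "__main__":
    rows = sample_rows()
    for key, value in rows.items():
        print(key, value, decode(value))
    print("direct bits that would survive leaving all roles:", surviving_direct(rows))
    # PER-1 leaves the dynamic role: the row stays with XOrigin 1, it is not deleted.
    apply_change(rows, ("PER-1", "GRP-FIN"), XOrigin.DYNAMIC_ROLE, False)
    print(("PER-1", "GRP-FIN"), rows[("PER-1", "GRP-FIN")])
```

The odd XOrigin values above 1 are the ones to query periodically: each is an entitlement that an employee will keep after every role-based origin has gone, which is exactly the case a recertification of direct assignments is meant to catch.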
Preparing Hierarchical Roles for Company Resource Assignments
One Identity Manager supplies a configuration that supports immediate use of
hierarchical roles for departments, cost centers, locations and application roles.
However, it may be necessary to adjust the role settings depending on the company
structure.
You should check the following settings and make adjustments as required:
• Specify whether employees, devices, workdesks and company resources may be
  assigned to roles.
  Employee, device, workdesk and company resource assignments are predefined for
  departments, cost centers, locations and application roles.
• Define the direction of inheritance within the hierarchy.
  Top-down inheritance is defined for departments, cost centers, locations and
  application roles.
• Limit inheritance for specific roles if necessary.
  You can specify whether inheritance of company resources can be limited for single
  employees, devices or workdesks.
• Define mutually exclusive roles if required.
  You can prevent employees, devices or workdesks being added to roles which
  contain mutually exclusive company resources by specifying "conflicting roles".
Detailed information about this topic
• Possible Assignments of Company Resources through Roles on page 23
• Permit Assignments of Employees, Devices, Workdesks and Company
  Resources on page 25
• Using Roles to Limit Inheritance on page 26
• Inheritance Exclusion: Specifying Conflicting Roles on page 28
Possible Assignments of Company Resources through Roles

Employees, devices and workdesks can inherit company resources through indirect assignment. To do this, employees, devices and workdesks may be members of as many roles as required. Employees, devices and workdesks obtain the necessary company resources through defined rules.

To assign company resources to roles, apply the appropriate tasks to the roles.

The following table shows the possible assignments of company resources to employees, workdesks and devices using roles.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.
Table 4: Possible Assignments of Company Resources through Roles

Assignable company resource | Members in roles: employees | Members in roles: workdesks
Resources | possible | -
Account definitions | possible |
Groups of custom target systems | possible (assigns to all of an employee's user accounts in custom target systems for which group inheritance is authorized) | -
Active Directory groups | possible (assigns to all of an employee's Active Directory user accounts and Active Directory contacts for which group inheritance is authorized) | -
SharePoint groups | possible (assigns to all of an employee's SharePoint user accounts) | -
SharePoint roles | possible (assigns to all of an employee's SharePoint user accounts) | -
LDAP groups | possible (assigns to all of an employee's LDAP user accounts for which group inheritance is authorized) | -
Notes groups | possible (assigns to all of an employee's Notes user accounts) | -
SAP groups | possible (assigns to all of an employee's SAP user accounts in the same SAP client) | -
SAP profiles | possible (assigns to all of an employee's SAP user accounts in the same SAP client) | -
SAP roles | possible (assigns to all of an employee's SAP user accounts in the same SAP client) | -
Structural profiles | possible (assigns to all of an employee's SAP user accounts in the same SAP client) | -
BI analysis authorizations | possible (assigns to all of an employee's BI user accounts in the same system) | -
Azure Active Directory groups | possible (assigns to all of an employee's Azure Active Directory user accounts for which group inheritance is authorized) | -
Azure Active Directory administrator roles | possible (assigns to all of an employee's Azure Active Directory user accounts for which group inheritance is authorized) | -
Azure Active Directory subscriptions | possible (assigns to all of an employee's Azure Active Directory user accounts for which group inheritance is authorized) | -
Disabled Azure Active Directory service plans | possible (assigns to all of an employee's Azure Active Directory user accounts for which group inheritance is authorized) | -
Unix groups | possible (assigns to all of an employee's Unix user accounts) | -
System roles | possible | possible
Subscribable reports | possible | -
Applications | possible | possible
Related Topics

• Assigning Company Resources to Departments, Cost Centers and Locations on page 53
Permit Assignments of Employees, Devices, Workdesks and Company Resources

The default method for assigning company resources is secondary assignment. For this, employees, devices and workdesks as well as company resources are added to roles through secondary assignment.

Use role classes to specify how and whether employees, devices, workdesks and company resources are permitted as secondary assignments to roles. Role classes form the basis for mapping hierarchical roles in One Identity Manager and are used to group similar roles together. The following role classes are available by default in One Identity Manager:

• Department
• Cost center
• Location
• Application Role
Secondary assignment of objects to roles in a role class is defined by the following options:

• Assignment allowed
  This option specifies whether assignments of the respective object types to roles of this role class are allowed in general.
• Direct assignment allowed
  Use this option to specify whether the respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are assigned to departments, cost centers or locations over the assignment form in the Manager.
  NOTE: If this option is not set, the assignment of the respective object types is only possible through requests in the IT Shop or through dynamic roles.
Example
To assign employees in Manager directly to a department, set the option Assignment
allowed and the option Direct assignment allowed on the role class "department" for
the entry "employees".
If employees can only obtain membership in a department through the IT Shop, set the
option Assignment allowed but not the option Direct assignment allowed on the role
class "department" for the entry "employees". A corresponding assignment resource must
be available in the IT Shop.
NOTE: Employee, device, workdesk and company resource assignments are
predefined for departments, cost centers, location and application roles.
To configure secondary assignment to roles of a role class
1. Select the role class under Basic configuration data | Role classes.
2. Select the task Configure role assignments.
3. Use the column Allow assignments to specify whether assignment is
generally allowed.
NOTE: You can only reset the option Assignment allowed if there are no
assignments of the respective objects to roles of this role class and none can
arise through existing dynamic roles.
4. Use the column Allow direct assignments to specify whether a direct assignment
is allowed.
NOTE: You can only reset the option Direct assignment allowed if there are
no direct assignments of the respective objects to roles of this role class.
5. Save the changes.
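The following is an added example, not code from the guide or from One Identity Manager. It models the two role-class options above for a set of object types and enforces the rules the text states: with Assignment allowed off nothing may be assigned, and with Direct assignment allowed off a direct assignment is rejected while an IT Shop request or dynamic-role membership passes. It also implements the two preconditions the procedure gives for resetting the options. The role class, object type names and existing assignments are constructed; the XOrigin bit values follow the table earlier in this chapter.

```python
# Added example (not from the guide): role-class assignment options as a guard,
# plus the preconditions for resetting them. Configuration data is constructed.
from dataclasses import dataclass, field

DIRECT, INDIRECT, DYNAMIC, REQUEST = 1, 2, 4, 8   # XOrigin bits 0..3


@dataclass
class RoleClassOptions:
    assignment_allowed: bool = False
    direct_assignment_allowed: bool = False


@dataclass
class RoleClass:
    name: str
    # object type ("Employees", "Devices", "Workdesks", ...) -> options
    options: dict = field(default_factory=dict)
    # existing secondary assignments as (object type, object, role, xorigin)
    assignments: list = field(default_factory=list)
    # object types for which a dynamic role exists on some role of this class
    dynamic_roles_for: set = field(default_factory=set)

    def check_assignment(self, object_type: str, origin: int) -> str:
        """Return 'ok' or the reason the proposed assignment must be rejected."""
        opts = self.options.get(object_type, RoleClassOptions())   # unknown type: nothing allowed
        if not opts.assignment_allowed:
            return f"{object_type} may not be assigned to roles of class {self.name}"
        if origin & DIRECT and not opts.direct_assignment_allowed:
            return (f"direct assignment of {object_type} to {self.name} is disabled; "
                    "use an IT Shop request or a dynamic role")
        return "ok"

    def can_reset_assignment_allowed(self, object_type: str) -> bool:
        """Only if no assignments of this type exist and none can arise via dynamic roles."""
        if any(t == object_type for t, _obj, _role, _xo in self.assignments):
            return False
        return object_type not in self.dynamic_roles_for

    def can_reset_direct_assignment_allowed(self, object_type: str) -> bool:
        """Only if no DIRECT assignments of this type exist (XOrigin bit 0 clear everywhere)."""
        return not any(t == object_type and xo & DIRECT
                       for t, _obj, _role, xo in self.assignments)


# Constructed configuration mirroring the guide's example: employees may join a
# department only via the IT Shop (Assignment allowed on, Direct assignment off).
DEPARTMENT = RoleClass(
    "Department",
    options={
        "Employees": RoleClassOptions(assignment_allowed=True, direct_assignment_allowed=False),
        "Devices": RoleClassOptions(assignment_allowed=True, direct_assignment_allowed=True),
        "Workdesks": RoleClassOptions(assignment_allowed=False),
    },
    assignments=[("Employees", "hans.peters", "Finance", REQUEST),
                 ("Devices", "LAPTOP-0042", "Finance", DIRECT)],
    dynamic_roles_for={"Employees"},
)

if __name__ == "__main__":
    print(DEPARTMENT.check_assignment("Employees", DIRECT))
    print(DEPARTMENT.check_assignment("Employees", REQUEST))
    print("reset Assignment allowed for Employees:",
          DEPARTMENT.can_reset_assignment_allowed("Employees"))
```

The guard only inspects the direct bit of the proposed origin; whether an object reaches a role through inheritance is decided by the hierarchy, not by these two options, so that path is not modelled here.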
Using Roles to Limit Inheritance

There are particular cases where you may not want inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effect depends on the chosen direction of inheritance.

• Roles marked with the option Block inheritance do not inherit any assignments from parent levels in top-down inheritance. Such a role can, however, pass on its own directly assigned company resources to lower level structures.
• In bottom-up inheritance, a role labeled with the option Block inheritance inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.
To discontinue inheritance
1. Open the role's master data form.
2. Set the option Block inheritance.
3. Save the changes.
Inheritance of company resources can also be temporarily prevented for individual roles. You can use this, for example, to first assign all required company resources to a role; the resources are not inherited until inheritance is permitted for the role, for example, after a defined approval process has run.
To prevent a role from inheriting

1. Open the role's master data form.
2. Set the option
   • Employees do not inherit
   • Devices do not inherit
   - OR -
   • Workdesks do not inherit
3. Save the changes.
Inheritance of company resources can be prevented in the same way for individual employees, devices or workdesks. You can use this, for example, to correct data after importing employees before applying inheritance.
To prevent an employee from inheriting
1. Open the employee's master data form.
2. Set the option No inheritance.
The employee does not inherit company resources through roles.
NOTE: This option does not affect direct assignments! Company resource direct
assignments remain assigned.
3. Save the changes.
To prevent a device from inheriting
1. Open the device's master data form.
2. Set the option No inheritance.
The device does not inherit company resources through roles.
NOTE: This option does not affect direct assignments! Company resource direct
assignments remain assigned.
3. Save the changes.
To prevent a workdesk from inheriting
1. Open the workdesk's master data form.
2. Set the option No inheritance.
The workdesk does not inherit company resources through roles.
NOTE: This option does not affect direct assignments! Company resource direct
assignments remain assigned.
3. Save the changes.
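The following is an added example and not code from the guide or from One Identity Manager. It models how Block inheritance on a role and No inheritance on an employee change the company resources an employee ends up with, in both inheritance directions, as described above. The hierarchy, role names and resources are constructed; two points the text leaves open are marked as assumptions in the comments (that a blocked role in bottom-up mode passes nothing upward, including its own direct assignments, and that "Employees do not inherit" affects only the role it is set on).

```python
# Added example, not part of the guide: effective company resources under
# top-down and bottom-up inheritance with "Block inheritance" on roles and
# "No inheritance" on an employee. All roles and resources are constructed.


class RoleHierarchy:
    def __init__(self, parents, resources, direction="top-down",
                 blocked=(), employees_do_not_inherit=()):
        if direction not in ("top-down", "bottom-up"):
            raise ValueError(direction)
        self.direction = direction
        self.parents = dict(parents)                      # role -> parent role or None
        self.children = {r: set() for r in self.parents}
        for role, parent in self.parents.items():
            if parent is not None:
                self.children[parent].add(role)
        self.resources = {r: set(resources.get(r, ())) for r in self.parents}
        self.blocked = set(blocked)                        # roles with "Block inheritance"
        self.no_inherit = set(employees_do_not_inherit)    # roles with "Employees do not inherit"

    def effective(self, role, _path=()):
        """Company resources a role holds after inheritance along the configured direction."""
        if role in _path:
            raise ValueError(f"cycle in role hierarchy at {role}")
        held = set(self.resources[role])
        if self.direction == "top-down":
            # A blocked role does not receive its parent's assignments but still
            # passes its own direct assignments down (they are part of `held`).
            parent = self.parents[role]
            if parent is not None and role not in self.blocked:
                held |= self.effective(parent, _path + (role,))
        else:
            # Bottom-up: a blocked role inherits from below but passes nothing
            # further up. Assumption: "nothing" includes its own direct assignments.
            for child in self.children[role]:
                if child not in self.blocked:
                    held |= self.effective(child, _path + (role,))
        return held

    def employee_resources(self, member_of, direct=(), no_inheritance=False):
        """Direct assignments always count; role-based ones only if nothing blocks them."""
        result = set(direct)
        if no_inheritance:               # "No inheritance" on the employee's master data
            return result
        for role in member_of:
            if role in self.no_inherit:  # assumption: the option only affects that role itself
                continue
            result |= self.effective(role)
        return result


# Constructed hierarchy: Company > Finance > Accounts Payable, Company > IT.
PARENTS = {"Company": None, "Finance": "Company",
           "Accounts Payable": "Finance", "IT": "Company"}
RESOURCES = {"Company": {"Intranet"}, "Finance": {"ERP-Finance"},
             "Accounts Payable": {"AP-Queue"}, "IT": {"Admin-VPN"}}

TOP_DOWN = RoleHierarchy(PARENTS, RESOURCES, "top-down", blocked={"Finance"})
BOTTOM_UP = RoleHierarchy(PARENTS, RESOURCES, "bottom-up", blocked={"Finance"})

if __name__ == "__main__":
    for role in PARENTS:
        print(f"top-down  {role:17} -> {sorted(TOP_DOWN.effective(role))}")
        print(f"bottom-up {role:17} -> {sorted(BOTTOM_UP.effective(role))}")
    print(sorted(TOP_DOWN.employee_resources(["Accounts Payable"], direct={"Parking"})))
```

With Finance blocked, an employee in Accounts Payable still receives ERP-Finance (Finance's own direct assignment flows down) but not Intranet from Company; setting No inheritance on the employee removes both while leaving the directly assigned Parking in place, which is the caveat the NOTE above makes.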
Related Topics

• Discontinuing Inheritance on page 12
Inheritance Exclusion: Specifying Conflicting Roles
You can define conflicting roles to prevent employees, devices or workdesks from being
assigned to several roles at the same time and from obtaining mutually exclusive company
resources through these roles. At the same time, you specify which application roles,
departments, cost centers and locations need to be mutually exclusive. This means you
may not assign these roles to one and the same employee (device, workdesk).
NOTE: Only roles, which are defined directly as conflicting roles cannot be assigned
to the same employee (device, workdesk). Definitions made on parent or child roles
do not affect the assignment.
Example

Cost center B is named as a conflicting role to cost center A. Jenna Miller and Hans Peters are members of cost center A. Louise Lotte is a member of cost center B. Hans Peters cannot be assigned to cost center B. In the same way, One Identity Manager prevents Jenna Miller from being assigned to cost center B and Louise Lotte from being assigned to cost center A.

Figure 12: Members in Conflicting Roles
To configure inheritance exclusion

• Set the configuration parameter "QER\Structures\ExcludeStructures" in the Designer and compile the database.
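The following is an added example, not code from the guide or from One Identity Manager. It implements the conflicting-roles rule as the section describes it: the check only considers roles defined directly as conflicting (treated as a symmetric relation, as in the cost center example), and a definition on a parent or child role does not carry over. The cost centers and the members follow the example above; the child cost center A1 and its member are constructed additions to show the parent/child caveat.

```python
# Added example, not from the guide: a guard for conflicting roles. Conflicts
# are symmetric and checked only against roles that are directly defined as
# conflicting; the parent chain is deliberately not consulted.


class ConflictingRoles:
    def __init__(self, parents, conflicts):
        self.parents = dict(parents)                 # role -> parent role or None
        self.conflicts = {r: set() for r in self.parents}
        for a, b in conflicts:                       # B conflicts with A implies A conflicts with B
            self.conflicts[a].add(b)
            self.conflicts[b].add(a)

    def ancestors(self, role):
        """Parent chain of a role; shown only to make clear that check() ignores it."""
        chain = []
        while (role := self.parents[role]) is not None:
            chain.append(role)
        return chain

    def clashing(self, member_of, target):
        """Roles the object already holds that are defined directly as conflicting with target."""
        return sorted(self.conflicts[target] & set(member_of))

    def check(self, member_of, target):
        """Return 'ok' or the reason the assignment to target must be refused."""
        clash = self.clashing(member_of, target)
        if clash:
            return f"cannot assign {target}: conflicts with {', '.join(clash)}"
        return "ok"


# Constructed data following the guide's example: cost center B is a conflicting
# role to cost center A. A1 (hypothetical) is a child of A and carries no definition.
CC = ConflictingRoles(
    parents={"Cost center A": None, "Cost center A1": "Cost center A", "Cost center B": None},
    conflicts=[("Cost center A", "Cost center B")],
)
MEMBERS = {
    "Jenna Miller": ["Cost center A"],
    "Hans Peters": ["Cost center A"],
    "Louise Lotte": ["Cost center B"],
    "A1 member": ["Cost center A1"],   # hypothetical member of the child role
}

if __name__ == "__main__":
    for name, target in [("Hans Peters", "Cost center B"), ("Louise Lotte", "Cost center A"),
                         ("A1 member", "Cost center B")]:
        print(f"{name:13} -> {target}: {CC.check(MEMBERS[name], target)}")
```

The last case is the one to watch in practice: a member of the child cost center A1 can still be assigned to cost center B, because the conflict is defined on A, not on A1. If the exclusion is meant to cover the whole subtree, it has to be defined on every role in it.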
Related Topics

• Specifying Inheritance Exclusion for Roles on page 61
2 Managing Departments, Cost Centers and Locations
Departments, cost centers, locations and business roles are each mapped to their own hierarchy under the heading "Organizations", because of their special significance for daily work in many companies. Various company resources can be assigned to organizations, for example, authorizations in different SAP systems or applications. You can add employees to individual roles as members. Employees obtain their company resources through these assignments when One Identity Manager is configured accordingly.
Detailed information about this topic

• Editing Departments on page 39
• Editing Cost Centers on page 43
• Editing Locations on page 47
• Setting Up IT Operating Data on page 55
• Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations on page 52
• Assigning Company Resources to Departments, Cost Centers and Locations on page 53
• Preparing Hierarchical Roles for Company Resource Assignments on page 22
One Identity Manager Users for Organizations

The following users are used for the administration of departments, cost centers and locations.
Table 5: Users

Administrators for organizations
  Administrators must be assigned to the application role Identity Management | Organizations | Administrators.
  Users with this application role:
  • Set up and edit departments, cost centers and locations.
  • Assign company resources to departments, cost centers and locations.
  • Administrate application roles for role approvers, role approvers (IT) and attestors.
  • Set up other application roles as required.

One Identity Manager administrators
  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role-based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configure schedules, as required.
  • Create and configure password policies, as required.

Attestors for organizations
  Attestors must be assigned to the application role Identity Management | Organizations | Attestors or a child application role.
  Users with this application role:
  • Attest correct assignment of company resources to departments, cost centers and locations for which they are responsible.
  • Can view master data for departments, cost centers and locations but cannot edit them.
  NOTE: This application role is available if the Attestation Module is installed.

Approvers for organizations
  Approvers must be assigned to the application role Identity Management | Organizations | Approvers or a child application role.
  Users with this application role:
  • Are approvers for the IT Shop.
  • Approve requests from departments, cost centers and locations for which they are responsible.

Approvers (IT) for organizations
  IT role approvers must be assigned to the application role Identity Management | Organizations | Role approvers (IT) or a child application role.
  Users with this application role:
  • Are IT role approvers for the IT Shop.
  • Approve requests from departments, cost centers and locations for which they are responsible.
Base Data for Structuring Departments, Cost Centers and Locations

The following base data is relevant for setting up hierarchical roles in One Identity Manager.

• Configuration parameters
  Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.
  Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data | General | Configuration parameters in the Designer.
• Role classes
  Role classes form the basis for mapping hierarchical roles in One Identity Manager. Role classes are used to group similar roles together.
• Role types
  Create role types in order to classify roles. Role types can be used to map roles in the user interface, for example.
• Functional areas
  To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to roles. You can enter criteria that provide information about risks from rule violations for functional areas and roles.
• Attestors
  In One Identity Manager, you can assign employees to departments, cost centers and locations that can be brought in as attestors in attestation cases when the approval workflow is set up accordingly. To do this, assign the departments, cost centers and locations to application roles for attestors. A default application role for attestors is available in One Identity Manager. Assign employees that are authorized to attest permissions, requests or other data stored in One Identity Manager to this application role. You may create other application roles as required. For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.
• Approvers and Approvers (IT)
  In One Identity Manager, you can assign employees to departments, cost centers and locations that can be brought in as approvers in approval procedures for IT Shop requests when the approval workflow is set up accordingly. To do this, assign the departments, cost centers and locations to application roles for approvers. Default application roles for approvers and approvers (IT) are available in One Identity Manager. Assign employees that are authorized to approve requests in the IT Shop to these application roles. You may create other application roles as required. For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.
Detailed information about this topic

• Role Classes on page 33
• Role Types on page 35
• Functional areas on page 35
• Attestors on page 36
• Approvers and Approvers (IT) on page 37
• Appendix: Configuration Parameters for Managing Departments, Cost Centers and Locations on page 180
Role Classes

Role classes form the basis for mapping hierarchical roles in One Identity Manager. Role classes are used to group similar roles together. The following role classes are provided by default for mapping organizations in One Identity Manager.

• Department
• Cost center
• Location

NOTE: You cannot delete the default role classes. However, you can edit their master data.
To edit role classes

1. Select the category Organizations | Basic configuration data | Role classes.
2. Select the role class in the result list. Select Change master data in the task view.
   - OR -
   Click the corresponding button in the result list toolbar.
3. Edit the role class's master data.
4. Save the changes.
Enter the following master data for a role class.

Table 6: Role Class Properties

Property | Description
Role class | Role class description. The role class is displayed under this name in the navigation view.
Attestors | Application role whose members are authorized to approve attestation instances for all roles in this role class. To create a new application role, click the button next to the input field. Enter the application role name and assign a parent application role. NOTE: This property is available if the Attestation Module is installed.
Description | Spare text box for additional explanation.
Inherited top-down | Direction of inheritance top-down. Top-down inheritance is defined for departments, cost centers, locations and application roles.
Inherited bottom-up | Direction of inheritance bottom-up.
Assignment allowed | Specifies whether assignments of the respective object types to roles of this role class are allowed in general.
Direct assignment allowed | Specifies whether the respective object types can be assigned directly to roles of this role class.
Related Topics

• Attestors on page 36
• Direction of Inheritance within a Hierarchy on page 10
• Permit Assignments of Employees, Devices, Workdesks and Company Resources on page 25
Role Types

Create role types in order to classify roles. Role types can be used to map roles in the user interface, for example.

To edit role types

1. Select the category Organizations | Basic configuration data | Role types.
2. Select the role type in the result list. Select Change master data in the task view.
   - OR -
   Click the corresponding button in the result list toolbar.
3. Edit the role type's master data.
4. Save the changes.
Enter the following master data for a role type:

Table 7: Role Type Properties

Property | Description
Role type | Role type description.
Description | Spare text box for additional explanation.
Functional areas

To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to hierarchical roles and service items. You can enter criteria that provide information about risks from rule violations for functional areas and hierarchical roles. To do this, you specify how many rule violations are permitted in a functional area or a role. You can enter separate assessment criteria for each role, such as a risk index or transparency index.
Example for using Functional Areas
The risk of rule violation should be analyzed for cost centers. Proceed as follows:
1. Set up functional areas.
2. Assign cost centers to the functional areas.
3. Define assessment criteria for the cost centers.
4. Define assessment criteria for the functional areas.
5. Assign compliance rules required for the analysis to the functional area.
6. Use the One Identity Manager report function to create a report that prepares the
result of rule checking for the functional area by any criteria.
To edit functional areas

1. Select the category Organizations | Basic configuration data | Functional areas.
2. Select the functional area in the result list. Select Change master data in the task view.
   - OR -
   Click the corresponding button in the result list toolbar.
3. Edit the functional area's master data.
4. Save the changes.
Enter the following data for a functional area.

Table 8: Functional Area Properties

Property | Description
Functional area | Description of the functional area.
Parent functional area | Parent functional area in a hierarchy. Select a parent functional area from the list in order to organize your functional areas hierarchically.
Max. number of rule violations | Number of rule violations permitted for this functional area. This value can be evaluated during the rule check. NOTE: This input field is available if the Compliance Rules Module exists.
Description | Spare text box for additional explanation.
Related Topics

• One Identity Manager Compliance Rules Administration Guide
Attestors

Installed Modules: Attestation Module

In One Identity Manager, you can assign employees to departments, cost centers and locations that can be brought in as attestors in attestation cases when the approval workflow is set up accordingly. To do this, assign the departments, cost centers and locations to application roles for attestors. A default application role for attestors is available in One Identity Manager. Assign employees that are authorized to attest permissions, requests or other data stored in One Identity Manager to this application role. You may create other application roles as required. For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.
Table 9: Default Application Roles for Attestors

Attestors for organizations
  Attestors must be assigned to the application role Identity Management | Organizations | Attestors or a child application role.
  Users with this application role:
  • Attest correct assignment of company resources to departments, cost centers and locations for which they are responsible.
  • Can view master data for departments, cost centers and locations but cannot edit them.
  NOTE: This application role is available if the Attestation Module is installed.
To specify attestors

1. Select the category Organizations | Basic configuration data | Attestors.
2. Select Assign employees in the task view.
3. Assign employees in Add assignments.
   - OR -
   Remove employees from Remove assignments.
4. Save the changes.
Related Topics

• Role Classes on page 33
• One Identity Manager Attestation Administration Guide
Approvers and Approvers (IT)
In One Identity Manager, you can assign employees to departments, cost centers and
locations that can be brought in as approvers in approval procedures for IT Shop requests
when the approval workflow is set up accordingly. To do this, assign the departments, cost
centers and locations to application roles for approvers. Default application roles for
approvers and approvers (IT) are available in One Identity Manager. Assign employees
that are authorized to approve requests in the IT Shop to this application role. You may
create other application roles as required. For more detailed information about
implementing and editing application roles, see the One Identity Manager Application Roles
Administration Guide.
Table 10: Default Application Roles for Approvers

Approvers for organizations
  Approvers must be assigned to the application role Identity Management | Organizations | Approvers or a child application role.
  Users with this application role:
  • Are approvers for the IT Shop.
  • Approve requests from departments, cost centers and locations for which they are responsible.

Approvers (IT) for organizations
  IT role approvers must be assigned to the application role Identity Management | Organizations | Role approvers (IT) or a child application role.
  Users with this application role:
  • Are IT role approvers for the IT Shop.
  • Approve requests from departments, cost centers and locations for which they are responsible.
To specify a role approver or role approver (IT)

1. Select the category Organizations | Basic configuration data | Approver.
   - OR -
   Select the category Organizations | Basic configuration data | Approver (IT).
2. Select Assign employees in the task view.
3. Assign employees in Add assignments.
   - OR -
   Remove employees from Remove assignments.
4. Save the changes.
Related Topics

• Editing Application Roles
• One Identity Manager IT Shop Administration Guide
Editing Departments

To edit departments

1. Select the category Organizations | Departments.
2. Select the department in the result list. Select Change master data in the task view.
   - OR -
   Click the corresponding button in the result list toolbar.
3. Edit the department's master data.
4. Save the changes.
Detailed information about this topic

• General Master Data for a Department on page 39
• Contact Data for Departments on page 41
• Functional Area and Risk Assessment on page 42
• Setting Up IT Operating Data on page 55
General Master Data for a Department

Enter the following data for a department.

Table 11: General Master Data for a Department

Property | Description
Department | Name of the department.
Short name | Short name of the department.
Object ID | Unique department object ID. The object ID is required, for example, in SAP systems for assigning employees to departments.
Parent department | Parent department in the hierarchy. To organize departments hierarchically, select the parent department in the menu. Leave this field empty if the department is at the top level of the department hierarchy.
Role type | Role type for more detailed classification.
Location | Location to which the department is primarily assigned.
Default printer server | Printer server for the department. Select a server from the menu to assign it to the department. NOTE: This property is only available if the Active Directory Module is installed.
Manager | Manager responsible for the department.
Deputy manager | Assistant manager of the department.
Attestors | Application role whose members are authorized to approve attestation cases for this department. To create a new application role, click the button next to the input field. Enter the application role name and assign a parent application role. NOTE: This property is available if the Attestation Module is installed.
Cost center | Cost center to which the department is primarily assigned.
Role approver | Application role whose members approve IT Shop requests for members of this department. To create a new application role, click the button next to the input field. Enter the application role name and assign a parent application role.
Role approver (IT) | Application role whose members approve IT Shop requests for members of this department as IT role approvers. To create a new application role, click the button next to the input field. Enter the application role name and assign a parent application role.
Description | Spare text box for additional explanation.
Comment | Spare text box for additional explanation.
Remarks | Spare text box for additional explanation.
Certification status | Certification status of the department. You can select the following certification statuses: New (the department was newly added to the One Identity Manager database), Certified (department master data was granted approval by the manager), Denied (department master data was denied approval by the manager).
Import data source | Target system or data source from which the data set was imported.
Full name | Full name of the department, including parent departments.
Disabled | Specifies whether the department is actively used. Set this option if the department is not used. This option does not have any effect on the calculation of inheritance.
Block inheritance | Specifies whether inheritance for this department is discontinued. Set this option to discontinue inheritance within the department hierarchy.
X500 nodes | Select this option to label a department for exporting to an X500 schema.
Employees do not inherit | Specifies whether employee inheritance is temporarily prevented for this department.
Devices do not inherit | Specifies whether device inheritance is temporarily prevented for this department.
Workdesks do not inherit | Specifies whether workdesk inheritance is temporarily prevented for this department.
Dynamic roles not allowed | Set this option to prevent dynamic roles from being created for the department.
Spare field no. 01 ... spare field no. 10 | Additional company-specific information. Use the Designer to customize display names, formats and templates for the input fields.
Spare date no. 01 ... spare date no. 03 | Additional company-specific information. Use the Designer to customize display names, formats and templates for the input fields.
Related Topics

• Role Types on page 35
• Attestors on page 36
• Approvers and Approvers (IT) on page 37
• Using Roles to Limit Inheritance on page 26
• Creating Dynamic Roles for Departments, Cost Centers and Locations on page 59
Contact Data for Departments

Enter the following contact data for departments. Select the button next to the input field to activate it and add data. Use the corresponding button to remove data from a list.
Table 12: Contact Data for Departments

Property | Description
Email addresses | Email addresses for the department.
Visitors address | Department address for visitors.
Visiting hours | Department hours for visitors.
Phone hours | Department telephone hours.
Business hours | Department business hours.
Zip code | Department's zip code.
Functional Area and Risk Assessment

Here, you can enter values to classify the department, which are used to analyze the risk of the department with respect to identity audit.

Table 13: Master Data of a Department's Functional Area

Property | Description
Country | Country. Required to determine the employee's language and working hours.
State | State. Required to determine the employee's language and working hours.
Functional area | Functional area of the department. This data is required for the department's risk assessment.
Risk index (calculated) | A risk index is calculated for the department's risk assessment based on the assigned company resources. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.
Transparency index | Specifies how well you can trace department assignments. Use the slider to enter a value between 0 and 1 (0 = no transparency, 1 = full transparency).
Max. number of rule violations | Specify how many rule violations are permitted for this department. The value can be evaluated when compliance rules are checked. NOTE: This property is only available if the Compliance Rules Module is installed.
Turnover for this unit | Turnover for this department.
Earnings for this unit | Earnings for this department.
Related Topics
• Determining an Employee‘s Language on page 121
• Determining an Employee‘s Working Hours on page 122
• Functional areas on page 35
• One Identity Manager Risk Assessment Administration Guide
• One Identity Manager Compliance Rules Administration Guide
Editing Cost Centers
To edit a cost center
1. Select the category Organizations | Cost centers.
2. Select the cost center in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the cost center's master data.
4. Save the changes.
Detailed information about this topic
• General Master Data for Cost Center on page 43
• Functional Area and Risk Assessment on page 46
• Setting Up IT Operating Data on page 55
General Master Data for Cost Center
Enter the following data for a cost center.
Table 14: General Master Data for Cost Center
Property: Description
Cost center: Cost center name.
Short name: Cost center short name.
Parent cost center: Parent of the cost center in the hierarchy.
   To organize cost centers hierarchically, select the parent cost center in the menu. Leave this field empty if the cost center is at the top level of the cost center hierarchy.
Role type: Role types for more detailed classification.
Manager: Manager responsible for the cost center.
Deputy manager: Deputy cost center manager.
Attestors: Application role whose members are authorized to approve attestation cases for this cost center.
   To create a new application role, click the button. Enter the application role name and assign a parent application role.
   NOTE: This property is available if the Attestation Module is installed.
Department: Department to which the cost center is primarily assigned.
Location: Location to which the cost center is primarily assigned.
Role approver: Application role whose members approve IT Shop requests for members of this cost center.
   To create a new application role, click the button. Enter the application role name and assign a parent application role.
Role approver (IT): Application role whose members approve IT Shop requests for members of this cost center.
   To create a new application role, click the button. Enter the application role name and assign a parent application role.
Description: Spare text box for additional explanation.
Comment: Spare text box for additional explanation.
Remarks: Spare text box for additional explanation.
Certification status: Certification status of the cost center. You can select the following certification statuses:
   • New – The cost center was newly added to the One Identity Manager database.
   • Certified – Cost center master data was granted approval by the manager.
   • Denied – Cost center master data was denied approval by the manager.
Import data source: Target system or data source from which the data set was imported.
Disabled: Specifies whether the cost center is actively used. Set this option if the cost center is not used. This option does not have any effect on the calculation of inheritance.
Block inheritance: Specifies whether inheritance for this cost center can be discontinued. Set this option to discontinue inheritance within the cost center hierarchy.
X500 nodes: Select this option to label a cost center for exporting to an X500 schema.
Employees do not inherit: Specifies whether employee inheritance should be temporarily prevented for this cost center.
Devices do not inherit: Specifies whether device inheritance should be temporarily prevented for this cost center.
Workdesks do not inherit: Specifies whether workdesk inheritance should be temporarily prevented for this cost center.
Dynamic roles not allowed: Specifies whether a dynamic role can be created for the cost center.
Spare field no. 01 ... spare field no. 10: Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
Spare date no. 01 ... spare date no. 03: Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
Related Topics
• Role Types on page 35
• Attestors on page 36
• Approvers and Approvers (IT) on page 37
• Using Roles to Limit Inheritance on page 26
• Creating Dynamic Roles for Departments, Cost Centers and Locations on page 59
Functional Area and Risk Assessment
Here you can enter values that classify the cost center and that are used to analyze the cost center's risk in the context of identity audit.
Table 15: Master Data of a Cost Center's Functional Area
Property: Description
Country: Country. You require this to determine the employee’s language and working hours.
State: State. You require this to determine the employee’s language and working hours.
Functional area: Cost center's functional area. This data is required for the cost center's risk assessment.
Risk index (calculated): A risk index is calculated for the cost center risk assessment based on assigned company resources. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.
Transparency index: Specifies how well you can trace cost center assignments. Use the slider to enter a value between 0 and 1.
   0 ... no transparency
   1 ... full transparency
Max. number of rule violations: Specify how many rule violations are permitted for this cost center. The value can be evaluated when compliance rules are checked.
Turnover for this unit: Turnover for the cost center.
Earnings for this unit: Earnings for the cost center.
   NOTE: This property is only available if the Compliance Rules Module is installed.
Related Topics
• Determining an Employee‘s Language on page 121
• Determining an Employee‘s Working Hours on page 122
• Functional areas on page 35
• One Identity Manager Risk Assessment Administration Guide
• One Identity Manager Compliance Rules Administration Guide
Editing Locations
To edit a location
1. Select the category Organizations | Locations.
2. Select the location in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the location’s master data.
4. Save the changes.
Detailed information about this topic
• General Master Data for a Location on page 47
• Location Address Information on page 49
• Configuring a Location's Network on page 50
• Directions to Location on page 50
• Functional Area and Risk Assessment on page 51
• Setting Up IT Operating Data on page 55
General Master Data for a Location
Enter the following data for a location.
Table 16: General Master Data for a Location
Property: Description
Location: Name of the location.
Short name: Short name of the location.
Name: Additional name for the location.
Parent location: Parent of the location in the hierarchy.
   To organize locations hierarchically, select the parent location in the menu. Leave this field empty if the location is at the top level of the location hierarchy.
Role type: Role types for more detailed classification.
Manager: Manager responsible for the location.
Deputy manager: Assistant manager of the location.
Attestors: Application role whose members are authorized to approve attestation cases for this location.
   To create a new application role, click the button. Enter the application role name and assign a parent application role.
   NOTE: This property is available if the Attestation Module is installed.
Department: Department to which the location is primarily assigned.
Cost center: Cost center to which the location is primarily assigned.
Additional remarks: Spare text box for additional explanation.
Role approver: Application role whose members approve IT Shop requests for members of this location.
   To create a new application role, click the button. Enter the application role name and assign a parent application role.
Role approver (IT): Application role whose members approve IT Shop requests for members of this location.
   To create a new application role, click the button. Enter the application role name and assign a parent application role.
Description: Spare text box for additional explanation.
Comment: Spare text box for additional explanation.
Remarks: Spare text box for additional explanation.
Certification status: Certification status of the location. You can select the following certification statuses:
   • New – The location was newly added to the One Identity Manager database.
   • Certified – Location master data was granted approval by the manager.
   • Denied – Location master data was denied approval by the manager.
Import data source: Target system or data source from which the data set was imported.
Disabled: Specifies whether the location is actively used. Set this option if the location is not used. This option does not have any effect on the calculation of inheritance.
Block inheritance: Specifies whether inheritance for this location can be discontinued. Set this option to discontinue inheritance within the location hierarchy.
X500 nodes: Select this option to label a location for exporting to an X500 schema.
Employees do not inherit: Specifies whether employee inheritance should be temporarily prevented for this location.
Devices do not inherit: Specifies whether device inheritance should be temporarily prevented for this location.
Workdesks do not inherit: Specifies whether workdesk inheritance should be temporarily prevented for this location.
Dynamic roles not allowed: Specifies whether a dynamic role can be created for the location.
Spare field no. 01 ... spare field no. 10: Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
Spare date no. 01 ... spare date no. 03: Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
Related Topics
• Role Types on page 35
• Attestors on page 36
• Approvers and Approvers (IT) on page 37
• Using Roles to Limit Inheritance on page 26
• Creating Dynamic Roles for Departments, Cost Centers and Locations on page 59
Location Address Information
Enter the following master data for contacting the location.
Table 17: Location's Address Data
Property: Description
Address: Postal address of the location.
Street: Street or road.
Building: Building.
Zip code: Zip code.
Town: City.
Country: Country. You require this to determine the employee’s language and working hours.
State: State. You require this to determine the employee’s language and working hours.
Phone: Telephone number of the location.
Quick dial: Telephone short entry (without code).
Fax: Fax number of the location.
Room: Room.
Comment (room): Spare text box for additional explanation.
Related Topics
• Determining an Employee‘s Language on page 121
• Determining an Employee‘s Working Hours on page 122
Configuring a Location's Network
Enter the location's network configuration data.
Table 18: Location Network Data
Property: Description
IP offset: IP offset of the location.
Subnet mask: Subnet mask of the location.
Directions to Location
Enter another address and a description of the way to reach the location. Select the button next to the input field to activate it and add data. Use the button to remove data from the list.
Table 19: Directions to Location
Property: Description
Visitors address: Location address for visitors.
Travel directions: Travel directions to the location.
Functional Area and Risk Assessment
Here you can enter values that classify the location and that are used to analyze the location's risk in the context of identity audit.
Table 20: Master Data of a Location's Functional Area
Property: Description
Functional area: Location's functional area. This data is required for the location's risk assessment.
Risk index (calculated): A risk index is calculated for the location risk assessment based on assigned company resources. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.
Transparency index: Specifies how well you can trace location assignments. Use the slider to enter a value between 0 and 1.
   0 ... no transparency
   1 ... full transparency
Max. number of rule violations: Specify how many rule violations are permitted for this location. The value can be evaluated when compliance rules are checked.
Turnover for this unit: Turnover for this location.
Earnings for this unit: Earnings for this location.
   NOTE: This property is only available if the Compliance Rules Module is installed.
Related Topics
• Functional areas on page 35
• One Identity Manager Risk Assessment Administration Guide
• One Identity Manager Compliance Rules Administration Guide
Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations
Assign employees, devices and workdesks to departments, cost centers and locations. Employees, devices and workdesks can obtain their company resources through these organizations.
To add employees, devices and workdesks to a hierarchical role
1. Select the category Organizations | <Role class>.
2. Select the role in the result list.
3. Select the appropriate task.
   • Assign Employees
   • Assigning Devices
   • Assign workdesks
4. Assign the objects in Add assignments.
   - OR - Remove the objects in Remove assignments.
5. Save the changes.
TIP: Use dynamic roles to assign employees, devices and workdesks to departments, cost centers and locations automatically.
Related Topics
• Assigning Company Resources to Departments, Cost Centers and Locations on page 53
• Creating Dynamic Roles for Departments, Cost Centers and Locations on page 59
• Assigning Employees to Departments, Cost Centers and Locations on page 107
• Assigning Devices to Departments, Cost Centers and Locations on page 139
• Assigning Workdesks to Departments, Cost Centers and Locations on page 147
Assigning Company Resources to Departments, Cost Centers and Locations
The default method of assigning employees, devices and workdesks is indirect assignment. This allocates an employee, a device or a workdesk to departments, cost centers or locations. The total of assigned company resources for an employee, a device or a workdesk is calculated from their position within the hierarchy, the direction of inheritance and the company resources assigned to these roles.
Indirect assignment is divided into:
• Secondary Assignment
  You make a secondary assignment by classifying an employee, a device or a workdesk within a role hierarchy. Secondary assignment is the default method for assigning and inheriting company resources through roles.
  IMPORTANT: Whether secondary assignment of company resources is possible depends on the role classes.
  If an employee, device or workdesk fulfills the requirements of a dynamic role, the object is added dynamically to the corresponding company structure and can obtain company resources through it.
• Primary Assignment
  You make a primary assignment by referencing a department, cost center or location through a foreign key in the employee, device and workdesk objects. Inheritance through primary assignment can be enabled through configuration parameters.
You must assign company resources to departments, cost centers or locations so that employees, devices and workdesks can inherit company resources. The following table shows the possible company resource assignments.
NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.
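The following Python model is an added example and is not code from this guide or from One Identity Manager. It shows what the paragraph above describes: an employee's effective company resources are computed from the roles the employee belongs to (explicit secondary memberships plus any dynamic role whose condition the employee fulfills), the position of those roles in the hierarchy, and the inheritance options on each role. The direction of inheritance (assumed top-down here), the exact effect of Block inheritance (resources of roles above the blocked role stop, its own remain) and of Employees do not inherit (members obtain nothing through that role while it is set) are assumptions, since this page does not define them; the role names, resources and employees are constructed sample data. The result keeps, for every resource, the roles it was obtained through, which is the trace an auditor needs when reviewing an entitlement.

```python
"""Added example; not code from the One Identity Manager guide or product.

Model of indirect (secondary) assignment through a role hierarchy that
computes which company resources an employee obtains and through which
roles.  Assumptions (this page does not state them): inheritance runs
top-down; "Block inheritance" stops resources of the roles above the
blocked role while its own resources are still granted; "Employees do not
inherit" means members obtain nothing through that role while it is set;
"Disabled" has no effect on inheritance (the page says so explicitly).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    parent: Optional[str] = None
    resources: Set[str] = field(default_factory=set)
    block_inheritance: bool = False
    employees_do_not_inherit: bool = False
    disabled: bool = False  # kept for completeness; never consulted below


@dataclass
class Employee:
    name: str
    attributes: Dict[str, str]
    secondary_roles: Set[str] = field(default_factory=set)


# A dynamic role: (role name, condition on the employee's attributes).
DynamicRole = Tuple[str, Callable[[Dict[str, str]], bool]]


class RoleHierarchy:
    def __init__(self, roles: List[Role],
                 dynamic_roles: Optional[List[DynamicRole]] = None):
        self.roles = {r.name: r for r in roles}
        self.dynamic_roles = list(dynamic_roles or [])

    def inherited_chain(self, role_name: str) -> List[str]:
        """Roles whose resources a member of role_name receives: the role
        itself and its ancestors, ending at the first role that blocks."""
        chain: List[str] = []
        current = self.roles[role_name]
        while True:
            chain.append(current.name)
            if current.block_inheritance or current.parent is None:
                return chain
            current = self.roles[current.parent]

    def memberships(self, emp: Employee) -> Set[str]:
        """Explicit secondary memberships plus every dynamic role whose
        condition the employee fulfils (the object is added automatically)."""
        roles = set(emp.secondary_roles)
        for role_name, condition in self.dynamic_roles:
            if condition(emp.attributes):
                roles.add(role_name)
        return roles

    def effective_resources(self, emp: Employee) -> Dict[str, Set[str]]:
        """Map each obtained resource to the roles it was obtained through."""
        trace: Dict[str, Set[str]] = {}
        for member_of in self.memberships(emp):
            if self.roles[member_of].employees_do_not_inherit:
                continue  # membership kept, inheritance temporarily prevented
            for source in self.inherited_chain(member_of):
                for resource in self.roles[source].resources:
                    trace.setdefault(resource, set()).add(source)
        return trace


def build_demo() -> Tuple[RoleHierarchy, Dict[str, Employee]]:
    """Constructed sample data: a small department tree and three employees."""
    hierarchy = RoleHierarchy(
        [
            Role("Corp", resources={"Intranet"}),
            Role("Finance", parent="Corp", resources={"ERP"}, block_inheritance=True),
            Role("IT", parent="Corp", resources={"VPN"}, disabled=True),  # no effect
            Role("IT Ops", parent="IT", resources={"Admin Console"}),
            Role("Contractors", parent="Corp", resources={"Ticketing"},
                 employees_do_not_inherit=True),
        ],
        dynamic_roles=[("IT Ops", lambda attrs: attrs.get("job") == "sysadmin")],
    )
    employees = {
        "alice": Employee("alice", {"job": "sysadmin"}, {"IT"}),
        "bob": Employee("bob", {"job": "accountant"}, {"Finance"}),
        "carol": Employee("carol", {"job": "contractor"}, {"Contractors"}),
    }
    return hierarchy, employees


if __name__ == "__main__":
    hierarchy, employees = build_demo()
    for emp in employees.values():
        trace = hierarchy.effective_resources(emp)
        print(emp.name, {res: sorted(src) for res, src in sorted(trace.items())})
```

Running the module prints, per employee, each resource with the roles it came from: alice obtains the Admin Console through the dynamic IT Ops role, VPN through IT (Disabled does not stop it) and the Intranet through Corp; bob obtains only the ERP because Finance blocks inheritance from Corp; carol obtains nothing while Contractors has Employees do not inherit set.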
Table 21: Possible Assignments of Company Resources to Roles
Company resource: Available in module
Resources: always
Account definitions: Target System Base Module
Groups of custom target systems: Target System Base Module
Active Directory groups: Active Directory Module
SharePoint groups: SharePoint Module
SharePoint roles: SharePoint Module
LDAP groups: LDAP Module
Notes groups: IBM Notes Module
SAP groups: SAP R/3 User Management Module
SAP profiles: SAP R/3 User Management Module
SAP roles: SAP R/3 User Management Module
Structural profiles: SAP R/3 Structural Profiles Add-on Module
BI analysis authorizations: SAP R/3 Analysis Authorizations Add-on Module
System roles: System Roles Module
Subscribable reports: Report Subscription Module
Applications: Application Management Module
Azure Active Directory groups: Azure Active Directory Module
Azure Active Directory administrator roles: Azure Active Directory Module
Azure Active Directory subscriptions: Azure Active Directory Module
Disabled Azure Active Directory service plans: Azure Active Directory Module
Unix groups: Unix Based Target Systems Module
To add company resources to a hierarchical role
1. Select the category Organizations | <Role class>.
2. Select the role in the result list.
3. Select the task to assign the corresponding company resource.
4. Assign company resources in Add assignments.
   - OR - Remove company resources in Remove assignments.
5. Save the changes.
Detailed information about this topic
• Basics for Assigning Company Resources on page 14
• Permit Assignments of Employees, Devices, Workdesks and Company Resources on page 25
Related Topics
• Possible Assignments of Company Resources through Roles on page 23
• Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations on page 52
• Working with Dynamic Roles on page 65
Setting Up IT Operating Data
In order for an employee to create user accounts with the manage level "Full managed", the necessary IT operating data must be determined. The operating data required to automatically supply an employee with IT resources is shown in the departments, locations, cost centers, and business roles. An employee is assigned to one primary location, one primary department, one primary cost center or one primary business role. The necessary IT operating data is ascertained from these assignments and used in creating the user accounts. Default values are used if valid IT operating data cannot be found through the primary roles.
You can also specify IT operating data directly for a specific account definition.
Example:
Normally, each employee in department A obtains a default user account in the domain
A. In addition, certain employees in department A obtain administrative user accounts in
the domain A.
Create an account definition A for the default user account of the domain A and an account
definition B for the administrative user account of domain A. Specify the property
"Department" in the IT operating data formatting rule for the account definitions A and B in
order to determine the valid IT operating data.
Specify the effective IT operating data of department A for the domain A. This IT
operating data is used for standard user accounts. In addition, specify the effective
account definition B IT operating data for department A. This IT operating data is used for
administrative user accounts.
To specify IT operating data
1. Select the category Organizations | <Role class>.
2. Select the role in the result list.
3. Select Edit IT operating data in the task view and enter the following data.
Table 22: IT Operating Data
Property: Description
Organization/Business role: Department, cost center, location or business role for which the IT operating data is valid.
Effects on: IT operating data application scope. The IT operating data can be used for a target system or a defined account definition.
   To specify an application scope
   a. Click the button next to the text box.
   b. Under Table, select the table which maps the target system, or the table TSBAccountDef for an account definition.
   c. Select the concrete target system or concrete account definition under Effects on.
   d. Click OK.
Column: User account property for which the value is set.
   Columns using the script template TSB_ITDataFromOrg in their template are listed. For more detailed information, see the One Identity Manager Target System Base Module Administration Guide.
Value: Concrete value which is assigned to the user account property.
4. Save the changes.
The IT operating data necessary in the One Identity Manager default configuration for
automatically creating or changing employee user accounts and mailboxes in the target
system is itemized in the following table.
NOTE: IT operating data is dependent on the target system and is contained in One
Identity Manager modules. The data is not available until the modules are installed.
Table 23: Target System Dependent IT Operating Data
Target system type: IT operating data
Active Directory: Container; Home server; Profile server; Terminal home server; Terminal profile server; Groups can be inherited; Identity; Privileged user account
Microsoft Exchange: Mailbox database
LDAP: Container; Groups can be inherited; Identity; Privileged user account
IBM Notes: Server; Certificate; Template for mail file; Identity
SharePoint: Authentication mode; Groups can be inherited; Identity; Privileged user account
Custom target systems: Container (per target system); Groups can be inherited; Identity; Privileged user account
Azure Active Directory: Groups can be inherited; Identity; Privileged user account; Change password the next time you log in
Cloud target system: Container (per target system); Groups can be inherited; Identity; Privileged user account
Unix-based target system: Login shell; Groups can be inherited; Identity; Privileged user account
Exchange Online: Groups can be inherited
G Suite: Organizational unit; Groups can be inherited; Privileged user account; Change password the next time you log in
Related Topics
• One Identity Manager Target System Base Module Administration Guide
Modifying IT Operating Data
If IT operating data changes, you must transfer these changes to the existing user accounts. To do this, templates must be rerun on the affected columns. Before you run the templates, you can check what effect a change to the IT operating data has on the existing user accounts. You can decide, for each affected column in each affected database, whether the change is transferred to the database.
Prerequisites
• The IT operating data of a department, cost center or a location was changed.
- OR -
• The default values in the IT operating data template were modified for an account definition.
NOTE: If the assignment of an employee to a primary department, cost center or to a primary location changes, the templates are automatically executed.
To execute the template
1. Select the category <target system type> | Basic configuration data | Account definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Execute templates in the task view.
   This displays a list of all user accounts that are created through the selected account definition and whose properties are changed by modifying the IT operating data.
   Old value: Current value of the object property.
   New value: Value applied to the object property after modifying the IT operating data.
   Selection: Specifies whether the modification is applied to the user account.
4. Mark all the object properties in the selection column that will be given the new value.
5. Click Apply.
   The templates are applied to all selected user accounts and properties.
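The following Python model is an added example and is not code from this guide or from One Identity Manager. It covers both the department A / account definitions A and B example in "Setting Up IT Operating Data" and the old value / new value / selection preview described just above: resolve_it_data() determines the IT operating data for a user account from the employee's primary department, and preview_changes() plus apply_changes() reproduce the Execute templates step, in which only the ticked properties are written. Two points are assumptions because this page does not state them: data whose Effects on scope is the account definition takes precedence over data scoped to the whole target system, which in turn takes precedence over the account definition's default values; and the formatting rule names the employee property (here "Department") that selects the organization whose data applies. Organization, domain, container and server names are constructed sample values.

```python
"""Added example; not code from the One Identity Manager guide or product.

How IT operating data is resolved when a user account is created through an
account definition, and how a change to that data is previewed (old value,
new value, selection) before templates are rerun.  Assumed precedence (not
stated on the page): account-definition scope, then target-system scope,
then the account definition's defaults.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# "Effects on": ("TargetSystem", name) or ("AccountDef", name)
Scope = Tuple[str, str]


@dataclass(frozen=True)
class ITDataEntry:
    organization: str  # department, cost center, location or business role
    scope: Scope
    column: str        # user account property
    value: str


@dataclass
class AccountDefinition:
    name: str
    target_system: str
    formatting_property: str  # employee property that selects the organization
    defaults: Dict[str, str]  # default values of the IT operating data template


@dataclass
class Employee:
    name: str
    department: str
    cost_center: str = ""
    location: str = ""


@dataclass
class UserAccount:
    employee: Employee
    account_def: AccountDefinition
    properties: Dict[str, str] = field(default_factory=dict)

    @property
    def key(self) -> str:
        return f"{self.employee.name}@{self.account_def.name}"


def resolve_it_data(emp: Employee, accdef: AccountDefinition,
                    entries: List[ITDataEntry]) -> Dict[str, str]:
    """Value for every templated column, by assumed precedence of scopes."""
    org = getattr(emp, accdef.formatting_property.lower().replace(" ", "_"))
    by_scope: Dict[Scope, Dict[str, str]] = {}
    for entry in entries:
        if entry.organization == org:
            by_scope.setdefault(entry.scope, {})[entry.column] = entry.value
    resolved: Dict[str, str] = {}
    for column, default in accdef.defaults.items():
        for scope in (("AccountDef", accdef.name), ("TargetSystem", accdef.target_system)):
            if column in by_scope.get(scope, {}):
                resolved[column] = by_scope[scope][column]
                break
        else:
            resolved[column] = default  # no valid data through the primary role
    return resolved


def create_account(emp: Employee, accdef: AccountDefinition,
                   entries: List[ITDataEntry]) -> UserAccount:
    return UserAccount(emp, accdef, resolve_it_data(emp, accdef, entries))


def preview_changes(accounts: List[UserAccount],
                    entries: List[ITDataEntry]) -> List[Tuple[str, str, str, str]]:
    """The 'Execute templates' list: (account, column, old value, new value)
    for every property that rerunning the templates would change."""
    changes = []
    for acct in accounts:
        new_values = resolve_it_data(acct.employee, acct.account_def, entries)
        for column, new_value in new_values.items():
            old_value = acct.properties.get(column, "")
            if old_value != new_value:
                changes.append((acct.key, column, old_value, new_value))
    return changes


def apply_changes(accounts: List[UserAccount], changes: List[Tuple[str, str, str, str]],
                  selected: Set[Tuple[str, str]]) -> int:
    """Apply only the rows ticked in the Selection column; returns how many."""
    by_key = {acct.key: acct for acct in accounts}
    applied = 0
    for key, column, _old, new_value in changes:
        if (key, column) in selected:
            by_key[key].properties[column] = new_value
            applied += 1
    return applied


def build_demo() -> Tuple[List[ITDataEntry], AccountDefinition, AccountDefinition]:
    """Constructed sample data for department A in domain A."""
    entries = [
        ITDataEntry("Department A", ("TargetSystem", "Domain A"), "Container", "OU=Users,DC=a,DC=example"),
        ITDataEntry("Department A", ("TargetSystem", "Domain A"), "HomeServer", "fs01"),
        ITDataEntry("Department A", ("AccountDef", "B"), "Container", "OU=Admins,DC=a,DC=example"),
    ]
    defaults = {"Container": "OU=Default,DC=a,DC=example", "HomeServer": "fs-default"}
    return (entries,
            AccountDefinition("A", "Domain A", "Department", dict(defaults)),
            AccountDefinition("B", "Domain A", "Department", dict(defaults)))
```

With the sample data, an employee of department A created through account definition A lands in the Users container on fs01, the same employee created through account definition B lands in the Admins container (the account-definition entry wins for Container) while HomeServer still comes from the target-system entry, and an employee of a department without entries receives the defaults. Changing the HomeServer entry to a new server and calling preview_changes() over the existing accounts yields one old/new row per account; apply_changes() writes only the rows the administrator selected.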
Additional Tasks for Managing Departments, Cost Centers and Locations
After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.
Creating Dynamic Roles for Departments, Cost Centers and Locations
Use this task to define dynamic roles for single departments, cost centers or locations. This allows you to specify memberships in these roles.
NOTE: The task Create dynamic role is only available for departments, cost centers and locations that do not have the option Dynamic roles not allowed set.
To create a dynamic role
1. Select the category Organizations | <Role class>.
2. Select the role in the result list.
3. Select Create dynamic role in the task view.
4. Enter the required master data.
5. Save the changes.
To edit a dynamic role
1. Select the category Organizations | <Role class> | Dynamic roles.
2. Select the role in the result list.
3. Open the role's overview form.
4. Select the form element Dynamic roles and click on the dynamic role.
5. Select Change master data in the task view.
6. Edit the dynamic role's master data.
7. Save the changes.
Related Topics
• Working with Dynamic Roles on page 65
• Editing Dynamic Roles on page 66
• General Master Data for a Department on page 39
• General Master Data for Cost Center on page 43
• General Master Data for a Location on page 47
Assign Organizations
Use this task to map the relationships of a department, cost center or location to other roles. This task has the same effect as assigning a department, cost center or location on the role master data form. The assignment is entered in the respective foreign key column in the base table.
To assign a cost center or location to departments
1. Select the category Organizations | Cost centers or Organizations | Locations.
2. Select the role in the result list.
3. Select Assign organizations.
4. Select the Departments tab.
5. Assign departments in Add assignments.
   The selected role is assigned to all departments as primary cost center or location.
   - OR - Remove the departments in Remove assignments.
6. Save the changes.
To assign a department or a location to cost centers
1. Select the category Organizations | Departments or Organizations | Locations.
2. Select the role in the result list.
3. Select Assign organizations.
4. Select the Cost centers tab.
5. Assign cost centers in Add assignments.
   The selected role is assigned to all cost centers as primary department or location.
   - OR - Remove the cost centers in Remove assignments.
6. Save the changes.
To assign a department or a cost center to locations
1. Select the category Organizations | Departments or Organizations | Cost centers.
2. Select the role in the result list.
3. Select Assign organizations.
4. Select the Locations tab.
5. Assign locations in Add assignments.
   The selected role is assigned to all locations as primary department or cost center.
   - OR - Remove the locations in Remove assignments.
6. Save the changes.
Specifying Inheritance Exclusion for Roles
You can define conflicting roles to prevent employees, devices or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. At the same time, you specify which application roles, departments, cost centers and locations need to be mutually exclusive. This means you may not assign these roles to one and the same employee (device, workdesk).
NOTE: Only roles which are defined directly as conflicting roles cannot be assigned to the same employee (device, workdesk). Definitions made on parent or child roles do not affect the assignment.
To configure inheritance exclusion
• Set the configuration parameter "QER\Structures\ExcludeStructures" in the Designer and compile the database.
To define inheritance exclusion for a department
1. Select the category Organizations | Departments.
2. Select the department in the result list.
3. Select Edit conflicting departments in the task view.
4. Assign the departments that are mutually exclusive to the selected department in Add assignments.
   - OR - Remove the conflicting departments that are no longer mutually exclusive in Remove assignments.
5. Save the changes.
To define inheritance exclusion for a cost center
1. Select the category Organizations | Cost centers.
2. Select the cost center in the result list.
3. Select Edit conflicting cost centers in the task view.
4. Assign the cost centers that are mutually exclusive to the selected cost center in Add assignments.
   - OR - Remove the conflicting cost centers that are no longer mutually exclusive in Remove assignments.
5. Save the changes.
To define inheritance exclusion for a location
1. Select the category Organizations | Locations.
2. Select the location in the result list.
3. Select Edit conflicting locations in the task view.
4. Assign the locations that are mutually exclusive to the selected location in Add assignments.
   - OR - Remove the conflicting locations that are no longer mutually exclusive in Remove assignments.
5. Save the changes.
Detailed information about this topic
• Inheritance Exclusion: Specifying Conflicting Roles on page 28
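The following Python model is an added example and is not code from this guide or from One Identity Manager. It implements the rule the note above states for conflicting roles: a pair of roles blocks assignment to the same employee only when the conflict is defined directly on those two roles, and a definition on a parent or child role does not carry over. conflicting_pairs() and can_assign() apply that rule; ancestor_level_pairs() is a separate, deliberately stricter check that shows which definitions made on parent roles would be missed, so that a segregation-of-duties conflict can be defined at the level at which roles are actually assigned. The department names and the conflict are constructed sample data.

```python
"""Added example; not code from the One Identity Manager guide or product.

Conflicting roles (inheritance exclusion) as the guide describes them: only
a directly defined pair may not be assigned to the same employee; a
definition on a parent or child role does not apply.  ancestor_level_pairs()
shows what an ancestor-aware check would flag and is NOT the product rule.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


class ConflictRegistry:
    def __init__(self, parents: Dict[str, Optional[str]]):
        self.parents = parents  # role -> parent role, None for a top-level role
        self.conflicts: Set[FrozenSet[str]] = set()  # directly defined, unordered pairs

    def add_conflict(self, a: str, b: str) -> None:
        """'Edit conflicting departments': the definition is symmetric."""
        if a == b:
            raise ValueError("a role cannot conflict with itself")
        self.conflicts.add(frozenset((a, b)))

    def self_and_ancestors(self, role: str) -> List[str]:
        chain = [role]
        while self.parents.get(chain[-1]) is not None:
            chain.append(self.parents[chain[-1]])
        return chain

    def conflicting_pairs(self, assigned: Iterable[str]) -> List[Tuple[str, str]]:
        """Pairs of assigned roles that are directly defined as conflicting.
        This is the rule the guide describes."""
        return sorted(
            tuple(sorted(pair))
            for pair in combinations(set(assigned), 2)
            if frozenset(pair) in self.conflicts
        )

    def can_assign(self, assigned: Iterable[str], new_role: str) -> bool:
        """Would adding new_role violate a directly defined conflict?"""
        return not any(frozenset((new_role, r)) in self.conflicts for r in assigned)

    def ancestor_level_pairs(self, assigned: Iterable[str]) -> List[Tuple[str, str]]:
        """Conflict definitions found on the assigned roles or their ancestors.
        Shows which definitions the direct rule leaves unenforced because
        they sit on a parent role."""
        found: Set[FrozenSet[str]] = set()
        for a, b in combinations(set(assigned), 2):
            for x in self.self_and_ancestors(a):
                for y in self.self_and_ancestors(b):
                    if frozenset((x, y)) in self.conflicts:
                        found.add(frozenset((x, y)))
        return sorted(tuple(sorted(p)) for p in found)


def build_demo() -> ConflictRegistry:
    """Constructed sample hierarchy with one conflict defined on parent departments."""
    registry = ConflictRegistry({
        "Corp": None,
        "Finance": "Corp", "Treasury": "Finance",
        "Audit": "Corp", "Internal Audit": "Audit",
    })
    registry.add_conflict("Finance", "Audit")  # defined on the parents only
    return registry


if __name__ == "__main__":
    reg = build_demo()
    print(reg.conflicting_pairs({"Finance", "Audit"}))               # enforced
    print(reg.conflicting_pairs({"Treasury", "Internal Audit"}))     # not enforced: []
    print(reg.ancestor_level_pairs({"Treasury", "Internal Audit"}))  # what was missed
```

The second and third calls make the caveat concrete: an employee assigned to both Treasury and Internal Audit is not blocked by a conflict defined between Finance and Audit, so the conflict has to be defined on the child departments as well if that combination is meant to be excluded.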
Specify Role Relations
Table 24: Configuration Parameter for Editing Role Relations
Configuration parameter: Meaning when active
QER\Structures\RelatedStructures: Preprocessor relevant configuration parameter for controlling the model parts that specify relations between roles. Changes to the parameter require recompiling the database. If the parameter is set, you can specify which roles are mutually exclusive.
Use this task to specify between which roles relations exist. This mapping is for information only. Parent node definitions do not provide information about role relations of subordinate roles.
To define relations between departments
1. Select the category Organizations | Departments.
2. Select the department in the result list.
3. Select the task Specify department relations.
4. Assign the departments for which relations exist in Add assignments.
5. Save the changes.
To define relations between cost centers
1. Select the category Organizations | Cost centers.
2. Select the cost center in the result list.
3. Select the task Specify cost center relations.
4. Assign the cost centers for which relations exist in Add assignments.
5. Save the changes.
To define relations between locations
1. Select the category Organizations | Locations.
2. Select the location in the result list.
3. Select the task Specify location relations.
4. Assign the locations for which relations exist in Add assignments.
5. Save the changes.
Reports about Departments, Cost Centers and Locations
One Identity Manager makes various reports available containing information about the
selected base object and its relations to other One Identity Manager database objects. The
following reports are available for departments, cost centers and locations.
NOTE: Other sections may be available depending on which modules are installed.
Table 25: Reports about Departments, Cost Centers and Locations
Overview of all Assignments: This report finds all the roles in which employees from the
selected department, cost center or location are also members.
Data quality of department members (cost center members): This report evaluates the
data quality of employee data records. It takes all employees in the department or cost
center into account.
Show historical memberships: This report lists all members of the selected department,
cost center or location and the duration of their membership.
Employees per department: This report contains the number of employees per
department. The primary and secondary assignments to organizations are taken into
account. You can find this report in the category My One Identity Manager.
Employees per cost center: This report contains the number of employees per cost
center. The primary and secondary assignments to organizations are taken into account.
You can find this report in the category My One Identity Manager.
Employees per location: This report contains the number of employees per location. The
primary and secondary assignments to organizations are taken into account. You can find
this report in the category My One Identity Manager.
Related Topics
• Analyzing Role Memberships and Employee Assignments on page 114
3 Working with Dynamic Roles
Dynamic roles are used to specify role memberships dynamically. Employees, devices or
workdesks are not permanently assigned to a role, but only for as long as they fulfill
certain conditions. A check is performed regularly to assess which employees (devices or
workdesks) fulfill these conditions. This means the role memberships change dynamically.
For example, company resources can be assigned dynamically to all employees in a
department in this way; if an employee leaves the department they immediately lose the
resources assigned to them.
Role memberships through dynamic roles are implemented as indirect, secondary
assignments. Therefore secondary assignment of employees, devices and workdesks
to role classes must be permitted. If necessary, further configuration settings need
to be made.
Example of Dynamic Role Functionality
All external employees are added to a new dynamic role. These employees should be
assigned to a company resource ABC. The dynamic role is initially defined with the
following data:
Dynamic role: External employees
Description: All external employees
Object class: PERSON
Condition: IsExternal = 1
Department: A_1
The department A_1 is now assigned the resource ABC. All employees that fulfill the
condition at the time the dynamic role is defined are assigned to department A_1 and
therefore inherit the resource ABC. Employees who fulfill the condition at a later date are
assigned to department A_1 from that moment. Conversely, employees are removed from
department A_1 the moment they are no longer known as external employees by One
Identity Manager. The resource ABC is no longer available to those employees, assuming
they have not been assigned the resource through other channels.
Detailed information about this topic
• Editing Dynamic Roles on page 66
• Calculating Role Memberships on page 68
Related Topics
• Basics for Assigning Company Resources on page 14
• Permit Assignments of Employees, Devices, Workdesks and Company Resources on page 25
• Appendix: Configuration Parameters for Managing Departments, Cost Centers and
Locations on page 180
Editing Dynamic Roles
You can create dynamic roles for departments, cost centers, locations, business roles,
application roles and IT Shop nodes. This allows you to specify memberships in these roles.
To create a dynamic role
1. Select the role for which a dynamic role is to be created.
2. Select Create dynamic role in the task view.
3. Enter the required master data.
4. Save the changes.
To edit a dynamic role
1. Select the role for which the dynamic role was created.
2. Open the role's overview form.
3. Select the form element "dynamic roles" and click on the dynamic role.
4. Select Change master data in the task view.
5. Edit the data and then save the changes.
Related Topics
• Creating Dynamic Roles for Departments, Cost Centers and Locations on page 59
For more information about dynamic roles for application roles, see the One Identity
Manager Application Roles Administration Guide.
Dynamic Role Master Data
Enter the following data for a dynamic role.
Table 26: Dynamic Role Master Data
Role: Role (department, cost center, location, business role, IT Shop node, application
node) referenced by the dynamic role. This data is preset with the selected role.
Object class: Object class that the dynamic role applies to. Select either "Employee",
"Hardware" or "Workdesk".
  NOTE: The combination of object class and role must be unique. Two dynamic roles of
  the same object class cannot refer to the same role.
Dynamic role: Name of the dynamic role.
Calculation schedule: Schedule which triggers cyclical recalculation of the role
membership. The task "default schedule dynamic role check" is already defined in the
standard version of the One Identity Manager. All dynamic role memberships are checked
using this schedule and recalculation requests are sent to the DBQueue Processor if
necessary. Use the Designer to customize schedules or set up new ones to meet your
requirements. For more information, see the One Identity Manager Configuration Guide.
Description: Spare text box for additional explanation.
Condition: The condition defines which objects of the object class become members of
the selected role. The condition is defined as a valid Where clause for a database query
and has to relate to the selected object class. You can enter the condition directly as an
SQL query or use the wizard for entering database queries. Alternatively, you can enter
conditions for employee objects with the filter designer.
  IMPORTANT: If the condition includes a large number of objects to assign, calculating
  memberships can place a heavy load on the DBQueue Processor and consequently on
  the database server.
  NOTE: If you add comments to the condition using the comment characters '--', '//' or
  '%', the DBQueue Processor cannot interpret the dynamic roles correctly. The
  calculation will be aborted. Always use /* ... */ to enclose comments!
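Because an aborted calculation silently leaves memberships stale, it is worth checking a condition for the forbidden comment markers before saving it. The following scanner is an added example, not One Identity Manager code or its wizard: it walks a WHERE clause, skips single-quoted string literals (so a LIKE 'A%' wildcard is not a finding) and /* ... */ blocks, and reports every '--', '//' or '%' that appears outside them, plus unterminated comments or literals. The sample conditions in the test are constructed.

```python
"""Added pre-save check, not One Identity Manager code: scans a dynamic role
condition (a SQL WHERE clause) for the comment markers the NOTE above says the
DBQueue Processor cannot handle. Only /* ... */ comments pass; markers inside
single-quoted string literals are ignored, so LIKE 'A%' is not a finding."""
from typing import List, Tuple

FORBIDDEN_2 = ("--", "//")   # two-character markers the page lists
FORBIDDEN_1 = ("%",)         # single-character marker the page lists


def find_forbidden_comments(condition: str) -> List[Tuple[int, str]]:
    """Return (offset, marker) for every forbidden marker found outside string
    literals and block comments, plus a finding for unterminated constructs."""
    issues: List[Tuple[int, str]] = []
    i, n = 0, len(condition)
    in_string = in_block = False
    while i < n:
        two = condition[i:i + 2]
        ch = condition[i]
        if in_string:
            if two == "''":          # doubled quote escapes itself in SQL
                i += 2
                continue
            if ch == "'":
                in_string = False
            i += 1
            continue
        if in_block:
            if two == "*/":
                in_block = False
                i += 2
                continue
            i += 1
            continue
        if ch == "'":
            in_string = True
        elif two == "/*":
            in_block = True
            i += 2
            continue
        elif two in FORBIDDEN_2:
            issues.append((i, two))
            i += 2
            continue
        elif ch in FORBIDDEN_1:
            issues.append((i, ch))
        i += 1
    if in_block:
        issues.append((n, "unterminated /* comment"))
    if in_string:
        issues.append((n, "unterminated string literal"))
    return issues


def condition_is_safe(condition: str) -> bool:
    """True when the condition carries only /* ... */ comments (or none)."""
    return not find_forbidden_comments(condition)
```

The offsets point at the first character of the offending marker, which is enough to highlight it in an editor or reject the save.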
Related Topics
• Editing Dynamic Roles on page 66
• Test Condition of a Dynamic Role on page 68
• Start Immediate Recalculation of Role Memberships on page 70
Test Condition of a Dynamic Role
You should test which objects fulfill the given condition before you save a dynamic role.
NOTE: This task is only visible when the dynamic role condition is displayed as SQL
query.
To test the SQL condition
1. Select the role for which the dynamic role was created.
2. Open the role's overview form.
3. Select the form element "dynamic roles" and click on the dynamic role.
4. Select Change master data in the task view.
5. Click Edit SQL on the form.
This displays the condition as SQL query.
6. Select Test condition in the task view.
All the objects found by the condition are displayed on the master data form in the
Test result field.
Calculating Role Memberships
Table 27: Configuration Parameters for Calculating Dynamic Roles
QER\Structures\DynamicGroupCheck: This configuration parameter controls the
generation of calculation tasks for dynamic roles. If the configuration parameter is not
set, the subparameters do not apply.
QER\Structures\DynamicGroupCheck\CalculateImmediatelyPerson: If the parameter is
set, a calculation task for modifications to employees or employee level objects is queued
immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks
are queued the next time the schedule is planned to run.
QER\Structures\DynamicGroupCheck\CalculateImmediatelyHardware: If the parameter is
set, a calculation task for modifications to employees or employee level objects is queued
immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks
are queued the next time the schedule is run.
QER\Structures\DynamicGroupCheck\CalculateImmediatelyWorkdesk: If the parameter is
set, a calculation task for modifications to workdesks or workdesk level objects is queued
immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks
are started the next time the schedule is planned to run.
In order to calculate role memberships, the One Identity Manager tests every dynamic role
to ensure that:
• There is at least one object that satisfies the condition but is not assigned to the role
• There is at least one object that does not satisfy the condition but is assigned to
the role
If one of the conditions is fulfilled, a request to add or delete memberships is sent to the
DBQueue Processor. When the dynamic roles are tested, employee objects that are
marked for deletion are:
• Not added to roles through dynamic roles, even if the condition is fulfilled.
• Removed from the role, even if the condition is fulfilled.
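The two tests and the deletion rule above, together with the "External employees" example from the start of this chapter, can be written down as a small model. This is an added example, not One Identity Manager code: the SQL condition IsExternal = 1 is expressed as a Python predicate, and the employees and the current membership set are constructed sample data. It shows which objects produce an add request, which produce a remove request, why a deletion-marked object is removed even though its attributes still match, and that a second check right after applying the changes produces no request.

```python
"""Added model of the membership check described above, not One Identity
Manager code. The dynamic role from the example (condition IsExternal = 1,
department A_1) is expressed as a Python predicate; employees and the current
membership set are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set, Tuple


@dataclass
class Employee:
    uid: str
    attrs: Dict[str, object]
    marked_for_deletion: bool = False


@dataclass
class DynamicRole:
    name: str
    role: str                                        # target role, here department A_1
    condition: Callable[[Dict[str, object]], bool]   # stands in for the SQL WHERE clause


def satisfies(dyn: DynamicRole, emp: Employee) -> bool:
    """Objects marked for deletion never count as satisfying the condition,
    so they are neither added nor kept (the two bullets above)."""
    return not emp.marked_for_deletion and dyn.condition(emp.attrs)


def recalculate(dyn: DynamicRole, employees: Iterable[Employee],
                members: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove): objects that satisfy the condition but are
    not members, and members that no longer satisfy it."""
    emps = list(employees)
    to_add = {e.uid for e in emps if satisfies(dyn, e) and e.uid not in members}
    to_remove = {e.uid for e in emps if e.uid in members and not satisfies(dyn, e)}
    return to_add, to_remove


def needs_request(dyn: DynamicRole, employees: Iterable[Employee],
                  members: Set[str]) -> bool:
    """A request to the DBQueue Processor is only generated when at least one
    of the two sets is non-empty."""
    to_add, to_remove = recalculate(dyn, employees, members)
    return bool(to_add or to_remove)


def apply_changes(members: Set[str], to_add: Set[str], to_remove: Set[str]) -> Set[str]:
    return (members - to_remove) | to_add


# Constructed sample: the page's "External employees" dynamic role.
EXTERNALS = DynamicRole("External employees", "A_1",
                        lambda a: a.get("IsExternal") == 1)   # IsExternal = 1

SAMPLE_EMPLOYEES = [
    Employee("e1", {"IsExternal": 1}),                            # external, not yet member
    Employee("e2", {"IsExternal": 1}),                            # external, already member
    Employee("e3", {"IsExternal": 0}),                            # became internal, still member
    Employee("e4", {"IsExternal": 1}, marked_for_deletion=True),  # member, marked for deletion
    Employee("e5", {"IsExternal": 1}, marked_for_deletion=True),  # not member, marked for deletion
]
CURRENT_MEMBERS = {"e2", "e3", "e4"}


def run_sample() -> Tuple[Set[str], Set[str], bool]:
    """One check cycle on the sample, then a second check after applying it."""
    to_add, to_remove = recalculate(EXTERNALS, SAMPLE_EMPLOYEES, CURRENT_MEMBERS)
    after = apply_changes(CURRENT_MEMBERS, to_add, to_remove)
    return to_add, to_remove, needs_request(EXTERNALS, SAMPLE_EMPLOYEES, after)
```

In the sample, e1 is added, e3 (no longer external) and e4 (marked for deletion) are removed, e5 is never added, and the follow-up check is quiet.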
Tasks for recalculating memberships are set up depending on the configuration parameter
settings by:
• Cyclical checking using a schedule
  The task "default schedule dynamic role check" is already defined in the standard
  version of the One Identity Manager. All dynamic role memberships are checked
  using this schedule and recalculation requests are sent to the DBQueue Processor if
  necessary. Checks are made at predefined intervals. Use the Designer to customize
  schedules or set up new ones to meet your requirements. For more information, see
  the One Identity Manager Configuration Guide.
• Immediately after an object has changed
  Memberships are immediately checked by the DBQueue Processor and changed if
  necessary when object properties are changed. To use this function, set the
  configuration parameters
  "QER\Structures\DynamicGroupCheck\CalculateImmediatelyPerson",
  "QER\Structures\DynamicGroupCheck\CalculateImmediatelyHardware" and
  "QER\Structures\DynamicGroupCheck\CalculateImmediatelyWorkdesk" in the
  Designer.
Related Topics
• Start Immediate Recalculation of Role Memberships on page 70
Additional Tasks for Dynamic Roles
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Dynamic Role Overview
You can see the most important information about a dynamic role on the overview form.
To obtain an overview of a dynamic role
1. Select the role for which the dynamic role was created.
2. Open the role's overview form.
3. Select the form element "dynamic roles" and click on the dynamic role.
4. Select Dynamic role overview in the task view.
Start Immediate Recalculation of Role Memberships
By default, calculation of role membership is controlled with schedules. You can also start
the calculation for a single dynamic role immediately and independently of scheduled
calculation.
To calculate role membership immediately
1. Select the role for which the dynamic role was created.
2. Open the role's overview form.
3. Select the form element "dynamic roles" and click on the dynamic role.
4. Select Start recalculation immediately and close the prompt with OK.
This queues a processing task for the DBQueue Processor in the DBQueue.
Detailed information about this topic
• Calculating Role Memberships on page 68
4 Employee Administration
The main component of One Identity Manager maps employees with their master data and
all available company resources. IT resources, such as devices, software and access
permissions in various target systems, qualify as company resources. Resources such as
mobile telephones, company cars or keys can be mapped to employees as well.
Employees obtain company resources according to their function and their position within
the company structure. Company structures, such as departments, cost centers and
locations, are also mapped in the One Identity Manager, as are employee memberships in
these company structures. Once company resources are assigned to the company
structures, they are inherited by all the members. In this way, employees can
automatically be supplied with all the necessary company resources.
If you manage access permissions to all One Identity Manager tools using application
roles, you obtain all the information about current access permissions and employee
responsibilities with One Identity Manager.
One Identity Manager components for managing employees are available when the
configuration parameter "QER/Person" is set.
• Check whether the configuration parameter is set in the Designer. If not, set the
configuration parameter.
Detailed information about this topic
• Entering Employee Master Data on page 88
• Disabling and Deleting Employees on page 101
• Assigning Company Resources to Employees on page 104
• Origin of an Employee's Roles and Entitlements on page 112
• Analyzing Role Memberships and Employee Assignments on page 114
• Mapping Multiple Employee Identities on page 115
• Limited Access to One Identity Manager on page 117
• Employee Reports on page 123
One Identity Manager Users for Employee Administration
The following users are used for employee administration.
Table 28: User
Employee administrators
  Employee administrators must be assigned to the application role
  Identity Management | Employees | Administrators.
  Users with this application role:
  • Can edit master data for all employees.
  • Can assign a manager.
  • Can assign company resources to employees.
  • Check and authorize employee master data.
  • Create and edit risk index functions.
  • Edit password policies for employee passwords.
Employee managers
  The application role Base roles | Employee managers is automatically assigned to a
  user if the user is a manager or supervisor of employees, departments, locations, cost
  centers, business roles or IT Shops.
  Users with this application role:
  • Can edit master data for the objects they are responsible for and assign company
    resources to them.
  • Can edit master data for their employees in the Web Portal.
  • Can add their staff members to the IT Shop.
  • Employee and department managers can add new employees in the Web Portal.
  • Can view their staff's compliance rule violations in the Web Portal.
  Members of this application role are determined through a dynamic role.
One Identity Manager administrators
  • Create customized permissions groups for application roles for role-based login to
    administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to
    administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configure schedules, as required.
  • Create and configure password policies, as required.
Basic Configuration Data for Employees
The following basic data is required for managing employees.
• Configuration parameters
  Use configuration parameters to configure the behavior of the system's basic
  settings. One Identity Manager provides default settings for different configuration
  parameters. Check the configuration parameters and modify them as necessary to
  suit your requirements.
  Configuration parameters are defined in the One Identity Manager modules. Each
  One Identity Manager module can also install configuration parameters. You can find
  an overview of all configuration parameters in the category Base data | General |
  Configuration parameters in the Designer.
• Business partners
  When external employees are entered into the system, a company must be named.
• Mail templates
  Login data for new user accounts in a target system can be sent to a specified person
  by email. In this case, two messages are sent with the user name and the initial
  password. Mail templates are used to generate the messages.
• Password policies
  An employee's central password is formed from the target system specific user
  accounts by respective configuration. The password policy "Employee central
  password policy" defines the settings for the central password
  (Person.CentralPassword).
Detailed information about this topic
• Business Partners on page 75
• Creating Custom Mail Templates for Notifications on page 76
• Password Policies on page 80
• Appendix: Configuration Parameters for Managing Applications on page 183
Business Partners
To manage external employees you require information about the business partner. Enter
data for the external company.
To edit the data of a business partner
1. Select the category Employees | Basic configuration data | Business
partners.
2. Select a company in the result list. Select Change master data in the task view.
- OR Click the button in the result list toolbar.
3. Edit the business partner's master data.
4. Save the changes.
Enter the following data for a company:
Table 29: General Master Data for a Company
Company: Short description of the company for the views in One Identity Manager tools.
Name: Full company name.
Surname prefix: Additional company name.
Short name: Company's short name.
Contact: Contact person for the company.
Partner: Specifies whether this is a partner company.
Customer number: Customer number at the partner company.
Supplier: Specifies whether this is a supplier.
Customer number: Customer number at the supplier.
Leasing partner: Specifies whether this is a leasing provider or rental firm.
Manufacturer: Specifies whether this is a manufacturer.
Remarks: Spare text box for additional explanation.
Table 30: Company address
Street: Street or road.
Building: Building.
Zip code: Zip code.
Town: City.
State: State.
Country: Country.
Phone: Company's telephone number.
Fax: Company's fax number.
Email address: Company's email address.
Web page: Company's website. Use the Browse button to open the website in the default
web browser.
Creating Custom Mail Templates for Notifications
A mail template consists of general master data, such as target format, importance or
confidentiality of the mail notification, and one or more mail definitions. Mail text is
defined in several languages in the mail template. This ensures that the language of the
recipient is taken into account when the email is generated.
One Identity Manager provides the Mail Template Editor to simplify writing notifications.
You can use the Mail Template Editor to create and edit mail text in WYSIWYG mode.
To edit mail templates
1. Select the category Employees | Basic configuration data | Mail templates.
2. Select the mail template in the result list. Select Change master data in
the task view.
- OR Click the button in the result list toolbar.
This opens the mail template editor.
3. Edit the mail template.
4. Save the changes.
To copy a mail template
1. Select the category Employees | Basic configuration data | Mail templates.
2. Select the mail template you want to copy from the result list. Select Change
master data in the task view.
3. Select Copy mail template... in the task view.
4. Enter the name of the new mail template in Name of copy.
5. Click OK.
To display a mail template preview
1. Select the category Employees | Basic configuration data | Mail templates.
2. Select the template in the result list. Select Change master data in the task view.
3. Select Preview... in the task view.
4. Select the base object.
5. Click OK.
To delete a mail template
1. Select the category Employees | Basic configuration data | Mail templates.
2. Select the template in the result list.
3. Click the delete button in the result list toolbar.
4. Confirm the security prompt with Yes.
Detailed information about this topic
• Creating and Editing an Email Definition on page 79
• Customizing Email Signatures on page 79
General Properties of a Mail Template
The following general properties are displayed for a mail template:
Table 31: Mail Template Properties
Mail template: Name of the mail template. This name will be used to display the mail
templates in the administration tools and in the Web Portal. Translate the given text
using the translation button.
Base object: Mail template base object. A base object only needs to be entered if the
mail definition properties of the base object are referenced.
Report (parameter set): Report, made available through the mail template.
Description: Mail template description. Translate the given text using the translation
button.
Target format: Format in which to generate email notification. Permitted values are:
  HTML: The email notification is formatted in HTML format. HTML format can contain
  formatting.
  TXT: The email notification is formatted in text format. Text format cannot contain any
  formatting.
Design type: Design in which to generate the email notification. Permitted values are:
  Mail template: The generated email notification contains mail text corresponding to
  the mail definition.
  Report: The email notification is generated with the report contained under Report
  (parameter set) as mail body.
  Mail template, report as attachment: The generated email notification contains mail
  text corresponding to the mail definition. The report entered in the Report (parameter
  set) field is attached to the mail as PDF file.
Importance: Importance for the email notification. Permitted values are "low", "normal"
and "high".
Confidentiality: Confidentiality for the email notification. Permitted values are "normal",
"personal", "private" and "confidential".
Can unsubscribe: Specifies whether the recipient can unsubscribe email notification. If
this option is set, the emails can be unsubscribed through the Web Portal.
Disabled: Specifies whether this mail template is disabled.
Mail definitions: Unique name for the mail definition.
Language culture: Language which applies to the mail template.
Subject: Subject of the email message.
Mail body: Content of the email message.
Creating and Editing an Email Definition
Mail texts can be defined in different languages in a mail template. This ensures that
the language of the recipient is taken into account when the email is generated.
To create a new mail definition
1. Open the mail template in Mail Template Editor.
2. Click the button next to the Mail definition list.
3. Select the language culture you want the mail definition to apply to from the
Language culture menu.
All active language cultures are shown in the list. To use other languages, enable the
corresponding countries in the Designer. For more information, see the One Identity
Manager Configuration Guide.
4. Enter the subject in the Subject field.
5. Edit the mail text in the Mail definition view with the help of the Mail Text Editor.
6. Save the changes.
To edit an existing mail definition
1. Open the mail template in Mail Template Editor.
2. Select the language in the Mail definition list.
3. Edit the mail subject line and the body text.
4. Save the changes.
Using Base Object Properties
You can use all the properties of the object entered under Base object in the subject line
and in the mail body. You can also use the object properties that are referenced by foreign
key relation.
To access properties use dollar notation. For more information, see the One Identity
Manager Configuration Guide.
Customizing Email Signatures
Configure the email signature for mail templates using the following configuration
parameter.
Table 32: Configuration Parameters for Email Signatures
Common\MailNotification\Signature: Data for the signature in email automatically
generated from mail templates.
Common\MailNotification\Signature\Caption: Signature under the salutation.
Common\MailNotification\Signature\Company: Company name.
Common\MailNotification\Signature\Link: Link to company website.
The script VI_GetRichMailSignature combines the components of an email signature
according to the configuration parameters for use in mail templates.
Password Policies
One Identity Manager provides you with support for creating complex password policies,
for example, for system user passwords, the employees' central password as well as
passwords for individual target systems. Password policies apply not only when the user
enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can use or
customize if required. You can also define your own password policies.
Detailed information about this topic
• Predefined Password Policies on page 80
• Editing Password Policies on page 81
• Custom Scripts for Password Requirements on page 84
• Restricted Passwords on page 86
• Testing a Password on page 86
• Testing Generating a Password on page 87
• Assigning a Password Policy on page 87
Predefined Password Policies
You can customize predefined password policies to meet your own requirements, if
necessary.
Password for logging into One Identity Manager
The password policy "One Identity Manager password policy" is used for logging into One
Identity Manager. This password policy defines the settings for the system user passwords
(DialogUser.Password and Person.DialogUserPassword) as well as the access code for a
one-off log in on the Web Portal (Person.Passcode).
The password policy "One Identity Manager password policy" is also labeled as the default
and is used when no other password policy is found.
Password policy for forming employees' central passwords
An employee's central password is formed from the target system specific user accounts
by respective configuration. The password policy "Employee central password policy"
defines the settings for the central password (Person.CentralPassword).
IMPORTANT: Ensure that the password policy "Employee central password policy"
does not violate the target system specific password requirements.
Password policies for target systems
A predefined password policy that you can apply to the user account password columns is
provided for every target system.
NOTE: When you update One Identity Manager version 7.x to One Identity Manager
version 8.0, the configuration parameter settings for forming passwords are passed
on to the target system specific password policies.
IMPORTANT: If you are not working with target system specific password policies,
the default policy applies. In this case, ensure that the password policy "One Identity
Manager password policy" does not violate the target system requirements.
Editing Password Policies
To edit a password policy
1. Select the category Employees | Basic configuration data | Password
policies in the Manager.
2. Select the password policy in the result list and select Change master data in
the task view.
3. Edit the password policy's master data.
4. Save the changes.
Detailed information about this topic
• General Master Data for a Password Policy on page 82
• Policy Settings on page 82
• Character Sets for Passwords on page 83
• Custom Scripts for Password Requirements on page 84
General Master Data for a Password Policy
Enter the following master data for a password policy.
Table 33: Master Data for a Password Policy
Display name: Password policy name. Translate the given text using the translation
button.
Description: Spare text box for additional explanation. Translate the given text using
the translation button.
Error Message: Custom error message output if the policy is not fulfilled. Translate the
given text using the translation button.
Owner (Application Role): Application roles whose members can configure the password
policies.
Default policy: Mark as default policy for passwords.
  NOTE: The password policy "One Identity Manager password policy" is marked as the
  default policy. This password policy is applied if no other password policies can be
  found.
Policy Settings
Define the following settings for a password policy on the Password tab.
Table 34: Policy Settings
Initial password: Initial password for new user accounts. If no password is given when
the user account is added or a random password is generated, the initial password is
used.
Password confirmation: Reconfirm password.
Min. length: Minimum length of the password. Specify the number of characters a
password must have.
Max. length: Maximum length of the password. Specify the number of characters a
password can have.
Max. errors: Maximum number of errors. Set the number of invalid passwords. If the user
has reached this number the user account is blocked.
Validity period: Maximum age of the password. Enter the length of time a password can
be used before it expires.
Password history: Enter the number of passwords to be saved. If the value '5' is
entered, for example, the last 5 passwords of the user are saved.
Min. password strength: Specifies how secure the password must be. The higher the
password strength, the more secure it is. The password strength is not tested if the
value is '0'. The values '1', '2', '3' and '4' gauge the required complexity of the
password. The value '1' demands the least complex password. The value '4' demands the
highest complexity.
Name properties denied: Specifies whether name properties are permitted in the
password.
Character Sets for Passwords
Use the Character classes tab to specify which characters are permitted for a password.
Table 35: Character Classes for Passwords
Property                                 Meaning
Min. letters                             Specifies the minimum number of alphabetical characters the password must contain.
Min. number lower case                   Specifies the minimum number of lowercase letters the password must contain.
Min. number uppercase                    Specifies the minimum number of uppercase letters the password must contain.
Min. number digits                       Specifies the minimum number of digits the password must contain.
Min. number special characters           Specifies the minimum number of special characters the password must contain.
Permitted special characters             List of permitted characters.
Denied special characters                List of characters that are not permitted.
Max. identical characters in total       Maximum number of identical characters that can be present in the password in total.
Max. identical characters in succession  Maximum number of identical characters that can be repeated after each other.
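The settings in Tables 34 and 35, together with the name-property rule and the global restricted list described later in this chapter, amount to one validation routine that reports every rule a candidate password breaks. The following Python model is an added example, not One Identity Manager code: it does not use the product's VI.DB.Passwords API, and the PasswordPolicy field names, the rule names it returns and the sample passwords are constructed for illustration. The product's own "Min. password strength" score is vendor-specific and is deliberately not modelled.

```python
"""Model of a password policy check built from the settings in Tables 34 and 35,
plus the name-property rule and the global restricted list.

Added example (not One Identity Manager code); all field names are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class PasswordPolicy:
    min_length: int = 8            # Min. length
    max_length: int = 64           # Max. length (0 = unlimited)
    min_letters: int = 0           # Min. letters
    min_lower: int = 0             # Min. number lower case
    min_upper: int = 0             # Min. number uppercase
    min_digits: int = 0            # Min. number digits
    min_special: int = 0           # Min. number special characters
    permitted_special: str = ""    # Permitted special characters ("" = any not denied)
    denied_special: str = ""       # Denied special characters
    max_identical_total: int = 0   # Max. identical characters in total (0 = not checked)
    max_identical_run: int = 0     # Max. identical characters in succession (0 = not checked)
    name_properties_denied: bool = True   # Name properties denied
    history_size: int = 5          # Password history
    restricted_terms: Sequence[str] = ()  # global restricted list, applies to every policy


def longest_run(pwd: str) -> int:
    """Length of the longest sequence of identical characters repeated after each other."""
    longest = run = 1 if pwd else 0
    for prev, cur in zip(pwd, pwd[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def check_password(pwd: str, policy: PasswordPolicy,
                   name_properties: Sequence[str] = (),
                   history: Sequence[str] = ()) -> List[str]:
    """Return the names of all violated rules; an empty list means the password passes.

    Every rule is evaluated so the user sees the complete list of problems at once.
    """
    errors: List[str] = []
    if len(pwd) < policy.min_length:
        errors.append("min_length")
    if policy.max_length and len(pwd) > policy.max_length:
        errors.append("max_length")

    # Character class counts (Table 35)
    if sum(c.isalpha() for c in pwd) < policy.min_letters:
        errors.append("min_letters")
    if sum(c.islower() for c in pwd) < policy.min_lower:
        errors.append("min_lower")
    if sum(c.isupper() for c in pwd) < policy.min_upper:
        errors.append("min_upper")
    if sum(c.isdigit() for c in pwd) < policy.min_digits:
        errors.append("min_digits")
    specials = [c for c in pwd if not c.isalnum()]
    if len(specials) < policy.min_special:
        errors.append("min_special")
    for c in specials:
        if c in policy.denied_special or (policy.permitted_special and c not in policy.permitted_special):
            errors.append("special_not_permitted")
            break

    # Repetition limits (Table 35)
    if policy.max_identical_total and max(Counter(pwd).values(), default=0) > policy.max_identical_total:
        errors.append("identical_total")
    if policy.max_identical_run and longest_run(pwd) > policy.max_identical_run:
        errors.append("identical_succession")

    # Name properties and restricted terms are matched case-insensitively as substrings
    lowered = pwd.lower()
    if policy.name_properties_denied and any(n and n.lower() in lowered for n in name_properties):
        errors.append("name_property")
    if any(t.lower() in lowered for t in policy.restricted_terms):
        errors.append("restricted_term")
    # Password history: a real store keeps hashes of the last N passwords, not cleartext
    if policy.history_size and pwd in list(history)[-policy.history_size:]:
        errors.append("history")
    return errors
```

Returning the full list rather than raising on the first failure mirrors what the Test tab on the policy form needs: one pass over the candidate password tells the administrator every setting it collides with, which is the practical way to find out that a policy is stricter than the target system will accept.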
Custom Scripts for Password Requirements
You can implement custom scripts for testing and generating passwords if the password requirements cannot be mapped with the existing settings options. Scripts are applied in addition to the other settings.
Detailed information about this topic
• Script for Checking a Password on page 84
• Script for Generating a Password on page 85
Script for Checking a Password
You can implement a check script if additional policies need to be used for checking a
password, which cannot be mapped with the available settings.
Syntax for Check Scripts
    Public Sub CCC_CustomPwdValidate(policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
With parameters:
    policy = password policy object
    spwd = password to test
TIP: To use a base object, take the property Entity of the PasswordPolicy class.
Example for a script for testing a password
A password cannot have '?' or '!' at the beginning. The script checks a given password for validity.
    Public Sub CCC_PwdValidate(policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
        ' Copy the SecureString into a plain character array for checking
        Dim pwd = spwd.ToInsecureArray()
        ' Rule 1: the password must not start with '?' or '!'
        If pwd.Length > 0 Then
            If pwd(0) = "?"c OrElse pwd(0) = "!"c Then
                Throw New Exception(#LD("Password can't start with '?' or '!'")#)
            End If
        End If
        ' Rule 2: the first three characters must not all be identical
        If pwd.Length > 2 Then
            If pwd(0) = pwd(1) AndAlso pwd(1) = pwd(2) Then
                Throw New Exception(#LD("Invalid character sequence in password")#)
            End If
        End If
    End Sub
To use a custom script for checking a password
1. Create your script in the category Script Library in the Designer.
2. Edit the password policy.
a. Select the category Employees | Basic configuration data | Password
policies in the Manager.
b. Select the password policy in the result list.
c. Select Change master data in the task view.
d. Enter the name of the script to test the password in Check script on the
Scripts tab.
e. Save the changes.
Related Topics
• Script for Generating a Password on page 85
Script for Generating a Password
You can implement a generating script if additional policies need to be used for generating
a random password, which cannot be mapped with the available settings.
Syntax for Generating Script
    Public Sub CCC_PwdGenerate(policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
With parameters:
    policy = password policy object
    spwd = generated password
TIP: To use a base object, take the property Entity of the PasswordPolicy class.
Example for a script to generate a password
The script replaces the invalid characters '?' and '!' in random passwords.
    Public Sub CCC_PwdGenerate(policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
        ' Copy the generated password into a plain character array for inspection
        Dim pwd = spwd.ToInsecureArray()
        ' Replace invalid characters at the first position. The replacement is
        ' written back into the SecureString itself, not into the local copy.
        If pwd.Length > 0 Then
            If pwd(0) = "?"c OrElse pwd(0) = "!"c Then
                spwd.SetAt(0, CChar("_"))
            End If
        End If
    End Sub
To use a custom script for generating a password
1. Create your script in the category Script Library in the Designer.
2. Edit the password policy.
a. Select the category Employees | Basic configuration data | Password
policies in the Manager.
b. Select the password policy in the result list.
c. Select Change master data in the task view.
d. Enter the name of the script to generate a password in Generation script on
the Scripts tab.
e. Save the changes.
Related Topics
• Script for Checking a Password on page 84
Restricted Passwords
You can add words to a list of restricted terms to prohibit them from being used in
passwords.
NOTE: The restricted list applies globally to all password policies.
To add a term to the restricted list
1. Select the category Base Data | Security Settings | Restricted passwords in
the Designer.
2. Create a new entry with the menu item Object | New and enter the term to be excluded from the list.
3. Save the changes.
Testing a Password
When you test a password, all the password policy settings, custom scripts and the
restricted passwords are taken into account.
To test whether a password conforms to the password policy
1. Select the category Employees | Basic configuration data | Password
policies in the Manager.
2. Select the password policy in the result list.
3. Select Change master data in the task view.
4. Select the Test tab.
5. Select the table and object to be tested in Base object for test.
6. Enter a password in Enter password to test.
A display next to the password shows whether it is valid or not.
Testing Generating a Password
When you generate a password, all the password policy settings, custom scripts and the
restricted passwords are taken into account.
To generate a password that conforms to the password policy
1. Select the category Employees | Basic configuration data | Password
policies in the Manager.
2. Select the password policy in the result list.
3. Select Change master data in the task view.
4. Select the Test tab.
5. Click Generate.
This generates and displays a password.
Assigning a Password Policy
You can assign password policies to system user passwords, the employees' central
password as well as passwords for individual target systems. Assign a password policy to
the base object to which it should apply.
• The predefined password policy "One Identity Manager password policy" is assigned to the system user passwords (DialogUser.Password and Person.DialogUserPassword) as well as the employee's access code (Person.Passcode).
• The predefined password policy "Employee central password policy" is assigned to the employee's central password (Person.CentralPassword).
If you want to apply another password policy to the password column, change the password policy assignment in the Manager.
To change a password policy's assignment
1. Select the category Employees | Basic configuration data | Password
policies in the Manager.
2. Select the password policy in the result list.
3. Select Assign objects in the task view.
4. Select the assignment you want to change in Assignments.
5. Select the new password policy to apply from the Password Policies menu.
6. Save the changes.
Entering Employee Master Data
In the One Identity Manager, you can manage master data for company employees as well
as external employees. The term ‘employee’ will be used in the following section to
describe internal and external employees alike as the master data is the same for both.
Enter employee master data in the One Identity Manager in the category Employees. Employees are filtered by different criteria in this category.
Filtering by 'employee' in the navigation view
• Employees: All enabled and temporarily disabled employees.
• Inactive employees: All permanently inactive employees.
• Certification: All employees by certification status.
• Data source: All employees by their import data source.
To edit employee master data
1. Select the category Employees | Employees.
2. Select an employee in the result list and run the task Change master data.
- OR -
Click the button in the result list toolbar.
This opens the employee's master data form.
3. Edit the employee's master data.
4. Save the changes.
Ensure you fill out all compulsory fields when you edit the master data. Certain master data is inherited by the employee user account through templates.
NOTE: Employee properties loaded from a target system can only be edited to a
limited degree in the One Identity Manager. Certain properties are locked due to
being the master system. The source from which the employee master data is
imported determines which properties are locked.
Detailed information about this topic
• General Employee Master Data on page 89
• Organizational Employee Master Data on page 91
• Address Data on page 93
• Miscellaneous Employee Master Data on page 94
General Employee Master Data
Enter the following general master data for an employee. This data applies to personal and
job-related employee data.
Table 36: General Master Data
Property                Description
First name              Employee's first name.
Last name               Employee's last name.
Middle name             Employee's middle name.
Form of address         Employee's form of address. This is automatically set depending on gender.
Title                   Employee's title.
Surname prefix          Employee's surname prefix, for example "del", "von".
Preferred name          Employee's preferred name.
Initials                Employee's initials. These are automatically taken from first and last names.
Gender                  Employee's gender.
Date of birth           Employee's date of birth.
Name at birth           Employee's name at birth.
Job description         Description of employee's job within your company.
Generational affix      Affix, for example, "senior" or "junior".
Language culture        Language used for sending email notifications to the employee.
Suborganization         Note about sub-organizations to which the employee belongs.
Permanently disabled    Specifies whether the employee is currently employed by the company. If this option is set, the employee has left the company. All privileges as One Identity Manager user are removed.
Certification status    Specifies whether the employee master data was approved by the employee's manager. You can select the following certification statuses:
                        • New: The employee was newly added to the One Identity Manager database.
                        • Certified: Employee master data was granted approval by the manager.
                        • Denied: Employee master data was denied approval by the manager. The employee is permanently disabled.
                        Certification status is set through certification procedures.
VIP                     Labels the employee as important.
Security risk           Specifies whether the employee is considered a risk for the company. Depending on how you configure this, you can prevent employees with such labels from inheriting resources and permissions, and their user accounts are locked.
No inheritance          Specifies whether the employee inherits company resources through roles. If this option is set, the employee cannot inherit. Company resources the employee receives through IT Shop requests are not assigned either. Direct assignments remain intact.
                        If the configuration parameter "QER\Attestation\UserApproval" is set, the option is set with respect to the option Disable permanently. If the employee is permanently disabled, the option No inheritance is set through a formatting rule.
External                Specifies whether the employee is employed internally or externally by your company. If this option is set, the employee is external. External employees are excluded from automatic account definition assignment in the default version of the One Identity Manager.
Company                 Enter a company. Use the button next to the text box to add a new company.
Workdesk                Employee's workdesk.
Risk index (calculated) A risk index is calculated to evaluate the risk of an employee based on their permissions. An employee's risk index is determined from the risk indexes of their user accounts. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set.
Description             Spare text box for additional explanation.
Comment                 Spare text box for additional explanation.
Spare field no. 01 ... spare field no. 10
                        Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
Related Topics
• Changing the Certification Status of an Employee on page 117
• Permanently Deactivating Employees on page 102
• Using Roles to Limit Inheritance on page 26
• Business Partners on page 75
• How to Set up a Workdesk on page 142
• One Identity Manager Risk Assessment Administration Guide
Organizational Employee Master Data
Enter the following organizational master data for an employee.
Table 37: Organizational Master Data
Property                    Description
Personnel number            Employee's personnel number.
Primary department          Department to which the employee is primarily assigned. The employee can obtain company resources through this assignment when One Identity Manager is configured accordingly. Furthermore, IT operating data for user accounts and mailboxes can be determined through the department.
Primary cost center         Cost center to which the employee is primarily assigned. The employee can obtain company resources through this assignment when One Identity Manager is configured accordingly. Furthermore, IT operating data for user accounts and mailboxes can be determined through the cost center.
Primary business roles      Business role to which the employee is assigned. The employee can obtain company resources through this assignment when One Identity Manager is configured accordingly. Furthermore, IT operating data for user accounts and mailboxes can be determined through the business role.
                            NOTE: This property is available if the Business Roles Module is installed.
Security identification     Security code for the employee, for example, for access permission.
User account creation date  Date on which to create the user account in the target system. This date should be earlier than the entry date. Use custom processes to automatically create user accounts in One Identity Manager on this date.
Entry date                  Date the employee started at the company. This is filled with the current date when the employee is added.
Leaving date                Date the employee leaves the company. Enter a leaving date for the employee to lock their user account as from a specific point in time. The leaving date is checked regularly by the schedule "Lock accounts of employees that have left the company". When the leaving date is reached, the employee is blocked.
Company member              Additional information about the employee's affiliation.
Temporarily disabled        Specifies whether the employee is temporarily absent from the company. If this option is set, enter the time period for the temporary absence.
Temporarily disabled from   Date from which the employee and associated user accounts are disabled.
Temporarily disabled until  Date until which the employee and associated user accounts are disabled. There is a schedule implemented ("Enable temporarily disabled accounts") that monitors the end date of the period of absence. When this date is reached, the employee and their user accounts are re-enabled.
Last working day            Change the date of the last working day if, for example, an employee leaves the company on a specific day but access to their data should remain available for longer.
                            NOTE: The date of the last working day is copied to the employee's user accounts as the expiration date. This overwrites the existing account expiration date.
Manager                     Employee's managers can assume several tasks in One Identity Manager, such as:
                            • Edit employee master data for their staff
                            • Certify employee master data for their staff
                            • Attest company resources assigned to their staff
                            • Approve requests for their staff in the IT Shop
                            An employee cannot be assigned as their own manager.
Sponsor                     When a new employee is added through the Web Portal, you can make additional notes like the manager or sponsor.
Related Topics
• Preparing Hierarchical Roles for Company Resource Assignments on page 22
• Permanently Deactivating Employees on page 102
• Temporarily Deactivating Employees on page 102
• One Identity Manager Target System Base Module Administration Guide
Address Data
Enter the following data for an employee, which describes the employee's location in the company.
Table 38: Address Data
Property               Description
Primary location       Location to which the employee is primarily assigned. The employee can obtain company resources through this assignment when One Identity Manager is configured accordingly. Furthermore, IT operating data for user accounts and mailboxes can be determined through the location.
Phone                  Employee's telephone number.
Mobile phone           Employee's mobile number.
Fax                    Employee's fax number.
Display in phone book  Specifies whether the employee can be shown in the telephone book.
Street                 Street or road.
Building               Building.
Office mailbox         Office mailbox.
Zip code               Zip code.
Town                   City.
Country                Country. You require this to determine the employee's language and working hours. This data is usually stored with the employee's location or department data. You can also enter it directly for the employee.
State                  State. You require this to determine the employee's language and working hours. This data is usually stored with the employee's location or department data. You can also enter it directly for the employee.
Floor                  Floor.
Room                   Room.
Image                  You can import a picture of the employee into the database. To do this, use the button next to the picture box to browse for the image to be displayed.
Related Topics
• Preparing Hierarchical Roles for Company Resource Assignments on page 22
• Determining an Employee's Language on page 121
• Determining an Employee's Working Hours on page 122
• One Identity Manager Target System Base Module Administration Guide
Miscellaneous Employee Master Data
Enter the following general master data for an employee. This data applies to the target
system login, identities, One Identity Manager login data and employee import data.
Table 39: Miscellaneous Master Data
Property                            Description
Central user account                One Identity Manager user identifier. In the One Identity Manager default installation, the central user account is made up of the first and the last name of the employee. An employee's central user account affects the composition of user accounts in each target system. The central user account is still used for logging into the One Identity Manager tools.
Central SAP user account            Name used to form the user account name in the SAP R/3 target system. In the One Identity Manager default installation, the central user account is made up of the first and the last name of the employee.
                                    NOTE: This property is only available if the SAP R/3 User Management Module is installed.
Central password and password confirmation
                                    Password for logging in to the target system. An employee's central password is mapped to the target system specific user accounts according to the respective configuration.
Query and reply for central password
                                    Question-answer combination to be used with mutual aid to reset the employee's central password.
Default email address               The default email address is used to set up mailboxes for an employee in separate target systems. This data is absolutely necessary for automatically creating mailboxes. In the default version of the One Identity Manager, the default email address is composed of the employee's central user account and the default mail domain of the active target system.
Identity                            Employee's identity type. The permitted values are listed in Table 40.
Main identity                       Allocate a main identity here if the employee is managed as a sub-identity in the One Identity Manager. A sub-identity allows you to set up special cases in One Identity Manager. If an employee has several user accounts in one target system that must be assigned to different groups, create a separate sub-identity for each user account with a link to the main identity.
Dummy employee                      You can use a dummy employee for maintaining identities for test or training purposes in order to treat them as identities but referring to a special status.
Actual employee                     Assign the dummy employee to an existing employee.
X500 dummy                          Specifies whether the employee is managed as an X500 dummy in the One Identity Manager. If an employee has several X500 entries that differ in properties, you can also use a "Dummy" employee. Label the employee with the option X500 dummy in this case and configure a link to the real X500 employee.
X500 person                         Assign the X500 dummy employee to an existing employee.
Starling 2FA user ID                User ID for multi-factor authentication. For more detailed information about multi-factor authentication, see the One Identity Manager IT Shop Administration Guide.
System user                         System user with which the employee can log in to the One Identity Manager administration tools. The login data is analyzed by the authentication module in use.
Logins                              Logins with which the employee can log in to the One Identity Manager administration tools. Enter the login in the form Domain\User. This information is required if the authentication modules "user account" or "user account (role-based)" are used for logging in to One Identity Manager tools.
Password and password confirmation  Password with which the employee logs in to the One Identity Manager tools.
User account name (mainframe)       If an employee is permitted access to the mainframe with their user account, enter the login name here.
Notebook user                       Just for information.
Company car                         Just for information.
Login permitted on terminal server  Specifies whether this employee is permitted to log in on the terminal server with their user account.
Remote access permitted             Specifies whether the employee can dial into the network with their user account.
Import data source                  Target system or data source, respectively, from which the employee was imported. This property is also set by scripts for automatically assigning employees to user accounts.
Distinguished name                  Distinguished name of the imported employee. This property should be set by the import.
Canonical name                      Fully qualified name of the imported employee. This property should be set by the import.
Table 40: Permitted values for the identity
Value                        Description
Primary identity             Employee's default identity. The employee has a default user account.
Organizational identity      Virtual employee (sub-identity) for mapping different roles to an employee in the organization. The sub-identity has a secondary user account. If you select this identity, you must also select a main identity.
Personalized admin identity  Virtual employee (sub-identity) that has an administrative user account. If you select this identity, you must also select a main identity.
Sponsored identity           Identity linked to a user account that is used, for example, for training purposes.
Shared identity              Identity linked to an administrative user account that is used by different people.
Service identity             Identity that is linked to a service account.
Related Topics
• Employee's Central User Account on page 97
• Employee's Central Password on page 98
• Change Password Question on page 99
• Employee's Default Email Address on page 101
• Mapping Multiple Employee Identities on page 115
• Appendix: Authentication Modules for Logging into the One Identity Manager on page 189
Employee's Central User Account
Table 41: Configuration Parameter for Forming the Central User Accounts
Configuration Parameter                Meaning
QER\Person\CentralAccountGlobalUnique  This configuration parameter specifies how the central user account is mapped. If this configuration parameter is set, the central user account for an employee is formed uniquely in relation to the central user accounts of all employees and the user account names of all permitted target systems. If the configuration parameter is not set, it is only formed uniquely in relation to the central user accounts of all employees.
The employee's central user account is used to form the user account login name in the active system. The central user account is still used for logging into the One Identity Manager tools. In the One Identity Manager default installation, the central user account is made up of the first and the last name of the employee. If only one of these is known, then it is used for the central user account. The One Identity Manager checks to see if a central user account with that value already exists. If this is the case, an incremental number is added to the end of the value.
Table 42: Example of Forming Central User Accounts
First name   Last name   Central user account
Clara                    CLARA
             Harris      HARRIS
Clara        Harris      CLARAH
Clara        Harrison    CLARAH1
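The uniqueness rule in Table 41 and the naming sequence in Table 42 can be reproduced with a short routine. The following Python code is an added example, not One Identity Manager code, and makes two assumptions that are labelled in the comments: the composition rule (upper-cased first name followed by the first letter of the last name) is one reading of Table 42 rather than a documented formula, and the `central_accounts` and `target_system_accounts` collections stand in for the database queries the product performs. The `global_unique` flag plays the role of QER\Person\CentralAccountGlobalUnique.

```python
"""Forming a unique central user account, modelled on Tables 41 and 42.

Added example (not One Identity Manager code). The composition rule is inferred
from Table 42 and the account collections are stand-ins for database lookups.
"""
from typing import Iterable, List, Optional, Set


def form_central_account(first_name: Optional[str], last_name: Optional[str],
                         central_accounts: Set[str],
                         target_system_accounts: Iterable[str] = (),
                         global_unique: bool = False) -> str:
    """Return a unique central user account and record it in central_accounts.

    central_accounts: central user accounts of all employees (always checked).
    target_system_accounts: user account names of all permitted target systems;
        only checked when global_unique is set (QER\\Person\\CentralAccountGlobalUnique).
    """
    first = (first_name or "").strip()
    last = (last_name or "").strip()
    if first and last:
        # Assumption inferred from Table 42: "Clara" + "Harris" -> CLARAH
        base = first + last[0]
    elif first or last:
        # Only one name part is known: it is used on its own (CLARA, HARRIS)
        base = first or last
    else:
        raise ValueError("a first name or a last name is required")
    base = base.upper()

    # Names are compared case-insensitively; the global-unique mode widens the
    # set of taken names to include every permitted target system's accounts
    taken = {a.upper() for a in central_accounts}
    if global_unique:
        taken |= {a.upper() for a in target_system_accounts}

    candidate, n = base, 0
    while candidate in taken:
        # An incremental number is appended until the value is unused (CLARAH1)
        n += 1
        candidate = f"{base}{n}"
    central_accounts.add(candidate)
    return candidate


def table_42_example() -> List[str]:
    """Reproduce Table 42 row by row against an initially empty account list."""
    accounts: Set[str] = set()
    rows = [("Clara", None), (None, "Harris"), ("Clara", "Harris"), ("Clara", "Harrison")]
    return [form_central_account(f, l, accounts) for f, l in rows]
```

The `global_unique` branch is where the two settings of the configuration parameter diverge: with it set, an existing target-system account named `clarah` (constructed value) forces the new employee to `CLARAH1` even though no employee has that central user account yet, which is exactly the collision the parameter is there to prevent.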
Employee's Central Password
Table 43: Configuration Parameters for the Central Password
Configuration parameter                       Meaning
QER\Person\UseCentralPassword                 This configuration parameter specifies whether the employee's central password is used in the user accounts. The employee's central password is automatically mapped to the employee's user account in all permitted target systems. This excludes privileged user accounts, which are not updated.
QER\Person\UseCentralPassword\PermanentStore  This configuration parameter controls the storage period for central passwords. If the parameter is set, the employee's central password is permanently stored. If the parameter is not set, the central password is only used for publishing to existing target system specific user accounts and is subsequently deleted from the One Identity Manager database.
The central password can be used to log on to target systems. The behavior for this is controlled by the following configuration parameters.
• Set the configuration parameter "QER\Person\UseCentralPassword" in the Designer. If the configuration parameter "QER\Person\UseCentralPassword" is set, the employee's central password is automatically mapped to an employee's user account in each of the target systems. This excludes privileged user accounts, which are not updated.
• Use the configuration parameter "QER\Person\UseCentralPassword\PermanentStore" in the Designer to specify whether an employee's central password is permanently saved in the One Identity Manager database or only until the password has been published in the target system.
The password policy "Employee central password policy" is used to format the
central password.
IMPORTANT: Ensure that the password policy "Employee central password policy"
does not violate the target system specific password requirements.
Related Topics
• Password Policies on page 80
• Change Password Question on page 99
• Mutual Aid for Resetting Passwords on page 100
Change Password Question
Employees can use mutual aid to reset their central password. The prerequisite is a question-answer pair which is stored for changing the central password.
To enter a question-answer combination
1. Log on to the Manager.
2. Open your own employee data.
3. Select Change security question in the task view.
4. Confirm the security prompt with OK.
5. Enter a question and a reply.
IMPORTANT: Make a note of your reply. You need this if you want to reset your central password using mutual aid.
Related Topics
• Employee's Central Password on page 98
• Mutual Aid for Resetting Passwords on page 100
Mutual Aid for Resetting Passwords
Employees can use mutual aid to reset their central password. The prerequisite is the question-answer pair which is stored for changing the central password.
To grant mutual aid
1. Log on to the Manager.
2. Open your own employee data.
3. Select Mutual aid - set password in the task view.
The employee for whom you want to grant mutual aid can change their central password on this form.
To change the central password
1. Enter their central user account under Login name.
2. Enter the personnel number.
If there is no personnel number stored with the employee, the field can remain empty.
3. Click Next.
The question for the central password appears.
4. Enter the answer for the central password and click Enable.
5. Enter a new central password and confirm it, then click Save.
Related Topics
• Employee's Central Password on page 98
• Change Password Question on page 99
Employee's Default Email Address
Table 44: Configuration Parameter for the Default Email Address
Configuration parameter       Description
QER\Person\DefaultMailDomain  This configuration parameter contains the default mail domain. The value is used to establish an employee's email address.
The employee's default email address is displayed on the mailboxes in the activated target system. The default installation of the One Identity Manager builds the default email address from the employee's central user account and the default mail domain of the active target system.
The default mail domain is found in the configuration parameter "QER\Person\DefaultMailDomain".
• Set the configuration parameter in the Designer and enter the default mail domain name as a value.
Related Topics
• Employee's Central User Account on page 97
Disabling and Deleting Employees
How employees are handled, particularly when an employee leaves permanently or temporarily, varies between companies. Some companies never delete employees and only disable them when they leave the company.
The following methods are available in the One Identity Manager default installation:
• Temporarily Deactivating Employees
• Permanently Deactivating Employees
• Deferred Deletion of Employees
Temporarily Deactivating Employees
The employee has temporarily left the company and is expected to return on a predefined date. The desired course of action could be to disable the user accounts and remove all group memberships. Alternatively, the user accounts could be deleted and re-created on the employee's return, even if that means a new security identifier (SID).
Temporary disabling of an employee is triggered by:
• The option Temporarily disabled
• The start and end date for deactivation (Temporarily disabled from and Temporarily disabled until)
NOTE: Configure and enable the schedule "Lock accounts of employees that have left the company" in the Designer. This schedule checks the start date for disabling and sets the option Temporarily disabled when that date is reached.
NOTE: Configure and enable the schedule "Enable temporarily disabled accounts" in the Designer. This schedule monitors the end date of the disabled period and re-enables the employee together with their user accounts when the date expires. Be aware that user accounts that were already disabled before the period of temporary absence, for an unrelated reason, are also re-enabled once the period has expired.
Related Topics
• Permanently Deactivating Employees on page 102
• Deferred Deletion of Employees on page 104
Permanently Deactivating Employees
Employees can be disabled permanently when, for example, they leave the company. It might then be necessary to remove this employee's access to entitlements in connected target systems and to their company resources.
Effects of permanently disabling an employee are:
• The employee cannot be assigned to employees as a manager.
• The employee cannot be assigned to roles as a supervisor.
• The employee cannot be assigned to attestation policies as an owner.
• Company resources are no longer inherited through roles if the additional option No inheritance is set for the employee.
• The employee's user accounts are locked or deleted and then removed from group memberships.
Permanent disabling is triggered by:
• The task Disable employee permanently
  This task sets the option Permanently disabled and sets the leaving date and the last working day to the current date.
• The leaving date being reached
  NOTE: Configure and enable the schedule "Lock accounts of employees that have left the company" in the Designer. This schedule regularly checks the leaving date and sets the option Permanently disabled when the date is reached.
  NOTE: The task Re-enable employee re-enables the employee.
• Certification status "Denied"
  An employee is permanently disabled when their certification status is set to "Denied", either through attestation or manually. If the employee's certification status is changed back to "Certified", the employee is enabled again.
  NOTE: This function is only available if the Attestation Module is installed.
Related Topics
• Temporarily Deactivating Employees on page 102
• Deferred Deletion of Employees on page 104
• Re-enable an Employee on page 103
• Changing the Certification Status of an Employee on page 117
Re-enable an Employee
Employees who are permanently disabled can be re-enabled unless they were disabled by certification.
To re-enable an employee
1. Select the category Employees | Inactive employees.
2. Select the employee in the result list.
3. Select Re-enable employee in the task view.
An alert appears.
4. Confirm the security prompt with Yes if the employee should be enabled. Otherwise close the alert with No.
The option Permanently disabled is cleared on the employee's master data form. The leaving date and last working day are deleted.
5. Save the changes.
Related Topics
• Permanently Deactivating Employees on page 102
Deferred Deletion of Employees
When an employee is deleted, One Identity Manager checks whether user accounts and company resources are still assigned to them, or whether there are still pending requests in the IT Shop. The employee is marked for deletion and therefore locked out of further processing. Before an employee can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests. You can do this manually or implement custom processes to do it. By default, all the user accounts linked to an employee are deleted by One Identity Manager once the employee has been deleted. If no more company resources are assigned, the employee is finally deleted.
By default, employees are finally deleted from the database after 30 days. During this period it is possible to restore the employee. A restore is not possible once the delete delay has expired. You can configure a different deletion delay on the table Person in the Designer.
Related Topics
• Temporarily Deactivating Employees on page 102
• Permanently Deactivating Employees on page 102
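The rules spread across the three sections above (temporary window, leaving date, certification status, re-enable, 30-day delete delay) fit in one small model. The following is an added example written for this page, not One Identity Manager code: the field names (temp_disabled_from, exit_date, marked_for_deletion_on and so on) are assumptions that mirror the form options the guide names, not the real columns of the Person table, and the end-of-window check assumes "expires" means the day after the until date.

```python
"""Employee deactivation and deferred-deletion rules from the guide, as an
added illustration. Not One Identity Manager code; field names are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DELETE_DELAY_DAYS = 30  # default deletion delay the guide gives for the Person table


def _d(value):
    """Accept ISO date strings or date objects; None passes through."""
    return value if value is None or isinstance(value, date) else date.fromisoformat(value)


@dataclass
class Employee:
    name: str
    temporarily_disabled: bool = False
    temp_disabled_from: Optional[str] = None
    temp_disabled_until: Optional[str] = None
    permanently_disabled: bool = False
    exit_date: Optional[str] = None           # leaving date
    last_working_day: Optional[str] = None
    certification_status: str = "certified"   # "new", "certified" or "denied"
    marked_for_deletion_on: Optional[str] = None


def lock_accounts_of_leavers(emp, today):
    """Schedule 'Lock accounts of employees that have left the company':
    sets Temporarily disabled once the start date is reached and
    Permanently disabled once the leaving date is reached."""
    today = _d(today)
    if emp.temp_disabled_from and _d(emp.temp_disabled_from) <= today:
        emp.temporarily_disabled = True
    if emp.exit_date and _d(emp.exit_date) <= today:
        emp.permanently_disabled = True
    return emp


def enable_temporarily_disabled(emp, today):
    """Schedule 'Enable temporarily disabled accounts': clears the flag once
    the until date has passed (assumption: the day after the until date)."""
    until = _d(emp.temp_disabled_until)
    if emp.temporarily_disabled and until and until < _d(today):
        emp.temporarily_disabled = False
    return emp


def disable_permanently(emp, today):
    """Task 'Disable employee permanently'."""
    emp.permanently_disabled = True
    emp.exit_date = emp.last_working_day = _d(today)
    return emp


def set_certification_status(emp, status):
    """Attestation rule: 'denied' disables immediately, 'certified' enables again."""
    emp.certification_status = status
    if status == "denied":
        emp.permanently_disabled = True
    elif status == "certified":
        emp.permanently_disabled = False
    return emp


def re_enable(emp):
    """Task 'Re-enable employee'; refused for employees disabled by certification."""
    if emp.certification_status == "denied":
        raise ValueError(f"{emp.name}: disabled by certification, change the certification status instead")
    emp.permanently_disabled = False
    emp.exit_date = emp.last_working_day = None
    return emp


def deletion_state(emp, today, delay_days=DELETE_DELAY_DAYS):
    """'active', 'pending' (restore still possible) or 'deleted' (delay expired)."""
    marked = _d(emp.marked_for_deletion_on)
    if marked is None:
        return "active"
    return "pending" if _d(today) < marked + timedelta(days=delay_days) else "deleted"


def restore(emp, today):
    """Undo a deferred deletion; only possible while the delay is still running."""
    if deletion_state(emp, today) != "pending":
        raise ValueError(f"{emp.name}: delete delay expired, restore is no longer possible")
    emp.marked_for_deletion_on = None
    return emp


def scenario():
    """Walk one constructed employee through the rules and collect the observed states."""
    e = Employee("Clara Harris", temp_disabled_from="2024-01-10", temp_disabled_until="2024-01-20")
    out = {}
    lock_accounts_of_leavers(e, "2024-01-09"); out["before_window"] = e.temporarily_disabled
    lock_accounts_of_leavers(e, "2024-01-10"); out["in_window"] = e.temporarily_disabled
    enable_temporarily_disabled(e, "2024-01-20"); out["last_day"] = e.temporarily_disabled
    enable_temporarily_disabled(e, "2024-01-21"); out["after_window"] = e.temporarily_disabled
    disable_permanently(e, "2024-03-01"); out["left"] = e.permanently_disabled
    re_enable(e); out["re_enabled"] = (e.permanently_disabled, e.exit_date)
    set_certification_status(e, "denied"); out["denied"] = e.permanently_disabled
    try:
        re_enable(e); out["re_enable_after_denial"] = "allowed"
    except ValueError:
        out["re_enable_after_denial"] = "refused"
    e.marked_for_deletion_on = "2024-04-01"
    out["day_29"] = deletion_state(e, "2024-04-30")
    out["day_30"] = deletion_state(e, "2024-05-01")
    return out
```

The point to take from the model is the ordering of checks that the schedules and tasks encode: the leaving date and a "Denied" certification both force Permanently disabled, but only the certification path blocks the Re-enable employee task, and the deferred deletion window is a hard cut-off with no restore afterwards.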
Assigning Company Resources to Employees
One Identity Manager uses different assignment types to assign company resources.
• Indirect Assignment
  In the case of indirect assignment of company resources, employees, devices and workdesks are arranged in departments, cost centers, locations, business roles or application roles. The total of assigned company resources for an employee, device or workdesk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up) and the company resources assigned to these roles. Indirect assignment distinguishes between primary and secondary assignment.
• Direct Assignment
  Direct assignment of company resources results from assigning a company resource directly to an employee, device or workdesk, for example. Direct assignment makes it easier to react to special requirements.
• Assigning through Dynamic Roles
  Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices and workdesks are not permanently assigned to a role, only while they fulfill certain conditions. A check is performed regularly to assess which employees, devices or workdesks fulfill these conditions. This means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees in a department in this way; if an employee leaves the department they immediately lose the resources assigned through it.
• Assigning through IT Shop Requests
  Assignment through the IT Shop is a special case of indirect assignment. Add employees to a shop as customers so that company resources can be assigned through IT Shop requests. All company resources assigned as products to this shop can be requested by the customers. Requested company resources are assigned to the employees after approval is granted. Role memberships can be requested through the IT Shop as well as company resources.
The following table shows the possible company resource assignments to employees.
NOTE: Company resources are defined in the One Identity Manager modules and are not available until the corresponding modules are installed.
Table 45: Possible Assignments of Company Resources to Employees
(Direct = direct assignment permitted, Indirect = indirect assignment permitted; + = permitted, - = not permitted)

Resources
  Direct: +   Indirect: +
System roles
  Direct: +   Indirect: +
Subscribable reports
  Direct: +   Indirect: +
Applications
  Direct: +   Indirect: +
Account definitions
  Direct: +   Indirect: +
Groups of custom target systems
  Direct: -   Indirect: +
  All the employee's user accounts that permit group inheritance are added to the associated application group.
Active Directory groups
  Direct: -   Indirect: +
  All the employee's Active Directory user accounts and Active Directory contacts that permit group inheritance are added to Active Directory groups.
SharePoint groups
  Direct: -   Indirect: +
  All the employee's SharePoint user accounts are added to SharePoint groups.
SharePoint roles
  Direct: -   Indirect: +
  All the employee's SharePoint user accounts are added to SharePoint roles.
LDAP groups
  Direct: -   Indirect: +
  All the employee's LDAP user accounts that permit group inheritance are added to LDAP groups.
Notes groups
  Direct: -   Indirect: +
  All the employee's Notes user accounts are added to Notes groups.
SAP groups
  Direct: +   Indirect: +
  All the employee's SAP user accounts in the same SAP client are added to SAP groups.
SAP profiles
  Direct: +   Indirect: +
  All the employee's SAP user accounts in the same SAP client are added to SAP profiles.
SAP roles
  Direct: +   Indirect: +
  All the employee's SAP user accounts in the same SAP client are added to SAP roles.
Structural profiles
  Direct: -   Indirect: +
  All the employee's SAP user accounts in the same SAP client are added to structural profiles.
BI analysis authorizations
  Direct: (not given)   Indirect: +
  All the employee's BI user accounts in the same system obtain BI analysis authorizations.
E-Business Suite entitlements
  Direct: -   Indirect: +
  All the employee's E-Business Suite user accounts in the same E-Business Suite system that permit group inheritance are added to E-Business Suite groups.
Azure Active Directory groups
  Direct: -   Indirect: +
  All the employee's Azure Active Directory user accounts that permit group inheritance are added to Azure Active Directory groups.
Azure Active Directory administrator roles
  Direct: -   Indirect: +
  All the employee's Azure Active Directory user accounts that permit group inheritance are added to Azure Active Directory administrator roles.
Azure Active Directory subscriptions
  Direct: -   Indirect: +
  All the employee's Azure Active Directory user accounts that permit group inheritance are given Azure Active Directory subscriptions.
Disabled Azure Active Directory service plans
  Direct: -   Indirect: +
  All the employee's Azure Active Directory user accounts that permit group inheritance are given Azure Active Directory service plans.
Unix groups
  Direct: -   Indirect: +
  All the employee's Unix user accounts that permit group inheritance are added to Unix groups.
Detailed information about this topic
• Basics for Assigning Company Resources on page 14
• Permit Assignments of Employees, Devices, Workdesks and Company Resources on page 25
Related Topics
• Possible Assignments of Company Resources through Roles on page 23
• Assigning Employees to Departments, Cost Centers and Locations on page 107
• Assigning Employees to Business Roles on page 108
• Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations on page 52
• Assigning Company Resources to Departments, Cost Centers and Locations on page 53
• Working with Dynamic Roles on page 65
Assigning Employees to Departments, Cost Centers and Locations
Assign the employee to departments, cost centers and locations so that the employee obtains company resources through these organizations. To assign company resources to departments, cost centers and locations, use the corresponding organization tasks.
To assign an employee to departments, cost centers and locations (secondary assignment; default method)
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Assign organizations in the task view.
4. Assign organizations in Add assignments.
   • Assign departments on the Departments tab.
   • Assign locations on the Locations tab.
   • Assign cost centers on the Cost centers tab.
   - OR -
   Remove the organizations in Remove assignments.
5. Save the changes.
To assign an employee to departments, cost centers and locations (primary assignment)
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Change master data in the task view.
4. Adjust the following master data:
   • Primary department
   • Primary cost center
   • Primary location
5. Save the changes.
Related Topics
• Assigning Company Resources to Employees on page 104
• Assigning Company Resources to Departments, Cost Centers and Locations on page 53
• Working with Dynamic Roles on page 65
• Adding Employees to IT Shop Custom Nodes on page 109
• Assigning Employees to Business Roles on page 108
• Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations on page 52
Assigning Employees to Business Roles
Installed Modules: Business Roles Module
Assign employees to business roles so that employees obtain their company resources through these business roles. To assign company resources to business roles, use the corresponding business role tasks.
To assign an employee to business roles (secondary assignment; default method)
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
   - OR -
   Remove business roles in Remove assignments.
5. Save the changes.
To assign an employee to business roles (primary assignment)
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Change master data in the task view.
4. Enter the primary business role.
5. Save the changes.
Related Topics
• Assigning Company Resources to Employees on page 104
• One Identity Manager Business Roles Administration Guide
Adding Employees to IT Shop Custom Nodes
When employees are added to a custom node, they are entitled to make IT Shop requests. Access permissions to the IT Shop and the assignments obtained through product requests in the IT Shop are displayed on the employee's overview.
To add an employee to the IT Shop
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Assign IT Shop memberships in the task view.
4. Assign customer nodes in Add assignments.
   - OR -
   Remove customer nodes in Remove assignments.
5. Save the changes.
Detailed information about this topic
• One Identity Manager IT Shop Administration Guide
Assigning Application Roles to Employees
For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.
Assigned employees obtain all the write permissions of the permission group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role. If no employees are directly assigned to an application role, the employees of the parent application role are inherited.
NOTE: The application roles Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers and Base roles | Birthright Assignments are assigned to employees automatically. Do not make any manual assignments to these application roles.
To assign application roles to an employee
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Assign to application roles in the task view.
4. Assign application roles in Add assignments.
   - OR -
   Remove application roles in Remove assignments.
5. Save the changes.
Assigning Resources Directly to Employees
Resources can be assigned directly or indirectly to employees. Indirect assignment is carried out by allocating employees and resources to company structures, like departments, cost centers, locations or business roles.
To react quickly to special requests, you can assign resources directly to an employee.
To assign resources directly to an employee
1. Select the category Employees | Employees.
2. Select the employee to which the resources will be assigned from the result list.
3. Select Assign resources in the task view.
4. Assign the resources in Add assignments.
   - OR -
   Remove them in Remove assignments.
5. Save the changes.
Related Topics
• Assigning Resources Directly to Employees on page 166
• Managing Resources on page 159
Assigning Applications Directly to Employees
You can assign applications directly or indirectly to employees. Indirect assignment is carried out by assigning employees and applications to company structures, like departments, cost centers, locations or business roles.
To react quickly to special requests, you can assign applications directly to an employee.
To assign an application directly to an employee
1. Select the category Employees | Employees.
2. Select the employee to which the application will be assigned from the result list.
3. Select Assign applications in the task view.
4. Assign applications in Add assignments.
   - OR -
   Remove applications in Remove assignments.
5. Save the changes.
Assigning System Roles Directly to Employees
Installed Modules: System Roles Module
System roles can be assigned directly or indirectly to employees. Indirect assignment is carried out by allocating employees and system roles to company structures, like departments, cost centers, locations or business roles.
To react quickly to special requests, you can assign system roles directly to an employee.
To assign system roles directly to an employee
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
   - OR -
   Remove system roles in Remove assignments.
5. Save the changes.
Related Topics
• One Identity Manager System Roles Administration Guide
Origin of an Employee's Roles and Entitlements
The report "Show entitlements origin" allows you to determine which entitlements an employee owns and where they come from. You can establish whether the employee obtained an entitlement directly or indirectly. For example, in the case of an indirect assignment, you can determine whether the entitlement resulted from a department membership or from a request.
You can also use the report to discover which departments, cost centers, locations and business roles are assigned to an employee and how the membership came about.
To use the origin report
• Set the configuration parameter "SysConfig\Display\SourceDetective" in the Designer and compile the database.
To display the origin of an employee's entitlements
1. Select the category Employees | Employees.
2. Select an employee in the result list and run the report Show entitlements origin.
3. Under "Assigned objects", you will see the employee's entitlements, departments, cost centers, locations and business roles. Double-click an entry to view more details.
4. Under "Origin", details of the selected entry are displayed in a hierarchical structure. You can see whether the assignment was a direct assignment, a dynamic assignment or a request.
   • Use the Details... button to switch to the dynamic role or to the request.
   • Double-click some of the entries in the detail view to go to the object.
   • Use the Inspect button to obtain further information about the entitlement's assignment.
Example of Entitlement Origin
The "Show entitlements origin" report establishes that Clara Harris is assigned to the Active Directory group "Finance".
The report answers several questions.
Question: Why does Clara Harris have the Active Directory group "Finance"?
Answer: Clara Harris owns an Active Directory user account and this user account is assigned to the group "Finance".
Question: Why is the user account assigned to the group "Finance"?
Answer: Clara Harris is assigned to the department "Finance". The department "Finance" inherits from the department "Global Finance". The department "Global Finance" is directly assigned to the group "Finance".
Question: Why is Clara Harris in the department "Finance"?
Answer: There is a department membership request for Clara Harris.
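The chain the report walks (user account, group, department, inheritance from a parent department, membership source) is what the assignment types in "Assigning Company Resources to Employees" produce, and it can be reproduced on a small data set. The following is an added example for this page, not One Identity Manager code or its report: the department hierarchy, the membership sources, the account "permits group inheritance" flag and the dynamic-role condition are all constructed here for illustration, and inheritance is modelled top-down only.

```python
"""Resolve where an employee's entitlement comes from, in the shape the
'Show entitlements origin' example explains it. Added illustration; the data
structures are assumptions, not One Identity Manager's tables or report."""
from dataclasses import dataclass, field


@dataclass
class Department:
    name: str
    parent: "Department | None" = None
    groups: set = field(default_factory=set)   # groups assigned to this department itself


@dataclass
class Membership:
    department: Department
    source: str          # "direct", "dynamic role" or "request"


@dataclass
class Employee:
    name: str
    hr_department: str                           # attribute a dynamic role condition can test
    accounts: dict = field(default_factory=dict)  # account -> permits group inheritance?
    memberships: list = field(default_factory=list)
    direct_groups: set = field(default_factory=set)


def ancestors(dept):
    """Top-down inheritance: a department also holds what its ancestors are assigned."""
    chain = []
    while dept is not None:
        chain.append(dept)
        dept = dept.parent
    return chain


def recalc_dynamic_role(employees, dept, condition):
    """Dynamic role: membership exists only while the condition holds, so each
    recalculation removes members that no longer match and adds those that do."""
    for e in employees:
        e.memberships = [m for m in e.memberships
                         if not (m.source == "dynamic role" and m.department is dept)]
        if condition(e):
            e.memberships.append(Membership(dept, "dynamic role"))


def entitlement_origins(emp, group):
    """Every path by which `emp` holds `group`, one line per path."""
    origins = []
    if group in emp.direct_groups:
        origins.append("direct assignment to the employee")
    for m in emp.memberships:
        for d in ancestors(m.department):
            if group in d.groups:
                path = m.department.name
                if d is not m.department:
                    path += f" inherits from {d.name}"
                origins.append(f"{m.source} membership in {path}; {d.name} is assigned {group}")
    return origins


def accounts_receiving(emp, group):
    """Table 45: only user accounts that permit group inheritance are added to the group."""
    if not entitlement_origins(emp, group):
        return []
    return sorted(a for a, inherits in emp.accounts.items() if inherits)


def scenario():
    """Constructed data mirroring the Clara Harris example, plus a dynamic-role member."""
    global_finance = Department("Global Finance", groups={"Finance"})
    finance = Department("Finance", parent=global_finance)
    clara = Employee("Clara Harris", "Finance",
                     accounts={"AD\\charris": True, "AD\\charris-adm": False})
    clara.memberships.append(Membership(finance, "request"))
    bob = Employee("Bob", "Finance", accounts={"AD\\bob": True})
    staff = [clara, bob]
    in_finance = lambda e: e.hr_department == "Finance"   # the dynamic role's condition
    recalc_dynamic_role(staff, finance, in_finance)
    out = {"clara": entitlement_origins(clara, "Finance"),
           "clara_accounts": accounts_receiving(clara, "Finance"),
           "bob_before": entitlement_origins(bob, "Finance")}
    bob.hr_department = "Sales"                            # Bob leaves the department
    recalc_dynamic_role(staff, finance, in_finance)
    out["bob_after"] = entitlement_origins(bob, "Finance")
    return out
```

Two things the model makes visible that the single answer chain above does not: an employee can hold the same group by more than one path (Clara has both a request and a dynamic-role membership, and removing one leaves the group in place), and an account that does not permit group inheritance never receives the group even though its owner is entitled to it.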
Analyzing Role Memberships and Employee Assignments
The report "Overview of all Assignments" is available for certain objects, for example, permissions, compliance rules or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles and IT Shop structures, in which there are employees who own the selected base object. Direct as well as indirect assignments of the base object are included.
Example
• If the report is created for a resource, all roles are determined in which there are employees with this resource.
• If the report is created for a group, all roles are determined in which there are employees with this group.
• If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
• If the report is created for a department, all roles are determined in which employees of the selected department are also members.
• If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
• To display the report, select the base object from the navigation or the result list and select the report Overview of all assignments.
• Use the Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you want to determine whether roles exist in which there are employees with the selected base object.
  All the roles of the selected role class are shown. The color coding of the elements identifies the roles in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. Click the legend button in the report's toolbar to open it.
• Double-click a control to show all child roles belonging to the selected role.
• Click the employees button in a role's control to display all employees in the role who have the base object.
• Use the small arrow next to that button to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.
Figure 13: Toolbar for Report "Overview of all assignments" (image not reproduced)
Table 46: Meaning of Icons in the Report Toolbar (icons not reproduced; their meanings in toolbar order)
1. Shows the legend with the meaning of the report control elements.
2. Saves the current report view as a graphic.
3. Selects the role class used to generate the report.
4. Displays all roles or only the affected roles.
Mapping Multiple Employee Identities
Table 47: Configuration Parameters for Representing Multiple Identities
QER\Person\MasterIdentity
  Preprocessor-relevant configuration parameter for controlling the components for administrating several identities of one employee. Changes to the parameter require recompiling the database. If this parameter is set, several logical employees can be handled in the database for one physical employee (for example, an employee has different identities and account characteristics at different branches).
QER\Person\MasterIdentity\UseMasterForAuthentication
  Specifies whether the main identity is used to log in to One Identity Manager tools through an employee-linked authentication module. If this parameter is set, the main identity is used for employee-linked authentication. If it is not set, the subidentity is used for employee-linked authentication.
Under certain circumstances, it might be necessary for employees to have different identities for their work, for example, identities that result from contracts at different branches. These identities can be differentiated through membership of a department or cost center, or through access permissions. External employees at different locations can also be represented with different identities in the system. You can define a main identity and subidentities for an employee in One Identity Manager to represent each of the identities and to group them at a central location.
Main Identity
• A main identity represents a real person.
• A main identity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
• A main identity can be referenced by several subidentities.
• The employee master data for a main identity is entered in One Identity Manager.
Subidentity
• A subidentity is a virtual employee.
• A subidentity can be assigned user accounts and permissions in One Identity Manager and it can place requests in the IT Shop.
• A subidentity is always linked to a main identity.
• Employee master data for a subidentity is displayed in One Identity Manager. It can be copied from the main identity's data using the appropriate templates.
• Enter a main identity for the subidentity using the pop-up menu Main identity on the employee's master data form.
TIP: If an employee with multiple identities is being edited although only one identity is currently known to One Identity Manager, you should create a main identity for that employee. Assign the previously known identity as a subidentity and create new subidentities for the other identities. In this way, the employee's permissions can be checked per subidentity, or per main identity including all subidentities, within an identity audit.
Limited Access to One Identity Manager
Installed Modules: Attestation Module
Users who only have temporary or limited access to One Identity Manager can log in through the Web Portal. This functionality can be used, for example, to give external employees, such as contract workers, temporary access to One Identity Manager. These employees log in to the Web Portal as new workers, and new employee objects are added for them in the One Identity Manager database.
If you make use of this functionality, note the following:
• An employee with the following properties is created in One Identity Manager:
  Certification status: new
  Certified: enabled
  No inheritance: enabled
• If the configuration parameter "QER\Attestation\UserApproval" is set, the new employee is automatically attested.
• To assign company resources to the employee or to grant editing permissions in One Identity Manager, implement custom processes.
Related Topics
• Changing the Certification Status of an Employee on page 117
• One Identity Manager Attestation Administration Guide
Changing the Certification Status of an Employee
Installed Modules: Attestation Module
An employee's certification status is set by default through certification and recertification procedures. You can change an employee's certification status manually if this is necessary outside the regular recertification schedule.
Prerequisite
• The configuration parameter "QER\Attestation\UserApproval" is set.
To change an employee's certification status manually
1. To change the certification status of an active employee, select the category Employees | Employees.
   - OR -
   To change the certification status of an inactive employee, select the category Employees | Inactive employees.
2. Select the employee in the result list.
3. Select Change certification status in the task view.
4. Select the certification status you want from the Certification status menu.
5. Click OK to accept the changes.
The new certification status for the employee is displayed on the form.
NOTE: The option Permanently disabled is updated according to the certification status. If an employee's certification status is set to "Denied", through attestation or manually, the employee is immediately permanently disabled. If the employee's certification status is changed to "Certified", the employee is enabled again.
Related Topics
• Limited Access to One Identity Manager on page 117
• Permanently Deactivating Employees on page 102
• One Identity Manager Attestation Administration Guide
Additional Tasks for Managing Employees
After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.
Employee Overview
Use this task to obtain an overview of the most important information about an employee.
To obtain an overview of an employee
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Employee overview in the task view.
   The most important information about the employee is shown on this form, including the employee's contact data, user accounts and affiliation to company structures. The assigned company resources, access to IT Shop structures and IT Shop requests are also displayed.
   The employee's responsibilities within One Identity Manager are displayed on this form as well. This includes application roles that the employee has obtained within One Identity Manager and functions such as department manager, cost center manager or approver within the IT Shop.
4. Select Employee entitlements overview in the task view.
   This form shows the system entitlements and all the target system groups allocated to the employee.
Manually Assigning User Accounts to Employees
Installed Modules: Target System Base Module
Active Directory Module
Oracle E-Business Suite Module
LDAP Module
IBM Notes Module
SAP R/3 User Management Module
SAP R/3 Analysis Authorizations Add-on Module
SharePoint Module
NOTE: You should use account definitions as the default method for creating user accounts.
The overview form displays all the employee's user accounts. You can manually assign a user account to an employee by using the appropriate tasks for assigning user accounts to employees.
Detailed information about this topic
• For more information, see the target system guides.
• For more detailed information about account definitions, see the One Identity Manager Target System Base Module Administration Guide.
Entering Calls for an Employee
Installed Modules: Helpdesk Module
Calls for employees are entered through the Helpdesk Module.
To enter help desk data for an employee
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Show calls in the task view to display the calls entered for the employee.
4. Select New call in the task view to enter a new call.
5. Save the changes.
Detailed information about this topic
• One Identity Manager Help Desk Module User Guide
Assigning Extended Properties
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for an employee
1. Select the category Employees | Employees.
2. Select the employee in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
   - OR - Remove extended properties from Remove assignments.
5. Save the changes.
Related Topics
• Edit Extended Properties on page 176
Determining an Employee's Language
In order for email notifications within the request process in the IT Shop or during attestation to be sent in the recipient's language, the employee's language has to be determined.
• States and countries and their languages already exist in the One Identity Manager default installation. Verify and edit this information in the Designer.
• Add the country and state of the primary location to the primary department, the primary cost center, the primary business role or directly to the employee. To map special cases, you can also add the language directly to the location, department, cost center or employee.
An employee‘s language is determined in the following order:
1. Language that is directly assigned to the employee.
2. Language of the employee's state.
3. Language of the employee's country.
4. Language directly assigned to the employee's location.
5. Language of the primary location's state.
6. Language of the primary location's country.
7. Language directly assigned to the employee's primary department.
8. Language of the primary department's state.
9. Language of the primary department's country.
10. Language directly assigned to the employee's primary cost center.
11. Language of the primary cost center's state.
12. Language of the primary cost center's country.
13. Language directly assigned to the employee's primary business role.
14. Language of the primary business role's state.
15. Language of the primary business role's country.
16. Fallback, in case the language could not be determined with this sequence:
   • Language taken from the configuration parameter "Common\MailNotification\DefaultCulture"
   • Language "en-US"
Related Topics
• One Identity Manager Configuration Guide
Determining an Employee's Working Hours
An employee's working hours must be known in order to determine the reaction times of approvers or attestors to request processes in the IT Shop or during attestation.
• States and countries and their time zones, public holidays and standard working hours already exist in One Identity Manager. Verify and edit this information in the Designer.
• The employee's area (state or country) has to be determined so that the working hours can be calculated correctly. Add the country and state of the primary location to the primary department, the primary cost center or directly to the employee.
• The correct working hours are subsequently calculated. The standard working hours in the country, rules for weekends and holidays, as well as different time zones and daylight saving rules, are taken into account when the hours are calculated.
The employee's area, and therefore the valid working hours, are determined in the following order:
1. State that is directly assigned to the employee.
2. Country that is directly assigned to the employee.
3. State of primary location.
4. Country of primary location.
5. State of primary department.
6. Country of primary department.
7. State of primary cost center.
8. Country of primary cost center.
9. State of primary business role.
10. Country of primary business role.
11. Fallback, in case the area could not be determined with this sequence:
   • State or country using the secondary location, department or cost center.
   • First country from all enabled countries in the database, sorted by telephone number.
   • Country "USA".
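The two precedence orders above (language, and working-hours area) walked over a small constructed data model, as an added example that is not code from the guide or the product; the lookup tables, the stand-in for the configuration parameter and the enabled-country list are constructed assumptions, and the model deliberately shows that a state assigned directly to the employee outranks a language assigned directly to the primary location.

```python
"""Added example (not One Identity Manager code): resolves an employee's
language and working-hours area by walking the precedence orders from this
guide over a small constructed data model. Lookup tables and values are
illustrative, not the product's own base data."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed base data: which language each state/country implies.
COUNTRY_LANG = {"US": "en-US", "DE": "de-DE", "CH": "de-CH"}
STATE_LANG = {"US-TX": "en-US", "DE-BY": "de-DE", "CH-GE": "fr-CH"}
# Constructed stand-in for the Common\MailNotification\DefaultCulture parameter.
CONFIG = {"Common\\MailNotification\\DefaultCulture": None}
# Constructed list of enabled countries, already sorted by telephone number.
ENABLED_COUNTRIES_BY_PHONE = ["US", "DE", "CH"]   # +1, +49, +41


@dataclass
class Org:
    """A location, department, cost center or business role."""
    language: Optional[str] = None
    state: Optional[str] = None
    country: Optional[str] = None


@dataclass
class Employee:
    language: Optional[str] = None
    state: Optional[str] = None
    country: Optional[str] = None
    location: Optional[Org] = None
    department: Optional[Org] = None
    cost_center: Optional[Org] = None
    business_role: Optional[Org] = None
    secondary_orgs: list = field(default_factory=list)


def _primary_chain(emp):
    # Order in which the guide consults objects: the employee first, then the
    # primary location, department, cost center and business role.
    return (emp, emp.location, emp.department, emp.cost_center, emp.business_role)


def _language_of(obj):
    """Three consecutive steps for one object: its own language, then the
    language of its state, then the language of its country."""
    if obj is None:
        return None
    if obj.language:
        return obj.language
    if obj.state in STATE_LANG:
        return STATE_LANG[obj.state]
    return COUNTRY_LANG.get(obj.country)


def determine_language(emp):
    """Steps 1-15 of the language sequence, then the two fallbacks of step 16."""
    for obj in _primary_chain(emp):
        lang = _language_of(obj)
        if lang:
            return lang
    return CONFIG["Common\\MailNotification\\DefaultCulture"] or "en-US"


def _area_of(obj):
    """Two consecutive steps for one object: its state, then its country."""
    if obj is None:
        return None
    return obj.state or obj.country


def determine_area(emp):
    """Steps 1-10 of the area sequence, then the three fallbacks of step 11."""
    for obj in _primary_chain(emp):
        area = _area_of(obj)
        if area:
            return area
    for obj in emp.secondary_orgs:        # secondary location/department/cost center
        area = _area_of(obj)
        if area:
            return area
    if ENABLED_COUNTRIES_BY_PHONE:
        return ENABLED_COUNTRIES_BY_PHONE[0]
    return "USA"


if __name__ == "__main__":
    # A state assigned directly to the employee (step 2) wins over a language
    # assigned directly to the primary location (step 4).
    geneva = Employee(state="CH-GE", location=Org(language="de-DE"))
    print(determine_language(geneva), determine_area(geneva))   # fr-CH CH-GE
    # Nothing on the employee or location: the primary department's country decides.
    munich = Employee(department=Org(country="DE"))
    print(determine_language(munich), determine_area(munich))   # de-DE DE
    # Only a secondary cost center carries data: the area comes from it, the
    # language falls through every step to the "en-US" default.
    lonely = Employee(secondary_orgs=[Org(country="US")])
    print(determine_language(lonely), determine_area(lonely))   # en-US US
```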
Related Topics
• One Identity Manager Configuration Guide
Employee Reports
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for employees.
NOTE: Other sections may be available depending on which modules are installed.
Table 48: Employee Reports

Report | Description
---|---
Entitlement Origins | The report shows an employee's entitlements and roles and the possible assignment methods.
Request History | The report provides you with an overview of each IT Shop request made by an employee. The report is divided into approved, canceled, denied and pending requests. You can trace when and why each product was requested, extended or canceled. View completed requests by clicking the Show... button in the approval history. In the approval history you can see the approval workflow, the results of each approval step and the approver. The Show... button shows you the current approval status of pending requests.
Data quality of supervised employees | This report evaluates the data quality of employee data records. All employees under supervision are taken into account.
Employees per department | This report contains the number of employees per department. The primary and secondary assignments to organizations are taken into account. You can find this report in the category My One Identity Manager.
Employees per cost center | This report contains the number of employees per cost center. The primary and secondary assignments to organizations are taken into account. You can find this report in the category My One Identity Manager.
Employees per location | This report contains the number of employees per location. The primary and secondary assignments to organizations are taken into account. You can find this report in the category My One Identity Manager.
Data quality summary for employee records | The report contains different analyses of data quality for all employees. You can find this report in the category My One Identity Manager.
Related Topics
• Origin of an Employee's Roles and Entitlements on page 112
• Analyzing Role Memberships and Employee Assignments on page 114
5 Managing Devices and Workdesks
The One Identity Manager offers extended device administration functionality for networks.
The One Identity Manager differentiates between device types, device models and the
device itself.
• Device types, such as PCs, printers or monitors, provide the initial classification of the devices.
• Device models provide the additional fine tuning of the device types in order to obtain a more exact classification of devices.
• The actual devices as they are defined in the network are listed under devices.
Workdesks are required for assigning different devices to a workstation. The assignment of
company resources can be mainly automated by assigning workdesks to business roles,
departments, cost centers, locations or dynamic roles.
To manage devices and workdesks in the One Identity Manager
• Set the configuration parameter "Hardware" in the Designer and compile the database.
Detailed information about this topic
• Base Data for Device Management on page 125
• Setting up a Device on page 132
• How to Set up a Workdesk on page 142
• Asset Data for Devices on page 153
Base Data for Device Management
The following basic data is required for managing devices:
• Configuration parameter
  Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.
  Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data | General | Configuration parameters in the Designer.
• Device model
  Device models are required to classify devices, for example, PC, server, monitor, printer types. One Identity Manager contains predefined device models.
• Info about manufacturer and supplier
  You can enter the manufacturer and supplier to augment device model and device data.
• Device status
  Provide the possible device statuses for device asset data.
• Workdesk status
  You can add a status to a workdesk.
• Workdesk type
  Provide workdesk types for further classification of workdesks.
Detailed information about this topic
• Device Model on page 126
• Business Partners on page 129
• Device status on page 130
• Workdesk Status on page 131
• Workdesk Type on page 132
• Appendix: Configuration Parameters for Managing Devices and Workdesks on page 187
Device Model
The prerequisite for adding hardware is the definition of device models. Device models are
required to classify devices, for example, PC, server, monitor, printer types. One Identity
Manager contains predefined device models. You can define more device models.
To edit a device model
1. Select the category Devices & Workdesks | Basic configuration data | Device models.
2. Select a device model in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the device model's master data.
4. Save the changes.
Detailed information about this topic
• General Master Data for a Device Model on page 127
• Inventory Data for a Device Model on page 128
General Master Data for a Device Model
Enter the following general master data for a device model.
Table 49: Device Model Master Data

Property | Description
---|---
Device model | Name of the device model.
Device type | Type of the device. During the setup of a new device, the device model's device type filters the forms that are available for handling master data.
Company | Name of the manufacturer. Use the button next to the text box to add a new company. For more information, see Business Partners on page 129. NOTE: Only the companies that are marked as manufacturers can be selected. When a new device is added, the company named as manufacturer in the device model is used for the device.
Service item | If you assigned a service item to the device model, the usage of the device model can be booked internally. Use the button next to the text box to add a new service item.
Website | Manufacturer's website. Use the Browse task to see the manufacturer's website in the standard web browser.
Description | Spare text box for additional explanation.
Additional data | Spare text box for additional explanation.
PC | Specifies whether, in principle, the device can be used as a PC in the sense of a workstation.
Server | Specifies whether the device is used as a server.
Local peripheral | Specifies whether this device type is a local peripheral to attach to a PC.
Disabled | Specifies whether the device model is in use or not. NOTE: Only device models which are enabled can be assigned in One Identity Manager. If a device model is deactivated, assignment of the device model is not permitted. However, existing assignments remain intact.
Inventory Data for a Device Model
You can enter the following inventory and asset data for a device model.
NOTE: Prices are given to 2 decimal places by default. The number of decimal places can be modified as required.
Table 50: Inventory Data for a Device Model

Property | Description
---|---
Default supplier | Name of the supplier. For more information, see Business Partners on page 129.
Employee | Employee responsible for the purchase.
Alternative device model | Alternative device model.
Warranty [months] | Standard manufacturer warranty in months.
Additional guarantee [months] | Additional manufacturer guarantee in months.
Usage [months] | Estimated period of use.
Min. stock | Minimum level of stock in storage.
Max. stock | Maximum level of stock in storage.
Item number | Article number at the supplier.
Request units | Measurement units for requests.
Minimum request quantity | Minimum quantity for requests.
Last quote date | Last quote date.
Price of last offer | Price of last offer.
Last delivery date | Last delivery date.
Price of last delivery | Price of last delivery.
Business Partners
Enter data for external companies that might be used as manufacturers, suppliers or
leasing partners.
To edit the data of a business partner
1. Select the category Devices & Workdesks | Basic configuration data | Business partners.
2. Select a company in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the business partner's master data.
4. Save the changes.
Enter the following data for a company:
Table 51: General Master Data for a Company

Property | Description
---|---
Company | Short description of the company for the views in One Identity Manager tools.
Name | Full company name.
Surname prefix | Additional company name.
Short name | Company's short name.
Contact | Contact person for the company.
Partner | Specifies whether this is a partner company.
Customer number | Customer number at the partner company.
Supplier | Specifies whether this is a supplier.
Customer number | Customer number at the supplier.
Leasing partner | Specifies whether this is a leasing provider or rental firm.
Manufacturer | Specifies whether this is a manufacturer.
Remarks | Spare text box for additional explanation.

Table 52: Company address

Property | Description
---|---
Street | Street or road.
Building | Building.
Zip code | Zip code.
Town | City.
State | State.
Country | Country.
Phone | Company's telephone number.
Fax | Company's fax number.
Email address | Company's email address.
Web page | Company's website. Use the Browse button to open the website in the default web browser.
Device status
You can define the status that devices take on, for example, activated, deactivated, stored.
To edit a device status
1. Select the category Hardware & Workdesks | Basic configuration data | Device status.
2. Select a device status in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the device status's master data.
4. Save the changes.
Enter the following data for a device status.
Table 53: Device Status General Data

Property | Description
---|---
Device status | Name of the device status.
Short description | Spare text box for additional explanation.
Description | Spare text box for additional explanation.
Workdesk Status
Enter the statuses that workdesks are able to have, for example, activated,
deactivated, stored.
To edit a workdesk status
1. Select the category Devices & Workdesks | Basic configuration data | Workdesk status.
2. Select the workdesk status in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the workdesk status's master data.
4. Save the changes.
Enter the following data for a workdesk status.
Table 54: Master Data for a Workdesk Status

Property | Description
---|---
Status | Workdesk status name.
Short description | Spare text box for additional explanation.
Description | Spare text box for additional explanation.
Workdesk Type
Provide workdesk types for further classification of workdesks. You can also enter additional device prerequisites, for example, whether a floppy disk drive or a CD-ROM drive is required.
To edit a workdesk type
1. Select the category Devices & Workdesks | Basic configuration data | Workdesk type.
2. Select the workdesk type in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the workdesk type's master data.
4. Save the changes.
Enter the following data for a workdesk type.
Table 55: Master Data for a Workdesk Type

Property | Description
---|---
Workdesk type | Workdesk type name.
Display name | Name for displaying in the One Identity Manager tools.
Short description | Spare text box for additional explanation.
Description | Spare text box for additional explanation.
Leasing fee | Leasing fee.
Floppy disk drive required | Specifies whether this workdesk type requires a floppy disk drive.
CD-ROM drive required | Specifies whether this workdesk type requires a CD-ROM drive.
Setting up a Device
Table 56: Configuration Parameter for Setting up a Device

Configuration parameter | Active | Meaning
---|---|---
Hardware\Display\CustomHardwareType | | When a new device is set up with the corresponding device model, the data is displayed in a customized form.
Hardware\Display\CustomHardwareType\MobilePhone | | Add a device type that represents a mobile phone.
Hardware\Display\CustomHardwareType\Monitor | | Add a device type that represents a monitor.
Hardware\Display\CustomHardwareType\PC | | Add a device type that represents a PC.
Hardware\Display\CustomHardwareType\Printer | | Add a device type that represents a printer.
Hardware\Display\CustomHardwareType\Server | | Add a device type that represents a server.
Hardware\Display\CustomHardwareType\Tablet | | Add a device type that represents a tablet.
Hardware\Display\MachineWithRPL | | Data for remote booting of workstations and servers can be edited.
Hardware\Workdesk\WorkdeskAuto | | When a workstation or server is set up, an associated workdesk is created automatically.
You can manage different devices with One Identity Manager, for example, workstations,
servers, monitors, printers or other devices.
To edit a device
1. Select the category Devices & Workdesks | Devices.
2. Select one of the following nodes.
   • Personal computer
   • Server
   • Monitors
   • Mobile telephones
   • Tablets
   • Printers
   • Miscellaneous
   The type of device model and the corresponding form for editing the data is determined when a new device is added.
3. Select a device in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
4. Edit the device's master data.
5. Save the changes.
Detailed information about this topic
• General Master Data for Devices on page 134
• Device Networking Data on page 137
• Asset Data for Devices on page 153
• Assigning Company Resources to Devices on page 138
General Master Data for Devices
Enter the following general master data for a device. The master data available depends on
the selected device model.
Table 57: General Master Data for Devices

Property | Description
---|---
Asset number | Number of the asset in the bookkeeping.
Device ID | Unique device ID.
PC | Specifies whether the hardware is a computer.
Server | Specifies whether the hardware is a server.
Local periphery | Specifies whether this is a local periphery, for example, a monitor, printer or other periphery device.
Manufacturer | Name of the manufacturer.
Device model | Name of the device model. The master data available depends on the selected device model.
Device status | Device's status.
Workdesk | The device's workdesk. This workdesk is used to assign various devices to a workstation or a server. If the configuration parameter "Hardware\Workdesk\WorkdeskAuto" is set, a workdesk with the same name as the workstation or server is added.
Parent device | A parent device which is linked to this device.
VM Client (option) | Specifies whether this device is a virtual machine.
VM Host | Device on which a virtual machine is installed. The selection is available if the option VM client is set.
VM Host (option) | Specifies whether this hardware is a host for a virtual machine.
Phone | Telephone number.
Used by | Employee who uses this device.
Primary department | Department to which the device is primarily assigned. Company resources can be inherited by a device through these primary assignments if One Identity Manager is appropriately configured.
Primary location | Location to which the device is primarily assigned. Company resources can be inherited by a device through these primary assignments if One Identity Manager is appropriately configured.
Primary cost center | Cost center to which the device is primarily assigned. Company resources can be inherited by a device through these primary assignments if One Identity Manager is appropriately configured.
Primary business role | Business role to which the device is primarily assigned. Company resources can be inherited by a device through these primary assignments if One Identity Manager is appropriately configured. NOTE: This property is available if the Business Roles Module is installed.
Investment | Investments or investment plans for the device.
Location description | Spare text box for additional explanation.
Description | Spare text box for additional explanation.
Remarks | Spare text box for additional explanation.
No inheritance | Specifies whether the device inherits company resources through roles. If this option is set, the device cannot inherit. Direct assignments remain intact.
Operating system | Operating system identifier.
Operating system version | Version number of the operating system.
Service pack operating system | Service pack identifier.
Hotfix operating system | Hotfix identifier.
Carrier | Carrier contract for the device.
Serial number | Manufacturer's serial number.
MAC address | The device's MAC address.
IMEI | The device's IMEI number.
ICCID | The device's ICCID number.
BIOS version | Version of the BIOS.
RAM [MB] | RAM in megabytes.
HDD capacity [MB] | Capacity of the first hard disk in megabytes.
Second HDD capacity [MB] | Capacity of the second hard disk in megabytes.
Max. vertical resolution | Maximum vertical image resolution.
Max. horizontal resolution | Maximum horizontal image resolution.
Import data source | Target system or data source from which the data set was imported.
Spare field no. 01 ... spare field no. 10 | Additional company-specific information. Use the Designer to customize display names, formats and templates for the input fields.
Related Topics
• Device Model on page 126
• Business Partners on page 129
• Device status on page 130
• Asset Data for Devices on page 153
• Data for Investments and Investment Plans on page 154
• How to Set up a Workdesk on page 142
• Basics for Assigning Company Resources on page 14
• Using Roles to Limit Inheritance on page 26
Device Networking Data
Enter the following information for the network configuration. The master data available
depends on the selected device model.
Table 58: Network Data

Property | Description
---|---
IP address (IPv4) | IP address in IPv4 format.
IP address (IPv6) | IP address in IPv6 format.
Use DHCP | Specifies whether the IP address is taken from a DHCP server. If this option is not set, enter a fixed IP address and enter the subnet mask and default gateway.
Subnet mask | Subnet mask.
Default gateway | Default gateway.
Use WINS | Specifies whether WINS name resolution is used. If this option is set, enter the IP addresses of the preferred and the alternative WINS server.
WINS primary | IP address of the preferred WINS server.
WINS secondary | IP address of the alternative WINS server.
Range ID | To communicate with one another, all computers require a TCP/IP network with the same range ID. The range ID is used for identification when the given DNS server cannot be found. Normally, this input should be left empty.
Use DNS | Specifies whether DNS name resolution is used. If this option is set, enter the IP addresses of the preferred and the alternative DNS server.
DNS server | IP address of the preferred DNS server.
Second DNS server | IP address of the alternative DNS server.
Third DNS server | IP address of the alternative DNS server.
DNS name | Suffix of the DNS domain the device belongs to.
DNS host name | DNS name of the computer.
Remote boot | Specifies whether this device uses remote booting. This property is available if the configuration parameter "Hardware\Display\MachineWithRPL" is set.
Remote boot type | Data for the remote boot type. This property is available if the configuration parameter "Hardware\Display\MachineWithRPL" is set.
Assigning Company Resources to Devices
One Identity Manager uses different assignment types to assign company resources.
• Indirect assignment
  In the case of indirect assignment of company resources, employees, devices and workdesks are arranged in departments, cost centers, locations, business roles or application roles. The total of assigned company resources for an employee, device or workdesk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up) and the company resources assigned to these roles. Indirect assignment distinguishes between primary and secondary assignment.
• Direct assignment
  Direct assignment of company resources results from the assignment of a company resource directly to an employee, device or workdesk, for example. Direct assignment of company resources makes it easier to react to special requirements.
• Assigning through dynamic roles
  Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices and workdesks are not permanently assigned to a role, only while they fulfill certain conditions. A check is performed regularly to assess which employees, devices or workdesks fulfill these conditions. This means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees in a department in this way; if an employee leaves the department, they immediately lose the resources assigned to them.
The following table shows the possible company resources assignments to devices.
NOTE: Company resources are defined in the One Identity Manager modules and are
not available until the modules are installed.
Table 59: Possible Assignments of Company Resources to Devices

Company resources | Direct assignment permitted | Indirect assignment permitted | Comment
---|---|---|---
Active Directory groups | - | + | All Active Directory computers which reference this device are added to Active Directory groups.
LDAP groups | - | + | All LDAP computers which reference this device are added to LDAP groups.

NOTE: Devices also obtain company resources from their workdesks.
Detailed information about this topic
• Basics for Assigning Company Resources on page 14
• Permit Assignments of Employees, Devices, Workdesks and Company Resources on page 25
Related Topics
• Possible Assignments of Company Resources through Roles on page 23
• Assigning Devices to Departments, Cost Centers and Locations on page 139
• Assigning Devices to Business Roles
• Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations on page 52
• Assigning Company Resources to Departments, Cost Centers and Locations on page 53
• Assigning Company Resources to Workdesks on page 146
• Working with Dynamic Roles on page 65
Assigning Devices to Departments, Cost Centers and Locations
Assign devices to departments, cost centers and locations so that they obtain company
resources through these organizations. To assign company resources to departments, cost
centers and locations, use the appropriate organization tasks.
To assign a device to departments, cost centers and locations (secondary assignment; default method)
1. Select the category Device & Workdesks | Basic configuration data | <filter>.
2. Select the device in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
   • Assign departments on the Departments tab.
   • Assign locations on the Locations tab.
   • Assign cost centers on the Cost center tab.
   - OR - Remove the organizations from Remove assignments.
5. Save the changes.
To assign a device to departments, cost centers and locations (primary assignment)
1. Select the category Device & Workdesks | Basic configuration data | <filter>.
2. Select the device in the result list.
3. Select Change master data in the task view.
4. Adjust the following master data:
   • Primary department
   • Primary cost center
   • Primary location
5. Save the changes.
Related Topics
• Assigning Company Resources to Devices on page 138
• Assigning Company Resources to Departments, Cost Centers and Locations on page 53
• Working with Dynamic Roles on page 65
• Assigning Employees to Business Roles on page 108
• Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations on page 52
Assigning Devices to Business Roles
Installed Modules: Business Roles Module
Assign devices to business roles so that the devices obtain company resources through these business roles. To assign company resources to business roles, use the corresponding business role tasks.
To assign a device to business roles (secondary assignment; default method)
1. Select the category Devices & Workdesks | <filter>.
2. Select the device in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR Remove business roles from Remove assignments.
5. Save the changes.
To assign a device to business roles (primary assignment)
1. Select the category Devices & Workdesks | <filter>.
2. Select the device in the result list.
3. Select Change master data in the task view.
4. Enter the primary role.
5. Save the changes.
Related Topics
• Assigning Company Resources to Devices on page 138
• One Identity Manager Business Roles Administration Guide
Additional Tasks for Managing Devices
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of Devices
Use this task to obtain an overview of the most important information about a device.
To obtain an overview of a device
1. Select the category Device & Workdesks | Basic configuration data | <filter>.
2. Select the device in the result list.
3. Select Device overview.
Assigning Service Agreements and Entering Calls
Installed Modules: Helpdesk Module
Use the Helpdesk Module to enter service agreements and calls for a device.
To enter help desk data for a device
1. Select the category Device & Workdesks | Basic configuration data | <filter>.
2. Select the device in the result list.
3. Select Assign service agreements in the task view to assign the device to valid service agreements.
   The service agreements are taken into account when calculating solution and reaction times in the case of a help desk call for this device.
4. Select Show calls in the task view to display the calls entered for a device.
5. Select New call in the task view to enter a new call.
6. Save the changes.
Detailed information about this topic
• One Identity Manager Help Desk Module User Guide
How to Set up a Workdesk
Table 60: Configuration Parameters for Setting Up Workdesks
Hardware\Workdesk\WorkdeskAuto: When this parameter is active, an associated workdesk is created automatically when a workstation or server is set up.
Workdesks are used to assign various devices to a workstation or a server. The assignment
of company resources can be mainly automated by assigning workdesks to business roles,
departments, cost centers, locations or dynamic roles.
TIP: Set the configuration parameter "Hardware\Workdesk\WorkdeskAuto" in the
Designer to automatically create a workdesk when generating a device for a workstation or a server.
To edit a workdesk
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list. Select Change master data in the task view.
- OR Click the corresponding button in the result list toolbar.
3. Edit the workdesk's master data.
4. Save the changes.
Detailed information about this topic
- General Master Data for a Workdesk on page 143
- Workdesk Location Information on page 145
- Additional Information about a Workdesk on page 145
- Assigning Company Resources to Workdesks on page 146
- Appendix: Configuration Parameters for Managing Devices and Workdesks on page 187
General Master Data for a Workdesk
Enter the following general master data for a workdesk.
Table 61: General Master Data for a Workdesk
Workdesk: Workdesk name. If the configuration parameter "Hardware\Workdesk\WorkdeskAuto" is set, a workdesk with the same name as the workstation or server is added.
Workdesk type: Type of the workdesk.
Status: Status of the workdesk.
Operating system: Workdesk's operating system.
Display name: The display name is used to display the workdesk in the One Identity Manager tools user interface.
Description: Spare text box for additional explanation.
Primary cost center: Cost center to which the workdesk is primarily assigned. A workdesk can obtain company resources through the primary assignments when One Identity Manager is configured accordingly.
Primary business roles: Business role to which the workdesk is primarily assigned. A workdesk can obtain company resources through the primary assignments when One Identity Manager is configured accordingly.
NOTE: This property is available if the Business Roles Module is installed.
Installation date: Date of going into operation.
Workdesk supervisor: Employee responsible for this workdesk.
Checked by: Employee who checked this workdesk.
Date checked: Last time the workdesk was checked.
Check remarks: Spare text box for additional explanation.
Service type: Information about the service done on this workdesk, for example, internal or external service provider.
Corresponding service agreements set up: Specifies whether the workdesk is set up in accordance with service agreements.
No inheritance: Specifies whether the workdesk inherits company resources through roles. If this option is set, the workdesk cannot inherit. Direct assignments remain intact.
Spare field no. 01 ... spare field no. 10: Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
NOTE: This property is available if the Helpdesk Module is installed.
Related Topics
- Workdesk Type on page 132
- Workdesk Status on page 131
- Basics for Assigning Company Resources on page 14
- Using Roles to Limit Inheritance on page 26
Workdesk Location Information
Enter the following information about a workdesk's location.
Table 62: Workdesk Location Information
Primary department: Department to which the workdesk is primarily assigned. A workdesk can obtain company resources through the primary assignments when One Identity Manager is configured accordingly.
Primary location: Location to which the workdesk is primarily assigned. A workdesk can obtain company resources through the primary assignments when One Identity Manager is configured accordingly.
Fax: Fax number.
Remarks (fax): Spare text box for additional explanation.
Building: Building.
Room: Room.
Phone: Telephone number.
Floor: Floor.
Remarks (room): Spare text box for additional explanation.
Related Topics
- Basics for Assigning Company Resources on page 14
Additional Information about a Workdesk
Enter additional device prerequisites, for example, whether a floppy disk drive or a CD drive is required.
Table 63: Miscellaneous Workdesk Data
Setup date: Date of going into operation.
Withdrawal date: Date on which the workdesk is written off.
Leasing fee: Leasing fee.
Floppy disk drive required: Specifies whether this workdesk requires a floppy disk drive.
CD-ROM drive required: Specifies whether this workdesk requires a CD-ROM drive.
Comment: Spare text box for additional explanation.
Assigning Company Resources to Workdesks
One Identity Manager uses different assignment types to assign company resources.
- Indirect Assignment
In the case of indirect assignment of company resources, employees, devices and workdesks are arranged in departments, cost centers, locations, business roles or application roles. The total of assigned company resources for an employee, device or workdesk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up) and the company resources assigned to these roles. Indirect assignment methods distinguish between primary and secondary assignment.
- Direct Assignment
Direct assignment of company resources results from the assignment of a company resource to an employee, device or a workdesk, for example. Direct assignment of company resources makes it easier to react to special requirements.
- Assigning through Dynamic Roles
Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices and workdesks are not permanently assigned to a role, but only while they fulfill certain conditions. A check is performed regularly to assess which employees, devices or workdesks fulfill these conditions. This means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees in a department in this way; if an employee leaves the department, they immediately lose the resources assigned to them.
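The three assignment paths described above (indirect inheritance through a role hierarchy with a top-down or bottom-up direction, direct assignment, and dynamic roles whose membership follows from a condition), together with the "No inheritance" option from the workdesk master data in Table 61, can be shown in one small model. The following Python block is an added example and is not One Identity Manager code: the `Role`, `Workdesk` and `RoleModel` classes, the role names, the resources and the workdesk attributes are all constructed for illustration. It is written for workdesks, but the guide states that the same calculation applies to employees and devices, so the model covers those equally.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Role:
    """A department, cost center, location or business role in a hierarchy."""
    name: str
    parent: Optional[str] = None                 # parent role, None at the top of the tree
    resources: Set[str] = field(default_factory=set)
    # Dynamic role: condition evaluated against the workdesk; None means a static role.
    condition: Optional[Callable[[Workdesk], bool]] = None

@dataclass
class Workdesk:
    name: str
    location: str
    os: str
    roles: Set[str] = field(default_factory=set)   # secondary (explicit) role memberships
    direct: Set[str] = field(default_factory=set)  # directly assigned company resources
    no_inheritance: bool = False                   # "No inheritance" option in the master data

class RoleModel:
    """Computes the effective company resources of a workdesk from the role hierarchy."""

    def __init__(self, roles: List[Role], direction: str = "top-down") -> None:
        if direction not in ("top-down", "bottom-up"):
            raise ValueError("inheritance direction must be 'top-down' or 'bottom-up'")
        self.roles: Dict[str, Role] = {r.name: r for r in roles}
        self.direction = direction

    def ancestors(self, name: str) -> List[str]:
        out: List[str] = []                         # roles above `name`, nearest first
        cur = self.roles[name].parent
        while cur is not None:
            out.append(cur)
            cur = self.roles[cur].parent
        return out

    def descendants(self, name: str) -> List[str]:
        out: List[str] = []                         # every role below `name`
        stack = [name]
        while stack:
            current = stack.pop()
            for r in self.roles.values():
                if r.parent == current:
                    out.append(r.name)
                    stack.append(r.name)
        return out

    def memberships(self, wd: Workdesk) -> Set[str]:
        # Explicit memberships plus every dynamic role whose condition the workdesk fulfils.
        member = set(wd.roles)
        for r in self.roles.values():
            if r.condition is not None and r.condition(wd):
                member.add(r.name)
        return member

    def effective_resources(self, wd: Workdesk) -> Set[str]:
        result = set(wd.direct)                     # direct assignments always remain intact
        if wd.no_inheritance:                       # the option only blocks the role path
            return result
        for role in self.memberships(wd):
            # Top-down: inherit from the role and everything above it.
            # Bottom-up: inherit from the role and everything below it.
            chain = [role] + (self.ancestors(role) if self.direction == "top-down"
                              else self.descendants(role))
            for name in chain:
                result |= self.roles[name].resources
        return result

# Constructed sample hierarchy Company > IT > Helpdesk plus one dynamic role.
SAMPLE_ROLES = [
    Role("Company", resources={"Office suite"}),
    Role("IT", parent="Company", resources={"Admin console"}),
    Role("Helpdesk", parent="IT", resources={"Ticket tool"}),
    Role("Berlin Linux workdesks", resources={"VPN profile"},
         condition=lambda wd: wd.location == "Berlin" and wd.os == "Linux"),
]

def demo() -> Dict[str, Set[str]]:
    """Runs one sample workdesk through both inheritance directions and the no-inheritance case."""
    top_down, bottom_up = RoleModel(SAMPLE_ROLES, "top-down"), RoleModel(SAMPLE_ROLES, "bottom-up")
    wd = Workdesk("WD-0001", "Berlin", "Linux", roles={"Helpdesk"}, direct={"Label printer"})
    blocked = Workdesk("WD-0002", "Berlin", "Linux", roles={"Helpdesk"},
                       direct={"Label printer"}, no_inheritance=True)
    results = {"top-down": top_down.effective_resources(wd),
               "bottom-up": bottom_up.effective_resources(wd),
               "no inheritance": top_down.effective_resources(blocked)}
    wd.location = "Munich"                          # no longer fulfils the dynamic role's condition
    results["after move"] = top_down.effective_resources(wd)
    return results

if __name__ == "__main__":
    for label, resources in demo().items():
        print(f"{label:15s} {sorted(resources)}")
```

The "after move" result is the point of the dynamic-role bullet: the workdesk keeps everything it gets through its static Helpdesk membership and its direct assignment, but the VPN profile disappears as soon as the condition is no longer met. The "no inheritance" result shows why that option is a useful containment control: it cuts every role-based path at once while leaving the explicitly granted resources in place.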
The following table shows the possible company resources assignments to workdesks.
NOTE: Company resources are defined in the One Identity Manager modules and are
not available until the modules are installed.
Table 64: Possible Assignments of Company Resources to Workdesks
Columns: company resource, direct assignment permitted, indirect assignment permitted, remarks.
System roles: direct +, indirect +.
Applications: direct +, indirect +.
Active Directory groups: direct -, indirect +. All Active Directory computers which reference the workdesk device are added to Active Directory groups.
LDAP groups: direct -, indirect +. All LDAP computers which reference the workdesk device are added to LDAP groups.
Detailed information about this topic
- Basics for Assigning Company Resources on page 14
- Permit Assignments of Employees, Devices, Workdesks and Company Resources on page 25
Related Topics
- Possible Assignments of Company Resources through Roles on page 23
- Assigning Workdesks to Departments, Cost Centers and Locations on page 147
- Assigning Workdesks to Business Roles
- Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations on page 52
- Assigning Company Resources to Departments, Cost Centers and Locations on page 53
- Working with Dynamic Roles on page 65
Assigning Workdesks to Departments, Cost Centers and Locations
Assign workdesks to departments, cost centers and locations so that they obtain company
resources through these organizations. To assign company resources to departments, cost
centers or locations, use the appropriate organization tasks.
To assign a workdesk to departments, cost centers and locations (secondary assignment; default method)
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost center tab.
- OR Remove the organizations from Remove assignments.
5. Save the changes.
To assign a workdesk to departments, cost centers and locations (primary assignment)
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Change master data in the task view.
4. Adjust the following master data:
- Primary department
- Primary cost center
- Primary location
5. Save the changes.
Related Topics
- Assigning Company Resources to Workdesks on page 146
- Assigning Company Resources to Departments, Cost Centers and Locations on page 53
- Working with Dynamic Roles on page 65
- Assigning Devices to Business Roles on page 141
- Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations on page 52
Assigning Workdesks to Business Roles
Installed Modules: Business Roles Module
Assign workdesks to business roles so that the workdesk obtains its company resources through these business roles. To assign company resources to business roles, use the corresponding business role tasks.
To assign a workdesk to business roles (secondary assignment; default method)
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR Remove business roles from Remove assignments.
5. Save the changes.
To assign a workdesk to business roles (primary assignment)
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Change master data in the task view.
4. Enter the primary role.
5. Save the changes.
Related Topics
- Assigning Company Resources to Workdesks on page 146
- One Identity Manager Business Roles Administration Guide
Assigning Applications Directly to Workdesks
You can assign applications directly or indirectly to a workdesk. Indirect assignment is carried out by allocating the workdesk and applications to company structures, like departments, cost centers, locations or business roles.
To react quickly to special requests, you can assign applications directly to a workdesk. Information about the applications is written to the workstation setup file that is assigned to this workdesk.
To assign applications to a workdesk
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Assign applications in the task view to assign applications directly to the workdesk.
4. Assign applications in Add assignments.
- OR Remove applications in Remove assignments.
5. Save the changes.
Related Topics
- Assigning Workdesks to Departments, Cost Centers and Locations on page 147
- Assigning Workdesks to Business Roles on page 148
Assigning System Roles Directly to Workdesks
Installed Modules: System Roles Module
System roles can be assigned directly or indirectly to a workdesk. Indirect assignment is carried out by assigning workdesks and system roles to company structures, like departments, cost centers, locations or business roles.
To react quickly to special requests, you can assign system roles directly to a workdesk.
To assign system roles to a workdesk
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Assign system roles in the task view, to assign system roles directly to
the workdesk.
4. Assign system roles in Add assignments.
- OR Remove system roles from Remove assignments.
5. Save the changes.
Related Topics
- Assigning Workdesks to Departments, Cost Centers and Locations on page 147
- Assigning Workdesks to Business Roles on page 148
- One Identity Manager System Roles Administration Guide
Additional Tasks for Managing Workdesks
After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.
Workdesk Overview
Use this task to obtain an overview of the most important information about a workdesk.
To obtain an overview of a workdesk
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Workdesk overview in the task view.
Assigning Devices to Workdesks
Use this task to assign a workdesk to several devices, for example, workstations, printers,
monitors or other peripheral devices. You can also assign the workdesk through the
device's master data.
To assign devices to a workdesk
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select the task Assign devices.
4. Assign devices in Add assignments.
- OR Remove assignments to devices in Remove assignments.
5. Save the changes.
Related Topics
- General Master Data for Devices on page 134
Assigning Employees to Workdesks
Use this task to assign a workdesk to several employees. You can also assign the workdesk
through the employee's master data. By assigning a workdesk to an employee, all the user
accounts for this employee are assigned as default PC to the associated workstation. This
assignment is required for finding application licenses.
To assign employees to a workdesk
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Assign employees in the task view.
4. Assign employees in Add assignments.
- OR Remove employees from Remove assignments.
5. Save the changes.
Related Topics
- General Employee Master Data on page 89
Assigning Service Agreements and Entering Calls
Installed Modules: Helpdesk Module
Use the Helpdesk Module to enter service agreements and calls for a workdesk.
To enter help desk data for a workdesk
1. Select the category Devices & Workdesks | Workdesks | Names.
2. Select the workdesk in the result list.
3. Select Assign service agreements in the task view to assign the workdesk to valid service agreements.
The service agreements are taken into account when calculating solution and reaction times for a help desk call for this workdesk.
4. Select Show calls to display the calls entered for the workdesk.
5. Select New call in the task view to enter a new call.
6. Save the changes.
Related Topics
- One Identity Manager Help Desk Module User Guide
Asset Data for Devices
One Identity Manager can manage asset and accounting data as part of inventory management. This includes information about business partners, ownership (leasing, purchasing, renting) and the associated contract information about costs and time periods. Asset inventory data can also be taken from another system and adopted by One Identity Manager; for example, a file extracted from SAP R/3 asset accounting can act as the data source.
To use this function
- Set the configuration parameter "Hardware\AssetAccounting" in the Designer and compile the database.
Detailed information about this topic
- Basic Data for Asset Management on page 153
- Data for Investments and Investment Plans on page 154
- Editing Device Asset Data on page 155
Basic Data for Asset Management
The following basic data is available for asset management.
- Asset classes: Provide the possible asset classes for device asset data.
- Asset types: Provide the possible asset types for hardware object asset data.
Detailed information about this topic
- Asset classes on page 154
- Asset types on page 154
- Base Data for Device Management on page 125
- Appendix: Configuration Parameters for Managing Devices and Workdesks on page 187
Asset classes
Enter asset classes for asset data about a device.
To edit an asset class
1. Select the category Devices & Workdesks | Basic configuration data | Asset classes.
2. Select the asset class in the result list. Select Change master data in the task view.
- OR Click the corresponding button in the result list toolbar.
3. Edit the asset class's master data.
4. Save the changes.
Enter the following data for an asset class.
Table 65: Asset Class Master Data
Storage class: Description of the asset class.
Display name: Name for displaying in the One Identity Manager tools.
Description: Spare text box for additional explanation.
Asset types
Enter asset types for asset data about a device.
To edit an asset type
1. Select the category Devices & Workdesks | Basic configuration data | Asset types.
2. Select an asset type in the result list. Select Change master data in the task view.
- OR Click the corresponding button in the result list toolbar.
3. Enter the name of the asset type and a description for additional explanation.
4. Save the changes.
Data for Investments and Investment Plans
Enter the data for investments and investment plans and assign them to devices.
To edit an investment
1. Select the category Devices & Workdesks | Investments.
2. Select an investment in the result list. Select Change master data in the task view.
- OR Click the corresponding button in the result list toolbar.
3. Edit the following master data.
Table 66: Master Data for Investments
Investment: Name of the investment.
Date: Date of investment.
Investment manager: Employee responsible for this investment.
Description: Spare text box for additional explanation.
Remarks: Spare text box for additional explanation.
4. Save the changes.
Related Topics
- General Master Data for Devices on page 134
Editing Device Asset Data
To enter asset information for a device
1. Select the category Devices & Workdesks | <filter>.
2. Select the device in the result list.
3. Select Edit asset data.
4. Save the changes.
Detailed information about this topic
- Master Data for Asset Data on page 156
- Commercial Data on page 157
Master Data for Asset Data
Enter the following master data for the asset data of a device.
Table 67: Device Asset Data
Asset number: Number of the asset in the bookkeeping.
Asset: Asset.
Storage class: Asset class.
Storage type: Asset type.
Device status: The device's status.
Enabling: Date for enabling the asset or leasing begin, respectively.
Deactivation: Date for disabling the asset or end of lease, respectively.
Replacement value: Value for replacing with a new device.
Depreciated value: Depreciation value for the device.
Company owned: Specifies whether the device is owned by the company.
Leased: Specifies whether the device is leased.
Invoice number: Invoice number of the purchase.
PSP character string: Asset PSP as character string.
Last inventory run: Date of last inventory.
Primary cost center: Cost center. Company resources can be inherited by a device through these primary assignments if One Identity Manager is appropriately configured.
Serial number: Serial number of the device.
Delivery remarks: Spare text box for additional explanation.
Inventory remarks: Spare text box for additional explanation.
Primary location: Location. Company resources can be inherited by a device through these primary assignments if One Identity Manager is appropriately configured.
Primary department: Department. Company resources can be inherited by a device through these primary assignments if One Identity Manager is appropriately configured.
Related Topics
- Asset classes on page 154
- Asset types on page 154
- Basics for Assigning Company Resources on page 14
Commercial Data
Enter the following asset data for a device.
NOTE: Prices are given to 2 decimal places by default. The number of decimal places can be modified in the Designer.
Table 68: Device Asset Data
Acquisition date: Date of purchase.
Delivery date: Date of delivery.
Delivery voucher number: Delivery voucher number.
Warranty: Warranty expiry date.
Warranty number: Warranty number.
Setup date: Date of going into operation.
Owner: Leasing company.
Supplier: Name of supplier.
Manufacturer: Name of manufacturer.
Purchase price: Purchase price.
Internal price: Internal price.
Sales price: Sales price.
Currency: Currency unit.
Inventory note: Spare text box for additional explanation.
Withdrawal date: Date for writing off the device.
Leasing fee: Leasing fee.
Internal transfer price: Internal transfer price.
Depreciation month: Depreciation in months.
Related Topics
- Business Partners on page 129
6 Managing Resources
One Identity Manager not only offers the possibility to map IT resources but also non-IT resources such as mobile telephones, desks, company cars and keys, i.e. everything that is necessary to create an efficient working environment for an employee. You can assign resources directly to an employee or through classification into hierarchical roles in One Identity Manager. Similarly, you can request resources for an employee through the IT Shop.
Resources are divided up from a functional point of view.
Table 69: Resource Types
Resources (table QERResource): Resources that an employee (workstation, device) may own just once. The resources can be requested in the IT Shop just once. The resources are assigned to the employees after approval has been granted. They remain assigned until the request is canceled. You can request them again at a later point. Examples: phones, company cars.
Multi-request resources (table QERReuse): Resources that can be requested more than once in the IT Shop. Requests are automatically canceled once approved. The resources are not explicitly assigned to employees. Examples: consumables, like pens, printer paper.
Multi-requestable/unsubscribable resources (table QERReuseUS): Resources which an employee can request more than once in the IT Shop but must return explicitly once they are no longer needed. The resources are assigned to the employees after approval has been granted. They remain assigned until the request is canceled. Examples: printer, monitor.
Detailed information about this topic
- Editing Resources on page 163
- Assigning Resources to Employees on page 165
- Editing Multi Request Resources on page 169
- Assigning Multi Request Resources to Employees on page 171
- Reports about Resources on page 173
One Identity Manager Users for Managing Resources
The following users are used for user administration.
Table 70: Users
Administrators for the IT Shop: Administrators must be assigned to the application role Request & Fulfillment | IT Shop | Administrators. Users with this application role:
- Edit the resources and assign them to IT Shop structures and employees.
One Identity Manager administrators:
- Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
- Create system users and permissions groups for non-role based login to administration tools, as required.
- Enable or disable additional configuration parameters in the Designer, as required.
- Create custom processes in the Designer, as required.
- Create and configure schedules, as required.
- Create and configure password policies, as required.
Base Data for Resources
The following basic data is required for managing resources.
- Resource types: You can use resource types to group resources.
- Processing status: After a resource has been assigned, further manual processing may be necessary. You can define processing statuses in One Identity Manager that reflect the status of each manual processing step.
- Extended properties: Extended properties are meta objects that cannot be mapped directly in One Identity Manager, for example, operating codes, cost codes or cost accounting areas.
Detailed information about this topic
- Resource Types on page 161
- Processing status on page 161
- Edit Extended Properties on page 176
Resource Types
You can use resource types to group resources.
To define resource types
1. Select the category Entitlements | Basic configuration data | Resource types.
2. Select the resource type in the result list. Select Change master data in the task view.
- OR Click the corresponding button in the result list toolbar.
3. Enter a name and description for the resource type.
4. Save the changes.
Processing status
After a resource has been assigned, further manual processing may be necessary. You can
define processing statuses in the One Identity Manager that reflect the status of each
manual processing step.
NOTE: Manual post-processing of resource requests is not part of the standard One
Identity Manager installation. Implement a custom solution for the required functionality.
Example
An employee requests a mobile phone through the IT Shop. This request is
authorized by the person in charge of the employee’s cost center. The following
steps could be necessary:
1. Initiate phone request at the dealers
2. Check delivery
3. Activate the resource in asset accounting
4. Deliver phone to employee
Once a processing step has been completed the processing status for the assigned
resource should be updated. Employees can use this to keep up-to-date with the progress
of their requests.
To edit processing statuses
1. Select the category Entitlements | Basic configuration data | Processing status.
2. Select a processing status in the result list. Select Change master data in the task view.
- OR Click the corresponding button in the result list toolbar.
3. Edit the processing status's master data.
4. Save the changes.
Enter the following properties for a processing status.
Table 71: General Master Data for a Processing Status
Processing status: Name of the processing status.
Success: The processing status marks the success of the processing step.
Closed: The processing status marks whether processing is complete.
Sort order: Order in which processing statuses can be set.
Description: Spare text box for additional explanation.
You can use user defined columns, for example, to link processing statuses to resources
(Spare field No. 01 to spare field no. 10). To use the processing status in requests,
specify Processing status on success and Processing status on error in the
approval step.
Related Topics
- Default Processing Status on page 163
- Editing Resources on page 163
- One Identity Manager IT Shop Administration Guide
Default Processing Status
One Identity Manager provides a processing status by default. This processing status is used in the IT Shop, in the approval steps of the default approval workflow.
To display the default processing status
- Select the category Entitlements | Basic configuration data | Processing status | Predefined.
Editing Resources
To edit resources
1. Select the category Entitlements | Resources.
2. Select the resource in the result list. Select Change master data in the task view.
- OR Click the corresponding button in the result list toolbar.
3. Edit the resource's master data.
4. Save the changes.
Detailed information about this topic
- Resource Master Data on page 163
- Assigning Resources to Employees on page 165
Resource Master Data
Enter the following master data for a resource.
Table 72: Resource Master Data
Resource: Resource identifier.
Resource type: Resource type for grouping resources.
Service item: Service item through which you can request the resource in the IT Shop. Assign an existing service item or add a new one.
Required resource: Define the dependencies between resources. When this resource is requested or assigned, the required resource is automatically requested or assigned with it.
Risk index: Value for evaluating the risk of resource assignments to employees. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.
IT Shop: Specifies whether the resource can be requested through the IT Shop. The resource can be ordered by an employee over the Web Portal and distributed using a defined approval process. The resource can still be directly assigned to employees and roles outside the IT Shop.
Only for use in IT Shop: Specifies whether the resource can only be requested through the IT Shop. The resource can be ordered by an employee over the Web Portal and distributed using a defined approval process. This means the resource cannot be directly assigned to roles outside the IT Shop.
No inheritance on security risk: Resources marked with this option are not inherited by employees who are rated as a security risk.
Description: Spare text box for additional explanation.
Automatic assignment to employees: Specifies whether the resource is assigned automatically to all internal employees. The resource is assigned to every employee not marked as external on saving. New employees automatically obtain this resource as soon as they are added. Disable this option to remove automatic assignment of the resource to all employees. The resource cannot be reassigned to employees from this point on. Existing resource assignments remain intact.
Spare field no. 01 ... spare field no. 10: Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
Related Topics
- Resource Types on page 161
- One Identity Manager Risk Assessment Administration Guide
- One Identity Manager IT Shop Administration Guide
One Identity Manager 8.0 Identity Management Base Module
Administration Guide
Managing Resources
164
Assigning Resources to Employees
Resources can be assigned to employees directly, indirectly or through IT Shop requests. In the case of indirect assignment, employees and resources are arranged in hierarchical roles. The number of resources assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance. Add employees to a shop as customers so that resources can be assigned through IT Shop requests. All resources that are assigned to this shop can be requested by the customers. Requested resources are assigned to the employees after approval is granted.
Prerequisites for indirect assignment of resources to employees are:
- Assignment of employees and resources is permitted for role classes (department, cost center, location or business role).
Detailed information about this topic
- Permit Assignments of Employees, Devices, Workdesks and Company Resources on page 25
- Basics for Assigning Company Resources on page 14
Assigning Employees to Departments, Cost Centers and Locations
Assign a resource to departments, cost centers or locations such that employees inherit the
resource through these organizations.
To assign a resource to departments, cost centers and locations
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
   - Assign departments on the Departments tab.
   - Assign locations on the Locations tab.
   - Assign cost centers on the Cost center tab.
   - OR - Remove the organizations from Remove assignments.
5. Save the changes.
Related Topics
- Managing Departments, Cost Centers and Locations on page 30
- Basics for Mapping Company Structures in One Identity Manager on page 9
Assigning Resources to Business Roles
Installed Modules: Business Roles Module
Assign a resource to business roles such that the resource is inherited by employees
through these business roles.
To assign a resource to business roles
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
   - OR - Remove business roles from Remove assignments.
5. Save the changes.
Detailed information about this topic
- One Identity Manager Business Roles Administration Guide
Assigning Resources Directly to Employees
Resources can be assigned directly or indirectly to employees. Indirect assignment is
carried out by allocating employees and resources in company structures, like
departments, cost centers, locations or business roles.
To react quickly to special requests, you can assign resources directly to employees.
To assign a resource directly to employees
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Assign to employees in the task view.
4. Assign employees in Add assignments.
- OR -
Remove employees from Remove assignments.
5. Save the changes.
Related Topics
- Employee Administration on page 72
- Basics for Assigning Company Resources on page 14
Adding Resources to the IT Shop
Once a resource has been assigned to an IT Shop shelf, it can be requested by the shop customers. The following prerequisites must also be met for a resource to be requestable:
- The resource must be labeled with the option IT Shop.
- The resource must be assigned to a service item.
- The resource must also be labeled with the option Only use in IT Shop if the resource can only be assigned to employees using IT Shop requests. Then the resource may not be assigned directly to hierarchical roles.
To add a resource to the IT Shop
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Add to IT Shop in the task view.
4. Assign the resource to the IT Shop shelf in Add assignments.
5. Save the changes.
To remove a resource from individual IT Shop shelves
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Add to IT Shop in the task view.
4. Remove the resource from the IT Shop shelves in Remove assignments.
5. Save the changes.
To remove a resource from all IT Shop shelves
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Remove from all shelves (IT Shop) in the task view.
4. Confirm the security prompt with Yes.
5. Click OK.
The resource is removed from all shelves by the One Identity Manager Service. All
requests and assignment requests with this resource are canceled in the process.
Related Topics
- Resource Master Data on page 163
- One Identity Manager IT Shop Administration Guide
Adding Resources to System Roles
Installed Modules: System Roles Module
A resource can be added to different system roles. A system role that only contains resources can be labeled with the system role type "Resource package". Resources can also be added to system roles that are not resource packages. When you assign a system role to an employee, the resource is assigned to the employee.
NOTE: Resources with the option "Only use in IT Shop" set can only be assigned to system roles which also have this option set.
To assign a resource to system roles
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
   - OR - Remove system roles from Remove assignments.
5. Save the changes.
Detailed information about this topic
- One Identity Manager System Roles Administration Guide
Additional Tasks for Managing Resources
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Resource Overview
Use this task to obtain an overview of the most important information about a resource. This includes the resource's membership in hierarchical roles and IT Shop structures.
To obtain an overview of a resource
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Resource overview in the task view.
Assigning Extended Properties to Resources
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for a resource
1. Select the category Entitlements | Resources.
2. Select a resource in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
   - OR - Remove extended properties from Remove assignments.
5. Save the changes.
Detailed information about this topic
- Edit Extended Properties on page 176
Editing Multi Request Resources
Table 73: Configuration Parameters for the IT Shop

QER\ITShop
    Preprocessor relevant configuration parameter to control the component parts for the IT Shop. If the parameter is set, the IT Shop components are available. Changes to the parameter require recompiling the database.
Multi-request resources can only be edited if the configuration parameter "QER\ITShop" is set.
- Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.
To edit multi-request resources
1. Select the category Entitlements | Multi request resources for IT Shop.
2. Select the resource in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the multi-request resource's master data.
4. Save the changes.
To edit multi-requestable/unsubscribable resources
1. Select the category Entitlements | Multi requestable/unsubscribable resources for IT Shop.
2. Select the resource in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the multi-requestable/unsubscribable resource's master data.
4. Save the changes.
Detailed information about this topic
- Multi-Request Resource Master Data on page 170
- Assigning Multi Request Resources to Employees on page 171
Multi-Request Resource Master Data
Enter the following master data for a multi-request resource.
Table 74: Multi-Request Resource Master Data

Multi-request resource / Multi-requestable/unsubscribable resource
    Resource identifier.

Resource type
    Resource type for grouping resources.

Service item
    Service item through which you can request the resource in the IT Shop. Assign an existing service item or add a new one.

Risk index
    Value for evaluating the risk of resource assignments to employees. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.

IT Shop
    Specifies whether the resource can be requested through the IT Shop. The resource can be ordered by an employee over the Web Portal and distributed using a defined approval process. The resource can still be directly assigned to employees and roles outside the IT Shop.
    This option cannot be disabled.

Only for use in IT Shop
    Specifies whether the resource can only be requested through the IT Shop. The resource can be ordered by an employee over the Web Portal and distributed using a defined approval process. This means the resource cannot be directly assigned to roles outside the IT Shop.
    This option cannot be disabled.

Description
    Spare text box for additional explanation.

Spare field no. 01 ... spare field no. 10
    Additional company-specific information. Use the Designer to customize display names, formats and templates for the input fields.
Related Topics
- Resource Types on page 161
- One Identity Manager IT Shop Administration Guide
- One Identity Manager Risk Assessment Administration Guide
Assigning Multi Request Resources to Employees
Assign multi-requestable resources to employees through IT Shop requests. To do this, add employees to a shop as customers. All resources that are assigned to this shop can be requested by the customers.
Detailed information about this topic
- Assigning through IT Shop Requests on page 18
- One Identity Manager IT Shop Administration Guide
Adding Multi Request Resources to the IT Shop
A multi request resource can be requested by shop customers when it is assigned to an IT
Shop shelf.
To add multi-request resources to the IT Shop
1. Select the category Entitlements | Multi-request resources for IT Shop.
   - OR - Select the category Entitlements | Multi requestable/unsubscribable resources for IT Shop.
2. Select a resource in the result list.
3. Select Add to IT Shop in the task view.
4. Assign the resource to the IT Shop shelf in Add assignments.
5. Save the changes.
To remove multi-request resources from individual IT Shop shelves
1. Select the category Entitlements | Multi-request resources for IT Shop.
   - OR - Select the category Entitlements | Multi requestable/unsubscribable resources for IT Shop.
2. Select a resource in the result list.
3. Select Add to IT Shop in the task view.
4. Remove the resource from the IT Shop shelves in Remove assignments.
5. Save the changes.
To remove multi-request resources from all IT Shop shelves
1. Select the category Entitlements | Multi-request resources for IT Shop.
   - OR - Select the category Entitlements | Multi requestable/unsubscribable resources for IT Shop.
2. Select a resource in the result list.
3. Select Remove from all shelves (IT Shop) in the task view.
4. Confirm the security prompt with Yes.
5. Click OK.
The resource is removed from all shelves by the One Identity Manager Service. This
cancels all requests for this resource.
Detailed information about this topic
- One Identity Manager IT Shop Administration Guide
Reports about Resources
One Identity Manager makes various reports available containing information about the
selected base object and its relations to other One Identity Manager database objects. The
following reports are available for resources.
NOTE: Other sections may be available depending on which modules are installed.
Table 75: Reports about Resources

Overview of all assignments
    This report finds all roles containing employees with the selected resource.

Related Topics
- Analyzing Role Memberships and Employee Assignments on page 114
7 Set up Extended Properties
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas. You can
assign extended properties to company resources, hierarchical roles and employees. They
can, for example, be used in the rule conditions of compliance rules.
To assign extended properties
1. First, set up a property group, under which the extended properties will be grouped.
2. Set up the extended properties in the property group.
3. Assign the extended properties to the objects.
There can be any number of objects of different object types assigned to an extended
property at this point.
Detailed information about this topic
- Create Property Groups on page 175
- Edit Extended Properties
One Identity Manager Users for Managing Extended Properties
The following users are used for managing extended properties.
Table 76: Users

Administrators for the IT Shop
    Administrators must be assigned to the application role Request & Fulfillment | IT Shop | Administrators.
    Users with this application role:
    - Create extended properties for company resources of any type.

One Identity Manager administrators
    - Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
    - Create system users and permissions groups for non-role based login to administration tools, as required.
    - Enable or disable additional configuration parameters in the Designer, as required.
    - Create custom processes in the Designer, as required.
    - Create and configure schedules, as required.
    - Create and configure password policies, as required.
Create Property Groups
Property groups are used to group extended properties. Each extended property must be
assigned to at least one property group. Furthermore, you can assign the extended
properties to any other property groups.
To create a property group
1. Select the category Entitlements | Basic configuration data | Extended properties.
2. Click the button in the result list toolbar.
3. Enter a name and description for the property group.
4. Save the changes.
To assign extended properties to a property group
1. Select the category Entitlements | Basic configuration data | Extended properties.
2. Select a property group in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
   - OR - Remove extended properties from Remove assignments.
5. Save the changes.
Edit Extended Properties
To edit an extended property
1. Select the category Entitlements | Basic configuration data | Extended properties | <property group>.
2. Select the extended property in the result list. Select Change master data in the task view.
   - OR - Click the button in the result list toolbar.
3. Edit the extended property's master data.
4. Save the changes.
Detailed information about this topic
- Extended Property Master Data on page 176
- Specifying Scoped Boundaries on page 177
Extended Property Master Data
Enter the following data for an extended property.
Table 77: Extended Property Master Data

Extended property name
    Name of the extended property.

Property group
    The property group for structuring extended properties. You can assign a primary property group to a property on the master data form. Extended properties are grouped by this property group in navigation.
    If an extended property needs to be assigned to several property groups, then you can use the task Assign property groups to assign additional property groups.

Lower scope boundary
    Lower scope boundary for further subdivision.

Upper scope boundary
    Upper scope boundary for further subdivision.

Description
    Spare text box for additional explanation.

Spare field no. 01 ... spare field no. 10
    Additional company-specific information. Use the Designer to customize display names, formats and templates for the input fields.
Detailed information about this topic
- Specifying Scoped Boundaries on page 177
Specifying Scoped Boundaries
You can subdivide extended properties by specifying scoped boundaries. You are not
obliged to enter scoped boundaries. If you do enter a lower boundary you are not
required to enter an upper one. However, if you specify an upper boundary, you have to
enter a lower one.
Take note of the following when defining scoped boundaries:
- Basically, any string is permitted as a lower or upper scoped boundary.
- You can use * as a wildcard for any number of characters (even null).
- Wildcards can only be added to the end of a string, for example, AB*. Strings such as *AB or A*B are not allowed.
- If you enter a lower boundary without a wildcard, you cannot use a wildcard in the upper boundary.
The following restrictions apply for the length of the string:
- If you enter a lower and upper boundary without a wildcard, the strings have to be the same length, for example, lower boundary 123/upper boundary 456. A lower boundary of 123 and an upper of 45, for example, is not permitted, and a lower boundary 123/upper boundary 4567 is also not allowed.
- If you use a wildcard in the lower boundary but none in the upper boundary, then the length of the upper boundary string needs to be the same as or bigger than the string in the lower boundary.
- If you use a wildcard in the lower and upper boundary, they have to be the same length, for example, lower boundary 123*/upper boundary 456*. A lower boundary of 123* and an upper of 45*, for example, is not permitted, and a lower boundary 123*/upper boundary 4567* is also not allowed.
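The boundary rules above, as an added example that is not part of the One Identity Manager product or this guide: a small Python validator for one lower/upper boundary pair, exercised with the guide's own sample values. One interpretation is assumed and marked in the code: when only the lower boundary carries a wildcard, the length comparison counts the characters before the *; the function and class names are this example's own.

```python
"""Validator for the scope boundaries of an extended property.

Added example (not part of the One Identity Manager product): it encodes the
rules the guide states for lower/upper scoped boundaries so that a boundary
pair can be checked before it is entered in the Manager.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BoundaryCheck:
    ok: bool
    reason: str = ""  # empty when the pair is valid


def has_wildcard(value: str) -> bool:
    return "*" in value


def stem(value: str) -> str:
    """The boundary string without its trailing wildcard (123* -> 123)."""
    return value[:-1] if value.endswith("*") else value


def wildcard_position_ok(value: str) -> bool:
    """At most one wildcard, and only at the end: AB* is fine, *AB and A*B are not."""
    return value.count("*") == 0 or (value.count("*") == 1 and value.endswith("*"))


def check_scope_boundaries(lower: Optional[str], upper: Optional[str]) -> BoundaryCheck:
    """Apply the guide's rules to one lower/upper boundary pair."""
    lower = lower or ""
    upper = upper or ""

    # Boundaries are optional, but an upper boundary requires a lower one.
    if not lower and not upper:
        return BoundaryCheck(True)
    if upper and not lower:
        return BoundaryCheck(False, "an upper boundary requires a lower boundary")

    for name, value in (("lower", lower), ("upper", upper)):
        if not wildcard_position_ok(value):
            return BoundaryCheck(False, f"{name} boundary: a wildcard is only allowed at the end")

    # A lower boundary on its own is valid, with or without a wildcard.
    if not upper:
        return BoundaryCheck(True)

    lower_wc, upper_wc = has_wildcard(lower), has_wildcard(upper)

    if not lower_wc and upper_wc:
        return BoundaryCheck(False, "no wildcard in the upper boundary when the lower one has none")

    if not lower_wc:  # no wildcards at all: 123/456 ok, 123/45 and 123/4567 not
        if len(lower) != len(upper):
            return BoundaryCheck(False, "without wildcards both boundaries must have the same length")
    elif not upper_wc:  # wildcard only in the lower boundary
        # Assumption: the comparison counts the characters before the '*'.
        if len(upper) < len(stem(lower)):
            return BoundaryCheck(False, "the upper boundary must be at least as long as the lower one")
    else:  # wildcards on both sides: 123*/456* ok, 123*/45* and 123*/4567* not
        if len(lower) != len(upper):
            return BoundaryCheck(False, "with wildcards on both sides the boundaries must have the same length")

    return BoundaryCheck(True)


if __name__ == "__main__":
    # The guide's own sample pairs plus a few constructed ones.
    for pair in [("123", "456"), ("123", "45"), ("123", "4567"),
                 ("123*", "456*"), ("123*", "45*"), ("123*", "4567*"),
                 ("AB*", None), ("*AB", None), ("123", "45*"), (None, "456")]:
        result = check_scope_boundaries(*pair)
        print(pair, "valid" if result.ok else f"invalid: {result.reason}")
```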
Additional Tasks for Managing Extended Properties
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Extended Property Overview
Use this task to obtain an overview of the most important information about an extended property. This includes the One Identity Manager objects to which the extended property is assigned.
To obtain an overview of an extended property
1. Select the category Entitlements | Basic configuration data | Extended properties | <property group>.
2. Select the extended property in the result list.
3. Select Extended property overview in the task view.
To obtain an overview of a property group
1. Select the category Entitlements | Basic configuration data | Extended
properties.
2. Select a property group in the result list.
3. Select the task Property group overview in the task view.
Assign Objects
You can assign extended properties to company resources, hierarchical roles and
employees.
To assign objects to an extended property
1. Select the category Entitlements | Basic configuration data | Extended properties | <property group>.
2. Select the extended property in the result list.
3. Select Assign objects in the task view.
4. Select the desired object type in Select object type.
   The objects belonging to the selected object type are displayed on the form.
5. Assign objects in Add assignments.
   - OR - Remove objects in Remove assignments.
6. Save the changes.
Assign Property Groups
Each extended property must be assigned to at least one property group. Furthermore, you
can assign the extended properties to any other property groups.
To assign an extended property to a property group
1. Select the category Entitlements | Basic configuration data | Extended properties | <property group>.
2. Select the extended property in the result list.
3. Select Assign property groups in the task view.
4. Assign property groups in Add assignments.
   - OR - Remove property groups in Remove assignments.
5. Save the changes.
Related Topics
- Create Property Groups on page 175
Appendix A: Configuration Parameters for Managing Departments, Cost Centers and Locations
The following configuration parameters are additionally available in One Identity Manager
after the module has been installed.
Table 78: Configuration parameter

QER\Structures
    If the configuration parameter is set, hierarchical roles are supported.

QER\Structures\DynamicGroupCheck
    This configuration parameter controls the generation of calculation tasks for dynamic roles. If the configuration parameter is not set, the subparameters do not apply.

QER\Structures\DynamicGroupCheck\CalculateImmediatelyPerson
    If the parameter is set, a calculation task for modifications to employees or employee level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are queued the next time the schedule is planned to run.

QER\Structures\DynamicGroupCheck\CalculateImmediatelyHardware
    If the parameter is set, a calculation task for modifications to employees or employee level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are queued the next time the schedule is run.

QER\Structures\DynamicGroupCheck\CalculateImmediatelyWorkdesk
    If the parameter is set, a calculation task for modifications to workdesks or workdesk level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are started the next time the schedule is planned to run.

QER\Structures\ExcludeStructures
    Preprocessor relevant configuration parameter for defining the effectiveness of role memberships. If this parameter is set, mutually excluding roles can be defined. Changes to the parameter require recompiling the database.

QER\Structures\Inherite\Person
    This configuration parameter specifies whether employees can inherit through primary assignments.

QER\Structures\Inherite\Person\FromDepartment
    This configuration parameter specifies whether employees inherit assignments from their primary department (Person.UID_Department).

QER\Structures\Inherite\Person\FromLocality
    This configuration parameter specifies whether employees inherit assignments from their primary location (Person.UID_Locality).

QER\Structures\Inherite\Person\FromProfitCenter
    This configuration parameter specifies whether employees inherit assignments from their primary cost center (Person.UID_ProfitCenter).

QER\Structures\Inherite\Hardware
    This configuration parameter specifies whether devices inherit through primary assignment.

QER\Structures\Inherite\Hardware\FromDepartment
    This configuration parameter specifies whether devices inherit assignments from their primary department (Hardware.UID_Department).

QER\Structures\Inherite\Hardware\FromLocality
    This configuration parameter specifies whether devices inherit assignments from their primary location (Hardware.UID_Locality).

QER\Structures\Inherite\Hardware\FromProfitCenter
    This configuration parameter specifies whether devices inherit assignments from their primary cost center (Hardware.UID_ProfitCenter).

QER\Structures\Inherite\Workdesk
    This configuration parameter specifies whether workdesks can inherit through primary assignments.

QER\Structures\Inherite\Workdesk\FromDepartment
    This configuration parameter specifies whether workdesks inherit assignments from their primary department (Workdesk.UID_Department).

QER\Structures\Inherite\Workdesk\FromLocality
    This configuration parameter specifies whether workdesks inherit assignments from their primary location (Workdesk.UID_Locality).

QER\Structures\Inherite\Workdesk\FromProfitCenter
    This configuration parameter specifies whether workdesks inherit assignments from their primary cost center (Person.UID_ProfitCenter).
Appendix B: Configuration Parameters for Managing Applications
The following configuration parameters are additionally available in One Identity Manager
after the module has been installed.
Table 79: Configuration parameter

QER\Person
    If this configuration parameter is set, employee administration is supported.

QER\Person\CentralAccountGlobalUnique
    This configuration parameter specifies how the central user account is mapped.
    If this configuration parameter is set, the central user account for an employee is formed uniquely in relation to the central user accounts of all employees and the user account names of all permitted target systems.
    If the configuration parameter is not set, it is only formed uniquely in relation to the central user accounts of all employees.

QER\Person\DefaultMailDomain
    This configuration parameter contains the default mail domain. The value is used to establish an employee's email address.

QER\Person\MasterIdentity
    Preprocessor relevant configuration parameter for controlling the component parts for administrating several identities of one employee. Changes to the parameter require recompiling the database.
    If this parameter is set, several logical employees can be handled in the database for one physical employee (for example, an employee has different identities and account characteristics at different branches).

QER\Person\MasterIdentity\UseMasterForAuthentication
    This configuration parameter specifies whether the main identity should be used to log in to One Identity Manager tools through an employee-linked authentication module. If this parameter is set, the main identity is used for employee-linked authentication. If the parameter is not set, the subidentity is used for employee-linked authentication.

QER\Person\TemporaryDeactivation
    This configuration parameter controls the behavior between employees and user accounts if employees are temporarily deactivated.
    If the configuration parameter is set, the employee's user accounts are locked if the employee is permanently or temporarily disabled.
    If the configuration parameter is not set, the employee's properties do not have any effect on the associated user accounts.

QER\Person\UseCentralPassword
    This configuration parameter specifies whether the employee's central password is used in the user accounts. The employee's central password is automatically mapped to the employee's user account in all permitted target systems. This excludes privileged user accounts, which are not updated.

QER\Person\UseCentralPassword\PermanentStore
    This configuration parameter controls the storage period for central passwords. If the parameter is set, the employee's central password is permanently stored. If the parameter is not set, the central password is only used for publishing to existing target system specific user accounts and is subsequently deleted from the One Identity Manager database.

SysConfig
    If this configuration parameter is set, you can configure general settings for system behavior.

SysConfig\Display
    If the configuration parameter is set, user interface design is supported.

SysConfig\Display\PersonalData
    If an employee can be determined using the authentication module, this configuration parameter specifies whether data, requests, attestations and rule violations should be displayed in a category "My Data" in the Manager.

SysConfig\Display\SourceDetective
    Preprocessor relevant configuration parameter for controlling how the source of an employee's entitlements is displayed. Changes to the parameter require recompiling the database.
Appendix C: Configuration Parameters for Managing Devices and Workdesks
The following configuration parameters are additionally available in One Identity Manager
after the module has been installed.
Table 80: Configuration parameter

Hardware
    Preprocessor relevant configuration parameter to control the database model components for device administration. If the parameter is set, the device administration components are available. Changes to the parameter require recompiling the database.

Hardware\AssetAccounting
    Preprocessor parameter to control the model components for asset accounting. If the parameter is set, asset accounting components are available. Changes to the parameter require recompiling the database.

Hardware\Display
    This configuration parameter specifies whether the way device properties are displayed can be configured.

Hardware\Display\CustomHardwareType
    This configuration parameter specifies whether a new device with the appropriate device model is displayed on the custom form.

Hardware\Display\CustomHardwareType\MobilePhone
    This configuration parameter contains data for a device type which represents a mobile phone.

Hardware\Display\CustomHardwareType\Monitor
    This configuration parameter contains data for a device type which represents a monitor.

Hardware\Display\CustomHardwareType\PC
    This configuration parameter contains data for a device type which represents a PC.

Hardware\Display\CustomHardwareType\Printer
    This configuration parameter contains data for a device type which represents a printer.

Hardware\Display\CustomHardwareType\Server
    This configuration parameter contains data for a device type which represents a server.

Hardware\Display\CustomHardwareType\Tablet
    This configuration parameter contains data for a device type which represents a tablet.

Hardware\Display\DisplayResolutions
    This configuration parameter contains a pipe-delimited list of all screen resolutions that are available for selection on the device's master data form.

Hardware\Display\MachineWithRPL
    This configuration parameter specifies whether data for remote rebooting of workstations and servers can be edited.

Hardware\Workdesk
    If this configuration parameter is set, workdesk administration is supported.

Hardware\Workdesk\WorkdeskAuto
    This configuration parameter specifies whether a workdesk is automatically created when a workstation or server is set up.
One Identity Manager 8.0 Identity Management Base Module
Administration Guide
Appendix: Configuration Parameters for Managing Devices and
Workdesks
188
Appendix D: Authentication Modules for Logging into One Identity Manager

The following authentication modules are available for logging into One Identity Manager once this module has been installed.
For more detailed information on authentication modules, see the One Identity Manager Configuration Guide.
Employee

Login data: Employee's central user account and password.
Prerequisites:
- The system user with permissions exists in the One Identity Manager database.
- The employee exists in the One Identity Manager database.
  - The central user account is entered in the employee's master data.
  - The system user is entered in the employee's master data.
  - The password is entered in the employee's master data.
Set as default: Yes
Single sign-on: No
Front-end login allowed: Yes
Web Portal login allowed: Yes
Remarks:
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
- If this configuration parameter is set, the employee's main identity is used for authentication.
- If the parameter is not set, the employee's subidentity is used for authentication.
The user interface and the write permissions are loaded through the system user that is directly assigned to the logged-in employee.
Changes to the data are assigned to the logged-in employee.
Generic single sign-on (role based)

Login data: The authentication module uses the Active Directory login data of the user currently logged in on the workstation.
Prerequisites:
- The employee exists in the One Identity Manager database.
- The employee is assigned at least one application role.
- The user account exists in the One Identity Manager database and the employee is entered in the user account's master data.
Set as default: No
Single sign-on: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes
Remarks:
One Identity Manager searches for the user account according to the configuration and finds the employee assigned to the user account.
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
- If this configuration parameter is set, the employee's main identity is used for authentication.
- If the parameter is not set, the employee's subidentity is used for authentication.
A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.
Changes to the data are assigned to the logged-in employee.
Modify the following configuration parameters in the Designer to implement the authentication module.
Table 81: Configuration Parameters for the Authentication Module

QER\Person\GenericAuthenticator
    This configuration parameter specifies whether authentication through single sign-on is supported.

QER\Person\GenericAuthenticator\SearchTable
    This configuration parameter contains the table in the One Identity Manager schema in which the user information is stored. The table must contain a foreign key named UID_Person that points to the Person table.
    Example: ADSAccount

QER\Person\GenericAuthenticator\SearchColumn
    This configuration parameter contains the column of the One Identity Manager table (SearchTable) that is searched for the user name of the current user.
    Example: CN

QER\Person\GenericAuthenticator\EnabledBy
    This configuration parameter contains a pipe (|) delimited list of Boolean columns of the One Identity Manager table (SearchTable). All of these columns must be set for the user account to be enabled for login.

QER\Person\GenericAuthenticator\DisabledBy
    This configuration parameter contains a pipe (|) delimited list of Boolean columns of the One Identity Manager table (SearchTable). If any of these columns is set for the user account, the account is disabled for login.
    Example: AccountDisabled
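The lookup that Table 81 configures, written out as an added example (this is not One Identity code and does not call the product's API): the current Windows user name is searched in SearchColumn of SearchTable, the pipe-delimited EnabledBy and DisabledBy columns gate the login, UID_Person leads to the employee, and QER\Person\MasterIdentity\UseMasterForAuthentication decides between the main identity and the subidentity. The in-memory rows, the Person fields central_account and main_identity_uid, and the case-insensitive comparison (mirroring a case-insensitive database collation) are assumptions made for the demonstration; the parameter names and the example values are the page's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PREFIX = "QER\\Person\\GenericAuthenticator\\"
USE_MASTER = "QER\\Person\\MasterIdentity\\UseMasterForAuthentication"

# Example settings, using the values Table 81 gives as examples.
CONFIG = {
    PREFIX + "SearchTable": "ADSAccount",
    PREFIX + "SearchColumn": "CN",
    PREFIX + "EnabledBy": "",                 # empty list: no column has to be set
    PREFIX + "DisabledBy": "AccountDisabled",
    USE_MASTER: True,
}


@dataclass(frozen=True)
class Person:
    """Constructed stand-in for a Person row; main_identity_uid links a subidentity to its main identity."""
    uid: str
    central_account: str
    main_identity_uid: Optional[str] = None


# Constructed sample data (not from the product). UID_Person is the foreign key to Person
# that the SearchTable must provide.
TABLES: Dict[str, List[Dict]] = {
    "ADSAccount": [
        {"CN": "jdoe", "AccountDisabled": False, "UID_Person": "per-sub-1"},
        {"CN": "svc-build", "AccountDisabled": True, "UID_Person": "per-2"},
        {"CN": "orphan", "AccountDisabled": False, "UID_Person": None},
    ]
}
PERSONS: Dict[str, Person] = {
    "per-main-1": Person("per-main-1", "JDOE"),
    "per-sub-1": Person("per-sub-1", "JDOE_ADMIN", main_identity_uid="per-main-1"),
    "per-2": Person("per-2", "SVC-BUILD"),
}


def split_columns(value: Optional[str]) -> List[str]:
    """Parse a pipe-delimited column list (EnabledBy/DisabledBy); blank entries are ignored."""
    return [c.strip() for c in (value or "").split("|") if c.strip()]


def find_user_account(login: str, config: Dict, tables: Dict[str, List[Dict]]) -> Dict:
    """Locate the single SearchTable row whose SearchColumn equals the login and apply the
    EnabledBy/DisabledBy gates. Refuses the login instead of guessing when the match is not unique."""
    rows = tables[config[PREFIX + "SearchTable"]]
    column = config[PREFIX + "SearchColumn"]
    # Assumption: the comparison is case-insensitive, as with a case-insensitive SQL collation.
    matches = [r for r in rows if str(r.get(column, "")).casefold() == login.casefold()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one {column} match for {login!r}, found {len(matches)}")
    row = matches[0]
    if not all(row.get(c) for c in split_columns(config[PREFIX + "EnabledBy"])):
        raise PermissionError(f"{login!r}: not all EnabledBy columns are set")
    if any(row.get(c) for c in split_columns(config[PREFIX + "DisabledBy"])):
        raise PermissionError(f"{login!r}: a DisabledBy column is set")
    return row


def resolve_employee(row: Dict, config: Dict, persons: Dict[str, Person]) -> Person:
    """Follow UID_Person to the employee, then switch to the main identity when
    UseMasterForAuthentication is set and the account belongs to a subidentity."""
    uid = row.get("UID_Person")
    if not uid or uid not in persons:
        raise LookupError("user account is not assigned to an employee")
    person = persons[uid]
    if config.get(USE_MASTER) and person.main_identity_uid:
        person = persons[person.main_identity_uid]
    return person


def authenticate(login: str, config: Dict = CONFIG, tables: Dict = TABLES,
                 persons: Dict[str, Person] = PERSONS) -> Person:
    """Complete lookup for one Windows login name; the returned Person is the employee the session runs as."""
    return resolve_employee(find_user_account(login, config, tables), config, persons)


if __name__ == "__main__":
    print(authenticate("jdoe"))  # main identity, because UseMasterForAuthentication is set
```

The two PermissionError paths are deliberately separate from the LookupError paths: an account that exists but is disabled and a login that matches no account (or more than one) are different conditions, and an audit log should tell them apart.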
Employee (role based)

Login data: Employee's central user account and password.
Prerequisites:
- The employee exists in the One Identity Manager database.
  - The central user account is entered in the employee's master data.
  - The password is entered in the employee's master data.
- The employee is assigned at least one application role.
Set as default: Yes
Single sign-on: No
Front-end login allowed: Yes
Web Portal login allowed: Yes
Remarks:
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
- If this configuration parameter is set, the employee's main identity is used for authentication.
- If the parameter is not set, the employee's subidentity is used for authentication.
A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.
Changes to the data are assigned to the logged-in employee.
Employee (dynamic)

Login data: Employee's central user account and password.
Prerequisites:
- The employee exists in the One Identity Manager database.
  - The central user account is entered in the employee's master data.
  - The password is entered in the employee's master data.
- The configuration data for dynamically determining the system user is defined in the application. Thus an employee can, for example, be assigned a system user dynamically depending on their department membership.
Set as default: Yes
Single sign-on: No
Front-end login allowed: Yes
Web Portal login allowed: Yes
Remarks:
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
- If this configuration parameter is set, the employee's main identity is used for authentication.
- If the parameter is not set, the employee's subidentity is used for authentication.
The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and the write permissions are loaded through the system user that is dynamically assigned to the logged-in employee.
Changes to the data are assigned to the logged-in employee.
User account

Login data: The authentication module uses the Active Directory login data of the user currently logged in on the workstation.
Prerequisites:
- The system user with permissions exists in the One Identity Manager database.
- The employee exists in the One Identity Manager database.
  - Permitted logins are entered in the employee's master data. The logins are expected in the form domain\user.
  - The system user is entered in the employee's master data.
Set as default: No
Single sign-on: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes
Remarks:
All employee logins saved in the One Identity Manager database are searched. The employee whose login data matches that of the current user is used for logging in.
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
- If this configuration parameter is set, the employee's main identity is used for authentication.
- If the parameter is not set, the employee's subidentity is used for authentication.
The user interface and access permissions are loaded through the system user that is directly assigned to the employee found.
Data modifications are attributed to the current user account.
User account (role based)

Login data: The authentication module uses the Active Directory login data of the user currently logged in on the workstation.
Prerequisites:
- The employee exists in the One Identity Manager database.
  - Permitted logins are entered in the employee's master data. The logins are expected in the form domain\user.
- The employee is assigned at least one application role.
Set as default: No
Single sign-on: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes
Remarks:
All employee logins saved in the One Identity Manager database are searched. The employee whose login data matches that of the current user is used for logging in.
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
- If this configuration parameter is set, the employee's main identity is used for authentication.
- If the parameter is not set, the employee's subidentity is used for authentication.
A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.
Data modifications are attributed to the current user account.
OAuth 2.0/OpenID Connect

The authentication module supports the authorization code flow for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth 2.0 specification or the OpenID Connect specification.
This authentication module uses a Security Token Service (STS) for logging in. This login procedure can be used with every Security Token Service that can return an OAuth 2.0 token.
Login data: Depends on the authentication method of the Security Token Service.
Prerequisites:
- The system user with permissions exists in the One Identity Manager database.
- The employee exists in the One Identity Manager database.
  - The system user is entered in the employee's master data.
- The user account exists in the One Identity Manager database and the employee is entered in the user account's master data.
Set as default: No
Single sign-on: No
Front-end login allowed: Yes
Web Portal login allowed: Yes
Remarks:
One Identity Manager determines which employee is assigned to the user account.
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
- If this configuration parameter is set, the employee's main identity is used for authentication.
- If the parameter is not set, the employee's subidentity is used for authentication.
The user interface and access permissions are loaded through the system user that is directly assigned to the employee found.
Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.
The respective user interface prompts for the authorization code. The configuration parameter "QER\Person\OAuthAuthenticator\LoginEndpoint" is used to open an extra login dialog box for determining the authorization code. The authentication module requests an access token from the token endpoint, and a certificate is required to check the security token. First, an attempt is made to find the certificate in the web application configuration. If this is not possible, the configuration parameters are applied. To find the certificate for checking the token, the certificate stores are queried in the following order:
1. Web application configuration (table QBMWebApplication)
   a. Certificate text (QBMWebApplication.CertificateText).
   b. Subject or thumbprint from the local store (QBMWebApplication.OAuthCertificateSubject and QBMWebApplication.OAuthCertificateThumbPrint).
   c. Certificate endpoint (QBMWebApplication.CertificateEndpoint).
      In addition, the subject or thumbprint, if given, is used to check certificates obtained from the server that do not exist locally.
2. Configuration parameters
   a. Certificate text (configuration parameter "QER\Person\OAuthAuthenticator\CertificateText").
   b. Subject or thumbprint from the local store (configuration parameters "QER\Person\OAuthAuthenticator\CertificateSubject" and "QER\Person\OAuthAuthenticator\CertificateThumbPrint").
   c. Certificate endpoint (configuration parameter "QER\Person\OAuthAuthenticator\CertificateEndpoint").
      In addition, the subject or thumbprint, if given, is used to check certificates obtained from the server that do not exist locally.
   d. JSON Web Key endpoint (configuration parameter "QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint").
Note that a certificate obtained from the certificate or JSON Web Key endpoint is checked against the subject or thumbprint only if one of them is configured. Configure one of them, so that the token check does not rest solely on the TLS connection to the endpoint.
A claim type is required to find the user account from the user information. In addition, it is specified which One Identity Manager schema information (table and column) is used to search for the user account.
Authentication through OpenID Connect is built on OAuth 2.0. OpenID Connect authentication uses the same mechanisms but makes the user claims available either in an ID token or through a UserInfo endpoint. Additional configuration settings are required for using OpenID Connect. If the configuration parameter "QER\Person\OAuthAuthenticator\Scope" contains the value "openid", the authentication module uses OpenID Connect.
Modify the following configuration parameters in the Designer to implement the authentication module.
Table 82: Configuration Parameters for the Authentication Module

QER\Person\OAuthAuthenticator
    This configuration parameter specifies whether authentication through security tokens is supported.

QER\Person\OAuthAuthenticator\CertificateEndpoint
    This configuration parameter contains the URL of the certificate endpoint on the authorization server.
    Example: https://localhost/RSTS/SigningCertificate

QER\Person\OAuthAuthenticator\CertificateSubject
    This configuration parameter contains the subject of the certificate used to verify the security token. Either the subject or the thumbprint must be set.

QER\Person\OAuthAuthenticator\CertificateThumbPrint
    This configuration parameter contains the thumbprint of the certificate used to verify the security token.

QER\Person\OAuthAuthenticator\ClientID
    This configuration parameter specifies whether the client application supports this authentication.

QER\Person\OAuthAuthenticator\ClientID\Web
    This configuration parameter contains the Uniform Resource Name (URN) of the web application that supports this authentication.
    Example: urn:OneIdentityManager/Web

QER\Person\OAuthAuthenticator\ClientID\Windows
    This configuration parameter contains the URN of the native application that supports this authentication.
    Example: urn:OneIdentityManager/WinClient

QER\Person\OAuthAuthenticator\DisabledByColumns
    This configuration parameter contains a pipe (|) delimited list of Boolean columns of the One Identity Manager table (SearchTable). If any of these columns is set for the user account, the account is disabled for login.
    Example: AccountDisabled

QER\Person\OAuthAuthenticator\EnabledByColumns
    This configuration parameter contains a pipe (|) delimited list of Boolean columns of the One Identity Manager table (SearchTable). All of these columns must be set for the user account to be enabled for login.

QER\Person\OAuthAuthenticator\IssuerName
    This configuration parameter contains the URN of the certificate issuer for verifying the security token.
    Example: urn:STS/identity

QER\Person\OAuthAuthenticator\LoginEndpoint
    This configuration parameter contains the URL of the Security Token Service login page.
    Example: http://localhost/rsts/login

QER\Person\OAuthAuthenticator\Resource
    This configuration parameter contains the URN of the resource to be queried, for example ADFS.

QER\Person\OAuthAuthenticator\SearchClaim
    This configuration parameter contains the URI of the claim type whose value is taken from the login data to find the user account.
    Example: name identifier
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

QER\Person\OAuthAuthenticator\SearchColumn
    This configuration parameter contains the column of the One Identity Manager table (SearchTable) that is searched for the user data. It is the counterpart of the claim type (SearchClaim) in the One Identity Manager schema.
    Example: ObjectGUID

QER\Person\OAuthAuthenticator\SearchTable
    This configuration parameter contains the table in the One Identity Manager schema in which the user information is stored. The table must contain a foreign key named UID_Person that points to the Person table.
    Example: ADSAccount

QER\Person\OAuthAuthenticator\TokenEndpoint
    This configuration parameter contains the URL of the token endpoint of the authorization server, which returns the access token to the client for logging in.
    Example: https://localhost/rsts/oauth2/token

QER\Person\OAuthAuthenticator\UserNameClaim
    This configuration parameter contains the URI of the claim type whose value is used to label data changes (XUserInserted, XUserUpdated).
    Example: User Principal Name (UPN)
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

QER\Person\OAuthAuthenticator\InstalledRedirectUri
    This configuration parameter contains the redirect URI for installed applications.
    Example: urn:InstalledApplication

QER\Person\OAuthAuthenticator\AllowSelfSignedCertsForTLS
    This configuration parameter specifies whether self-signed certificates are accepted for the TLS connection to the token and UserInfo endpoints. With the parameter set, the TLS connection no longer authenticates the server, so leave it unset outside test systems.

QER\Person\OAuthAuthenticator\CertificateText
    This configuration parameter contains the certificate as a Base64-encoded string. It is used if no certificate is configured.

QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint
    This configuration parameter contains the URL of the JSON Web Key endpoint that supplies the signing key. At present, only JWK documents that carry the certificate in the x5c field are supported.

QER\Person\OAuthAuthenticator\LogoutEndpoint
    This configuration parameter contains the URL of the logout endpoint.
    Example: http://localhost/rsts/login?wa=wsignout1.0

QER\Person\OAuthAuthenticator\SharedSecret
    This configuration parameter contains the shared secret used to authenticate the client at the token endpoint.

Table 83: Additional Configuration Parameters for OpenID Connect

QER\Person\OAuthAuthenticator\Scope
    This configuration parameter specifies the authentication protocol. If the parameter has the value "openid", OpenID Connect is used; otherwise OAuth 2.0.

QER\Person\OAuthAuthenticator\UserInfoEndpoint
    This configuration parameter contains the URL of the OpenID Connect UserInfo endpoint.
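The certificate lookup order and the token checks described for this module, written out as an added example; the same parameters drive the role-based variant below, so this one block covers both. It is not One Identity code: the QBMWebApplication column names, the configuration parameter names and the example values come from the page, while the local certificate store, the fetch function, the certificate bytes and the token are constructed for the demonstration. Two points are assumptions rather than statements about the product: the certificate endpoint is assumed to return the DER certificate, and the audience check treats the ClientID URNs as the expected aud (standard OpenID Connect practice). The RSA signature check is handed to a caller-supplied function, as a JOSE/X.509 library would provide it; the thumbprint check, the alg/iss/exp/aud checks and the claim-to-column mapping are implemented here.

```python
import base64
import hashlib
import json
import time
from typing import Callable, Dict, List, Optional

P = "QER\\Person\\OAuthAuthenticator\\"  # prefix of the parameters in Tables 82 and 83

# Example settings; URLs, URNs and claim URIs are the examples the tables give.
PARAMS = {
    P + "IssuerName": "urn:STS/identity",
    P + "CertificateEndpoint": "https://localhost/RSTS/SigningCertificate",
    P + "JsonWebKeyEndpoint": "",
    P + "CertificateThumbPrint": "",  # pin for certificates obtained from the server (empty: no pin)
    P + "Scope": "openid",
    P + "SearchTable": "ADSAccount",
    P + "SearchColumn": "ObjectGUID",
    P + "SearchClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    P + "UserNameClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    P + "ClientID\\Web": "urn:OneIdentityManager/Web",
    P + "ClientID\\Windows": "urn:OneIdentityManager/WinClient",
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def thumbprint(der: bytes) -> str:
    """Thumbprint as the Windows certificate store shows it: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def resolve_certificate(webapp: Dict, params: Dict, local_store: List[Dict],
                        fetch: Callable[[str], Optional[bytes]]) -> bytes:
    """DER certificate for checking the security token, found in the documented order: the
    QBMWebApplication columns before the configuration parameters, and within each level the
    certificate text, then subject/thumbprint in the local store, then the certificate endpoint,
    then (parameters only) the JWK endpoint. A certificate obtained from the server is accepted
    only if it matches the configured thumbprint, when one is set. local_store (a list of
    {"subject", "der"}) and fetch(url) -> body are stand-ins for the machine store and HTTPS."""
    levels = [
        {"text": webapp.get("CertificateText"), "subject": webapp.get("OAuthCertificateSubject"),
         "thumb": webapp.get("OAuthCertificateThumbPrint"), "cert_url": webapp.get("CertificateEndpoint"),
         "jwk_url": None},
        {"text": params.get(P + "CertificateText"), "subject": params.get(P + "CertificateSubject"),
         "thumb": params.get(P + "CertificateThumbPrint"), "cert_url": params.get(P + "CertificateEndpoint"),
         "jwk_url": params.get(P + "JsonWebKeyEndpoint")},
    ]
    for lvl in levels:
        if lvl["text"]:
            return base64.b64decode(lvl["text"])
        for entry in local_store:
            if (lvl["thumb"] and thumbprint(entry["der"]) == lvl["thumb"].upper()) or \
               (lvl["subject"] and entry["subject"] == lvl["subject"]):
                return entry["der"]
        remote = fetch(lvl["cert_url"]) if lvl["cert_url"] else None  # assumed: the endpoint returns DER
        if remote is None and lvl["jwk_url"]:
            keys = json.loads(fetch(lvl["jwk_url"]) or b"{}").get("keys", [])
            x5c = next((k["x5c"] for k in keys if k.get("x5c")), None)  # only x5c is supported (Table 82)
            if x5c:
                remote = base64.b64decode(x5c[0])  # x5c[0]: base64 DER of the signing certificate (RFC 7517)
        if remote is not None:
            if lvl["thumb"] and thumbprint(remote) != lvl["thumb"].upper():
                raise ValueError("certificate from the server does not match the configured thumbprint")
            return remote
    raise LookupError("no certificate configured for verifying the security token")

def uses_openid_connect(params: Dict) -> bool:
    """Table 83: OpenID Connect when Scope contains "openid", otherwise plain OAuth 2.0."""
    return "openid" in (params.get(P + "Scope") or "").split()

def check_token(token: str, params: Dict, certificate: bytes,
                verify_signature: Callable[[bytes, bytes, bytes], bool], now: Optional[float] = None) -> Dict:
    """Check the security token and map its claims onto the One Identity Manager lookup.
    verify_signature(der_certificate, signing_input, signature) comes from the caller's
    JOSE/X.509 library; the RSA arithmetic is not implemented here. Every check fails closed."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    if header.get("alg") != "RS256":  # the STS signs with its certificate: refuse "none" and HMAC algorithms
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not verify_signature(certificate, f"{header_b64}.{claims_b64}".encode(), b64url_decode(sig_b64)):
        raise ValueError("signature does not verify with the configured certificate")
    if claims.get("iss") != params[P + "IssuerName"]:
        raise ValueError("issuer does not match IssuerName")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token is expired or carries no exp claim")
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    allowed = {params.get(P + "ClientID\\Web"), params.get(P + "ClientID\\Windows")} - {None}
    if not audiences & allowed:  # assumption: the ClientID URNs are the audience the STS puts in the token
        raise ValueError("token was not issued for this client")
    search_value = claims.get(params[P + "SearchClaim"])
    change_user = claims.get(params[P + "UserNameClaim"])
    if search_value is None or change_user is None:
        raise ValueError("SearchClaim or UserNameClaim is missing from the token")
    return {"table": params[P + "SearchTable"], "column": params[P + "SearchColumn"],
            "value": search_value, "change_user": change_user, "openid_connect": uses_openid_connect(params)}
```

The returned dictionary is exactly the input the account lookup needs (search ObjectGUID in ADSAccount for the name identifier, label changes with the UPN); the alg check comes before the signature check because a token whose header says "none" must never reach the verifier.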
OAuth 2.0/OpenID Connect (role based)

The authentication module supports the authorization code flow for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth 2.0 specification or the OpenID Connect specification.
This authentication module uses a Security Token Service (STS) for logging in. This login procedure can be used with every Security Token Service that can return an OAuth 2.0 token.
Login data: Depends on the authentication method of the Security Token Service.
Prerequisites:
- The employee exists in the One Identity Manager database.
- The employee is assigned at least one application role.
- The user account exists in the One Identity Manager database and the employee is entered in the user account's master data.
Set as default: No
Single sign-on: No
Front-end login allowed: Yes
Web Portal login allowed: Yes
Remarks:
One Identity Manager determines which employee is assigned to the user account.
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
- If this configuration parameter is set, the employee's main identity is used for authentication.
- If the parameter is not set, the employee's subidentity is used for authentication.
A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.
Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.
The respective user interface prompts for the authorization code. The configuration parameter "QER\Person\OAuthAuthenticator\LoginEndpoint" is used to open an extra login dialog box for determining the authorization code. The authentication module requests an access token from the token endpoint, and a certificate is required to check the security token. First, an attempt is made to find the certificate in the web application configuration. If this is not possible, the configuration parameters are applied. To find the certificate for checking the token, the certificate stores are queried in the following order:
1. Web application configuration (table QBMWebApplication)
   a. Certificate text (QBMWebApplication.CertificateText).
   b. Subject or thumbprint from the local store (QBMWebApplication.OAuthCertificateSubject and QBMWebApplication.OAuthCertificateThumbPrint).
   c. Certificate endpoint (QBMWebApplication.CertificateEndpoint).
      In addition, the subject or thumbprint, if given, is used to check certificates obtained from the server that do not exist locally.
2. Configuration parameters
   a. Certificate text (configuration parameter "QER\Person\OAuthAuthenticator\CertificateText").
   b. Subject or thumbprint from the local store (configuration parameters "QER\Person\OAuthAuthenticator\CertificateSubject" and "QER\Person\OAuthAuthenticator\CertificateThumbPrint").
   c. Certificate endpoint (configuration parameter "QER\Person\OAuthAuthenticator\CertificateEndpoint").
      In addition, the subject or thumbprint, if given, is used to check certificates obtained from the server that do not exist locally.
   d. JSON Web Key endpoint (configuration parameter "QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint").
Note that a certificate obtained from the certificate or JSON Web Key endpoint is checked against the subject or thumbprint only if one of them is configured. Configure one of them, so that the token check does not rest solely on the TLS connection to the endpoint.
A claim type is required to find the user account from the user information. In addition, it is specified which One Identity Manager schema information (table and column) is used to search for the user account.
Authentication through OpenID Connect is built on OAuth 2.0. OpenID Connect authentication uses the same mechanisms but makes the user claims available either in an ID token or through a UserInfo endpoint. Additional configuration settings are required for using OpenID Connect. If the configuration parameter "QER\Person\OAuthAuthenticator\Scope" contains the value "openid", the authentication module uses OpenID Connect.
Modify the following configuration parameters in the Designer to implement the authentication module.
Table 84: Configuration Parameters for the Authentication Module

QER\Person\OAuthAuthenticator
    This configuration parameter specifies whether authentication through security tokens is supported.

QER\Person\OAuthAuthenticator\CertificateEndpoint
    This configuration parameter contains the URL of the certificate endpoint on the authorization server.
    Example: https://localhost/RSTS/SigningCertificate

QER\Person\OAuthAuthenticator\CertificateSubject
    This configuration parameter contains the subject of the certificate used to verify the security token. Either the subject or the thumbprint must be set.

QER\Person\OAuthAuthenticator\CertificateThumbPrint
    This configuration parameter contains the thumbprint of the certificate used to verify the security token.

QER\Person\OAuthAuthenticator\ClientID
    This configuration parameter specifies whether the client application supports this authentication.

QER\Person\OAuthAuthenticator\ClientID\Web
    This configuration parameter contains the Uniform Resource Name (URN) of the web application that supports this authentication.
    Example: urn:OneIdentityManager/Web

QER\Person\OAuthAuthenticator\ClientID\Windows
    This configuration parameter contains the URN of the native application that supports this authentication.
    Example: urn:OneIdentityManager/WinClient

QER\Person\OAuthAuthenticator\DisabledByColumns
    This configuration parameter contains a pipe (|) delimited list of Boolean columns of the One Identity Manager table (SearchTable). If any of these columns is set for the user account, the account is disabled for login.
    Example: AccountDisabled

QER\Person\OAuthAuthenticator\EnabledByColumns
    This configuration parameter contains a pipe (|) delimited list of Boolean columns of the One Identity Manager table (SearchTable). All of these columns must be set for the user account to be enabled for login.

QER\Person\OAuthAuthenticator\IssuerName
    This configuration parameter contains the URN of the certificate issuer for verifying the security token.
    Example: urn:STS/identity

QER\Person\OAuthAuthenticator\LoginEndpoint
    This configuration parameter contains the URL of the Security Token Service login page.
    Example: http://localhost/rsts/login

QER\Person\OAuthAuthenticator\Resource
    This configuration parameter contains the URN of the resource to be queried, for example ADFS.

QER\Person\OAuthAuthenticator\SearchClaim
    This configuration parameter contains the URI of the claim type whose value is taken from the login data to find the user account.
    Example: name identifier
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

QER\Person\OAuthAuthenticator\SearchColumn
    This configuration parameter contains the column of the One Identity Manager table (SearchTable) that is searched for the user data. It is the counterpart of the claim type (SearchClaim) in the One Identity Manager schema.
    Example: ObjectGUID

QER\Person\OAuthAuthenticator\SearchTable
    This configuration parameter contains the table in the One Identity Manager schema in which the user information is stored. The table must contain a foreign key named UID_Person that points to the Person table.
    Example: ADSAccount

QER\Person\OAuthAuthenticator\TokenEndpoint
    This configuration parameter contains the URL of the token endpoint of the authorization server, which returns the access token to the client for logging in.
    Example: https://localhost/rsts/oauth2/token

QER\Person\OAuthAuthenticator\UserNameClaim
    This configuration parameter contains the URI of the claim type whose value is used to label data changes (XUserInserted, XUserUpdated).
    Example: User Principal Name (UPN)
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

QER\Person\OAuthAuthenticator\InstalledRedirectUri
    This configuration parameter contains the redirect URI for installed applications.
    Example: urn:InstalledApplication

QER\Person\OAuthAuthenticator\AllowSelfSignedCertsForTLS
    This configuration parameter specifies whether self-signed certificates are accepted for the TLS connection to the token and UserInfo endpoints. With the parameter set, the TLS connection no longer authenticates the server, so leave it unset outside test systems.

QER\Person\OAuthAuthenticator\CertificateText
    This configuration parameter contains the certificate as a Base64-encoded string. It is used if no certificate is configured.

QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint
    This configuration parameter contains the URL of the JSON Web Key endpoint that supplies the signing key. At present, only JWK documents that carry the certificate in the x5c field are supported.

QER\Person\OAuthAuthenticator\LogoutEndpoint
    This configuration parameter contains the URL of the logout endpoint.
    Example: http://localhost/rsts/login?wa=wsignout1.0

QER\Person\OAuthAuthenticator\SharedSecret
    This configuration parameter contains the shared secret used to authenticate the client at the token endpoint.

Table 85: Additional Configuration Parameters for OpenID Connect

QER\Person\OAuthAuthenticator\Scope
    This configuration parameter specifies the authentication protocol. If the parameter has the value "openid", OpenID Connect is used; otherwise OAuth 2.0.

QER\Person\OAuthAuthenticator\UserInfoEndpoint
    This configuration parameter contains the URL of the OpenID Connect UserInfo endpoint.
About us

Contacting us
For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.

Technical support resources
Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
- Submit and manage a Service Request
- View Knowledge Base articles
- Sign up for product notifications
- Download software and technical documentation
- View how-to videos at www.YouTube.com/OneIdentity
- Engage in community discussions
- Chat with support engineers online
- View services to assist you with your product
Index

A
application
  assign to employee 111
  assign to workdesks 149
application role
  administrators 30, 73
  approver 37
  approver (IT) 37
  assign employees 110
  attestors 30, 36
  base roles
    employee manager 73
  employee manager 73
  Identity Management
    employees
      administrators 73
    organizations
      administrators 30
      attestors 30
assignment
  about IT Shop request 18
  company resources 23
  direct 14
  dynamic role 17
  indirect 14
  primary 16
    configurations 16
  secondary 15
    configurations 25
    permit 25
authentication module
  employee 189
  employee (dynamic) 189
  employee (role based) 189
  generic single sign-on (role based) 189
  OAuth 2.0/OpenID Connect 189
  OAuth 2.0/OpenID Connect (role based) 189
  user account 189
  User Account (role based) 189

B
base object
  mail template 77
business partner 75, 129

C
company resources
  assign 14, 53, 104, 138, 146
  configuration parameter 180, 183, 187
cost center
  administrators 30
  allow assignment 25
  approver 37, 43
  approver (IT) 37, 43
  assign company resources 23, 53
  assign devices 52, 139
  assign employees 52, 107
  assign workdesk 147
  assign workdesks 52
  attestors 30, 43
  Attestors 36
  basics 10
  conflicting roles 28, 61
  country 46
  dynamic 59
  edit 43
  functional area 46
  IT operating data 55
  manager 43
  no inheritance 26, 43
  profit 46
  risk index 46
  rule violation 46
  short name 43
  Specify Role Relations 63
  state 46
  transparency index 46
  turn over 46

D
department
  administrators 30
  allow assignment 25
  approver 37, 39
  approver (IT) 37, 39
  assign company resources 23, 53
  assign devices 52, 139
  assign employees 52, 107
  assign workdesk 147
  assign workdesks 52
  attestors 30, 39
  Attestors 36
  basics 10
  conflicting roles 28, 61
  contact data 41
  country 42
  dynamic 59
  edit 39
  functional area 42
  IT operating data 55
  manager 39
  no inheritance 26, 39
  object ID 39
  profit 42
  risk index 42
  rule violation 42
  short name 39
  Specify Role Relations 63
  state 42
  transparency index 42
  turn over 42
device
  assign business role 134, 141
  assign company resources 138
  assign cost center 134, 139
  assign department 134, 139, 156
  assign location 134, 139
  assign to workdesk 134, 151
  company 129
  device ID 134
  device model 126, 134
  device status 156
  Device status 130
  edit 132
  enter call 142
  location 156
  network configuration 137
  no inheritance 26, 134
  service agreement 142
  storage class 154, 156
  storage data 153
  storage type 154, 156
  workdesk 142
device model
  device type 127
  disable 127
  edit 126
  local periphery 127
  logic PC 127
  PC 127
  server 127
Device status 130
device type 127
devices
  assign cost center 52
  assign department 52
  assign location 52
direction of inheritance 10
dynamic role
  calculate 68, 70
  calculation schedule 66
  condition 66
    test 68
  cost center 59
  department 59
  location 59
  set up 66

E
employee
  access restriction 117
  add to IT Shop 109
  address 93
  administrators 73
  assign application 111
  assign application role 110
  assign business role 91, 108
  assign company resources 104
  assign cost center 52, 91, 107
  assign department 52, 91, 107
  assign extended properties 120
  assign location 52, 107
  assign resource 110
  assign system role 111
  assign to workdesk 89, 152
  central password 94, 98
    password question 99
    reset 100
  central SAP user account 94
  central user account 94, 97
  certification status 89, 117
  company 75, 89
  country 93, 121-122
  default email address 94, 101
  delete 104
  deputy 91
  dummy employee 94
  employee manager 73
  enter call 120
  entry date 91
  external 89
  identity 94
  identity card number 91
  image 93
  language 93, 121
  leaving date 91
  location 93
  log 88
  logins 94
  main identity 94, 115
  manager 91
  managerial scope 119
  mutual aid 99-100
  new user 117
  no inheritance 26, 89
  permanently disabled 89, 102
  phone 93
  reenable 102-103
  report 123
  risk index 89
  security risk 89
  Starling 2FA User ID 94
  state 93, 121-122
  subidentity 115
  system user 94
  temporarily disabled 91, 102
  user account 119
  work hours 122
  X500 person 94
employee manager 73
extended property 174
  Assign Objects 178
  assign resource 169
  assign to employee 120
  create 176
  overview form 178
  property group 176, 179
  scope limit 176-177

F
functional area 35

I
inheritance
  abort 12
  bottom-up 10
  calculate 18-19, 21
  limit 26
  top-down 10
  XIsInEffect 21
  XOrigin 21
inheritance exclusion 28
  define for roles 61
IT operating data 55
  change 58

L
leaser 75, 129
location
  address 49-50
  administrators 30
  allow assignment 25
  approver 37, 47
  approver (IT) 37, 47
  assign company resources 23, 53
  assign devices 52, 139
  assign employees 52, 107
  assign workdesk 147
  assign workdesks 52
  attestors 30, 47
  Attestors 36
  basics 10
  conflicting roles 28, 61
  country 49
  dynamic 59
  edit 47
  functional area 51
  IT operating data 55
  manager 47
  network configuration 50
  no inheritance 26, 47
  profit 51
  risk index 51
  rule violation 51
  short name 47
  Specify Role Relations 63
  state 49
  transparency index 51
  turn over 51

M
mail definition 79
mail template
  base object 77, 79
manufacturer 75, 129
mutual aid 99-100

N
notification
  mail template 76

O
overview form
  extended property 178
  resource 169

P
password
  central 94, 98
  password question 99
  reset 100
password policy 80
  assign 87
  character sets 83
  check password 86
  conversion script 84-85
  default policy 82, 87
  display name 82
  edit 81
  error message 82
  excluded list 86
  failed logins 82
  generate password 87
  initial password 82
  name components 82
  password age 82
  password cycle 82
  password length 82
  password strength 82
  predefined 80
  test script 84
processing status
  Default Processing Status 163
property group 174
  add 175
  assign extended properties 179

R
resource 159
  assign extended properties 169
  assign system role 168
  assign to employee 110, 163
  inheritance 163, 170
  overview form 169
  requestable 163, 170
  resource type 163, 170
  risk index 163, 170
  service item 163, 170
  set up 163
resource type 163, 170
  processing step 161
  set up 161
risk assessment
  functional area 35
risk index
  for resource 163, 170
role
  conflicting roles 28
role classes 33
role type 35
roles
  allow assignment 25
  assign company resources 23
  basics 10
  inheritance
    bottom-up 10
    top-down 10
  no inheritance 26

S
service item
  for resource 163, 170
storage class 154
storage type 154
supplier 75, 129
system role
  add resource 168
  assign to employee 111
  assign to workdesk 150

T
template
  IT operating data, modify 58

U
user account
  apply template 58

W
workdesk
  assign application 149
  assign business role 143, 148
  assign company resources 146
  assign cost center 52, 143, 147
  assign department 52, 145, 147
  assign device 151
  assign employees 152
  assign location 52, 145, 147
  assign system role 150
  create automatically 142
  edit 142
  enter call 152
  no inheritance 26, 143
  service agreement 152
  status 143
  Workdesk Status 131
  workdesk type 132, 143
Workdesk status 131
workdesk type 132