One Identity Manager 8.0
Administration Guide for Connecting to SharePoint
Copyright 2017 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity do not make any commitment to update the information contained
in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend
WARNING: A WARNING icon indicates a potential for property damage,
personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss
of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting
information.
One Identity Manager Administration Guide for Connecting to SharePoint
Updated - November 2017
Version - 8.0
Contents

Managing SharePoint Environments  7
  Architecture Overview  8
  One Identity Manager Users for Managing a SharePoint  9
  Claims-Based Authentication  10
Setting Up SharePoint Farm Synchronization  12
  Users and Permissions for Synchronizing with a SharePoint Farm  13
  Setting Up the Synchronization Server  14
  Creating a Synchronization Project for initial Synchronization of a SharePoint Farm  18
  Special Synchronization Cases for Valid Permissions  24
  Show Synchronization Results  24
  Customizing Synchronization Configuration  25
  How to Configure SharePoint Synchronization  27
  Configuring Synchronization of Several SharePoint Farms  27
  Updating Schemas  28
  Speeding Up Synchronization with Revision Filtering  29
  Post-Processing Outstanding Objects  29
  Configuring Memberships Provisioning  31
  Help for Analyzing Synchronization Issues  32
  Deactivating Synchronization  33
Base Data for Managing SharePoint  34
  Authentication Modes  35
  Prefixes  36
  Zones and Alternative URLs  37
  SharePoint Site Templates  37
  SharePoint Permissions  37
  SharePoint Quotas  38
  SharePoint Languages  38
  Editing a Server  39
  Master Data for a Job Server  40
  Specifying Server Functions  41
  Target System Managers  43
Setting Up Account Definitions  45
  Creating an Account Definition  46
  Master Data for an Account Definition  46
  Setting Up Manage Levels  49
  Master Data for a Manage Level  50
  Creating a Formatting Rule for IT Operating Data  51
  Determining IT Operating Data  53
  Modifying IT Operating Data  54
  Assigning Account Definitions to Employees  55
  Assigning Account Definitions to Departments, Cost Centers and Locations  56
  Assigning Account Definitions to Business Roles  56
  Assigning Account Definitions to all Employees  56
  Assigning Account Definitions Directly to Employees  57
  Assigning Account Definitions to System Roles  57
  Adding Account Definitions in the IT Shop  58
  Assigning Account Definitions to a Target System  59
  Deleting an Account Definition  60
SharePoint Farms  62
  General Master Data for a SharePoint Farm  62
  How to Edit a Synchronization Project  63
SharePoint Web Applications  65
SharePoint Site Collections and Sites  66
  SharePoint Site Collections  66
  General Master Data for a Site Collection  67
  Specifying Categories for Inheriting SharePoint Groups  68
  SharePoint Sites  68
  General Master Data for a Site  69
  Address Data for a Site  70
  Site Design Properties  70
  Additional Tasks for Managing Sites  71
  Child Sites Inheriting Permissions  71
  Setting Up SharePoint Site Collections and Sites  72
SharePoint User Accounts  74
  Supported User Account Types  76
  Entering Master Data for SharePoint User Accounts  79
  Group Authenticated User Account Properties  80
  User Authenticated User Account Master Data  82
  Additional Tasks for Managing SharePoint User Accounts  86
  Overview of SharePoint User Accounts  86
  Assigning SharePoint Groups Directly to SharePoint User Accounts  86
  Assigning SharePoint Roles directly to User Accounts  87
  Assigning Extended Properties  88
  Using Custom Authentication Modes  88
  Automatic Assignment of Employees to SharePoint User Accounts  89
  Editing Search Criteria for Automatic Employee Assignment  90
  Deleting and Restoring SharePoint User Accounts  93
SharePoint Roles and Groups  94
  SharePoint Groups  95
  Entering Master Data for SharePoint Groups  96
  Assigning SharePoint Groups to SharePoint User Accounts  98
  Assigning SharePoint Groups to Departments, Cost Centers and Locations  99
  Assigning SharePoint Groups to Business Roles  100
  Assigning SharePoint User Accounts directly to a SharePoint Group  101
  Assigning SharePoint Roles to SharePoint Groups  102
  Adding SharePoint Groups to System Roles  102
  Adding SharePoint Groups to the IT Shop  103
  Adding SharePoint Groups automatically to the IT Shop  105
  Additional Tasks for Managing SharePoint Groups  106
  Overview of SharePoint Groups  106
  Effectiveness of Group Memberships  107
  SharePoint Group Inheritance Based on Categories  109
  Assigning Extended Properties to a SharePoint Group  111
  Deleting SharePoint Groups  111
  SharePoint Roles and Permission Levels  112
  Entering Master Data for SharePoint Permission Levels  113
  Additional Tasks for Managing SharePoint Permission Levels  113
  Overview of a SharePoint Permission Level  113
  Assigning Permissions  114
  Special Synchronization Cases for Valid Permissions  114
  Entering Master Data for SharePoint Roles  115
  Assigning SharePoint Roles to SharePoint User Accounts  116
  Assigning SharePoint Roles to Departments, Cost Centers and Locations  117
  Assigning SharePoint Roles to Business Roles  118
  Assigning SharePoint User Accounts directly to a SharePoint Role  119
  Assigning SharePoint Groups to SharePoint Roles  120
  Adding SharePoint Roles to System Roles  120
  Adding SharePoint Roles to the IT Shop  121
  Additional Tasks for Managing SharePoint Roles  123
  Overview of SharePoint Roles  123
  Effectiveness of SharePoint Roles  123
  Deleting SharePoint Roles and Permission Levels  124
Permissions for SharePoint Web Applications  126
  SharePoint Permission Policies  127
  SharePoint User Policies  127
Reports about SharePoint Site Collections  130
Overview of all Assignments  131
Appendix: Configuration Parameters for Managing SharePoint  133
Appendix: Default Project Template for SharePoint  135
About us  137
  Contacting us  137
  Technical support resources  137
Index  138
1 Managing SharePoint Environments

Components and access rights from SharePoint 2010 and SharePoint 2013 can be mapped in One Identity Manager. The aim of this is to guarantee company employees access to the SharePoint sites. To achieve this, information about the following SharePoint components is loaded into the One Identity Manager database.

- The farm, as the highest level in SharePoint's logical architecture. The SharePoint farm is configured as the base object for synchronizing with the One Identity Manager database.
- All web applications set up inside the farm, with their user policies and permitted permissions
- All site collections for these web applications, with their user accounts and groups
- All sites added in site collections, in a hierarchical structure (but not their content)
- All permission levels and SharePoint roles that define permissions on individual sites

SharePoint roles, groups and user accounts are mapped in the context of the SharePoint components they are set up for. These objects provide One Identity Manager users access rights to various sites in SharePoint. You can use the different One Identity Manager mechanisms for linking employees with their SharePoint user accounts for this. The following objects are provisioned:

- SharePoint user accounts and their relations to SharePoint roles and groups
- SharePoint groups and their assignments to user accounts and roles
- SharePoint roles and their site permissions

SharePoint supports classic Windows authentication as well as claims-based authentication for One Identity Manager server login. Every SharePoint user account that is able to log in with classic Windows authentication is assigned either to an Active Directory or LDAP user account or to an Active Directory or LDAP group in One Identity Manager. The prerequisite for this is that the associated Active Directory or LDAP systems are mapped in the One Identity Manager database. You can maintain information about the authentication systems used by SharePoint in One Identity Manager.

Every SharePoint user account connected to Active Directory or LDAP can also be assigned to an employee stored in the One Identity Manager database. This makes it possible to maintain employee memberships in SharePoint roles and groups. Employees can inherit SharePoint permissions through SharePoint role and group assignments. Apart from this, it is possible to request permissions from the IT Shop. Permissions assigned to an employee can be monitored using compliance rules.

The SharePoint Module is based on the SharePoint Foundation 2010 or SharePoint Foundation 2013 class libraries respectively.
Architecture Overview

The SharePoint connector is used for synchronizing and provisioning SharePoint. The connector communicates directly with the SharePoint servers of a SharePoint farm.

Figure 1: Connector Paths for Communicating with SharePoint

The One Identity Manager Service, the SharePoint connector and the Synchronization Editor must be installed on one of the SharePoint farm's servers. This server is referred to as the synchronization server in the following. All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries which are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

Detailed information about this topic
- Setting Up the Synchronization Server on page 14
One Identity Manager Users for Managing a SharePoint

The following users are used in SharePoint system administration with One Identity Manager.

Table 1: Users

Target system administrators
  Target system administrators must be assigned to the application role Target system | Administrators.
  Users with this application role:
  - Administrate application roles for individual target system types.
  - Specify the target system manager.
  - Set up other application roles for target system managers if required.
  - Specify which application roles are conflicting for target system managers.
  - Authorize other employees to be target system administrators.
  - Do not assume any administrative tasks within the target system.

Target system managers
  Target system managers must be assigned to the application role Target systems | SharePoint or a sub application role.
  Users with this application role:
  - Assume administrative tasks for the target system.
  - Create, change or delete target system objects, like user accounts or groups.
  - Edit password policies for the target system.
  - Prepare system entitlements for adding to the IT Shop.
  - Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
  - Edit the synchronization's target system types and outstanding objects.
  - Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

One Identity Manager administrators
  - Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  - Create system users and permissions groups for non-role based login to administration tools, as required.
  - Enable or disable additional configuration parameters in the Designer, as required.
  - Create custom processes in the Designer, as required.
  - Create and configure schedules, as required.
  - Create and configure password policies, as required.

Administrators for the IT Shop
  Administrators must be assigned to the application role Request & Fulfillment | IT Shop | Administrators.
  Users with this application role:
  - Assign system authorizations to IT Shop structures.

Product owner for the IT Shop
  The product owners must be assigned to the application role Request & Fulfillment | IT Shop | Product owners or an application role below that.
  Users with this application role:
  - Approve through requests.
  - Edit service items and service categories under their management.

Administrators for organizations
  Administrators must be assigned to the application role Identity Management | Organizations | Administrators.
  Users with this application role:
  - Assign system entitlements to departments, cost centers and locations.

Business roles administrators
  Administrators must be assigned to the application role Identity Management | Business roles | Administrators.
  Users with this application role:
  - Assign system authorizations to business roles.
Claims-Based Authentication

One Identity Manager supports claims-based authentication as well as classic Windows authentication for logging on to the SharePoint server. Information about the SharePoint providers and authentication modes is stored in the database for this purpose. Existing SharePoint providers for claims-based authentication are loaded into the database during synchronization. Registered providers are stored for each web application.

Every user account stores which authentication mode the user with this user account uses to log in. The default authentication mode depends on whether claims-based authentication is permitted for the associated web application.

The authentication mode is required to add user accounts in One Identity Manager. The user account login name for claims-based authentication contains a prefix that depends on which authentication mode is used. These prefixes are maintained with the authentication modes.

Related Topics
- Authentication Modes on page 35
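As an added example (not code from the guide or the product), the PowerShell function below derives the authentication mode of a SharePoint login name from its prefix, which is what an administrator checks when an imported user account lands under an unexpected authentication mode. The prefix layout it decodes is SharePoint's own claims encoding, not the prefix table this guide maintains with its authentication modes; the function name and the sample login names are constructed for this example.

```powershell
# Added example: classify a SharePoint login name by its claims-encoding prefix.
# Encoded names look like  <i|c>:0<claim type><value type><issuer>|<issuer-specific parts>
#   'i' = identity claim, 'c' = any other claim (group, role)
#   issuer 'w' = Windows, 'f' = forms-based provider, 't' = trusted (SAML) provider,
#   's' = SharePoint itself
# A name without such a prefix is a classic Windows login (DOMAIN\user).
function Get-SharePointLoginMode {
    param([Parameter(Mandatory)][string]$LoginName)

    $pattern = '^(?<kind>[ic]):0(?<type>.)(?<vtype>.)(?<issuer>[a-z])\|(?<rest>.*)$'
    if ($LoginName -notmatch $pattern) {
        return [pscustomobject]@{
            LoginName  = $LoginName
            Mode       = 'Windows (classic)'
            IsIdentity = $true
            Provider   = $null
            Value      = $LoginName
        }
    }

    $issuer = $Matches['issuer']
    $mode = switch ($issuer) {
        'w'     { 'Windows (claims)' }
        'f'     { 'Forms-based authentication' }
        't'     { 'Trusted identity provider (SAML)' }
        's'     { 'SharePoint built-in' }
        default { "Unknown issuer '$issuer'" }
    }

    # Windows and built-in issuers carry the value directly; forms-based and
    # trusted providers prepend their provider name: <provider>|<value>.
    if ($issuer -in 'w', 's') {
        $provider = $null
        $value    = $Matches['rest']
    }
    else {
        $provider, $value = $Matches['rest'] -split '\|', 2
    }

    [pscustomobject]@{
        LoginName  = $LoginName
        Mode       = $mode
        IsIdentity = ($Matches['kind'] -eq 'i')
        Provider   = $provider
        Value      = $value
    }
}

# Constructed sample login names (placeholder domain, provider and SID values).
$samples = @(
    'CONTOSO\jdoe',                          # classic Windows login, no prefix
    'i:0#.w|CONTOSO\jdoe',                   # Windows claims user
    'c:0+.w|S-1-5-21-1111-2222-3333-1001',   # Windows claims group (SID)
    'i:0#.f|fbamembership|jdoe',             # forms-based user
    'c:0-.f|fbarole|readers',                # forms-based role
    'i:05.t|adfs|jdoe@contoso.example'       # SAML identity (e-mail claim)
)
$samples | ForEach-Object { Get-SharePointLoginMode $_ } | Format-Table -AutoSize
```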
2 Setting Up SharePoint Farm Synchronization

To initially load SharePoint objects into the One Identity Manager database

1. Prepare a user account with sufficient permissions for synchronizing in SharePoint.
2. The One Identity Manager parts for managing SharePoint systems are available if the configuration parameter "TargetSystem\SharePoint" is set.
   Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.
   Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
4. Synchronize the Active Directory or LDAP environment that SharePoint runs on.
   For more detailed information about synchronizing with Active Directory, see the One Identity Manager Administration Guide for Connecting to Active Directory. For more detailed information about synchronizing with LDAP, see the One Identity Manager Administration Guide for Connecting to LDAP.
   IMPORTANT: To avoid data inconsistency, always synchronize the Active Directory or LDAP environment on which the SharePoint environment is based first. Once this synchronization has been successfully completed, you can start the SharePoint farm synchronization.
   If this cannot be guaranteed, define a custom process to link user accounts and user policies to the associated base objects.
5. Create a synchronization project with the Synchronization Editor.
   NOTE: To create a synchronization project, start the Synchronization Editor on the synchronization server or a remote server. For more detailed information about the archiving process, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic
- Users and Permissions for Synchronizing with a SharePoint Farm on page 13
- Setting Up the Synchronization Server on page 14
- Creating a Synchronization Project for initial Synchronization of a SharePoint Farm on page 18
- Appendix: Configuration Parameters for Managing SharePoint on page 133
Users and Permissions for Synchronizing with a SharePoint Farm

The following users are involved in synchronizing One Identity Manager with SharePoint.

Table 2: Users for Synchronization

User for accessing the SharePoint farm
  The connector uses the server farm account to log in to the SharePoint farm during synchronization. Ensure the server farm account login data is available.
  There is no sensible minimum configuration recommended which effectively differentiates its permissions from the server account. Membership in the group "Farm Administrators" is not sufficient.

One Identity Manager Service user account
  The SharePoint farm's server farm account must be used as the user account for the One Identity Manager Service.
  The user account for the One Identity Manager Service requires additional access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited).
  The user account must belong to the group "Domain Users".
  The user account must have the extended access right "Log on as a service".
  The user account requires access rights to the internal web service.
  NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call:
  netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORK SERVICE"
  The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.
  In the default installation, One Identity Manager is installed under:
  - %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  - %ProgramFiles%\One Identity (on 64-bit operating systems)

User for accessing the One Identity Manager database
  The default system user "Synchronization" is available to run synchronization over an application server.
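The netsh reservation from the note above, wrapped in a check of the existing URL reservation so the right is granted only when it is missing and grants to other principals are surfaced first (an added PowerShell example, not code from the guide or the product). It assumes a placeholder IP address and port in $Url, an elevated session, and writes the service account's well-known name as NT AUTHORITY\NETWORK SERVICE (with a space), which is how Windows resolves it.

```powershell
# Added example: check the HTTP URL ACL before issuing the guide's
# "netsh http add urlacl" call for the One Identity Manager Service internal web service.
# Assumptions: $Url is a placeholder <IP address>:<port number> that you replace with
# the synchronization server's values; the session is elevated (netsh http add needs it).

$Url         = 'http://192.0.2.10:1880/'        # placeholder IP address and port
$ServiceUser = 'NT AUTHORITY\NETWORK SERVICE'   # well-known name of the network service account

function Get-UrlAclUsers {
    # Returns the accounts that currently hold a reservation for $ReservedUrl.
    # "netsh http show urlacl url=<url>" prints a "Reserved URL" block with one
    # "User:" line per account, and an error text when nothing is reserved.
    param([Parameter(Mandatory)][string]$ReservedUrl)
    $output = & netsh http show urlacl "url=$ReservedUrl" 2>&1 | Out-String
    if ($output -notmatch 'Reserved URL') { return @() }
    return @($output -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*User:\s*(.+?)\s*$') { $Matches[1] }
    })
}

$holders = Get-UrlAclUsers -ReservedUrl $Url

if ($holders -contains $ServiceUser) {
    Write-Host "Reservation for $Url is already granted to $ServiceUser; nothing to do."
}
elseif ($holders.Count -gt 0) {
    # The URL is reserved for other principals (for example \Everyone or a previous
    # service account). A broad reservation lets any local process listen on this
    # URL, so review it instead of silently adding another grant.
    Write-Warning "Reservation for $Url is held by: $($holders -join ', '). Review it before granting $ServiceUser."
}
else {
    # The call from the guide; each name=value pair is passed as one argument.
    & netsh http add urlacl "url=$Url" "user=$ServiceUser"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add urlacl failed with exit code $LASTEXITCODE" }
    Write-Host "Granted $ServiceUser the right to listen on $Url."
}
```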
Setting Up the Synchronization Server

You will need a synchronization server to synchronize a SharePoint environment. You can use any SharePoint server of the SharePoint farm for this. The following software must be installed on the synchronization server.

To synchronize a SharePoint 2010 environment
- Windows Server 2008 R2 (prerequisite for SharePoint Server 2010)
- Microsoft SharePoint Server 2010
- Microsoft .NET Framework Version 4.5.2 or later
  NOTE: Microsoft .NET Framework version 4.6 is not supported.
  NOTE: Take the target system manufacturer's recommendations into account.
- One Identity Manager Service, SharePoint connector
  Install One Identity Manager components with the installation wizard.
  1. Select the option Select installation modules with existing database.
  2. Select the machine role Server | Job server | SharePoint.

To synchronize a SharePoint 2013 environment
- Windows Server 2008 R2 or Windows Server 2012 (prerequisite for SharePoint Server 2013)
- Microsoft SharePoint Server 2013
- Microsoft .NET Framework Version 4.5.2 or later
  NOTE: Microsoft .NET Framework version 4.6 is not supported.
  NOTE: Take the target system manufacturer's recommendations into account.
- One Identity Manager Service, SharePoint connector
  Install One Identity Manager components with the installation wizard.
  1. Select the option Select installation modules with existing database.
  2. Select the machine role Server | Job server | SharePoint.

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries which are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.

Use the Server Installer to install the One Identity Manager Service. This program executes the following steps.
- Sets up a Job server.
- Specifies machine roles and server functions for the Job server.
- Remotely installs the One Identity Manager Service components corresponding to the machine roles.
- Configures the One Identity Manager Service.
- Starts the One Identity Manager Service.

NOTE: The program executes remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.
To install and configure the One Identity Manager Service remotely on a server

1. Start the program Server Installer on your administrative workstation.
2. Enter valid data for connecting to One Identity Manager on the Database connection page and click Next.
3. Specify on which server you want to install the One Identity Manager Service on the Server properties page.
   a. Select a Job server in the Server menu.
      - OR -
      Click Add to add a new Job server.
   b. Enter the following data for the Job server.

   Table 3: Job Server Properties

   Server: Name of the Job server.
   Queue: Name of the queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the Job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file.
   Full server name: Full name of the server in DNS syntax. Example: <name of server>.<fully qualified domain name>

   NOTE: Use the Advanced option to edit other Job server properties. You can use the Designer to change properties at a later date.
4. Specify which Job server roles to include in One Identity Manager on the Machine role page. Installation packages to be installed on the Job server are found depending on the selected machine role.
   Select at least the following roles:
   - SharePoint
5. Specify the server's functions in One Identity Manager on the Server functions page. One Identity Manager processes are handled depending on the server function. The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here.
   Select the following server functions:
   - SharePoint connector
   - Windows PowerShell
6. Check the One Identity Manager Service configuration on the Service settings page.
   NOTE: The initial service configuration is already predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the service, see the One Identity Manager Configuration Guide.
7. To configure remote installations, click Next.
8. Confirm the security prompt with Yes.
9. Select the directory with the install files on the Select installation source page.
10. Select the file with the private key on the Select private key file page.
    NOTE: This page is only displayed when the database is encrypted.
11. Enter the service's installation data on the Service access page.

    Table 4: Installation Data

    Computer: Server on which to install and start the service.
      To select a server
      - Enter the server name.
        - OR -
      - Select an entry from the list.
    Service account: One Identity Manager Service user account data.
      To enter a user account for the One Identity Manager Service
      - Enter the user account, password and password confirmation.
      The SharePoint farm's server farm account must be used as the user account for the One Identity Manager Service.
    Installation account: Data for the administrative user account to install the service.
      To enter an administrative user account for installation
      - Enable Advanced.
      - Enable the option Current user.
        This uses the user account of the current user.
        - OR -
      - Enter the user account, password and password confirmation.
12. Click Next to start installing the service.
    Installation of the service occurs automatically and may take some time.
13. Click Finish on the last page of the Server Installer.
    NOTE: The service is entered with the name "One Identity Manager Service" in the server's service administration.
Creating a Synchronization Project for initial Synchronization of a SharePoint Farm

Use the Synchronization Editor to set up synchronization between the One Identity Manager database and SharePoint. The following describes the steps for initial configuration of a synchronization project.

A synchronization project collects all the information required for synchronizing the One Identity Manager database with a target system. Connection data for target systems, schema types and properties, mapping and synchronization workflows all belong to this. After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the Synchronization Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.

Have the following information available for setting up a synchronization project.

Table 5: Information Required for Setting up a Synchronization Project

SharePoint version
  One Identity Manager supports synchronization with SharePoint 2010 and 2013.

User account and password for SharePoint farm login
  To access SharePoint objects, the connector logs in to the SharePoint farm with the server farm account. The server farm account's user name and password are required. For more information, see Users and Permissions for Synchronizing with a SharePoint Farm on page 13.

Domain
  Server farm account domain.

Synchronization server
  All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries which are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server.
  Installed components:
  - SharePoint server
  - One Identity Manager Service (started)
  - Synchronization Editor
  - SharePoint connector
  The synchronization server must be declared as a Job server in One Identity Manager. The Job server name is required.
  For more information, see Setting Up the Synchronization Server on page 14.

Remote connection server
  To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. If you cannot start the Synchronization Editor on the synchronization server, because of the firewall configuration, for example, you can set up a remote connection.
  To use a remote connection
  1. Provide a workstation on which the Synchronization Editor is installed.
  2. Install the RemoteConnectPlugin on the synchronization server. The synchronization server then assumes the function of the remote connection server at the same time.
  The remote connection server and the workstation must be in the same Active Directory domain.
  Remote connection server configuration:
  - One Identity Manager Service is started
  - RemoteConnectPlugin is installed
  - SharePoint connector is installed
  - Target system specific components are installed
  The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.
  For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

One Identity Manager database connection data
  SQL Server:
  - Database server
  - Database
  - Database user and password
  - Specifies whether Windows authentication is used.
    This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.
  Oracle:
  - Specifies whether access is direct or through the Oracle client. Which connection data is required depends on how this option is set.
  - Database server
  - Oracle instance port
  - Service name
  - Oracle database user and password
  - Data source (TNS alias name from TNSNames.ora)
There is a wizard to assist you with setting up a synchronization project. This wizard takes
you through all the steps you need to set up initial synchronization with a target system. Click Next
once you have entered all the data for a step.
NOTE: The following sequence describes how you configure a synchronization project
if the Synchronization Editor is both:
- In default mode
- Started from the launchpad
Additional settings can be made if the project wizard is run in expert mode or is
started directly from the Synchronization Editor. Follow the project wizard
instructions through these steps.
To set up an initial synchronization project for a SharePoint farm
1. Start the Launchpad on the synchronization server and log on to the One Identity
Manager database.
NOTE: If synchronization is executed by an application server, connect the
database through the application server.
2. Select the entry SharePoint target system type. Click Run.
This starts the Synchronization Editor's project wizard.
3. Specify how the One Identity Manager can access the target system on the System
access page.
- If you started the launch pad on the synchronization server, do not change any settings.
- If you started the launch pad on a workstation, connect remotely.
  Set the option Connect using remote connection server and select, under
  Job server, the synchronization server you want to use for the connection.
4. Enter the connection data for the SharePoint farm in the system connection wizard.
You can test the connection and save the connection data.
- Enter the following connection data.
  Table 6: SharePoint Farm Connection Data
  SharePoint version: Select SharePoint Version 2010 or 2013.
  Domain: Server farm account domain.
  User name and password: User name and password of the server farm account. This user account is used to synchronize SharePoint objects.
  Click Check now to test the connection data.
  The Synchronization Editor tries to log in to the SharePoint farm.
- To save the connection data, set the option Save connection data on local
  computer. This can be reused when you set up other synchronization projects.
5. Verify the One Identity Manager database connection data on the One Identity
Manager connection page. The data is loaded from the connected database.
Reenter the password.
NOTE: Reenter all the connection data if you are not working with an encrypted
One Identity Manager database and no synchronization project has been saved
yet in the database. This page is not shown if a synchronization project already
exists.
6. The wizard loads the target system schema. This may take a few minutes depending
on the type of target system access and the size of the target system.
7. Specify how system access should work on the page Restrict target system
access. You have the following options:
Table 7: Specifying Target System Access
Read-only access to target system: Specifies whether a synchronization workflow should be set
up to initially load the target system into the One Identity Manager database.
  The synchronization workflow has the following characteristics:
  - Synchronization is in the direction of "One Identity Manager".
  - Processing methods in the synchronization steps are only defined in synchronization direction "One Identity Manager".
Changes are also made to the target system: Specifies whether a provisioning workflow should be set up in
addition to the synchronization workflow to initially load the target system.
  The provisioning workflow displays the following characteristics:
  - Synchronization in the direction of the "target system".
  - Processing methods are only defined in the synchronization steps in synchronization direction "target system".
  - Synchronization steps are only created for such schema classes whose schema types have write access.
8. Select the synchronization server to execute synchronization on the
Synchronization server page.
If the synchronization server is not declared as a job server in the One Identity
Manager database yet, you can add a new job server.
- Click the icon to add a new job server.
- Enter a name for the job server and the full server name conforming to DNS syntax.
- Click OK.
  The synchronization server is declared as job server for the target system in
  the One Identity Manager database.
NOTE: Ensure that this server is set up as the synchronization server
after saving the synchronization project.
9. Click Finish to complete the project wizard.
This creates and allocates a default schedule for regular synchronization. Enable the
schedule for regular synchronization.
The synchronization project is created, saved and enabled immediately.
NOTE: If the synchronization project is not going to be executed immediately,
disable the option Activate and save the new synchronization project
automatically.
In this case, save the synchronization project manually before closing the
Synchronization Editor.
NOTE: The target system connection data is saved in a variable set, which you
can change in the Synchronization Editor under Configuration | Variables if
necessary.
To configure the content of the synchronization log
1. To configure the synchronization log for target system connection, select the
category Configuration | Target system.
2. To configure the synchronization log for the database connection, select the category
Configuration | One Identity Manager connection.
3. Select General view and click Configure....
4. Select the Synchronization log view and set Create synchronization log.
5. Enable the data to be logged.
NOTE: Certain content creates a lot of log data.
The synchronization log should only contain the data necessary for error
analysis and other evaluations.
6. Click OK.
To synchronize on a regular basis
1. Select the category Configuration | Start up configurations.
2. Select a start up configuration in the document view and click Edit schedule....
3. Edit the schedule properties.
4. To enable the schedule, click Activate.
5. Click OK.
To start initial synchronization manually
1. Select the category Configuration | Start up configurations.
2. Select a start up configuration in the document view and click Execute.
3. Confirm the security prompt with Yes.
NOTE: Following synchronization, employees are automatically assigned to user
accounts in the default installation. If there are no account definitions for the site
collection at the time of synchronization, user accounts are linked to employees.
However, account definitions are not assigned. The user accounts are, therefore, in a
"Linked" state.
To select user accounts through account definitions
1. Create an account definition.
2. Assign an account definition to the site collection.
3. Assign the account definition and manage level to the user accounts in a
"linked" state.
a. Select the category SharePoint | User accounts (user authenticated) | Linked but not configured | <site collection>.
b. Select the task Assign account definition to linked accounts.
Detailed information about this topic
- For more information, see the One Identity Manager Target System Synchronization Reference Guide.
Related Topics
- Setting Up the Synchronization Server on page 14
- Users and Permissions for Synchronizing with a SharePoint Farm on page 13
- Appendix: Default Project Template for SharePoint on page 135
- Setting Up Account Definitions on page 45
- Automatic Assignment of Employees to SharePoint User Accounts on page 89
Special Synchronization Cases for Valid Permissions
Valid permissions are mapped in the One Identity Manager database in the table
SPSWebAppHasPermission; assignments of valid permissions to permission levels are mapped
in the table SPSRoleHasSPSPermission.
If you remove permissions from the list of valid permissions for a web application in
SharePoint, the permissions cannot be assigned to permission levels within the web
application from this point on. Assignments to permission levels that already exist for
these permissions remain intact but are not active. These permissions are deleted from the
table SPSWebAppHasPermission during synchronization. Assignments to permission levels that
already exist for these permissions are not changed. Inactive permissions are displayed in
the permission levels' overview.
Related Topics
- SharePoint Roles and Permission Levels on page 112
Show Synchronization Results
Synchronization results are summarized in the synchronization log. You can specify the
extent of the synchronization log for each system connection individually. One Identity
Manager provides several reports in which the synchronization results are organized under
different criteria.
To display a synchronization log
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Logs.
3. Click the icon in the navigation view toolbar.
Logs for all completed synchronization runs are displayed in the navigation view.
4. Select a log by double-clicking on it.
An analysis of the synchronization is shown as a report. You can save the report.
To display a provisioning log
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Logs.
3. Click the icon in the navigation view toolbar.
Logs for all completed provisioning processes are displayed in the navigation view.
4. Select a log by double-clicking on it.
An analysis of the provisioning is shown as a report. You can save the report.
The log is marked in color in the navigation view. This mark shows you the execution status
of the synchronization/provisioning.
Synchronization logs are stored for a fixed length of time. The retention period is set in the
configuration parameter "DPR\Journal\LifeTime" and its sub parameters.
To modify the retention period for synchronization logs
- Set the configuration parameter "Common\Journal\LifeTime" in the Designer and
  enter the maximum retention time for entries in the database journal. Use the
  configuration sub parameters to specify the retention period for each warning level.
- If there is a large amount of data, you can specify the number of objects to delete
  per DBQueue Processor operation and run in order to improve performance. Use the
  configuration parameters "Common\Journal\Delete\BulkCount" and
  "Common\Journal\Delete\TotalCount" to do this.
- Configure and set the schedule "Delete journal" in the Designer.
Customizing Synchronization Configuration
You have used the Synchronization Editor to set up a synchronization project for initial
synchronization of a SharePoint farm. You can use this synchronization project to load
SharePoint objects into the One Identity Manager database. If you manage user accounts
and their authorizations with One Identity Manager, changes are provisioned in the
SharePoint environment.
You must customize the synchronization configuration in order to compare the SharePoint
database with the One Identity Manager database regularly and to synchronize changes.
- Create a workflow with the direction of synchronization "target system" to use One
  Identity Manager as the master system for synchronization.
- You can use variables to create generally applicable synchronization configurations
  which contain the necessary information about the synchronization objects when
  synchronization starts. Variables can be implemented in base objects, schema
  classes or processing methods, for example.
- Use variables to set up a synchronization project which can be used for
  several different farms. Store a connection parameter as a variable for logging
  in to the farms.
- To specify which SharePoint objects and database objects are included in
  synchronization, edit the scope of the target system connection and the One Identity
  Manager database connection. To prevent data inconsistencies, define the same
  scope in both systems. If no scope is defined, all objects will be synchronized.
- Update the schema in the synchronization project if the One Identity Manager
  schema or target system schema has changed. Then you can add the changes to
  the mapping.
IMPORTANT: As long as synchronization is running, you must not start another
synchronization for the same target system. This applies especially if the same
synchronization objects would be processed.
- The moment another synchronization is started with the same start up configuration,
  the running synchronization process is stopped and given the status "Frozen".
  An error message is written to the One Identity Manager Service log file.
- If another synchronization is started with another start up configuration that
  addresses the same target system, it may lead to synchronization errors or loss of
  data. Plan your start times carefully. If possible, specify your start times so
  that synchronization does not overlap.
Detailed information about this topic
- How to Configure SharePoint Synchronization on page 27
- Configuring Synchronization of Several SharePoint Farms on page 27
- Updating Schemas on page 28
- One Identity Manager Target System Synchronization Reference Guide
How to Configure SharePoint Synchronization
The synchronization project for initial synchronization provides a workflow for initial
loading of target system objects (initial synchronization) and one for provisioning object
modifications from the One Identity Manager database to the target system (provisioning).
You also require a workflow with synchronization in the direction of the "target system" to
use One Identity Manager as the master system for synchronization.
To create a synchronization configuration for synchronizing SharePoint farms
1. Open the synchronization project in the Synchronization Editor.
TIP: You can start the Synchronization Editor on any server to modify an
existing synchronization project. Set up a remote connection to communicate
with farm servers.
2. Check whether existing mappings can be used for synchronizing the target system.
Create new mappings if required.
3. Create a new workflow with the workflow wizard.
This adds a workflow for synchronizing in the direction of the target system.
4. Create a new start up configuration. Use the new workflow to do this.
5. Save the changes.
6. Run a consistency check.
Detailed information about this topic
- Configuring Synchronization of Several SharePoint Farms on page 27
Configuring Synchronization of Several SharePoint Farms
Prerequisites
- The target system schemas of both farms are identical.
- All virtual schema properties used in the mapping must exist in the extended schema
  of both farms.
To customize a synchronization project for synchronizing another farm
1. Install and configure a synchronization server for the other farm. Declare this server
as a Job server in One Identity Manager.
2. Prepare a user account with sufficient permissions for synchronizing in the
other farm.
3. Synchronize the Active Directory or LDAP environment that the other farm is going
to run on.
4. Start the Synchronization Editor on the synchronization server of the other farm and
log in on the One Identity Manager database.
5. Open the synchronization project.
6. Create a new base object for the other farm. Use the wizards to attach a base object.
- Select the SharePoint connector in the wizard and enter the connection
  parameters. The connection parameters are saved in a special variable set.
  A start up configuration is created, which uses the new variable set.
7. Change other elements of the synchronization configuration as required.
8. Save the changes.
9. Run a consistency check.
Detailed information about this topic
- Setting Up the Synchronization Server on page 14
- Users and Permissions for Synchronizing with a SharePoint Farm on page 13
- How to Configure SharePoint Synchronization on page 27
Updating Schemas
All the schema data (schema types and schema properties) of the target system schema
and the One Identity Manager schema are available when you are editing a
synchronization project. Only a part of this data is really needed for configuring
synchronization. If a synchronization project is finished, the schema is compressed to
remove unnecessary data from the synchronization project. This can speed up loading the
synchronization project. Deleted schema data can be added to the synchronization
configuration again at a later point.
If the target system schema or the One Identity Manager schema has changed, these
changes must also be added to the synchronization configuration. Then the changes can be
added to the schema property mapping.
To include schema data that has been deleted through compressing and schema
modifications in the synchronization project, update each schema in the synchronization
project. This may be necessary if:
- A schema was changed by:
  - Changes to a target system schema
  - Customizations to the One Identity Manager schema
  - A One Identity Manager update migration
- A schema in the synchronization project was shrunk by:
  - Activating the synchronization project
  - Synchronization project initial save
  - Compressing a schema
To update a system connection schema
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Configuration | Target system.
- OR -
Select the category Configuration | One Identity Manager connection.
3. Select the view General and click Update schema.
4. Confirm the security prompt with Yes.
This reloads the schema data.
To edit a mapping
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Mappings.
3. Select a mapping in the navigation view.
Opens the Mapping Editor. For more detailed information about editing mappings,
see One Identity Manager Target System Synchronization Reference Guide.
NOTE: The synchronization is deactivated if the schema of an activated synchronization
project is updated. Reactivate the synchronization project to synchronize.
Speeding Up Synchronization with Revision Filtering
Synchronization with SharePoint does not support revision filtering.
Post-Processing Outstanding Objects
Objects, which do not exist in the target system, can be marked as outstanding in One
Identity Manager by synchronizing. This prevents objects being deleted because of an
incorrect data situation or an incorrect synchronization configuration.
Objects marked as outstanding:
- Cannot be edited in One Identity Manager.
- Are ignored by subsequent synchronization.
- Must be post-processed separately in One Identity Manager.
Start target system synchronization to do this.
To post-process outstanding objects
1. Select the category SharePoint | Target system synchronization: SharePoint.
All tables assigned to the target system type SharePoint as synchronization tables
are displayed in the navigation view.
2. Select the table whose outstanding objects you want to edit in the navigation view.
This opens the target system synchronization form. All objects are shown here that
are marked as outstanding.
TIP:
To display object properties of an outstanding object
a. Select the object on the target system synchronization form.
b. Open the context menu and click Show object.
3. Select the objects you want to rework. Multi-select is possible.
4. Click one of the following icons in the form toolbar to execute the respective method.
Table 8: Methods for handling outstanding objects
Delete: The object is immediately deleted in One Identity Manager. Deferred deletion is not
taken into account. The "outstanding" label is removed from the object. Indirect memberships
cannot be deleted.
Publish: The object is added in the target system. The "outstanding" label is removed from the
object. The method triggers the event "HandleOutstanding". This runs a target system specific
process that triggers the provisioning process for the object.
  Prerequisites:
  - The table containing the object can be published.
  - The target system connector has write access to the target system.
Reset: The "outstanding" label is removed from the object.
5. Confirm the security prompt with Yes.
NOTE: By default, the selected objects are processed in parallel, which speeds up
execution of the selected method. If an error occurs during processing, the action is
stopped and all changes are discarded.
Bulk processing of objects must be disabled if errors are to be localized, which means
the objects are processed sequentially. Failed objects are named in the error
message. All changes that were made up until the error occurred are saved.
To disable bulk processing
- Deactivate the icon in the form toolbar.
You must customize synchronization to synchronize custom tables.
To add custom tables to the target system synchronization
1. Select the category SharePoint | Basic configuration data | Target
system types.
2. Select the target system type SharePoint in the result list.
3. Select Assign synchronization tables in the task view.
4. Assign custom tables whose outstanding objects you want to handle in Add
assignments.
5. Save the changes.
6. Select Configure tables for publishing.
7. Select custom tables whose outstanding objects can be published in the target
system and set the option Publishable.
8. Save the changes.
NOTE: The target system connector must have write access to the target system in
order to publish outstanding objects that are being post-processed. That means, the
option Connection is read only must not be set for the target system connection.
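An added Python model (not code from the guide or the product) of how the steps above behave: objects missing from the target system are marked outstanding rather than deleted, each Table 8 method checks its prerequisites, and bulk processing discards every change on the first error while sequential processing keeps the changes made before it and names the failed object. The object UIDs, the custom table CCC_CustomTable and the attribute names of the configuration object are constructed for this example.

```python
import copy
from dataclasses import dataclass


@dataclass
class SyncObject:
    """One row of a synchronization table in the One Identity Manager database (constructed model)."""
    uid: str
    table: str
    outstanding: bool = False
    deleted: bool = False
    published: bool = False


@dataclass
class TargetSystemTypeConfig:
    """Settings made under 'Target system types' (attribute names assumed for the example)."""
    sync_tables: set            # tables assigned via 'Assign synchronization tables'
    publishable_tables: set     # tables with the option 'Publishable' set
    connection_read_only: bool  # option 'Connection is read only' of the target system connection


def mark_outstanding(db_objects, target_uids):
    """Synchronization step: objects no longer present in the target system are marked
    outstanding instead of being deleted. Objects already outstanding are ignored by this run."""
    for obj in db_objects:
        if not obj.outstanding and obj.uid not in target_uids:
            obj.outstanding = True
    return sorted(o.uid for o in db_objects if o.outstanding)


def apply_method(obj, method, cfg):
    """Apply one Table 8 method to a single outstanding object.
    Raises ValueError when a prerequisite is not met (nothing is changed in that case)."""
    if not obj.outstanding:
        raise ValueError(f"{obj.uid} is not outstanding")
    if obj.table not in cfg.sync_tables:
        raise ValueError(f"{obj.table} is not a synchronization table of this target system type")
    if method == "Delete":
        obj.deleted = True      # immediate deletion; deferred deletion is not taken into account
    elif method == "Publish":
        if obj.table not in cfg.publishable_tables:
            raise ValueError(f"{obj.table} is not marked as Publishable")
        if cfg.connection_read_only:
            raise ValueError("connector has no write access: 'Connection is read only' is set")
        obj.published = True    # stands in for the HandleOutstanding event and the provisioning process
    elif method != "Reset":
        raise ValueError(f"unknown method {method}")
    obj.outstanding = False     # Delete, Publish and Reset all remove the 'outstanding' label


def process(selected, method, cfg, bulk=True):
    """Run a method over the selected objects.
    bulk=True (default): on an error the action stops and ALL changes are discarded.
    bulk=False: objects are processed one after another; changes made before the
    failure are kept and the failed object is named in the error message."""
    snapshot = copy.deepcopy(selected)
    for obj in selected:
        try:
            apply_method(obj, method, cfg)
        except ValueError as err:
            if bulk:
                for live, saved in zip(selected, snapshot):
                    live.__dict__.update(saved.__dict__)  # roll back every selected object
                return {"ok": False, "failed": None, "error": str(err)}
            return {"ok": False, "failed": obj.uid, "error": f"{obj.uid}: {err}"}
    return {"ok": True, "failed": None, "error": None}
```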
Configuring Memberships Provisioning
Memberships, for example, user accounts in groups, are saved in assignment tables in the
One Identity Manager database. During provisioning of modified memberships, changes
made in the target system will probably be overwritten. This behavior can occur under the
following conditions:
- Memberships are saved in the target system as an object property in list form
  (Example: List of user accounts in the property Users of an SPGroup).
- Memberships can be modified in either of the connected systems.
- A provisioning workflow and provisioning processes are set up.
If a membership in One Identity Manager changes, the complete list of members is
transferred to the target system by default. Memberships, previously added to the target
system are removed by this; previously deleted memberships are added again.
To prevent this, provisioning can be configured such that only the modified membership is
provisioned in the target system. The corresponding behavior is configured separately for
each assignment table.
To allow separate provisioning of memberships
1. Start the Manager.
2. Select the category SharePoint | Basic configuration data | Target
system types.
3. Select Configure tables for publishing.
4. Select the assignment tables for which you want to allow separate provisioning.
Multi-select is possible.
- The option can only be set for assignment tables whose base table has a
  column XDateSubItem.
- Assignment tables, which are grouped together in a virtual schema property in
  the mapping, must be labeled identically (for example SPSGroupHasSPSRLAsgn
  and SPSUserHasSPSRLAsgn).
5. Click Enable merging.
6. Save the changes.
For each assignment table labeled like this, the changes made in the One Identity Manager
are saved in a separate table. During modification provisioning, the members list in the
target system is compared to the entries in this table. This means that only modified
memberships are provisioned and the members list does not get entirely overwritten.
NOTE: The complete members list is updated by synchronization. During this process,
objects with changes but incomplete provisioning are not handled. These objects are
logged in the synchronization log.
For more detailed information about provisioning memberships, see the One Identity
Manager Target System Synchronization Reference Guide.
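The two provisioning behaviours described above, as an added Python model that is not part of the guide or the product: the default that pushes the complete member list and thereby overwrites changes made directly in SharePoint, and the merge of recorded changes that Enable merging switches on (including the XDateSubItem prerequisite). The table name SPSUserInSPSGroup, the column set and all member names are constructed for the example.

```python
from dataclasses import dataclass, field


def merging_allowed(base_table_columns):
    """'Enable merging' can only be set if the base table has the column XDateSubItem."""
    return "XDateSubItem" in base_table_columns


@dataclass
class AssignmentTable:
    """An assignment table in the One Identity Manager database plus the separate change
    table kept once merging is enabled (constructed model, attribute names assumed)."""
    name: str
    base_table_columns: set
    members: set = field(default_factory=set)
    merging: bool = False
    changes: list = field(default_factory=list)  # (operation, member), recorded only while merging is on

    def enable_merging(self):
        if not merging_allowed(self.base_table_columns):
            raise ValueError(f"{self.name}: base table has no column XDateSubItem")
        self.merging = True

    def add(self, member):
        self.members.add(member)
        if self.merging:
            self.changes.append(("add", member))

    def remove(self, member):
        self.members.discard(member)
        if self.merging:
            self.changes.append(("remove", member))


def provision_full_list(table, target_members):
    """Default provisioning: the complete member list from the database replaces the
    target's list, whatever the target currently contains."""
    return set(table.members)


def provision_merged(table, target_members):
    """Merging: the target's current list is compared with the recorded changes and
    only those changes are applied; other entries in the target's list survive."""
    result = set(target_members)
    for operation, member in table.changes:
        if operation == "add":
            result.add(member)
        else:
            result.discard(member)
    table.changes.clear()  # the recorded changes have now been provisioned
    return result


def scenario(merging):
    """Reproduce the situation from the text for the 'Users' list of one SPGroup and
    return the target system's member list after provisioning."""
    table = AssignmentTable("SPSUserInSPSGroup", {"UID_SPSGroup", "XDateSubItem"}, {"alice", "bob"})
    if merging:
        table.enable_merging()
    target = {"alice", "bob"}   # after the last synchronization both sides agree
    target.add("carol")         # change made directly in SharePoint: carol added ...
    target.discard("bob")       # ... and bob removed
    table.add("dave")           # change made in One Identity Manager: dave added
    if merging:
        return provision_merged(table, target)
    return provision_full_list(table, target)
```

Without merging the result is {alice, bob, dave}: carol's membership is lost and bob's is restored; with merging it is {alice, carol, dave}.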
Help for Analyzing Synchronization Issues
You can generate a report for analyzing problems which occur during synchronization, for
example, insufficient performance. The report contains information such as:
- Consistency check results
- Revision filter settings
- Scope applied
- Analysis of the synchronization buffer
- Object access times in the One Identity Manager database and in the target system
To generate a synchronization analysis report
1. Open the synchronization project in the Synchronization Editor.
2. Select the menu Help | Generate synchronization analysis report and answer
the security prompt with Yes.
The report may take a few minutes to generate. It is displayed in a separate window.
3. Print the report or save it in one of the available output formats.
Deactivating Synchronization
Regular synchronization cannot be started until the synchronization project and the
schedule are active.
To prevent regular synchronization
- Select the start up configuration and deactivate the configured schedule.
Now you can only start synchronization manually.
An activated synchronization project can only be edited to a limited extent. The schema in
the synchronization project must be updated if schema modifications are required. The
synchronization project is deactivated in this case and can be edited again.
Furthermore, the synchronization project must be deactivated if synchronization should not
be started by any means (not even manually).
To deactivate the loaded synchronization project
1. Select General on the start page.
2. Click Deactivate project.
Detailed information about this topic
- Creating a Synchronization Project for initial Synchronization of a SharePoint Farm on page 18
3 Base Data for Managing SharePoint
The following data is relevant for managing a SharePoint environment in One
Identity Manager.
- Configuration parameter
  Use configuration parameters to configure the behavior of the system's basic
  settings. One Identity Manager provides default settings for different configuration
  parameters. Check the configuration parameters and modify them as necessary to
  suit your requirements.
  Configuration parameters are defined in the One Identity Manager modules. Each
  One Identity Manager module can also install configuration parameters. You can find
  an overview of all configuration parameters in the category Base data | General |
  Configuration parameters in the Designer.
  For more information, see Appendix: Configuration Parameters for Managing
  SharePoint on page 133.
- Account definitions
  One Identity Manager has account definitions for automatically allocating user
  accounts to employees during working hours. You can create account definitions for
  every target system. If an employee does not have a user account in the target
  system, a new user account is created. This is done by assigning account
  definitions to an employee using the integrated inheritance mechanism followed by
  process handling.
  For more information, see Setting Up Account Definitions on page 45.
- Authentication Modes
  One Identity Manager supports claims-based authentication as well as classical
  Windows authentication for logging on to the SharePoint server. The authentication
  mode to use is stored with the web applications and the user accounts. Usable
  authentication modes are maintained in the One Identity Manager database.
  For more information, see Authentication Modes on page 35.
- Prefixes
  Prefixes are URLs relative to a web application that can be stored under a site
  collection.
  For more information, see Prefixes on page 36.
- Zones and Alternative URLs
  All the zones that you can configure for a web application are stored in the One
  Identity Manager database.
  For more information, see Zones and Alternative URLs on page 37.
- Site templates
  Use site templates to add sites.
  For more information, see SharePoint Site Templates on page 37.
- Permissions
  User permissions for a SharePoint site or a web application are authorized by
  SharePoint permissions. Permissions are grouped into permission levels and
  permission policies.
  For more information, see SharePoint Permissions on page 37.
- Target system types
  Target system types are required for configuring target system comparisons. Tables
  containing outstanding objects are maintained on target system types.
  For more information, see Post-Processing Outstanding Objects on page 29.
- Server
  In order to handle SharePoint specific processes in One Identity Manager, the
  synchronization server and its server functionality must be declared.
  For more information, see Editing a Server on page 39.
- Target system managers
  A default application role exists for the target system manager in the One Identity
  Manager. Assign this application role to employees who are authorized to edit the
  SharePoint farms in One Identity Manager.
  Define other application roles, if you want to limit target system managers' access
  permissions to individual SharePoint farms. The application roles must be added
  under the default application role.
  For more information, see Target System Managers on page 43.
Authentication Modes
One Identity Manager supports claims-based authentication as well as classical Windows
authentication for logging on to the SharePoint server. The authentication mode to use is
stored with the web applications and the user accounts. Usable authentication modes are
maintained in the One Identity Manager database. The One Identity Manager supplies the
default authentication systems "Windows (Claims)" (=claims-based Windows
authentication) and "Windows Classic Mode" (=classic Windows authentication). If you use
other authentication systems in your SharePoint environment, add them separately in the
One Identity Manager. This makes it possible to assign user accounts to authentication
modes. Enter the user and group prefix data. This is required to add new SharePoint user
accounts in the One Identity Manager.
To add an authentication mode
1. Select the category SharePoint | Basic configuration data | Authentication modes.
2. Click the icon in the result list toolbar.
3. Enter the required data on the master data form.
4. Save the changes.
Enter the required data for your own authentication mode:
Table 9: Authentication Mode Properties
System ID: An identifier for the authentication mode.
User prefix: Prefix for formatting a login name for new user accounts. The associated
authentication object is not a group. This means, the user account option Group is not set.
Group prefix: Prefix for formatting a login name for new user accounts. The associated
authentication object is a group. This means, the user account option Group is set.
Column for login name: Column in the table Person used to format the login name for new user
accounts. This information is required if employees are linked to user accounts through
automatic employee assignment.
To assign your own authentication modes automatically to user accounts
l
Modify the template for the column SPSUser.UID_SPSAuthSystem in the Designer.
For more information, see the One Identity Manager Configuration Guide.
Prefixes
Prefixes are URLs relative to a web application that can be stored under a site collection.
Prefix properties, such as relative path, absolute path and prefix type, are displayed on
the overview form with the associated web application.
To obtain an overview of a prefix
1. Select the category SharePoint | Basic configuration data | Prefixes.
2. Select the prefix in the result list.
3. Select SharePoint prefix overview in the task view.
Zones and Alternative URLs
All the zones that you can configure for a web application are stored in the One Identity
Manager database. You can see the alternative URLs that are configured for accessing the
web application on the zone’s overview form.
To obtain an overview of a zone
1. Select the category SharePoint | Basic configuration data | Zones.
2. Select the zone in the result list.
3. Select SharePoint zone overview in the task view.
To obtain an overview of an alternative URL of a web application
1. Select the category SharePoint | Hierarchical view | <farm> | Web
applications | <web application> | URLs.
2. Select the URL in the result list.
3. Select SharePoint alternative URL overview in the task view.
SharePoint Site Templates
Use site templates to add sites. If new sites are meant to be added with One Identity
Manager, load the site template into the One Identity Manager database using
synchronization. The languages in which site templates are available are displayed on the
overview form.
To obtain an overview of a site template
1. Select the category SharePoint | Basic configuration data | Site templates.
2. Select the site template in the result list.
3. Select Site template overview in the task view.
SharePoint Permissions
User permissions for a SharePoint site or a web application are authorized by SharePoint
permissions. Permissions are grouped into permission levels and permission policies. All
web application permission policies, explicitly granted or rejected for the permission, are
displayed on the permissions overview form.
In SharePoint, you can limit the number of permissions that can be assigned to permission
levels. You are shown an overview of web applications permitted for the permissions.
To obtain an overview of permissions
1. Select the category SharePoint | Basic configuration data | Permissions.
2. Select the permissions in the result list.
3. Select SharePoint permissions overview in the task view.
You can assign permissions to permission levels in One Identity Manager.
To assign valid permissions to permission levels
1. Select the category SharePoint | Basic configuration data | Permissions.
2. Select the permissions in the result list.
3. Select Assign permission levels.
4. Assign the permission levels in Add assignments.
- OR Remove the permission levels in Remove assignments.
5. Save the changes.
Related Topics
• SharePoint Roles and Permission Levels on page 112
SharePoint Quotas
You can view the SharePoint farm and site collections that the quota is assigned to on the
quota overview form.
To obtain an overview of a quota
1. Select the category SharePoint | Quotas.
2. Select the quota in the result list.
3. Select SharePoint quota overview in the task view.
SharePoint Languages
All the languages that have language packets installed in the One Identity Manager
environment are mapped in the SharePoint database.
To obtain an overview of a language
1. Select the category SharePoint | Hierarchy view | <farm> | Language
packages.
2. Select the language in the result list.
3. Select SharePoint language overview in the task view.
Editing a Server
In order to handle SharePoint specific processes in One Identity Manager, the
synchronization server and its server functionality must be declared. You have several
options for defining a server's functionality:
• Create an entry for the Job server in the category Base Data | Installation | Job
  server in the Designer. For detailed information, see the One Identity Manager
  Configuration Guide.
• Select an entry for the Job server in the category SharePoint | Basic configuration
  data | Server in the Manager and edit the Job server master data.
  Use this task if the Job server has already been declared in One Identity Manager and
  you want to configure special functions for the Job server.
NOTE: One Identity Manager Service must be installed, configured and started in
order for a server to execute its function in the One Identity Manager network.
Proceed as described in the One Identity Manager Installation Guide.
To edit a Job server and its functions
1. Select the category SharePoint | Basic configuration data | Server in
the Manager.
2. Select the Job server entry in the result list.
3. Select Change master data in the task view.
4. Edit the Job server's master data.
5. Select Assign server functions in the task view and specify server functionality.
6. Save the changes.
Detailed information about this topic
• Master Data for a Job Server on page 40
• Specifying Server Functions on page 41
Related Topics
• Setting Up the Synchronization Server on page 14
Master Data for a Job Server
NOTE: All editing options are available to you in the Designer, in the category Base
Data | Installation | Job server.
Table 10: Job Server Properties
Server: Job server name.
Full server name: Full server name in accordance with DNS syntax.
    Example: <Name of server>.<Fully qualified domain name>
Target system: Computer account target system.
Language culture: Language of the server.
Server is cluster: Specifies whether the server maps a cluster.
Server belongs to cluster: Cluster to which the server belongs.
    NOTE: The properties Server is cluster and Server belongs to cluster are
    mutually exclusive.
IP address (IPv6): Internet protocol version 6 (IPv6) server address.
IP address (IPv4): Internet protocol version 4 (IPv4) server address.
Coding: Character set coding that is used to write files to the server.
Parent Job server: Name of the parent Job server.
Executing server: Name of the executing server, that is, the server that exists
    physically and where the processes are handled.
    This input is evaluated when One Identity Manager Service is automatically
    updated. If the server is handling several queues, the process steps are not
    supplied until all the queues that are being processed on the same server have
    completed their automatic update.
Queue: Name of the queue to handle the process steps. Each One Identity Manager
    Service within the network must have a unique queue identifier. The process steps
    are requested by the Job queue using exactly this queue name. The queue identifier
    is entered in the One Identity Manager Service configuration file.
Server operating system: Operating system of the server. This input is required to
    resolve the path name for replicating software profiles. Permitted values are
    "Win32", "Windows", "Linux" and "Unix". If the input is empty, "Win32" is assumed.
Service account data: One Identity Manager Service user account information. In order
    to replicate between non-trusted systems (non-trusted domains, Linux servers), the
    One Identity Manager Service user information has to be declared for the servers in
    the database. This means that the service account, the service account domain and
    the service account password have to be entered for the server.
One Identity Manager Service installed: Specifies whether a One Identity Manager
    Service is installed on this server. This option is enabled by the procedure
    QBM_PJobQueueLoad the moment the queue is called for the first time.
Stop One Identity Manager Service: Specifies whether the One Identity Manager Service
    has stopped. If this option is set for the Job server, the One Identity Manager
    Service does not process any more tasks.
    The option is not automatically removed. If necessary, you can reset this option
    manually for servers whose queue is no longer enabled.
    You can start and stop the service with the appropriate administrative permissions
    in the program "Job Queue Info".
No automatic software update: Specifies whether to exclude the server from automatic
    software updating.
    NOTE: Servers must be manually updated if this option is set.
Software update running: Specifies whether a software update is currently being
    executed.
Server function: Server functionality in One Identity Manager. One Identity Manager
    processes are handled depending on the server function.
Related Topics
• Specifying Server Functions on page 41
Specifying Server Functions
NOTE: All editing options are available to you in the Designer, in the category Base
Data | Installation | Job server.
The server function defines the functionality of a server in One Identity Manager. One
Identity Manager processes are handled depending on the server function.
NOTE: More server functions may be available depending on which modules are
installed.
Table 11: Permitted Server Functions
Active Directory connector: Server on which the Active Directory connector is
    installed. This server executes synchronization with the target system Active
    Directory.
CSV connector: Server on which the CSV connector for synchronization is installed.
Domain controller: The Active Directory domain controller. Servers that are not
    labeled as domain controller are considered to be member servers.
Printer server: Server which acts as a print server.
Generic server: Server for generic synchronization with a custom target system.
Home server: Server for adding home directories for user accounts.
Update server: This server executes automatic software updating of all other servers.
    The server requires a direct connection to the database server that the One
    Identity Manager database is installed on. The server can execute SQL tasks.
    The server with the installed One Identity Manager database is labeled with this
    functionality during initial installation of the schema.
SQL processing server: This server can process SQL tasks. Several SQL processing
    servers can be set up to spread the load of SQL processes. The system distributes
    the generated SQL processes throughout all the Job servers with this server
    function.
Native database connector: The server can connect to an ADO.NET database.
One Identity Manager database connector: Server on which the One Identity Manager
    connector is installed. This server executes synchronization with the target
    system One Identity Manager.
One Identity Manager Service installed: Server on which a One Identity Manager
    Service is installed.
Primary domain controller: Primary domain controller.
Profile server: Server for setting up profile directories for user accounts.
SAM synchronization server: Server for running synchronization with an SMB-based
    target system.
SharePoint connector: Server on which the SharePoint connector is installed. This
    server executes synchronization with the target system SharePoint.
SMTP host: Server from which the One Identity Manager Service sends email
    notifications. Prerequisite for sending mails using the One Identity Manager
    Service is SMTP host configuration.
Default report server: Server on which reports are generated.
Windows PowerShell connector: The server can run Windows PowerShell version 3.0 or
    later.
Related Topics
• Master Data for a Job Server on page 40
Target System Managers
For more detailed information about implementing and editing application roles, see the
One Identity Manager Application Roles Administration Guide.
Implementing Application Roles for Target System Managers
1. The One Identity Manager administrator assigns employees to be target
system managers.
2. These target system managers add employees to the default application role for
target system managers.
Target system managers in the default application role are entitled to edit all
SharePoint farms in One Identity Manager.
3. Target system managers can authorize more employees as target system managers,
within their scope of responsibilities and create other child application roles and
assign individual SharePoint farms.
Table 12: Default Application Roles for Target System Managers
User: Target system managers
Task: Target system managers must be assigned to the application role Target
    systems | SharePoint or a sub application role.
    Users with this application role:
    • Assume administrative tasks for the target system.
    • Create, change or delete target system objects, like user accounts or groups.
    • Edit password policies for the target system.
    • Prepare system entitlements for adding to the IT Shop.
    • Configure synchronization in the Synchronization Editor and define the mapping
      for comparing target systems and One Identity Manager.
    • Edit the synchronization's target system types and outstanding objects.
    • Authorize other employees within their area of responsibility as target system
      managers and create child application roles if required.
To initially specify employees to be target system administrators
1. Log in to the Manager as One Identity Manager administrator (application role Base
role | Administrators).
2. Select the category One Identity Manager Administration | Target systems |
Administrators.
3. Select Assign employees in the task view.
4. Assign the employee you want and save the changes.
To add the first employees to the default application role as target system
managers
1. Log in to the Manager as target system administrator (application role
Target systems | Administrator).
2. Select the category One Identity Manager Administration | Target systems |
SharePoint.
3. Select Assign employees in the task view.
4. Assign the employees you want and save the changes.
To authorize other employees as target system managers when you are a
target system manager
1. Log in to the Manager as target system manager.
2. Select the application role in the category SharePoint | Basic configuration data
| Target system managers.
3. Select Assign employees in the task view.
4. Assign the employees you want and save the changes.
To define target system managers for individual SharePoint farms
1. Log in to the Manager as target system manager.
2. Select the category SharePoint | Farms.
3. Select the farm in the result list.
4. Select Change master data in the task view.
5. Select the application role on the General tab in the Target system
manager menu.
- OR -
Click the add button next to the Target system manager menu to create a new
application role.
• Enter the application role name and assign the parent application role Target
  system | SharePoint.
• Click OK to add the new application role.
6. Save the changes.
7. Assign the application role to employees who are authorized to edit the farm in One
Identity Manager.
Related Topics
• One Identity Manager Users for Managing a SharePoint on page 9
• General Master Data for a SharePoint Farm on page 62
Setting Up Account Definitions
One Identity Manager has account definitions for automatically allocating user accounts to
employees during working hours. You can create account definitions for every target
system. If an employee does not have a user account in the target system, a new user
account is created. This is done by assigning account definitions to an employee using the
integrated inheritance mechanism followed by process handling.
The data for the user accounts in the respective target system comes from the basic
employee data. The assignment of the IT operating data to the employee’s user account is
controlled through the primary assignment of the employee to a location, a department, a
cost center, or a business role (template processing). Processing is done through
templates. There are predefined templates for determining the data required for user
accounts included in the default installation. You can customize templates as required.
For more details about the basics, see the One Identity Manager Target System Base
Module Administration Guide.
NOTE: Only SharePoint user accounts that are not marked as a group can be created
with account definitions (IsDomainGroup = 'false'). However, it is recommended to
create SharePoint user accounts on the basis of target system groups. Only use
account definitions for SharePoint if you are not following the standard procedure. For
more information, see SharePoint User Accounts on page 74.
The following steps are required to implement an account definition:
• Creating an Account Definition
• Setting Up Manage Levels
• Creating a Formatting Rule for IT Operating Data
• Determining IT Operating Data
• Assigning Account Definitions to Employees
• Assigning Account Definitions to a Target System
Creating an Account Definition
To create a new account definition
1. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
2. Select an account definition in the result list. Select Change master data in
the task view.
- OR -
Click the add button in the result list toolbar.
3. Enter the account definition's master data.
4. Save the changes.
Master Data for an Account Definition
Enter the following data for an account definition:
Table 13: Master Data for an Account Definition
Account definition: Account definition name.
User account table: Table in the One Identity Manager schema which maps user accounts.
Target system: Target system to which the account definition applies.
Required account definition: Required account definitions. Define the dependencies
    between account definitions. When this account definition is requested or
    assigned, the required account definition is automatically requested or assigned
    with it.
    TIP: You can enter this account definition for the associated Active Directory or
    LDAP domain here. In this case, an LDAP or Active Directory user account is
    created for the employee first. If this exists, the SharePoint user account is
    added.
    Implement this behavior on a custom basis. Customize the process
    TSB_PersonHasAccountDef_AutoCreate_SPSUser to do this.
Description: Spare text box for additional explanation.
Manage level (initial): Manage level to use by default when you add new user accounts.
Risk index: Value for evaluating the risk of account definition assignments to
    employees. Enter a value between 0 and 1. This property is only visible when the
    configuration parameter QER\CalculateRiskIndex is set. For more detailed
    information, see the One Identity Manager Risk Assessment Administration Guide.
Service item: Service item through which you can request the account definition in
    the IT Shop. Assign an existing service item or add a new one.
IT Shop: Specifies whether the account definition can be requested through the IT
    Shop. The account definition can be ordered by an employee over the Web Portal
    and distributed using a defined approval process. The account definition can
    still be directly assigned to employees and roles outside the IT Shop.
Only for use in IT Shop: Specifies whether the account definition can only be
    requested through the IT Shop. The account definition can be ordered by an
    employee over the Web Portal and distributed using a defined approval process.
    This means the account definition cannot be directly assigned to roles outside
    the IT Shop.
Automatic assignment to employees: Specifies whether the account definition is
    assigned automatically to all internal employees. The account definition is
    assigned to every employee not marked as external, on saving. New employees
    automatically obtain this account definition as soon as they are added.
    IMPORTANT: Only set this option if you can ensure that all current internal
    employees in the database and all pending newly added internal employees obtain
    a user account in this target system.
    Disable this option to remove automatic assignment of the account definition to
    all employees. The account definition cannot be reassigned to employees from this
    point on. Existing account definition assignments remain intact.
Retain account definition if permanently disabled: Specifies the account definition
    assignment to permanently disabled employees.
    Option set: the account definition assignment remains in effect. The user account
    stays the same.
    Option not set: the account definition assignment is not in effect. The associated
    user account is deleted.
Retain account definition if temporarily disabled: Specifies the account definition
    assignment to temporarily disabled employees.
    Option set: the account definition assignment remains in effect. The user account
    stays the same.
    Option not set: the account definition assignment is not in effect. The associated
    user account is deleted.
Retain account definition on deferred deletion: Specifies the account definition
    assignment on deferred deletion of employees.
    Option set: the account definition assignment remains in effect. The user account
    stays the same.
    Option not set: the account definition assignment is not in effect. The associated
    user account is deleted.
Retain account definition on security risk: Specifies the account definition
    assignment to employees posing a security risk.
    Option set: the account definition assignment remains in effect. The user account
    stays the same.
    Option not set: the account definition assignment is not in effect. The associated
    user account is deleted.
Resource type: Resource type for grouping account definitions.
Spare field 01 - spare field 10: Additional company specific information. Use the
    Designer to customize display names, formats and templates for the input fields.
Setting Up Manage Levels
Specify the manage level for an account definition for managing user accounts. The user
account’s manage level specifies the extent of the employee’s properties that are inherited
by the user account. This allows an employee to have several user accounts in one target
system, for example:
• Default user account that inherits all properties from the employee
• Administrative user account that is associated with an employee but should not
  inherit the properties from the employee.
One Identity Manager supplies a default configuration for manage levels:
• Unmanaged
  User accounts with a manage level of "Unmanaged" become linked to an employee
  but do not inherit any other properties. When a new user account is added with this
  manage level and an employee is assigned, some of the employee's properties are
  transferred initially. If the employee properties are changed at a later date, the
  changes are not passed on to the user account.
• Full managed
  User accounts with a manage level of "Full managed" inherit specific properties from
  the assigned employee.
NOTE: The manage levels "Full managed" and "Unmanaged" are evaluated in the
templates. You can customize the supplied templates in the Designer.
You can define other manage levels depending on your requirements. You need to
amend the templates to include manage level approaches.
Specify the effect of temporarily or permanently disabling, deleting or the security risk of
an employee on its user accounts and group memberships for each manage level. For more
detailed information about manage levels, see the One Identity Manager Target System
Base Module Administration Guide.
• Employee user accounts can be locked when they are disabled, deleted or rated as a
  security risk so that permissions are immediately withdrawn. If the employee is
  reinstated at a later date, the user accounts are also reactivated.
• You can also define group membership inheritance. Inheritance can be discontinued
  if desired when, for example, the employee’s user accounts are disabled and
  therefore cannot be members in groups. During this time, no inheritance processes
  should be calculated for this employee. Existing group memberships are deleted!
To assign manage levels to an account definition
1. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Assign manage level in the task view.
4. Assign manage levels in Add assignments.
- OR -
Remove assignments to manage levels in Remove assignments.
5. Save the changes.
IMPORTANT: The manage level "Unmanaged" is assigned automatically when an
account definition is assigned and cannot be removed.
To edit a manage level
1. Select the category SharePoint | Basic configuration data | Account
definitions | Manage levels.
2. Select the manage level in the result list. Select Change master data.
- OR -
Click the add button in the result list toolbar.
3. Edit the manage level's master data.
4. Save the changes.
Master Data for a Manage Level
Enter the following data for a manage level.
Table 14: Master Data for a Manage Level
Manage level: Name of the manage level.
Description: Spare text box for additional explanation.
IT operating data overwrites: Specifies whether user account data formatted from IT
    operating data is automatically updated. Permitted values are:
    Never: Data is not updated.
    Always: Data is always updated.
    Only initially: Data is only initially determined.
Retain groups if temporarily disabled: Specifies whether user accounts of temporarily
    disabled employees retain their group memberships.
Lock user accounts if temporarily disabled *): Specifies whether user accounts of
    temporarily disabled employees are locked.
Retain groups if permanently disabled: Specifies whether user accounts of permanently
    disabled employees retain group memberships.
Lock user accounts if permanently disabled *): Specifies whether user accounts of
    permanently disabled employees are locked.
Retain groups on deferred deletion: Specifies whether user accounts of employees
    marked for deletion retain their group memberships.
Lock user accounts if deletion is deferred *): Specifies whether user accounts of
    employees marked for deletion are locked.
Retain groups on security risk: Specifies whether user accounts of employees posing a
    security risk retain their group memberships.
Lock user accounts if security is at risk *): Specifies whether user accounts of
    employees posing a security risk are locked.
Retain groups if user account disabled: Specifies whether locked user accounts retain
    their group memberships.
*) NOTE: SharePoint user accounts cannot be locked.
When an employee is disabled, deleted or rated as a security risk, their SharePoint
user accounts remain enabled. You need to know whether the user account referenced as
the authentication object is locked or disabled for logging in to a SharePoint site
collection. Manage the authentication object's user account with account definitions
to avoid a disabled, deleted or security risk employee logging in to a SharePoint site
collection.
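The following Python model is an added example, not part of the guide or the product: it shows how the "Retain account definition ..." options of Table 13 and the "Retain groups ..." / "Lock user accounts ..." options of Table 14 combine for one employee state, including the note above that SharePoint user accounts cannot be locked. Class and function names, the state names and the option settings in demo() are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Employee states that the "Retain ... if/on ..." and "Lock user accounts ..."
# options refer to (names constructed for this example).
STATES = ("temporarily disabled", "permanently disabled",
          "deferred deletion", "security risk")


def _all(value: bool) -> Dict[str, bool]:
    """Same option value for every employee state."""
    return {state: value for state in STATES}


@dataclass
class AccountDefinition:
    """The four "Retain account definition if/on ..." options of Table 13."""
    name: str
    retain_assignment: Dict[str, bool] = field(default_factory=lambda: _all(False))


@dataclass
class ManageLevel:
    """The "Retain groups ..." and "Lock user accounts ..." options of Table 14."""
    name: str
    retain_groups: Dict[str, bool] = field(default_factory=lambda: _all(False))
    lock_accounts: Dict[str, bool] = field(default_factory=lambda: _all(False))


@dataclass
class Outcome:
    account_deleted: bool
    account_locked: bool
    groups_retained: bool
    warnings: List[str]


def evaluate(accdef: AccountDefinition, level: ManageLevel, state: str,
             target_is_sharepoint: bool = True) -> Outcome:
    """Outcome for one user account when its employee enters `state`."""
    if state not in STATES:
        raise ValueError(f"unknown employee state: {state!r}")
    # Step 1, account definition (Table 13): if the assignment is not retained
    # it is no longer in effect and the user account is deleted; the manage
    # level options are then irrelevant.
    if not accdef.retain_assignment[state]:
        return Outcome(account_deleted=True, account_locked=False,
                       groups_retained=False, warnings=[])
    # Step 2, manage level (Table 14): group memberships and locking.
    warnings: List[str] = []
    locked = level.lock_accounts[state]
    if locked and target_is_sharepoint:
        # Per the guide's note, SharePoint user accounts cannot be locked, so
        # the account stays enabled; logon has to be controlled through the
        # authentication object's user account instead.
        locked = False
        warnings.append(f"{accdef.name}/{level.name}: lock option set for "
                        f"'{state}', but SharePoint accounts cannot be locked")
    return Outcome(account_deleted=False, account_locked=locked,
                   groups_retained=level.retain_groups[state], warnings=warnings)


def demo() -> Dict[str, Outcome]:
    """Constructed settings: keep the assignment only on temporary disabling,
    lock in every state, never retain groups."""
    accdef = AccountDefinition("SPS default (constructed)",
                               {**_all(False), "temporarily disabled": True})
    level = ManageLevel("Full managed (constructed settings)",
                        retain_groups=_all(False), lock_accounts=_all(True))
    return {state: evaluate(accdef, level, state) for state in STATES}
```

Running demo() shows the practical gap: a temporarily disabled employee keeps an enabled SharePoint account (only the group memberships are withdrawn), while every other state deletes the account outright.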
Creating a Formatting Rule for IT Operating Data
An account definition specifies which rules are used to form the IT operating data and
which default values will be used if no IT operating data can be found through the
employee's primary roles.
The following IT operating data is used in the One Identity Manager default
configuration for automatically creating and modifying user accounts for an employee in
the target system.
• SharePoint authentication mode
• Groups can be inherited
• Identity
• Privileged user account
To create a mapping rule for IT operating data
1. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Edit IT operating data mapping in the task view and enter the
following data.
Table 15: Mapping rule for IT operating data
Column: User account property for which the value is set.
Source: Specifies which roles to use in order to find the user account properties.
    You have the following options:
    • Primary department
    • Primary location
    • Primary cost center
    • Primary business roles
      NOTE: Only use the primary business role if the Business Roles Module is
      installed.
    • Empty
    If you select a role, you must specify a default value and set the option Always
    use default value.
Default value: Default value of the property for an employee's user account if the
    value is not determined dynamically from the IT operating data.
Always use default value: Specifies whether user account properties are always filled
    with the default value. IT operating data is not determined dynamically from a
    role.
Notify when applying the standard: Specifies whether email notification to a defined
    mailbox is sent when the default value is used. Use the mail template "Employee -
    new user account with default properties created". To change the mail template,
    modify the configuration parameter
    "TargetSystem\SharePoint\Accounts\MailTemplateDefaultValues".
4. Save the changes.
Determining IT Operating Data
In order for an employee to create user accounts with the manage level "Full managed",
the necessary IT operating data must be determined. The operating data required to
automatically supply an employee with IT resources is shown in the departments,
locations, cost centers, and business roles. An employee is assigned to one primary
location, one primary department, one primary cost center or one primary business role.
The necessary IT operating data is ascertained from these assignments and used in
creating the user accounts. Default values are used if valid IT operating data cannot be
found over the primary roles.
You can also specify IT operating data directly for a specific account definition.
Example:
Normally, each employee in department A obtains a default user account in the A. In
addition, certain employees in department A obtain administrative user accounts in the A.
Create an account definition A for the default user account of the A and an account
definition B for the administrative user account of A. Specify the property "Department" in
the IT operating data formatting rule for the account definitions A and B in order to
determine the valid IT operating data.
Specify the effective IT operating data of department A for the A. This IT operating data
is used for standard user accounts. In addition, specify the effective account definition B
IT operating data for department A. This IT operating data is used for administrative
user accounts.
To specify IT operating data
1. Select the role in the category Organizations or Business roles.
2. Select Edit IT operating data in the task view and enter the following data.
Table 16: IT Operating Data
Organization/Business role
  Department, cost center, location or business role for which the IT operating data is valid.
Effects on
  IT operating data application scope. The IT operating data can be used for a target system or a defined account definition.
  To specify an application scope
  a. Click the button next to the text box.
  b. Select the table under Table, which maps the target system, or the table TSBAccountDef for an account definition.
  c. Select the concrete target system or concrete account definition under Effects on.
  d. Click OK.
Column
  User account property for which the value is set. Columns using the script template TSB_ITDataFromOrg in their template are listed. For more detailed information, see the One Identity Manager Target System Base Module Administration Guide.
Value
  Concrete value which is assigned to the user account property.
3. Save the changes.
Modifying IT Operating Data
If IT operating data changes, you must transfer these changes to the existing user accounts. To do this, templates must be rerun on the affected columns. Before you run the templates, you can check what effect a change to the IT operating data has on the existing user accounts. You can then decide, for each affected column of each affected user account, whether the change is transferred to the database.
Prerequisites
• The IT operating data of a department, cost center, business role or a location was changed.
- OR -
• The default values in the IT operating data template were modified for an account definition.
NOTE: If the assignment of an employee to a primary department, cost center,
business role or to a primary location changes, the templates are automatically
executed.
To execute the template
1. Select the category SharePoint | Basic configuration data | Account definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Execute templates in the task view.
This displays a list of all user accounts that are created through the selected account definition and whose properties are changed by modifying the IT operating data.
Old value
  Current value of the object property.
New value
  Value applied to the object property after modifying the IT operating data.
Selection
  Specifies whether the modification is applied to the user account.
4. Mark all the object properties in the selection column that will be given the
new value.
5. Click Apply.
The templates are applied to all selected user accounts and properties.
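The following Python model is added here as an illustration; it is not part of One Identity Manager or of this guide. It shows how the rules described in the two preceding sections fit together: each column of an account definition's IT operating data formatting rule names a primary role kind, the value is looked up in the IT operating data of the employee's primary role of that kind (scoped either to the account definition via TSBAccountDef or to the target system), and the default value is used when nothing is found or when Always use default value is set. It also reproduces the old value / new value preview that the Execute templates task shows before a change is applied. All account definition names, column names, roles and data values are constructed, and the precedence of account-definition-scoped data over target-system-scoped data is an assumption, not something the guide states.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FormattingRule:
    """One column of an account definition's IT operating data formatting rule."""
    column: str
    role_kind: Optional[str]          # "department", "location", "cost_center", "business_role" or None for Empty
    default: Optional[str] = None     # Default value
    always_use_default: bool = False  # Always use default value


@dataclass
class AccountDefinition:
    name: str
    target_system: str                # constructed: the site collection the definition belongs to
    rules: list


@dataclass
class Employee:
    name: str
    primary_roles: dict               # role_kind -> role name, e.g. {"department": "A"}


# IT operating data entries are keyed by (role, scope, column), where scope is
# ("TSBAccountDef", <account definition>) or ("target_system", <target system>).

def lookup_it_data(it_data, role, acct_def, column):
    # Assumption: data scoped to the account definition wins over data scoped to the target system.
    for scope in (("TSBAccountDef", acct_def.name), ("target_system", acct_def.target_system)):
        value = it_data.get((role, scope, column))
        if value is not None:
            return value
    return None


def resolve_properties(acct_def, employee, it_data):
    """Return {column: value} for a new user account of this employee."""
    props = {}
    for rule in acct_def.rules:
        value = None
        if not rule.always_use_default and rule.role_kind is not None:
            role = employee.primary_roles.get(rule.role_kind)
            if role is not None:
                value = lookup_it_data(it_data, role, acct_def, rule.column)
        if value is None:
            value = rule.default      # stays None if no default is configured
        props[rule.column] = value
    return props


def change_impact(acct_def, accounts, it_data):
    """Mimic the Execute templates preview: (employee, column, old value, new value)
    for every property that would change when the templates are rerun."""
    impact = []
    for employee, current in accounts:
        new = resolve_properties(acct_def, employee, it_data)
        for column, new_value in new.items():
            if current.get(column) != new_value:
                impact.append((employee.name, column, current.get(column), new_value))
    return impact


# Constructed sample data (not taken from the guide).
STANDARD = AccountDefinition("SP-A-Standard", "SiteCollection-A", [
    FormattingRule("PrimaryGroup", "department", default="Visitors"),
    FormattingRule("Region", "location", default="unknown"),
    FormattingRule("AccountType", None, default="standard", always_use_default=True),
])
ADMIN = AccountDefinition("SP-A-Admin", "SiteCollection-A", [
    FormattingRule("PrimaryGroup", "department", default="Visitors"),
    FormattingRule("AccountType", None, default="admin", always_use_default=True),
])
IT_DATA = {
    ("A", ("target_system", "SiteCollection-A"), "PrimaryGroup"): "A Members",   # standard accounts
    ("A", ("TSBAccountDef", "SP-A-Admin"), "PrimaryGroup"): "A Owners",          # administrative accounts
    ("Berlin", ("target_system", "SiteCollection-A"), "Region"): "EU",
}
CLARA = Employee("Clara", {"department": "A", "location": "Berlin"})
DAVE = Employee("Dave", {"department": "A", "location": "Austin"})   # no data for Austin -> default


def demo_change_impact():
    """Clara and Dave already have standard accounts; department A's PrimaryGroup is then changed."""
    accounts = [(CLARA, {"PrimaryGroup": "A Members", "Region": "EU", "AccountType": "standard"}),
                (DAVE, {"PrimaryGroup": "A Members", "Region": "unknown", "AccountType": "standard"})]
    changed = dict(IT_DATA)
    changed[("A", ("target_system", "SiteCollection-A"), "PrimaryGroup")] = "A Staff"
    return change_impact(STANDARD, accounts, changed)


if __name__ == "__main__":
    print(resolve_properties(STANDARD, CLARA, IT_DATA))
    print(resolve_properties(ADMIN, CLARA, IT_DATA))
    print(demo_change_impact())
```

The admin definition resolves PrimaryGroup to the value specified for account definition SP-A-Admin, while the standard definition falls back to department A's target-system-wide value; Dave's Region comes from the default because his primary location has no IT operating data. The change preview lists only the properties whose value would actually change, which is the list you review before marking entries in the Selection column.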
Assigning Account Definitions to Employees
Account definitions are assigned to company employees. Indirect assignment is the default
method for assigning account definitions to employees. Account definitions are assigned to
departments, cost centers, locations or roles. The employees are categorized into these
departments, cost centers, locations or roles depending on their function in the company
and thus obtain their account definitions. To react quickly to special requests, you can
assign individual account definitions directly to employees. You can automatically assign
special account definitions to all company employees. It is possible to assign account
definitions to the IT Shop as requestable products. A department manager can then request
user accounts from the Web Portal for his staff. It is also possible to add account definitions
to system roles. These system roles can be assigned to employees through hierarchical
roles or directly or added as products in the IT Shop.
In the One Identity Manager default installation, the processes are checked at the start to
see if the employee already has a user account in the target system that has an account
definition. If no user account exists, a new user account is created with the account
definition’s default manage level.
NOTE: If a user account already exists and is disabled, then it is re-enabled. You
have to alter the user account manage level afterwards in this case.
Prerequisites for indirect assignment of account definitions to employees
• Assignment of employees and account definitions is permitted for role classes (department, cost center, location or business role).
For detailed information about preparing role classes to be assigned, see the One Identity
Manager Identity Management Base Module Administration Guide.
Assigning Account Definitions to Departments, Cost Centers and Locations
To add account definitions to hierarchical roles
1. Select the category SharePoint | Basic configuration data | Account definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
• Assign departments on the Departments tab.
• Assign locations on the Locations tab.
• Assign cost centers on the Cost center tab.
- OR -
Remove the organizations in Remove assignments.
5. Save the changes.
Assigning Account Definitions to Business Roles
Installed Modules: Business Roles Module
To add account definitions to hierarchical roles
1. Select the category SharePoint | Basic configuration data | Account definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR -
Remove business roles in Remove assignments.
5. Save the changes.
Assigning Account Definitions to all Employees
To assign an account definition to all employees
1. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Change master data in the task view.
4. Set the option Automatic assignment to employees on the General tab.
IMPORTANT: Only set this option if you can ensure that all current internal
employees in the database and all pending newly added internal employees
obtain a user account in this target system.
5. Save the changes.
The account definition is assigned to every employee that is not marked as external. New
employees automatically obtain this account definition as soon as they are added. The
assignment is calculated by the DBQueue Processor.
NOTE: Disable the option Automatic assignment to employees to remove automatic assignment of the account definition to all employees. The account definition cannot be reassigned to employees from this point on. Existing assignments remain intact.
Assigning Account Definitions Directly to Employees
To assign an account definition directly to employees
1. Select the category SharePoint | Basic configuration data | Account definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Assign to employees in the task view.
4. Assign employees in Add assignments.
- OR -
Remove employees in Remove assignments.
5. Save the changes.
Assigning Account Definitions to System Roles
Installed Modules: System Roles Module
NOTE: Account definitions with the option Only use in IT Shop can only be assigned to system roles that also have this option set.
To add account definitions to a system role
1. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
2. Select an account definition in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR -
Remove assignments to system roles in Remove assignments.
5. Save the changes.
Adding Account Definitions in the IT Shop
An account definition can be requested by shop customers when it is assigned to an IT Shop shelf. To ensure it can be requested, the following prerequisites must also be met:
• The account definition must be labeled with the IT Shop option.
• The account definition must be assigned to a service item.
• If the account definition is only assigned to employees using IT Shop assignments, you must also set the option Only for use in IT Shop. Direct assignment to hierarchical roles may not be possible.
NOTE: IT Shop administrators can assign account definitions to IT Shop shelves if
login is role-based. Target system administrators are not authorized to add account
definitions in the IT Shop.
To add an account definition to the IT Shop
1. Select the category SharePoint | Basic configuration data | Account
definitions (non role-based login).
- OR -
Select the category Entitlements | Account definitions (role-based login).
2. Select an account definition in the result list.
3. Select Add to IT Shop in the task view.
4. Assign the account definition to the IT Shop shelf in Add assignments.
5. Save the changes.
To remove an account definition from individual IT Shop shelves
1. Select the category SharePoint | Basic configuration data | Account
definitions (non role-based login).
- OR -
Select the category Entitlements | Account definitions (role-based login).
2. Select an account definition in the result list.
3. Select Add to IT Shop in the task view.
4. Remove the account definition from the IT Shop shelves in Remove assignments.
5. Save the changes.
To remove an account definition from all IT Shop shelves
1. Select the category SharePoint | Basic configuration data | Account
definitions (non role-based login).
- OR -
Select the category Entitlements | Account definitions (role-based login).
2. Select an account definition in the result list.
3. Select Remove from all shelves (IT Shop) in the task view.
4. Confirm the security prompt with Yes.
5. Click OK.
The account definition is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests with this account definition are
canceled in the process.
For more detailed information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Related Topics
• Master Data for an Account Definition on page 46
• Assigning Account Definitions to Departments, Cost Centers and Locations on page 56
• Assigning Account Definitions to Business Roles on page 56
• Assigning Account Definitions Directly to Employees on page 57
• Assigning Account Definitions to System Roles on page 57
Assigning Account Definitions to a Target System
The following prerequisites must be fulfilled if you implement automatic assignment of user accounts and employees resulting in administered user accounts (state "Linked configured"):
• The account definition is assigned to the target system.
• The account definition has the default manage level.
User accounts are only linked to the employee (state "Linked") if no account definition is
given. This is the case on initial synchronization, for example.
To assign the account definition to a target system
1. Select the site collection in the category SharePoint | Site collections.
2. Select Change master data in the task view.
3. Select the account definition for user accounts from Account definition (initial).
4. Save the changes.
Deleting an Account Definition
You can delete account definitions if they are not assigned to target systems, employees,
hierarchical roles or any other account definitions.
NOTE: If an account definition is deleted, the user accounts arising from this account
definition are deleted.
To delete an account definition
1. Remove automatic assignments of the account definition from all employees.
a. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Change master data in the task view.
d. Disable the option Automatic assignment to employees on the General tab.
e. Save the changes.
2. Remove direct assignments of the account definition to employees.
a. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Assign to employees in the task view.
d. Remove employees from Remove assignments.
e. Save the changes.
3. Remove the account definition's assignments to departments, cost centers and
locations.
a. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Assign organizations.
d. Remove the account definition's assignments to departments, cost centers and
locations in Remove assignments.
e. Save the changes.
4. Remove the account definition's assignments to business roles.
a. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Assign business roles in the task view.
d. Remove business roles from Remove assignments.
e. Save the changes.
5. If the account definition was requested through the IT Shop, it must be canceled and removed from all IT Shop shelves. For more detailed information, see the One Identity Manager IT Shop Administration Guide.
6. Remove the account definition assignment as required account definition for another
account definition. As long as the account definition is required for another account
definition, it cannot be deleted. Check all the account definitions.
a. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Change master data in the task view.
d. Remove the account definition from the Required account definition menu.
e. Save the changes.
7. Remove the account definition's assignments to target systems.
a. Select the site collection in the category SharePoint | Site collections.
b. Select Change master data in the task view.
c. Remove the assigned account definitions on the General tab.
d. Save the changes.
8. Delete the account definition.
a. Select the category SharePoint | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Click the delete button to delete the account definition.
4 SharePoint Farms
NOTE: Farms are set up in the One Identity Manager database using the Synchronization Editor.
To edit the master data of a farm
1. Select the category SharePoint | Farms.
2. Select the farm in the result list. Select Change master data in the task view.
3. Edit the farm's master data.
4. Save the changes.
General Master Data for a SharePoint Farm
Enter the following master data for a farm.
Table 17: General Master Data for a Farm
Name
  Name of the SharePoint instance port. A distinguished name for internal users is formed from this.
Domain
  Name of the Active Directory or LDAP domain that serves as security provider for SharePoint. The user accounts and groups that are referenced are searched for in this domain.
Display name
  The farm's display name.
Target system managers
  Application role in which target system managers are specified for the farm. Target system managers only edit the objects from farms that are assigned to them. Each farm can have a different target system manager assigned to it.
  Select the One Identity Manager application role whose members are responsible for administration of this farm. Use the add button to add a new application role.
Synchronized by
  NOTE: You can only specify the synchronization type when adding a new farm. No changes can be made after saving.
  "Synchronization Editor" is used when you create a farm with the One Identity Manager.
  Specify how the data will be synchronized between the target system and the One Identity Manager. Choose between "One Identity Manager", "FIM" and "No synchronization".
  Table 18: Permitted Values
  Value                  Synchronization by     Provisioned by
  One Identity Manager   SharePoint connector   SharePoint connector
  No synchronization     none                   None
  NOTE: If you select "No synchronization" you can define custom processes to exchange data between One Identity Manager and the target system.
Build version
  The build version of the SharePoint services for this farm is read in during synchronization.
Related Topics
• Target System Managers on page 43
How to Edit a Synchronization Project
Synchronization projects in which a farm is already used as a base object can also be opened using the Manager. In this mode you can, for example, check the configuration or view the synchronization log. The Synchronization Editor is not started with its full functionality: certain functions, such as running synchronization or simulation and starting the target system browser, are not available.
NOTE: The Manager is locked for editing throughout. To edit objects in the Manager,
close the Synchronization Editor.
To open an existing synchronization project in the Synchronization Editor
1. Select the category SharePoint | Farms.
2. Select the farm in the result list. Select Change master data in the task view.
3. Select Edit synchronization project... from the task view.
Detailed information about this topic
• One Identity Manager Target System Synchronization Reference Guide
Related Topics
• Customizing Synchronization Configuration on page 25
5 SharePoint Web Applications
SharePoint web applications provide permissions for SharePoint users that are valid across
all websites within the web application. You can find information about SharePoint objects
that the web application is linked to on the overview form. Defined users and permissions
policies are shown for the web application. Valid SharePoint providers are displayed with
the web applications for which they are registered.
In SharePoint, you can limit the amount of permissions that can be assigned to SharePoint
permission levels. You can see all valid permissions for the web application on the
overview form.
To obtain an overview of a web application
1. Select the category SharePoint | Web applications.
2. Select the web application in the result list.
3. Select SharePoint web application overview in the task view.
Related Topics
• SharePoint Roles and Permission Levels on page 112
6 SharePoint Site Collections and Sites
SharePoint sites are organized into site collections. A site collection manages access rights and characterization templates for all sites in the site collection. It consists of at least one site on the top level (root site). Other websites are arranged below this root site. They can be connected to hierarchies through simple task relationships. Properties (for example role definitions) can be inherited by child sites through this hierarchical structure.
Site collections and sites are mapped with their access rights to the One Identity Manager.
You cannot edit their properties in the One Identity Manager. You can edit access rights
managed within a site collection in One Identity Manager. To do this, SharePoint roles,
groups and user accounts are loaded into the One Identity Manager database.
Related Topics
• SharePoint Roles and Groups on page 94
• SharePoint User Accounts on page 74
SharePoint Site Collections
A site collection groups sites together. User accounts and their access permissions are managed on the sites. To automatically assign user accounts and employees, assign an account definition to the site collection.
Authorized user accounts and groups are displayed on the site collection's overview as well
as the web application and the root site linked to the site collection. The quota template,
the site collection administrators and auditors assigned to the site collection are also
visible on the overview form.
To edit site collection properties
1. Select SharePoint | Site collection.
2. Select the site collection in the result list. Select Change master data in
the task view.
3. Enter the required data on the master data form.
4. Save the changes.
Detailed information about this topic
• General Master Data for a Site Collection on page 67
• Specifying Categories for Inheriting SharePoint Groups on page 68
General Master Data for a Site Collection
The following properties are displayed for site collections.
Table 19: General Master Data for a Site Collection
Account definition
  Initial account definition for creating user accounts. These account definitions are used if automatic assignment of employees to user accounts is used for this domain, resulting in administered user accounts (state "Linked configured"). The account definition's default manage level is applied.
  User accounts are only linked to the employee (state "Linked") if no account definition is given. This is the case on initial synchronization, for example.
Server
  Name of the SharePoint server that provides the site collection.
Web application
  Unique ID for the web application that belongs to the site collection.
Root site
  Link to the site collection root site. Links to a site that is set as root site.
Administrator
  Administrator user account for the site collection.
Other administrator
  Additional administrator user account for the site collection.
Used storage
  Information about the storage taken up by the site collection on the server.
Last security relevant change
  Time of the last security relevant change that was made to an object in this site collection.
View the site collection URL and port on the tab Addresses and the URL of a portal linked
to the site collection.
Related Topics
• Setting Up Account Definitions on page 45
Specifying Categories for Inheriting SharePoint Groups
In One Identity Manager, groups can be selectively inherited by user accounts. For this, groups and user accounts are divided into categories. The categories can be freely selected and are specified by a template. Each category is given a specific position within the template. The template contains two tables: the user account table and the group table. Use the user account table to specify categories for target system dependent user accounts. Enter your categories for the target system dependent groups, administrative roles, subscriptions and disabled service plans in the group table. Each table contains the category items "Position1" to "Position31".
To define a category
1. Select SharePoint | Site collection.
2. Select the site collection in the result list.
3. Select Change master data in the task view.
4. Switch to the Mapping rule category tab.
5. Expand the respective base node of the user account or group table.
6. Click the button to enable the category.
7. Enter a name for the user account and group categories in the current language.
8. Save the changes.
Detailed information about this topic
• SharePoint Group Inheritance Based on Categories on page 109
• One Identity Manager Target System Base Module Administration Guide
SharePoint Sites
You can structure sites hierarchically. There is always a site labeled as "root site" in every
site collection. The other sites in the site collection are sorted below the root site.
To display properties of a site
1. Select the category SharePoint | Sites.
2. Select the site in the result list. Select Change master data in the task view.
Detailed information about this topic
• General Master Data for a Site on page 69
• Address Data for a Site on page 70
• Site Design Properties on page 70
General Master Data for a Site
The following master data is displayed for sites.
Table 20: General Master Data for a Site
Display name
  Display name of the site.
Root site
  Specifies whether the site is the site collection root site.
Parent site
  Unique ID for the parent site.
Site collection
  Unique identifier for the site collection to which the site belongs.
Unique role definition
  Specifies whether permission levels and associated permissions can be defined for the site (tables SPSRole and SPSRoleHasSPSPermission). If the option is not set, the role definitions are inherited from the parent site.
Use roles from
  Unique identifier for the site from which the role definitions are inherited. If the site is assigned roles of its own, their permissions are overwritten by the inherited permissions.
Unique role assignments
  Specifies whether user accounts or groups can have direct access permissions to the site (tables SPSUserHasSPSRLAsgn and SPSGroupHasSPSRLAsgn). If this option is not set, the role assignments are inherited from the parent site. No other user accounts or groups have permissions for this site.
Use assignments from
  Unique identifier for the site from which the role assignments are inherited.
Author
  Link to the user account that created the site.
Description
  Spare text box for additional explanation.
Permit anonymous access
  Specifies whether anonymous access is permitted to the site.
Detailed information about this topic
• SharePoint Roles and Groups on page 94
• SharePoint Roles and Permission Levels on page 112
Address Data for a Site
The following address data is mapped on the Addresses tab.
Table 21: Address Data for a Site
Prefix
  Unique identifier of the prefix for the site collection under which you want the site to be added. A value is only shown if you add the site with the One Identity Manager.
URL relative to server
  URL for the site logo relative to the web application URL.
URL
  Absolute site URL.
Master page URL
  URL of the master page used for the site.
Alternative master URL
  URL to an alternative master page referenced by the site.
Portal URL
  URL for a portal site that this site is linked to.
If the server declared in the URL can be resolved by DNS, you can open the site in the
default browser.
To open the site
1. Select the category SharePoint | Sites.
2. Select the site in the result list.
3. Select Open URL in the task view.
Related Topics
• Setting Up SharePoint Site Collections and Sites on page 72
Site Design Properties
The following design information is displayed on the Design tab.
Table 22: Site Design Properties
Site template
  Unique identifier for the site template to be used when the site is created. A value is only shown if you add the site through the One Identity Manager.
Title
  Name for displaying the site.
URL for logo
  URL for the site logo relative to the web application URL.
Logo icon description
  Description of the site's logo.
Related Topics
• Setting Up SharePoint Site Collections and Sites on page 72
Additional Tasks for Managing Sites
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
You can view all the roles and permission levels that are valid for this site on the overview
form. Use the task Open URL to open the site in a standard web browser. Prerequisite for
this is that the server in the URL can be resolved per DNS.
To obtain an overview of a site
1. Select the category SharePoint | Sites.
2. Select the site in the result list.
3. Select SharePoint site overview in the task view.
Related Topics
• Address Data for a Site on page 70
Child Sites Inheriting Permissions
SharePoint roles are defined at site level. There are always roles defined for the root site of a site collection. Child sites can inherit these role definitions. In the same way, roles on the root site of a site collection are also assigned to groups or user accounts, and child sites can inherit these assignments. The option Unique role definition specifies whether a site inherits roles from the parent site. The option Unique role assignment specifies whether user accounts and groups are explicitly authorized for a site or whether the role assignments are inherited from the parent site.
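The inheritance rules above can be worked through with a small model. The Python below is an added illustration, not code from One Identity Manager or SharePoint: a site either defines its own role definitions (Unique role definition) or takes them from the nearest ancestor that does, and independently either holds its own role assignments (Unique role assignments) or takes them from the nearest ancestor that does. The two walks correspond to the Use roles from and Use assignments from columns of Table 20. The site hierarchy, permission level names, permissions and principals are all constructed sample data; the helper principals_with_permission is the kind of check an auditor runs to see who effectively holds a permission on a given site.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Site:
    """One SharePoint site; only the inheritance-relevant columns are modelled."""
    name: str
    parent: Optional["Site"] = None
    unique_role_definition: bool = False     # Unique role definition: roles defined on this site
    unique_role_assignments: bool = False    # Unique role assignments: direct access granted here
    roles: dict = field(default_factory=dict)         # permission level -> set of permissions
    assignments: dict = field(default_factory=dict)   # principal -> set of permission levels


def role_definition_source(site):
    """Site whose role definitions apply (Use roles from): walk up until a site with
    Unique role definition set; the root site always defines its own roles."""
    while not site.unique_role_definition and site.parent is not None:
        site = site.parent
    return site


def role_assignment_source(site):
    """Site whose role assignments apply (Use assignments from)."""
    while not site.unique_role_assignments and site.parent is not None:
        site = site.parent
    return site


def effective_permissions(site, principal):
    """Permissions a user account or group effectively holds on the site."""
    roles = role_definition_source(site).roles
    levels = role_assignment_source(site).assignments.get(principal, set())
    perms = set()
    for level in levels:
        perms |= roles.get(level, set())   # a level missing from the effective definitions grants nothing
    return perms


def principals_with_permission(site, permission):
    """Audit helper: every principal that can exercise the given permission on this site."""
    source = role_assignment_source(site)
    return sorted(p for p in source.assignments if permission in effective_permissions(site, p))


# Constructed sample hierarchy (not taken from the guide): Root -> Projects -> Secret.
ROOT = Site("Root", unique_role_definition=True, unique_role_assignments=True,
            roles={"Full Control": {"ManagePermissions", "ViewPages", "ViewListItems"},
                   "Read": {"ViewPages", "ViewListItems"}},
            assignments={"Owners": {"Full Control"}, "Guests": {"Read"}})
PROJECTS = Site("Projects", parent=ROOT)            # inherits both roles and assignments
SECRET = Site("Secret", parent=PROJECTS,
              unique_role_assignments=True,         # breaks assignment inheritance only
              assignments={"ProjectTeam": {"Read"}})

if __name__ == "__main__":
    for site in (ROOT, PROJECTS, SECRET):
        print(site.name, "-> roles from", role_definition_source(site).name,
              "| assignments from", role_assignment_source(site).name)
        print("  Guests:", sorted(effective_permissions(site, "Guests")))
```

Secret keeps the inherited role definitions (it has no Unique role definition) but, because Unique role assignments is set, Guests and Owners lose their access there and only ProjectTeam remains; this is exactly the situation the overview form makes visible when reviewing a site's effective access.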
Detailed information about this topic
• SharePoint Roles and Groups on page 94
Related Topics
• General Master Data for a Site on page 69
Setting Up SharePoint Site Collections and Sites
Site collections and sites are simply loaded into the One Identity Manager database through synchronization in the default installation of the One Identity Manager. You can add new site collections and sites in the One Identity Manager and publish them in the SharePoint target system. To do this, the columns UID_SPSPrefix and UID_SPSWebTemplate are provided for the table SPSWeb as well as predefined scripts and processes.
NOTE: You can use the following scripts and processes to request site collections and sites from the IT Shop. Customize these scripts and processes as required!
Script VI_CreateSPSSite
  Creates a new site collection and the associated root site in the One Identity Manager database. Creates a user account that is entered as site collection administrator or root site author.
Script VI_CreateSPSWeb
  Creates a new site within a site collection in the One Identity Manager database.
Process SP0_SPWeb_(De-)Prrovision
  Creates a new site within a site collection. The process is triggered by the event PROVISION when the site in the One Identity Manager database is not labeled as the root site.
Process SP0_SPSite_(De-)Prrovision
  Creates a new site collection in a web application and the associated root site. The process is triggered by the event PROVISION.
The following steps are also required:
• Define a requestable product through which the site collection/site is requested in the IT Shop.
• Define product properties that are mapped to the script parameters (for example web application, prefix or site template). You must include these product properties when the site collection/site is requested.
• Create a process for the table PersonWantsOrg that is started when the request is approved (event OrderGranted). This process calls the matching script and sets the parameter values from the product properties you have defined. Then the site collection/site is added in the One Identity Manager database.
7 SharePoint User Accounts
SharePoint user accounts provide the information necessary for user authentication, such
as the authentication mode and login names. In addition, the permissions of users in a site
collection are specified in the user accounts.
Each SharePoint user account represents an object from an authentication system trusted
by the SharePoint installation. If this authentication system is managed as a target system
in One Identity Manager, the SharePoint object used for authentication can be saved as the
authentication object in the user policy. This means that the SharePoint user account
permissions are mapped to employees managed in One Identity Manager. Thus, One
Identity Manager makes it possible for you to obtain an overview of all of an employee's
SharePoint access permissions. SharePoint permissions can be attested and checked for
compliance. Employees can request or obtain the SharePoint permissions they require
through their memberships in hierarchical roles or through the Web Portal when
appropriately configured.
Example:
Set up guest access to a site collection with read-only permissions. To do this, a
SharePoint user account is added. The Active Directory group "Guests" is assigned as
authentication object to the user account. Clara Harris owns an Active Directory user
account, which is a member of this group. She can log in to the site collection with
this account and obtains all the SharePoint user account's permissions.
Jan Bloggs also requires guest access to the site collection. He owns an Active
Directory user account in the same domain. He requests membership in the Active
Directory group through the Web Portal. Once the request is granted approval and
the membership is assigned, he can log in to the site collection.
By default, the following objects can be assigned as authentication objects in One
Identity Manager.
• Active Directory groups (ADSGroup)
• Active Directory user accounts (ADSAccount)
• LDAP groups (LDAPGroup)
• LDAP user accounts (LDAPAccount)
During synchronization, One Identity Manager tries to assign the matching
authentication object using the login name.
SharePoint access permissions are supplied in different ways in One Identity Manager,
depending on the referenced authentication object.
Case 1: The associated authentication object is a group. The authentication system is
managed in One Identity Manager. (Default case)
• The user account represents an Active Directory or LDAP group. This group can be
  assigned in One Identity Manager as the authentication object.
• The user account cannot be assigned to an employee. This means that the user account
  can only become a member of SharePoint roles and groups through direct assignment.
• In order for an employee to log in to the SharePoint system, they require an Active
  Directory or LDAP user account. This user account must be a member of the Active
  Directory or LDAP group.
• A new SharePoint user account can be created manually.
• The user account cannot be managed through an account definition.
Case 2: The authentication object is a user account. The authentication system is
managed in One Identity Manager.
• The user account represents an Active Directory or LDAP user account. The user
  account is not assigned as an authentication object in One Identity Manager.
• The SharePoint user account can be assigned to an employee. This means that the user
  account can become a member of SharePoint roles and groups through inheritance and
  direct assignment.
  If an authentication object is assigned, the connected employee is found through the
  authentication object.
  If there is no authentication object assigned, the employee can be assigned
  automatically or manually. Automatic employee assignment depends on the
  configuration parameters "TargetSystem\SharePoint\PersonAutoFullsync" and
  "TargetSystem\SharePoint\PersonAutoDefault".
• A new SharePoint user account can be created manually or by using an account
  definition. The Active Directory or LDAP user account used as the authentication object
  must belong to a domain trusted by the referenced authentication system.
• The user account can be managed through an account definition.
Case 3: The authentication object is a user account. The authentication system is not
managed in One Identity Manager.
• The user account cannot be assigned an authentication object.
• The user account can be manually or automatically assigned to an employee. This
  means that the user account can become a member of SharePoint roles and groups
  through inheritance and direct assignment. Automatic employee assignment depends
  on the configuration parameters "TargetSystem\SharePoint\PersonAutoFullsync" and
  "TargetSystem\SharePoint\PersonAutoDefault".
• A new SharePoint user account can be created manually or by using an account
  definition. If an account definition is used, the column templates must be customized
  for the columns SPSUser.LoginName and SPSUser.DisplayName.
• The user account can be managed through an account definition.
The basics of managing employees and user accounts are described in the One Identity
Manager Target System Base Module Administration Guide.
Supported User Account Types
Different types of user accounts, such as default user accounts, administrative user
accounts or service accounts, can be mapped in One Identity Manager.
The following properties are used for mapping different user account types.
• Identity (column IdentityType)
  The identity describes the type of user account.
  Table 23: Identities of User Accounts
  Identity: Description (value of the column "IdentityType")
  Primary identity: Employee's default user account. ("Primary")
  Organizational identity: Secondary user account used for various roles within the
  organization, for example in sub-agreements with other functional areas.
  ("Organizational")
  Personalized admin identity: User account with administration rights used by one
  person. ("Admin")
  Sponsored identity: User account used, for example, for training purposes. ("Sponsored")
  Shared identity: User account with administration rights used by several people.
  ("Shared")
  Service identity: Service account. ("Service")
• Privileged user account (column IsPrivilegedAccount)
  Use this option to flag user accounts with special, privileged permissions. This
  includes administrative user accounts or service accounts, for example. This option
  is not used to flag default user accounts.
Default User Accounts
Normally, each employee obtains a default user account, which has the permissions they
require for their regular work. The user accounts are linked to the employee. By default,
the link between employee and SharePoint user account is set up through the
authentication objects to which the user account is assigned. Alternatively, employees can
also be directly linked to the user accounts. Such user accounts can be managed through
account definitions. The effect of the link and the scope of the employee’s inherited
properties on the user accounts can be configured through an account definition and its
manage levels.
To create default user accounts through account definitions
1. Create an account definition and assign the manage level "Unmanaged" or "Full
   managed" to it.
2. Specify, for each manage level, the effect that temporarily or permanently disabling
   or deleting an employee, or the employee's security risk, has on its user accounts and
   group memberships.
3. Create a formatting rule for IT operating data.
   An account definition specifies which rules are used to generate the IT operating data,
   for example, whether the container for a user account is made up of the employee's
   department, cost center, location or business role, and which default values will be
   used if no IT operating data can be found through the employee's primary roles.
   Which IT operating data is required depends on the target system. The following
   settings are recommended for default user accounts:
   • Use the default value "1" in the formatting rule for the column IsGroupAccount
     and set the option Always use default value.
   • Use the default value "primary" in the formatting rule for the column
     IdentityType and set the option Always use default value.
4. Enter the effective IT operating data for the target system. Select the concrete target
   system under Effects on.
   Specify in the departments, cost centers, locations or business roles which IT
   operating data should apply when you set up a user account.
5. Assign the account definition to employees.
   When the account definition is assigned to an employee, a new user account is
   created through the inheritance mechanism and subsequent processing.
Administrative User Accounts
An administrative user account must be used for certain administrative tasks.
Administrative user accounts are normally predefined in the target system and have fixed
identifiers and login names, for example, "Administrator".
Administrative user accounts are loaded through synchronization into the One Identity
Manager. To assign a manager to administrative user accounts, assign an employee to the
user account in One Identity Manager.
NOTE: You can automatically label administrative user accounts as privileged user
accounts. To do this, set the schedule "Mark selected user accounts as privileged" in
the Designer.
Privileged User Accounts
Privileged user accounts are used to provide employees with additional privileges. This
includes administrative user accounts or service accounts, for example. The user accounts
are marked with the property Privileged user account (IsPrivilegedAccount).
NOTE: The criteria used to label user accounts automatically as privileged, are
defined as extensions to the view definition (ViewAddOn) on the table
TSBVAccountIsPrivDetectRule (table type "Union"). The evaluation is done in the script
TSB_SetIsPrivilegedAccount.
To create privileged users through account definitions
1. Create an account definition. Create a new manage level for privileged user accounts
and assign this manage level to the account definition.
2. If you want to prevent properties for privileged user accounts being overwritten, set
the property IT operating data overwrites for the manage level, to the value
"Only initially". In this case, the properties are populated just once when the user
accounts is created.
3. Specify the effect of temporarily or permanently disabling, deleting or the
security risk of an employee on its user accounts and group memberships for
each manage level.
4. Create a formatting rule for IT operating data.
An account definition specifies which rules are used to generate the IT operating data
for example, whether the container for a user account is made up of the employee's
department, cost center, location or business role and which default values will be
used if no IT operating data can be found through the employee's primary roles.
Which IT operating data is required, depends on the target system. The following
settings are recommended for privileged user accounts:
   • Use the default value "1" in the formatting rule for the column
     IsPrivilegedAccount and set the option Always use default value.
   • You can also specify a formatting rule for the column IdentityType. The column
     has different permitted values, which represent the user account types.
   • To prevent privileged user accounts from inheriting default user groups, define a
     template for the column IsGroupAccount with the default value "0" and set the
     option Always use default value.
5. Enter the effective IT operating data for the target system.
Specify in the departments, cost centers, locations or business roles, which IT
operating data should apply when you set up a user account.
6. Assign the account definition directly to employees who work with privileged
user accounts.
When the account definition is assigned to an employee, a new user account is
created through the inheritance mechanism and subsequent processing.
NOTE: Specify a formatting rule for a naming schema if it is required by the company
for privileged user account login names.
Entering Master Data for SharePoint User Accounts
Each SharePoint user account represents an object from an authentication system. This
object can be a group or a user. Group authenticated and user authenticated user
accounts are selected separately in the navigation.
To edit the properties of a group authenticated user account
1. Select the category SharePoint | User accounts (group authenticated).
2. Select the user account in the result list and run the task Change master data.
   - OR - Click in the result list toolbar.
3. Edit the user account's master data.
4. Save the changes.
To edit the properties of a user authenticated user account
1. Select the category SharePoint | User accounts (user authenticated).
2. Select the user account in the result list and run the task Change master data.
   - OR - Click in the result list toolbar.
3. Edit the user account's master data.
4. Save the changes.
To manually assign or create a user authenticated user account for an employee
1. Select the category Employees | Employees.
2. Select the employee in the result list and select the task Assign SharePoint user
   accounts in the task view.
3. Assign a user account.
4. Save the changes.
Detailed information about this topic
• Group Authenticated User Account Properties on page 80
• User Authenticated User Account Master Data on page 82
Group Authenticated User Account Properties
Table 24: Configuration Parameters for Setting up User Accounts
Configuration parameter: Active Meaning
QER\CalculateRiskIndex: Preprocessor relevant configuration parameter controlling
system components for calculating an employee's risk index. Changes to the parameter
require recompiling the database. If the parameter is set, values can be entered and
calculated for the risk index.
Enter the following master data for a group authenticated user account.
Table 25: Group Authenticated User Account Properties
Property: Description
Site collection: Site collection the user account is used in.
Group authenticated: Specifies whether the user account's authentication object is a
group.
Authentication object: Authentication object referencing the user account. Each
SharePoint user account represents an object from an authentication system trusted by
the SharePoint installation. If this authentication system is managed as a target system
in One Identity Manager, the SharePoint object used for authentication can be saved as
the authentication object in the user policy.
  The authentication object is assigned during automatic synchronization. You can assign
  an authentication object when setting up a new user account in the Manager. The
  authentication object cannot be changed after saving.
  The following authentication objects can be assigned to a group authenticated user
  account:
  • Active Directory groups with the group type "Security group" from the domain with
    the farm or a trusted domain
  • LDAP groups from the domain with the farm
Authentication mode: Authentication mode used for logging in on the SharePoint server
with this user account.
  The login name of new user accounts depends on the authentication mode. The
  authentication mode is set by a template. The value depends on the option
  Claims-based authentication of the associated web application. If you have defined
  custom authentication modes, select your authentication mode in the menu.
  NOTE: Modify the template for this column (SPSUser.UID_SPSAuthSystem) to assign a
  custom authentication mode to user accounts.
Display name: Any display name for the user account. By default, the display name is
taken from the authentication object's display name. Enter the display name by hand if
no authentication object is assigned.
Login name: User account login name. It is found using a template. Enter the login name
by hand if no authentication object is assigned.
  NOTE: Modify the template for this column (SPSUser.LoginName) to assign a custom
  authentication mode to user accounts.
Email address: User account email address. It is formatted using templates from the
authentication object's email address.
Risk index (calculated): Maximum risk index value of all assigned SharePoint roles and
groups. This property is only visible if the configuration parameter
"QER\CalculateRiskIndex" is set. For more detailed information, see the One Identity
Manager Risk Assessment Administration Guide.
Category: Categories for the inheritance of groups by the user account. Select one or
more categories from the menu. Groups can be selectively inherited by user accounts. To
do this, groups and user accounts or contacts are divided into categories.
Advice: Spare text box for additional explanation.
Identity: User account's identity type.
  Table 26: Permitted values for the identity.
  Value: Description
  Primary identity: Employee's default user account.
  Organizational identity: Secondary user account used for different roles in the
  organization, for example for subcontracts with other functional areas.
  Personalized admin identity: User account with administrative permissions, used by
  one employee.
  Sponsored identity: User account that is used for training purposes, for example.
  Shared identity: User account with administrative permissions, used by several
  employees.
  Service identity: Service account.
Privileged user account: Specifies whether this is a privileged user account.
Administrator: Specifies whether the user account is a site collection administrator.
Auditor: Specifies whether the user account is a site collection auditor.
Detailed information about this topic
• Authentication Modes on page 35
• Specifying Categories for Inheriting SharePoint Groups on page 68
• Supported User Account Types on page 76
• One Identity Manager Identity Management Base Module Administration Guide
User Authenticated User Account Master Data
Table 27: Configuration Parameters for Setting up User Accounts
Configuration parameter: Active Meaning
QER\CalculateRiskIndex: Preprocessor relevant configuration parameter controlling
system components for calculating an employee's risk index. Changes to the parameter
require recompiling the database. If the parameter is set, values can be entered and
calculated for the risk index.
Enter the following master data for a user authenticated user account.
Table 28: User Authenticated User Account Master Data
Property: Description
Employee: Employee that uses this user account. An employee is already entered if the
user account was generated by an account definition. If you create the user account
manually, you can select an employee in the menu. If an authentication object is
assigned, the connected employee is found through the authentication object by using a
template. If there is no authentication object assigned, the employee can be assigned
automatically or manually.
Manage level: User account's manage level. Select a manage level from the menu. You
can only specify the manage level if you have also entered an account definition. All
manage levels of the selected account definition are available in the menu.
Account definition: Account definition through which the user account was created.
  Use the account definition to automatically fill user account master data and to
  specify a manage level for the user account. One Identity Manager finds the IT
  operating data of the assigned employee and enters it in the corresponding fields in
  the user account.
  NOTE: The account definition cannot be changed once the user account has been
  saved.
  To create the user account manually through an account definition, enter an employee
  in the Employee box. You can select all the account definitions assigned to this
  employee through which no user account has yet been created for this employee.
  NOTE: If employees obtain their SharePoint user accounts through account
  definitions, the employees must own user accounts in the Active Directory domain or
  LDAP domain. This domain is stored in the SharePoint farm in which the SharePoint
  user accounts are to be created.
Site collection: Site collection the user account is used in.
Group authenticated: Specifies whether the user account's authentication object is a
group. This option is disabled for user authenticated user accounts.
Authentication object: Authentication object referencing the user account. Each
SharePoint user account represents an object from an authentication system trusted by
the SharePoint installation. If this authentication system is managed as a target system
in One Identity Manager, the SharePoint object used for authentication can be saved as
the authentication object in the user policy.
  The authentication object is assigned during automatic synchronization. You can assign
  an authentication object when setting up a new user account in the Manager. The
  authentication object cannot be changed after saving.
  The following authentication objects can be assigned to a user authenticated user
  account:
  • Active Directory user accounts from the domain with the farm or a trusted domain
  • LDAP user accounts from the domain with the farm
  User accounts relating to Active Directory default SIDs cannot reference
  authentication objects in One Identity Manager.
  NOTE: The SharePoint user account is also created if the user account that is used as
  authentication object is disabled or locked.
Authentication mode: Authentication mode used for logging in on the SharePoint server
with this user account.
  The login name of new user accounts depends on the authentication mode. The
  authentication mode is set by a template. The value depends on the option
  Claims-based authentication of the associated web application. If you have defined
  custom authentication modes, select your authentication mode in the menu.
  NOTE: Modify the template for this column (SPSUser.UID_SPSAuthSystem) to assign a
  custom authentication mode to user accounts.
Display name: Any display name for the user account. By default, the display name is
taken from the authentication object's display name. Enter the display name by hand if
no authentication object is assigned.
Login name: User account login name. It is found using a template. Enter the login name
by hand if no authentication object is assigned.
  NOTE: Modify the template for this column (SPSUser.LoginName) to assign a custom
  authentication mode to user accounts.
Email address: User account email address. It is formatted using templates from the
authentication object's email address.
Risk index (calculated): Maximum risk index value of all assigned SharePoint roles and
groups. This property is only visible if the configuration parameter
"QER\CalculateRiskIndex" is set. For more detailed information, see the One Identity
Manager Risk Assessment Administration Guide.
Category: Categories for the inheritance of groups by the user account. Select one or
more categories from the menu. Groups can be selectively inherited by user accounts. To
do this, groups and user accounts or contacts are divided into categories.
Advice: Spare text box for additional explanation.
Identity: User account's identity type.
  Table 29: Permitted values for the identity.
  Value: Description
  Primary identity: Employee's default user account.
  Organizational identity: Secondary user account used for different roles in the
  organization, for example for subcontracts with other functional areas.
  Personalized admin identity: User account with administrative permissions, used by
  one employee.
  Sponsored identity: User account that is used for training purposes, for example.
  Shared identity: User account with administrative permissions, used by several
  employees.
  Service identity: Service account.
Privileged user account: Specifies whether this is a privileged user account.
Groups can be inherited: Specifies whether the user account can inherit SharePoint
roles and groups through the employee. If this option is set, the user account inherits
SharePoint roles and groups through hierarchical roles or IT Shop requests.
  • If you add an employee with a user account to a department, for example, and you
    have assigned groups to this department, the user account inherits these groups.
  • If an employee has requested group membership in the IT Shop and the request is
    granted approval, the employee's user account only inherits the group if the option
    is set.
Administrator: Specifies whether the user account is a site collection administrator.
Auditor: Specifies whether the user account is a site collection auditor.
Detailed information about this topic
• Setting Up Account Definitions on page 45
• Authentication Modes on page 35
• Specifying Categories for Inheriting SharePoint Groups on page 68
• Automatic Assignment of Employees to SharePoint User Accounts on page 89
• Supported User Account Types on page 76
• One Identity Manager Identity Management Base Module Administration Guide
Additional Tasks for Managing
SharePoint User Accounts
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of SharePoint User Accounts
To obtain an overview of a user account
1. Select the category SharePoint | User accounts (group authenticated) or
SharePoint | User accounts (user authenticated).
2. Select the user account in the result list.
3. Select SharePoint user account overview in the task view.
Assigning SharePoint Groups Directly to SharePoint User Accounts
Groups can be assigned directly or indirectly to a user account. Indirect assignment is
carried out by allocating the employee and groups to hierarchical roles, like departments,
cost centers, locations or business roles. If the employee has a SharePoint user account,
groups in the hierarchical roles are inherited by this user account. Groups can only be
directly assigned to group authenticated user accounts.
Only groups from the site collection to which the user account belongs can be assigned.
To assign groups directly to user accounts
1. Select the category SharePoint | User accounts (group authenticated) or
   SharePoint | User accounts (user authenticated).
2. Select the user account in the result list.
3. Select Assign groups in the task view.
4. Assign groups in Add assignments.
   - OR - Remove groups from Remove assignments.
5. Save the changes.
Related Topics
• Assigning SharePoint Roles directly to User Accounts on page 87
• Assigning SharePoint Groups to SharePoint User Accounts on page 98
Assigning SharePoint Roles directly to User Accounts
SharePoint roles can be assigned directly or indirectly to a user account. Indirect
assignment is carried out by assigning the employee and SharePoint roles to hierarchical
roles, like departments, cost centers, locations or business roles. If the employee has a
SharePoint user account, the SharePoint roles in the hierarchical roles are inherited by
the user account. SharePoint roles can only be directly assigned to group authenticated
user accounts.
Only SharePoint roles from the site collection to which the user account belongs can
be assigned.
NOTE: SharePoint roles that reference permission levels set with the Hidden option
cannot be assigned to user accounts.
To assign SharePoint roles directly to user accounts
1. Select the category SharePoint | User accounts (group authenticated) or
   SharePoint | User accounts (user authenticated).
2. Select the user account in the result list.
3. Select Assign SharePoint roles in the task view.
4. Assign roles in Add assignments.
   - OR - Remove roles from Remove assignments.
5. Save the changes.
Related Topics
• Assigning SharePoint Groups Directly to SharePoint User Accounts on page 86
• Entering Master Data for SharePoint Permission Levels on page 113
Assigning Extended Properties
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for a user account
1. Select the category SharePoint | User accounts (group authenticated) or
SharePoint | User accounts (user authenticated).
2. Select the user account in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
- OR Remove extended properties from Remove assignments.
5. Save the changes.
Detailed information about this topic
• One Identity Manager Identity Management Base Module Administration Guide
Using Custom Authentication Modes
When user accounts are added, the values of various master data are determined using
templates. During synchronization, One Identity Manager tries to identify and classify an
authentication object using user account properties. To use custom authentication modes,
the templates of several columns must be modified as necessary. Create custom
templates so that authentication modes can be assigned automatically to user accounts and
the login names can be formatted correctly.
To use custom authentication modes
1. Modify the template for the column SPSUser.UID_SPSAuthSystem (authentication mode)
   in the Designer.
2. Check the templates of the columns SPSUser.ObjectKeyNamespaceItem (authentication
   object) and SPSUser.LoginName (login name) and modify them if necessary.
Detailed information about this topic
• Authentication Modes on page 35
• One Identity Manager Configuration Guide
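The classification step described above (deriving the authentication mode, whether the account is group authenticated, and which authentication object a login name points at) is illustrated by the following Python sketch. It is an added example, not One Identity Manager code and not a template from the product; the claims-encoding prefixes are SharePoint's own, while the mapping of forms-based providers to the LDAP tables and the list of default SIDs are assumptions made for this example.

```python
"""Classify SharePoint login names (SPSUser.LoginName) for synchronization.

Constructed example, not One Identity Manager code. Claims-based login names
use SharePoint's own encoding:
  i:0#.w|DOMAIN\\user     Windows user  (identity claim, logon name)
  c:0+.w|S-1-5-21-...     Windows group (group claim, SID)
  i:0#.f|provider|user    forms-based user (membership provider)
  c:0-.f|provider|role    forms-based role (role provider)
Classic-mode login names are plain "DOMAIN\\name" and do not encode whether
the object is a user or a group, so the table must be found by lookup.
"""
from dataclasses import dataclass
from typing import Optional
import re

# Assumed list of Active Directory default SIDs (Everyone, Authenticated
# Users, Anonymous, Interactive). Per the guide, accounts tied to default
# SIDs cannot reference an authentication object. Not exhaustive.
DEFAULT_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-7", "S-1-5-4"}

# <kind>:0<claim type><value type><issuer>|<value>
CLAIMS_RE = re.compile(
    r"^(?P<kind>[ic]):0(?P<ctype>.)(?P<vtype>.)(?P<issuer>[a-z])\|(?P<value>.+)$"
)
CLASSIC_RE = re.compile(r"^(?P<domain>[^\\|:]+)\\(?P<name>[^\\|:]+)$")


@dataclass(frozen=True)
class AuthObjectHint:
    authentication_mode: str             # "claims" or "classic"
    group_authenticated: Optional[bool]  # None: not derivable (classic)
    namespace: str                       # candidate table or "unknown"
    identifier: str                      # value to look up in that table
    can_reference_auth_object: bool      # False for default SIDs


def classify_login_name(login_name: str) -> AuthObjectHint:
    """Return the authentication hint for one login name."""
    m = CLAIMS_RE.match(login_name)
    if m:
        is_group = m.group("kind") == "c"
        issuer, value = m.group("issuer"), m.group("value")
        if issuer == "w":
            # Windows issuer: users carry DOMAIN\name, groups carry the SID
            namespace = "ADSGroup" if is_group else "ADSAccount"
            identifier = value
        elif issuer == "f":
            # Forms issuer: "<provider>|<name>"; assumed to map to LDAP
            provider, _, identifier = value.partition("|")
            if not provider or not identifier:
                raise ValueError(f"malformed forms claim: {login_name!r}")
            namespace = "LDAPGroup" if is_group else "LDAPAccount"
        else:
            # Trusted/SAML providers: no default table in this example
            namespace, identifier = "unknown", value
        linkable = namespace != "unknown" and identifier.upper() not in DEFAULT_SIDS
        return AuthObjectHint("claims", is_group, namespace, identifier, linkable)

    if CLASSIC_RE.match(login_name):
        # Classic mode: name lookup in ADSAccount and ADSGroup still needed
        return AuthObjectHint("classic", None, "unknown", login_name, True)

    raise ValueError(f"unrecognised SharePoint login name: {login_name!r}")


def automatic_employee_assignment_allowed(hint: AuthObjectHint,
                                          has_authentication_object: bool) -> bool:
    """Prerequisites named in the guide: the account is not group
    authenticated and has no authentication object assigned."""
    return hint.group_authenticated is not True and not has_authentication_object
```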
Automatic Assignment of Employees to SharePoint User Accounts
Table 30: Configuration Parameters for Automatic Employee Assignment
Configuration parameter: Meaning
TargetSystem\SharePoint\PersonAutoFullSync: This configuration parameter specifies the
mode for automatic employee assignment for user accounts added to or updated in the
database through synchronization.
TargetSystem\SharePoint\PersonAutoDefault: This configuration parameter specifies the
mode for automatic employee assignment for user accounts added to the database outside
synchronization.
When you add a user authenticated user account, an existing employee can be assigned
automatically. This mechanism can follow on after a new user account has been created
manually or through synchronization. Define criteria for finding employees to apply to
automatic employee assignment. If a user account is linked to an employee through the
current mode, the user account is given, through an internal process, the default
manage level of the account definition entered in the user account's target system. You
can customize user account properties depending on how the behavior of the manage
level is defined.
If you run this procedure during working hours, automatic assignment of employees to
user accounts takes place from that moment onwards. If you disable the procedure again
later, the changes only affect user accounts added or updated after this point in time.
Existing employee assignment to user accounts remain intact.
NOTE: It is not recommended to assign employees to administrative user accounts using
automatic employee assignment. Use the task Change master data to assign an employee to
an administrative user account.
Prerequisites:
- The option Group authenticated is not set in the user accounts.
- The user accounts are not assigned an authentication object.
Run the following tasks to assign employees automatically.
- If employees can be assigned to user accounts during synchronization, set the
configuration parameter "TargetSystem\SharePoint\PersonAutoFullSync" in the Designer and
select the mode.
- If employees can be assigned to user accounts outside synchronization, set the
configuration parameter "TargetSystem\SharePoint\PersonAutoDefault" in the Designer and
select the mode.
- Assign an account definition to the site collection. Ensure the manage level to be used
is entered as the default manage level.
- Define the search criteria for employees assigned to the site collection.
NOTE:
The following applies for synchronization:
- Automatic employee assignment takes effect if user accounts are added or updated.
The following applies outside synchronization:
- Automatic employee assignment takes effect if user accounts are added.
Detailed information about this topic
- For more information, see the One Identity Manager Target System Base Module
Administration Guide.
Related Topics
- Creating an Account Definition on page 46
- Assigning Account Definitions to a Target System on page 59
- Editing Search Criteria for Automatic Employee Assignment on page 90
Editing Search Criteria for Automatic
Employee Assignment
Criteria for employee assignment are defined in the site collection. In this case, you
specify which user account properties must match the employee’s properties such that the
employee can be assigned to the user account. You can limit search criteria further by
using format definitions. The search criteria are written in XML notation in the column
"Search criteria for automatic employee assignment" (AccountToPersonMatchingRule) of the
SPSSite table.
Search criteria are evaluated when employees are automatically assigned to user
accounts. Furthermore, you can create a suggestion list for assignments of employees to
user accounts based on the search criteria and make the assignment directly.
NOTE: When the employees are assigned to user accounts on the basis of search
criteria, user accounts are given the default manage level of the account definition
entered in the user account's target system. You can customize user account
properties depending on how the behavior of the manage level is defined.
It is not recommended to assign employees to administrative user accounts based on
search criteria. Use the task Change master data to assign an employee to an
administrative user account.
NOTE: One Identity Manager supplies a default mapping for employee assignment.
Only carry out the following steps when you want to customize the default mapping.
To specify criteria for employee assignment
1. Select SharePoint | Site collection.
2. Select the site collection in the result list.
3. Select Define search criteria for employee assignment in the task view.
4. Specify which user account properties must match with which employee so that the
employee is linked to the user account.
Table 31: Default Search Criteria for User Accounts

Apply to | Column on Employee | Column on User Account
User accounts (user authenticated) | Central user account (CentralAccount) | Login name (LoginName)
5. Save the changes.
Direct Assignment of Employees to User Accounts Based on a
Suggestion List
You can create a suggestion list in the "Assignments" view for assignments of employees
to user accounts based on the search criteria. User accounts are grouped in different
views for this.
Table 32: Manual Assignment View

View | Description
Suggested assignments | This view lists all user accounts to which One Identity Manager can assign an employee. All employees are shown who were found using the search criteria and can be assigned.
Assigned user accounts | This view lists all user accounts to which an employee is assigned.
Without employee assignment | This view lists all user accounts to which no employee is assigned and for which no employee was found using the search criteria.
TIP: By double-clicking on an entry in the view, you can view the user account and
employee master data.
To apply search criteria to user accounts
- Click Reload.
All possible assignments based on the search criteria are found in the target system
for all user accounts. The three views are updated.
To assign employees directly over a suggestion list
1. Click Suggested assignments.
a. Click Select for all user accounts to be assigned to the suggested employee.
Multi-select is possible.
b. Click Assign selected.
c. Confirm the security prompt with Yes.
The selected user accounts are assigned to the employees found using the
search criteria.
– OR –
2. Click No employee assignment.
a. Click Select employee... for the user account to which you want to assign the
employee. Select an employee from the menu.
b. Click Select for all user accounts to which you want to assign the selected
employees. Multi-select is possible.
c. Click Assign selected.
d. Confirm the security prompt with Yes.
This assigns the selected user accounts to the employees shown in the
"Employee" column.
To remove assignments
1. Click Assigned user accounts.
a. Click Select for all user accounts whose employee assignment you want to
remove. Multi-select is possible.
b. Click Delete selected.
c. Confirm the security prompt with Yes.
The assigned employees are deleted from the selected user accounts.
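The following Python block is an added illustration of the matching described in the two sections above (search criteria and the suggestion list); it is not One Identity Manager code. It represents the search criteria as (employee column, user account column) pairs instead of the XML stored in SPSSite.AccountToPersonMatchingRule (a simplification, and the case-insensitive comparison is an assumption), applies the prerequisites from this chapter (group authenticated accounts and accounts with an authentication object are never matched automatically), sorts constructed sample accounts into the three views of the Assignments form, and applies a selection the way "Assign selected" does. The manage level name and all sample data are constructed.

```python
"""Suggestion list for automatic employee assignment (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Employee:
    uid_person: str
    central_account: str             # Person.CentralAccount


@dataclass
class SPSUser:
    uid: str
    login_name: str                  # SPSUser.LoginName
    group_authenticated: bool = False
    has_auth_object: bool = False    # an authentication object is already linked
    uid_person: Optional[str] = None
    manage_level: Optional[str] = None


# Search criteria as (employee column, user account column) pairs. This is a
# simplified stand-in (assumption) for the XML in SPSSite.AccountToPersonMatchingRule;
# the single pair below is the default mapping from Table 31.
DEFAULT_CRITERIA: Sequence[Tuple[str, str]] = (("central_account", "login_name"),)


def eligible(acc: SPSUser) -> bool:
    """Prerequisites: not group authenticated and no authentication object assigned."""
    return not acc.group_authenticated and not acc.has_auth_object


def find_employees(acc: SPSUser, employees: Sequence[Employee],
                   criteria: Sequence[Tuple[str, str]] = DEFAULT_CRITERIA) -> List[Employee]:
    """All employees whose criteria columns match the account (case-insensitive: assumption)."""
    def matches(emp: Employee) -> bool:
        return all(str(getattr(emp, ec)).lower() == str(getattr(acc, ac)).lower()
                   for ec, ac in criteria)
    return [emp for emp in employees if matches(emp)]


def build_views(accounts: Sequence[SPSUser], employees: Sequence[Employee],
                criteria: Sequence[Tuple[str, str]] = DEFAULT_CRITERIA) -> Dict[str, object]:
    """The three views of the Assignments form: suggested, assigned, without employee."""
    suggested: Dict[str, List[str]] = {}
    assigned: List[str] = []
    without: List[str] = []
    for acc in accounts:
        if acc.uid_person is not None:
            assigned.append(acc.uid)
            continue
        found = find_employees(acc, employees, criteria) if eligible(acc) else []
        if found:
            suggested[acc.uid] = [e.uid_person for e in found]
        else:
            without.append(acc.uid)
    return {"suggested": suggested, "assigned": assigned, "without": without}


def assign_selected(accounts: Sequence[SPSUser], selection: Dict[str, str],
                    default_manage_level: str = "Unmanaged") -> List[str]:
    """Assign the selected accounts (account uid -> employee uid). The account receives the
    default manage level of the account definition (the level name is an assumption)."""
    done: List[str] = []
    for acc in accounts:
        if acc.uid in selection:
            acc.uid_person = selection[acc.uid]
            acc.manage_level = default_manage_level
            done.append(acc.uid)
    return done


# Constructed sample data.
EMPLOYEES = [Employee("P1", "DOE-J"), Employee("P2", "SMITH-A")]
ACCOUNTS = [
    SPSUser("U1", "doe-j"),                                # matches P1
    SPSUser("U2", "SMITH-A", group_authenticated=True),    # not eligible (group authenticated)
    SPSUser("U3", "SMITH-A", has_auth_object=True),        # not eligible (authentication object)
    SPSUser("U4", "svc-search"),                           # eligible, but no employee found
    SPSUser("U5", "ROE-R", uid_person="P3"),               # already assigned
]
```

Running build_views on the sample data lists only U1 as a suggested assignment although U2 and U3 carry a matching login name; that is the effect of the two prerequisites, and it is why administrative or service accounts should be assigned by hand with Change master data rather than by search criteria.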
Deleting and Restoring SharePoint
User Accounts
NOTE: As long as an account definition for an employee is valid, the employee retains
the user account that was created by it. If the account definition assignment is
removed, the user account created through this account definition, is deleted.
To delete a user account
1. Select the category SharePoint | User accounts (group authenticated) or
SharePoint | User accounts (user authenticated).
2. Select the user account in the result list.
3. Click the delete icon to delete the user account.
4. Confirm the security prompt with Yes.
To restore user account
1. Select the category SharePoint | User accounts (group authenticated) or
SharePoint | User accounts (user authenticated).
2. Select the user account in the result list.
3. Click the restore icon in the result list toolbar.
When an authentication object assigned to a SharePoint user account is deleted from the
One Identity Manager database, the link to the authentication object is removed from the
SharePoint user account. Define a custom process to delete these user accounts from the
One Identity Manager database.
Configuring Deferred Deletion
By default, user accounts are finally deleted from the database after 30 days. The user
accounts are initially only marked for deletion. You can restore the user accounts until
deferred deletion is run. After deferred deletion is run, the user accounts are deleted from
the database and cannot be restored anymore. You can configure an alternative deletion
delay on the table SPSUser in the Designer.
NOTE: SharePoint user accounts cannot be locked. A user account marked for
deletion remains enabled until deferred deletion has expired and the user account is
finally deleted from the One Identity Manager database.
Lock the user account linked to the SharePoint user account as authentication object
to prevent a user from logging into a site when the SharePoint user account is
marked for deletion.
8 SharePoint Roles and Groups
User accounts inherit SharePoint permissions through SharePoint roles and SharePoint
groups. SharePoint groups are always defined for one site collection in this way.
SharePoint roles are defined for sites. They are assigned to groups and the user accounts
that are members of these groups, inherit SharePoint permissions through them.
SharePoint roles can also be assigned directly to user accounts. User account permissions
on individual sites in a site collection are restricted through the SharePoint roles that are
assigned to it.
Terms
- A SharePoint role is the permission level linked to a fixed site.
- The assignment of SharePoint permissions to a permission level is called a role
definition.
- The assignment of user accounts or groups to a SharePoint role is called a role
assignment.
Child sites can inherit the permissions that user accounts have on their parent site. Every
root site of a site collection, and every site that has a child site, is a parent (inheritance)
site. This permits the following scenarios:
1. The child site inherits role definitions and role assignments.
The permission levels and role definitions, as well as the role assignments, of the parent
(inheritance) site apply. Users and groups cannot be explicitly authorized for the site.
Only user accounts that have permissions for the parent (inheritance) site have access to
the child site.
2. The child site inherits the role definitions but not the role assignments.
You cannot define unique permission levels for the child site. The SharePoint roles for
this site reference the permission levels of the parent (inheritance) site and its role
definitions. User accounts and groups can be assigned to the SharePoint roles of the
child site on this basis. If unique permission levels are defined for the child site, they
are overwritten by the inherited permission levels.
3. The child site does not inherit role definitions or role assignments.
In this case, unique permission levels with their role definitions can be added in the
same way as for the root site. The SharePoint roles based on them are assigned to user
accounts and groups.
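The Python block below is an added illustration of the three inheritance scenarios above; it is not One Identity Manager or SharePoint code. Each site records which of the three scenarios applies to it, a user's effective permissions on a site are resolved from the inherited or unique permission levels (role definitions) and role assignments, and group memberships are taken into account. The site tree, permission level names, permissions and memberships are constructed sample data.

```python
"""Effective permissions on a site for the three inheritance scenarios (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Site:
    url: str
    parent: Optional["Site"]
    # "all":         scenario 1, inherit role definitions and role assignments
    # "definitions": scenario 2, inherit role definitions, own role assignments
    # "none":        scenario 3, unique permission levels and own role assignments (and the root)
    inherit: str
    # permission level name -> permissions (role definition)
    definitions: Dict[str, Set[str]] = field(default_factory=dict)
    # principal (user account or group name) -> permission level names (role assignment)
    assignments: Dict[str, Set[str]] = field(default_factory=dict)


def resolve_definitions(site: Site) -> Dict[str, Set[str]]:
    """Scenarios 1 and 2 use the parent's permission levels; only scenario 3 uses its own.
    Unique levels entered on a child in scenario 2 are ignored (overwritten by inheritance)."""
    if site.parent is None or site.inherit == "none":
        return site.definitions
    return resolve_definitions(site.parent)


def resolve_assignments(site: Site) -> Dict[str, Set[str]]:
    """Only scenario 1 takes the parent's role assignments."""
    if site.parent is None or site.inherit != "all":
        return site.assignments
    return resolve_assignments(site.parent)


def effective_permissions(site: Site, user: str, groups: Set[str]) -> Set[str]:
    """Union of the permissions of every level assigned to the user or one of its groups."""
    defs = resolve_definitions(site)
    assigns = resolve_assignments(site)
    perms: Set[str] = set()
    for principal in {user} | groups:
        for level in assigns.get(principal, set()):
            perms |= defs.get(level, set())   # a level unknown on this site grants nothing
    return perms


# Constructed sample site collection.
ROOT = Site("/", None, "none",
            definitions={"Full Control": {"read", "write", "manage"}, "Read": {"read"}},
            assignments={"Owners": {"Full Control"}, "Visitors": {"Read"}})
HR = Site("/hr", ROOT, "all")                                   # scenario 1
PAYROLL = Site("/hr/payroll", HR, "definitions",                # scenario 2
               definitions={"Payroll Edit": {"read", "write"}},  # ignored: overwritten
               assignments={"alice": {"Full Control"}, "carol": {"Payroll Edit"}})
PROJECTS = Site("/projects", ROOT, "none",                       # scenario 3
                definitions={"Contribute": {"read", "write"}},
                assignments={"Visitors": {"Contribute"}})
MEMBERS: Dict[str, Set[str]] = {"alice": {"Visitors"}, "bob": {"Owners"}}


def permissions_of(user: str, site: Site) -> Set[str]:
    return effective_permissions(site, user, MEMBERS.get(user, set()))
```

On /hr/payroll, bob loses the Full Control he holds on the parent because scenario 2 discards inherited role assignments, while carol's assignment to the unique "Payroll Edit" level grants nothing because that level is overwritten by the inherited ones. When reviewing a site collection, those two cases are where a permission that looks correct on the parent silently stops or never starts applying.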
Figure 2: SharePoint User Accounts Inheriting SharePoint Permissions in the
One Identity Manager
SharePoint Groups
You can use groups in SharePoint to provide users with the same permissions. Groups that
you add for site collections are valid for all sites in that site collection. SharePoint roles
that you define for a site are assigned directly to groups. All user accounts that are
members of these groups obtain the permissions defined in the SharePoint roles for this
site.
You can edit the following group data in the One Identity Manager:
- Object properties like display name, owner or visibility of memberships
- Assigned SharePoint roles and user accounts
- Usage in the IT Shop
- Risk assessment
- Inheritance through roles and inheritance restrictions
To edit group master data
1. Select the category SharePoint | Groups.
2. Select the group in the result list. Select Change master data in the task view.
- OR Click the edit icon in the result list toolbar.
3. Enter the required data on the master data form.
4. Save the changes.
Detailed information about this topic
- Entering Master Data for SharePoint Groups on page 96
Related Topics
- SharePoint Roles and Groups on page 94
Entering Master Data for SharePoint Groups
Table 33: Configuration Parameters for Setting Up SharePoint Groups

Configuration parameter | Meaning
QER\CalculateRiskIndex | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is set, values can be entered and calculated for the risk index.
Enter the following master data for a group.
Table 34: SharePoint Group Master Data

Property | Description
Display name | Display name of the group.
Site collection | Site collection the group is used in.
Owner | Owner of the group. A SharePoint user account or a SharePoint group can be selected.
Service item | Service item data for requesting the group through the IT Shop.
Distribution group alias | Alias of the distribution group that the group is linked to.
Distribution group email | Email address of the distribution group that the group is linked to.
Risk index | Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.
Category | Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Use this menu to allocate one or more categories to the group.
Description | Spare text box for additional explanation.
Description (HTML) | Additional information about the group in HTML format (this is displayed in SharePoint in the description field "About me").
Memberships only visible to members | Specifies whether only group members can see the list of members.
Group members can edit memberships | Specifies whether all group members can edit the group memberships.
Request for membership permitted | Specifies whether SharePoint users can request or end membership in this group themselves.
Automatic membership on request | Specifies whether SharePoint users automatically become members of the group once they request membership. The same applies when users end their membership.
Email address for membership requests | Email address that group membership requests or cancellations are sent to.
IT Shop | Specifies whether the group can be requested through the IT Shop. The group can be requested by staff through the Web Portal and granted through a defined approval process. The group can still be assigned directly to hierarchical roles.
Only for use in IT Shop | Specifies whether the group can only be requested through the IT Shop. The group can be requested by staff through the Web Portal and granted through a defined approval process. The group may not be assigned directly to hierarchical roles.
Detailed information about this topic
- Specifying Categories for Inheriting SharePoint Groups on page 68
- SharePoint Group Inheritance Based on Categories on page 109
- One Identity Manager IT Shop Administration Guide
- One Identity Manager Risk Assessment Administration Guide
Assigning SharePoint Groups to SharePoint
User Accounts
Groups can be assigned directly or indirectly to employees. In the case of indirect
assignment, employees and groups are arranged in hierarchical roles. The number of
groups assigned to an employee is calculated from the position in the hierarchy and the
direction of inheritance.
If you add an employee to hierarchical roles and the employee owns a user authenticated
user account, the user account is added to the group. Prerequisites for indirect assignment
of employees to user accounts:
- Assignment of employees and groups is permitted for role classes (department, cost
center, location or business role).
- The option Group authenticated is not set in the user accounts.
- User accounts are marked with the option Groups can be inherited.
- User accounts and groups belong to the same site collection.
Furthermore, groups can be assigned to employees through IT Shop requests. Add
employees to a shop as customers so that groups can be assigned through IT Shop
requests. All groups assigned to this shop can be requested by the customers.
Requested groups are assigned to the employees after approval is granted.
Detailed information about this topic
- Assigning SharePoint Groups to Departments, Cost Centers and Locations on page 99
- Assigning SharePoint Groups to Business Roles on page 100
- Assigning SharePoint User Accounts directly to an SharePoint Group on page 101
- Assigning SharePoint Roles to SharePoint Groups on page 102
- Adding SharePoint Groups to System Roles on page 102
- Adding SharePoint Groups to the IT Shop on page 103
- Adding SharePoint Groups automatically to the IT Shop on page 105
- One Identity Manager Identity Management Base Module Administration Guide
Assigning SharePoint Groups to Departments,
Cost Centers and Locations
Assign groups to departments, cost centers and locations in order to assign user accounts
to them through these organizations.
To assign a group to departments, cost centers or locations (non role-based login)
1. Select the category SharePoint | Groups.
2. Select the group in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost center tab.
- OR Remove the organizations from Remove assignments.
5. Save the changes.
To assign groups to a department, cost center or location (role-based login)
1. Select the category Organizations | Departments.
- OR Select the category Organizations | Cost centers.
- OR Select the category Organizations | Locations.
2. Select the department, cost center or location in the result list.
3. Select Assign SharePoint groups.
4. Assign groups in Add assignments.
- OR Remove assignments to groups in Remove assignments.
5. Save the changes.
Related Topics
- Assigning SharePoint Groups to Business Roles on page 100
- Assigning SharePoint User Accounts directly to an SharePoint Group on page 101
- Assigning SharePoint Roles to SharePoint Groups on page 102
- Adding SharePoint Groups to System Roles on page 102
- Adding SharePoint Groups to the IT Shop on page 103
- Adding SharePoint Groups automatically to the IT Shop on page 105
- One Identity Manager Users for Managing an SharePoint on page 9
Assigning SharePoint Groups to Business Roles
Installed Module: Business Roles Module
You assign groups to business roles in order to assign them to user accounts over
business roles.
To assign a group to a business role (non role-based login)
1. Select the category SharePoint | Groups.
2. Select the group in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR Remove business roles from Remove assignments.
5. Save the changes.
To assign groups to a business role (role-based login)
1. Select the category Business roles | <Role class>.
2. Select the business role in the result list.
3. Select Assign SharePoint groups.
4. Assign groups in Add assignments.
- OR Remove assignments to groups in Remove assignments.
5. Save the changes.
Related Topics
- Assigning SharePoint Groups to Departments, Cost Centers and Locations on page 99
- Assigning SharePoint User Accounts directly to an SharePoint Group on page 101
- Assigning SharePoint Roles to SharePoint Groups on page 102
- Adding SharePoint Groups to System Roles on page 102
- Adding SharePoint Groups to the IT Shop on page 103
- Adding SharePoint Groups automatically to the IT Shop on page 105
- One Identity Manager Users for Managing an SharePoint on page 9
Assigning SharePoint User Accounts directly to an
SharePoint Group
Groups can be assigned directly or indirectly to user accounts. Indirect assignment can
only be used for user authenticated user accounts. Direct assignment can be used for both
group authenticated and user authenticated user accounts.
User accounts and groups must belong to the same site collection.
To assign a group directly to user accounts
1. Select the category SharePoint | Groups.
2. Select the group in the result list.
3. Select Assign user accounts in the task view.
4. Assign user accounts in Add assignments.
- OR Remove user accounts in Remove assignments.
5. Save the changes.
Related Topics
- Assigning SharePoint Groups Directly to SharePoint User Accounts on page 86
- Assigning SharePoint Groups to Departments, Cost Centers and Locations on page 99
- Assigning SharePoint Groups to Business Roles on page 100
- Assigning SharePoint Roles to SharePoint Groups on page 102
- Adding SharePoint Groups to System Roles on page 102
- Adding SharePoint Groups to the IT Shop on page 103
- Adding SharePoint Groups automatically to the IT Shop on page 105
Assigning SharePoint Roles to SharePoint Groups
In order for SharePoint user accounts to obtain permissions to individual sites, assign
SharePoint roles to the groups. SharePoint roles and groups must belong to the same site
collection.
NOTE: SharePoint roles that reference permission levels with the Hidden option
cannot be assigned to groups.
To assign SharePoint roles to a group
1. Select the category SharePoint | Groups.
2. Select the group in the result list.
3. Select Assign SharePoint roles in the task view.
4. Assign roles in Add assignments.
- OR Remove roles in Remove assignments.
5. Save the changes.
Related Topics
- Entering Master Data for SharePoint Permission Levels on page 113
- Assigning SharePoint Groups to SharePoint Roles on page 120
- Assigning SharePoint Groups to Departments, Cost Centers and Locations on page 99
- Assigning SharePoint Groups to Business Roles on page 100
- Assigning SharePoint User Accounts directly to an SharePoint Group on page 101
- Adding SharePoint Groups to System Roles on page 102
- Adding SharePoint Groups to the IT Shop on page 103
- Adding SharePoint Groups automatically to the IT Shop on page 105
Adding SharePoint Groups to System Roles
Installed Modules: System Roles Module
Use this task to add a group to system roles. If you assign a system role to employees, all
the employees' user authenticated user accounts inherit the group.
NOTE: Groups with the option Only use in IT Shop can only be assigned to system
roles that also have this option set. For more detailed information, see the One
Identity Manager System Roles Administration Guide.
To assign a group to system roles
1. Select the category SharePoint | Groups.
2. Select the group in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR Remove system roles from Remove assignments.
5. Save the changes.
Related Topics
- Assigning SharePoint Groups to Departments, Cost Centers and Locations on page 99
- Assigning SharePoint Groups to Business Roles on page 100
- Assigning SharePoint User Accounts directly to an SharePoint Group on page 101
- Assigning SharePoint Roles to SharePoint Groups on page 102
- Adding SharePoint Groups to the IT Shop on page 103
- Adding SharePoint Groups automatically to the IT Shop on page 105
Adding SharePoint Groups to the IT Shop
Once a group has been assigned to an IT Shop shelf, it can be requested by the shop
customers. To ensure it can be requested, the following prerequisites must be met.
- The group must be labeled with the option IT Shop.
- The group must be assigned to a service item.
- The group must be labeled with the option Only use in IT Shop if the group may
only be assigned to employees through IT Shop requests. Direct assignment to
hierarchical roles is then not possible.
NOTE: IT Shop administrators can assign groups to IT Shop shelves in the case of
role-based login. Target system administrators are not authorized to add groups in
the IT Shop.
To add a group to the IT Shop
1. Select the category SharePoint | Groups (non role-based login).
- OR Select the category Entitlements | SharePoint groups (role-based login).
2. Select the group in the result list.
3. Select Add to IT Shop in the task view.
4. Assign the group to the IT Shop shelves in Add assignments.
5. Save the changes.
To remove a group from individual IT Shop shelves.
1. Select the category SharePoint | Groups (non role-based login).
- OR Select the category Entitlements | SharePoint groups (role-based login).
2. Select the group in the result list.
3. Select Add to IT Shop in the task view.
4. Remove the group from the IT Shop shelves in Remove assignments.
5. Save the changes.
To remove a group from all IT Shop shelves.
1. Select the category SharePoint | Groups (non role-based login).
- OR Select the category Entitlements | SharePoint groups (role-based login).
2. Select the group in the result list.
3. Select Remove from all shelves (IT Shop) in the task view.
4. Confirm the security prompt with Yes.
5. Click OK.
This removes the group from all IT Shop shelves. All requests and assignment
requests for this group are canceled in the process.
For more detailed information about requesting company resources through the IT Shop,
see the One Identity Manager IT Shop Administration Guide.
Related Topics
- Entering Master Data for SharePoint Groups on page 96
- Adding SharePoint Groups automatically to the IT Shop on page 105
- Assigning SharePoint Groups to Departments, Cost Centers and Locations on page 99
- Assigning SharePoint Groups to Business Roles on page 100
- Assigning SharePoint User Accounts directly to an SharePoint Group on page 101
- Assigning SharePoint Roles to SharePoint Groups on page 102
- Adding SharePoint Groups to System Roles on page 102
Adding SharePoint Groups automatically to the
IT Shop
Table 35: Configuration Parameter for Automatically Adding Groups to the IT Shop

Configuration parameter | Description
QER\ITShop\GroupAutoPublish | Preprocessor relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to the parameter require recompiling the database.
To add groups automatically to the IT Shop
1. Set the configuration parameter "QER\ITShop\GroupAutoPublish" in the Designer.
2. Compile the database.
The groups are added automatically to the IT Shop from now on.
- Synchronization ensures that the groups are added to the IT Shop. If necessary, you
can manually start synchronization with the Synchronization Editor.
- New groups created in One Identity Manager are added to the IT Shop.
The following steps are run to add a group to the IT Shop.
1. A service item is determined for the group.
The service item is tested and modified for each group as required. The service item
name corresponds to the name of the group. The service item is assigned to one of
the default service categories.
- The service item is modified for groups with service items.
- Groups without service items are allocated new service items.
2. An application role for product owners is determined and assigned to the service
item. Product owners can approve requests for membership in these groups. By
default, the group's owner is established as the product owner.
NOTE: The application role for product owners must be below the application
role Request & Fulfillment | IT Shop | Product owners.
- If the group's owner is already a member of an application role for product
owners, then this application role is assigned to the service item.
- If the group's owner is not a member of a product owner application role, a
new application role is added. The name of the application role corresponds to
the name of the owner.
  - If the owner is a user account, the user account's employee is added to
the application role.
  - If the owner is a group, the employees of all user accounts in this group
are added to the application role.
- If the group does not have an owner, the default application role Request &
Fulfillment | IT Shop | Product owners | without owner in SharePoint is used.
3. The group is labeled with the option IT Shop and assigned to the IT Shop shelf
"SharePoint groups" in the shop "Identity & Access Lifecycle".
Shop customers can then request membership in these groups through the Web Portal,
and the product owners approve the requests.
NOTE: When a One Identity Manager group is irrevocably deleted from the database,
the associated service item is deleted.
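The Python block below is an added illustration of the three steps listed above; it is not One Identity Manager code and does not touch a database. It determines the service item, resolves the product owner application role for the three owner cases (owner already in a product owner role, owner without such a role, no owner), labels the group and places it on the "SharePoint groups" shelf. The in-memory store, the employee and group names and the default service category name are constructed assumptions.

```python
"""Adding a SharePoint group to the IT Shop automatically (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PRODUCT_OWNERS = "Request & Fulfillment | IT Shop | Product owners"
DEFAULT_OWNER_ROLE = PRODUCT_OWNERS + " | without owner in SharePoint"
SHOP, SHELF = "Identity & Access Lifecycle", "SharePoint groups"
DEFAULT_CATEGORY = "SharePoint groups"   # assumed name of the default service category


@dataclass
class ServiceItem:
    name: str
    category: str
    product_owner_role: Optional[str] = None


@dataclass
class SPSGroup:
    name: str
    owner: Optional[Tuple[str, str]] = None   # ("user", account name), ("group", name) or None
    it_shop: bool = False
    service_item: Optional[ServiceItem] = None
    shelves: Set[Tuple[str, str]] = field(default_factory=set)


@dataclass
class Store:
    """Constructed stand-in for the One Identity Manager database."""
    user_employee: Dict[str, str]                 # user account name -> employee uid
    group_members: Dict[str, Set[str]]            # group name -> user account names
    app_roles: Dict[str, Set[str]] = field(default_factory=dict)  # role name -> employee uids


def owner_employees(group: SPSGroup, store: Store) -> Set[str]:
    """Employee of the owning user account, or employees of all accounts in the owning group."""
    if group.owner is None:
        return set()
    kind, ref = group.owner
    if kind == "user":
        return {store.user_employee[ref]}
    return {store.user_employee[u] for u in store.group_members.get(ref, set())}


def product_owner_role(group: SPSGroup, store: Store) -> str:
    """Step 2: reuse the owner's existing product owner role, else create one named after
    the owner below Request & Fulfillment | IT Shop | Product owners, else the default role."""
    emps = owner_employees(group, store)
    if not emps:
        return DEFAULT_OWNER_ROLE
    for role, members in store.app_roles.items():
        if role.startswith(PRODUCT_OWNERS + " | ") and emps & members:
            return role
    role = f"{PRODUCT_OWNERS} | {group.owner[1]}"
    store.app_roles.setdefault(role, set()).update(emps)
    return role


def publish(group: SPSGroup, store: Store) -> SPSGroup:
    # Step 1: reuse and adjust the service item, or create one named after the group.
    if group.service_item is None:
        group.service_item = ServiceItem(group.name, DEFAULT_CATEGORY)
    else:
        group.service_item.name = group.name
    # Step 2: product owner application role.
    group.service_item.product_owner_role = product_owner_role(group, store)
    # Step 3: IT Shop label and shelf.
    group.it_shop = True
    group.shelves.add((SHOP, SHELF))
    return group


# Constructed sample store: alice already approves requests in an existing product owner role.
STORE = Store(
    user_employee={"alice": "P1", "bob": "P2", "carol": "P3"},
    group_members={"HR Owners": {"bob", "carol"}},
    app_roles={PRODUCT_OWNERS + " | Finance apps": {"P1"}},
)
```

Note what the no-owner branch means in practice: a group without an owner lands under the shared "without owner in SharePoint" role, so whoever sits in that role approves membership in every such group. Groups that protect sensitive sites should have an owner set before auto-publishing is enabled.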
Related Topics
- Adding SharePoint Groups to the IT Shop on page 103
- Assigning SharePoint Groups to Departments, Cost Centers and Locations on page 99
- Assigning SharePoint Groups to Business Roles on page 100
- Assigning SharePoint User Accounts directly to an SharePoint Group on page 101
- Assigning SharePoint Roles to SharePoint Groups on page 102
- Adding SharePoint Groups to System Roles on page 102
- One Identity Manager IT Shop Administration Guide
Additional Tasks for Managing SharePoint
Groups
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of SharePoint Groups
Use this task to obtain an overview of the most important information about a group.
To obtain an overview of a group
1. Select the category SharePoint | Groups.
2. Select the group in the result list.
3. Select SharePoint group overview in the task view.
Effectiveness of Group Memberships
Table 36: Configuration Parameter for Conditional Inheritance

Configuration parameter | Meaning
QER\Structures\Inherite\GroupExclusion | Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. The database has to be recompiled after changes have been made to the parameter.
When groups are assigned to user accounts, an employee may obtain two or more groups
that are not permitted in combination. To prevent this, you can declare mutually
exclusive groups. To do this, you specify which of the two groups should apply to the user
accounts if both are assigned.
It is possible to assign an excluded group directly, indirectly or by IT Shop request at any
time. One Identity Manager then determines whether the assignment is effective.
NOTE:
• You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes group A" is not permitted.
• You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
The effect of the assignments is mapped in the tables SPSUserInSPSGroup and
BaseTreeHasSPSGroup through the column XIsInEffect.
Example of the effect of group memberships
• The groups A, B and C are defined in a site collection.
• Group A is assigned through the department "Marketing", group B through "Finance" and group C through the business role "Control group".
Clara Harris has a user account in this site collection. She primarily belongs to the
department "Marketing". The business role "Control group" and the department "Finance"
are assigned to her secondarily. Without an exclusion definition, the user account obtains
all the permissions of groups A, B and C.
By using suitable controls, you want to prevent an employee from obtaining the authorizations
of group A and group B at the same time. That means, groups A and B are mutually
exclusive. A user who is a member of group C cannot be a member of group B at the same
time. That means, groups B and C are mutually exclusive.
Table 37: Specifying excluded groups (table SPSGroupExclusion)
Effective Group | Excluded Group
Group A |
Group B | Group A
Group C | Group B
Table 38: Effective Assignments
Employee | Member in Role | Effective Group
Ben King | Marketing | Group A
Jan Bloggs | Marketing, Finance | Group B
Clara Harris | Marketing, Finance, Control group | Group C
Jenny Basset | Marketing, Control group | Group A, Group C
Only the group C assignment is in effect for Clara Harris. It is published in the target
system. If Clara Harris leaves the business role "Control group" at a later date, group B
takes effect instead.
The groups A and C are both in effect for Jenny Basset because these two groups are not defined as
mutually exclusive. If this should not be allowed, define a further exclusion for group C.
Table 39: Excluded groups and effective assignments
Employee | Member in Role | Assigned Group | Excluded Group | Effective Group
Jenny Basset | Marketing | Group A | Group C | Group A
 | Control group | Group C | Group B |
Prerequisites
• The configuration parameter "QER\Inherite\GroupExclusion" is enabled.
• Mutually exclusive groups belong to the same site collection.
To exclude a group
1. Select the category SharePoint | Groups.
2. Select a group in the result list.
3. Select Exclude groups in the task view.
4. Assign the groups that are mutually exclusive to the selected group in Add assignments.
- OR - Remove the conflicting groups that are no longer mutually exclusive in Remove assignments.
5. Save the changes.
SharePoint Group Inheritance Based on Categories
In One Identity Manager, groups can be selectively inherited by user accounts. For this,
groups and user accounts are divided into categories. The categories can be freely selected
and are specified by a template. Each category is given a specific position within the
template. The template contains two tables; the user account table and the group table.
Use the user account table to specify categories for target system dependent user
accounts. Enter your categories for the target system dependent groups, administrative
roles, subscriptions and disabled service plans in the group table. Each table contains the category
items "Position1" to "Position31".
Every user account can be assigned to one or more categories. Each group can also be
assigned to one or more categories. The group is inherited by the user account when at
least one user account category item matches an assigned group. The group is also
inherited by the user account if the group or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when groups are
assigned indirectly through hierarchical roles. Categories are not taken into account
when groups are directly assigned to user accounts.
Table 40: Category Examples
Category Position | Categories for User Accounts | Categories for Groups
1 | Default user | Default permissions
2 | System user | System user permissions
3 | System administrator | System administrator permissions
Figure 3: Example of inheriting through categories.
To use inheritance through categories
• Define the categories in the site collection.
• Assign categories to user accounts through their master data.
• Assign categories to groups through their master data.
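The two rules described above, category matching for indirectly assigned groups and the exclusion definitions of "Effectiveness of Group Memberships", as an added Python model that is not part of this guide or of the product. It reproduces the data of Tables 37 to 39; the Assignment type, the position() bit mapping, the "Admin Account" and its category masks are constructed for the illustration.

```python
"""Model of how One Identity Manager decides which assigned SharePoint groups
take effect for a user account: category matching for indirect assignments,
then the mutual-exclusion definitions. Added example written for this page,
not the product's own code; the data reproduces Tables 37 to 39, and the
category masks and the "Admin Account" are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Assignment:
    account: str                    # user account, named after its employee here
    group: str
    via_role: Optional[str] = None  # hierarchical role; None means a direct assignment


def validate_exclusions(exclusions: Dict[str, Set[str]]) -> None:
    """Reject reciprocal pairs: "A excludes B" together with "B excludes A".
    exclusions maps an effective group to the set of groups it excludes."""
    for effective, excluded in exclusions.items():
        for group in excluded:
            if effective in exclusions.get(group, set()):
                raise ValueError(f"{effective} and {group} exclude each other")


def position(n: int) -> int:
    """Category item Position1..Position31 as one bit of a 31-bit mask."""
    if not 1 <= n <= 31:
        raise ValueError("category positions run from 1 to 31")
    return 1 << (n - 1)


def categories_match(account_mask: int, group_mask: int) -> bool:
    """A group is inherited when at least one category item matches, or when
    the account or the group is not put into any category at all."""
    if account_mask == 0 or group_mask == 0:
        return True
    return (account_mask & group_mask) != 0


def effective_groups(account: str, assignments: List[Assignment],
                     exclusions: Dict[str, Set[str]], account_cats: Dict[str, int],
                     group_cats: Dict[str, int]) -> Set[str]:
    """Groups whose membership is in effect (XIsInEffect) for the account."""
    validate_exclusions(exclusions)
    # Step 1: which assignments reach the account. Categories filter only
    # indirect assignments (through hierarchical roles), never direct ones.
    candidates = set()
    for a in assignments:
        if a.account != account:
            continue
        if a.via_role is None or categories_match(
                account_cats.get(account, 0), group_cats.get(a.group, 0)):
            candidates.add(a.group)
    # Step 2: apply the exclusion definitions in one pass over the assigned set.
    # Exclusions are not inherited, so only explicit pairs are evaluated; with
    # "C excludes B" and "B excludes A" this leaves Clara Harris with C only.
    in_effect = set(candidates)
    for effective, excluded in exclusions.items():
        if effective in candidates:
            in_effect -= excluded
    return in_effect


# Table 37: Group B excludes Group A, Group C excludes Group B.
EXCLUSIONS: Dict[str, Set[str]] = {"Group B": {"Group A"}, "Group C": {"Group B"}}

# Table 38: memberships obtained through departments and a business role.
ASSIGNMENTS = [
    Assignment("Ben King", "Group A", "Marketing"),
    Assignment("Jan Bloggs", "Group A", "Marketing"),
    Assignment("Jan Bloggs", "Group B", "Finance"),
    Assignment("Clara Harris", "Group A", "Marketing"),
    Assignment("Clara Harris", "Group B", "Finance"),
    Assignment("Clara Harris", "Group C", "Control group"),
    Assignment("Jenny Basset", "Group A", "Marketing"),
    Assignment("Jenny Basset", "Group C", "Control group"),
    # Constructed: an administrator account in category Position3 (Table 40)
    # that gets Group A indirectly and Group B directly.
    Assignment("Admin Account", "Group A", "Marketing"),
    Assignment("Admin Account", "Group B"),
]
ACCOUNT_CATEGORIES = {"Admin Account": position(3)}  # "System administrator"
GROUP_CATEGORIES = {"Group A": position(1)}          # "Default permissions"


def table_38() -> Dict[str, Set[str]]:
    """Effective groups for the four employees of Table 38."""
    return {emp: effective_groups(emp, ASSIGNMENTS, EXCLUSIONS,
                                  ACCOUNT_CATEGORIES, GROUP_CATEGORIES)
            for emp in ("Ben King", "Jan Bloggs", "Clara Harris", "Jenny Basset")}


if __name__ == "__main__":
    for employee, groups in table_38().items():
        print(f"{employee}: {sorted(groups)}")
```

Adding "Group A excludes Group C" to EXCLUSIONS reproduces Table 39 (only Group A remains in effect for Jenny Basset), and the constructed "Admin Account" shows that the category mismatch drops the indirect Group A while the direct Group B stays.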
Related Topics
• Specifying Categories for Inheriting SharePoint Groups on page 68
• User Authenticated User Account Master Data on page 82
• Group Authenticated User Account Properties on page 80
• Entering Master Data for SharePoint Groups on page 96
Assigning Extended Properties to a SharePoint Group
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for a group
1. Select the category SharePoint | Groups.
2. Select the group in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
- OR - Remove extended properties in Remove assignments.
5. Save the changes.
For more detailed information about using extended properties, see the One Identity
Manager Identity Management Base Module Administration Guide.
Deleting SharePoint Groups
To delete a group
1. Select the category SharePoint | Groups.
2. Select the group in the result list.
3. Click the delete icon to delete the group.
4. Confirm the security prompt with Yes.
The group is deleted completely from the One Identity Manager database and from
SharePoint.
SharePoint Roles and Permission Levels
You can define so-called permission levels in SharePoint to grant permissions to objects in
a site. These permission levels group together different SharePoint permissions.
Permission levels with a unique reference to a site are mapped in the One Identity Manager
database as SharePoint roles. You can assign SharePoint roles through groups, or directly
to user accounts. SharePoint users obtain their permissions for site objects in this way.
Figure 4: SharePoint Roles and Permission Levels in the One Identity Manager
Entering Master Data for SharePoint Permission Levels
To edit master data for a permission level
1. Select the category SharePoint | Permission levels.
2. Select the permission level in the result list. Select Change master data in
the task view.
- OR - Click the new icon in the result list toolbar.
3. Enter the required data on the master data form.
4. Save the changes.
Enter the following properties for a permission level on the master data form:
Table 41: Properties of a Permission Level
Property | Description
Permission level | Name of the permission level.
Site | Unique identifier for the site the permission level is added to.
Description | Spare text box for additional explanation.
Hidden | Specifies whether a SharePoint role with the permission level can be assigned to user accounts or groups.
Additional Tasks for Managing SharePoint Permission Levels
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of a SharePoint Permission Level
To obtain an overview of a permission level
1. Select the category SharePoint | Permission levels.
2. Select the permission level in the result list.
3. Select SharePoint permission level overview in the task view.
Assigning Permissions
You can assign SharePoint permission levels in One Identity Manager. Only valid
permissions for web applications can be assigned. User accounts obtain these site
permissions through a SharePoint internal inheritance procedure.
Permissions may depend on other permissions. SharePoint assigns these dependent
permissions automatically. For example, the permissions "view pages", "browse user
information" and "open" are always passed down with the permission "create groups".
NOTE: Dependent permissions cannot be automatically assigned in the One Identity
Manager.
To assign permissions to permission levels
1. Select the category SharePoint | Permission levels.
2. Select the permission level in the result list.
3. Select Assign permission in the task view.
4. Select the permissions in Add assignments.
- OR - Remove permissions in Remove assignments.
5. Save the changes.
Related Topics
• SharePoint Roles and Groups on page 94
Special Synchronization Cases for Valid Permissions
If you remove permissions from the list of valid permissions for a web application in
SharePoint, the permissions cannot be assigned to permission levels within the web
application from this point on. Assignments to permission levels that already exist for
these permissions remain intact but are not active. These permissions are deleted from the
table SPSWebAppHasPermission during synchronization. Assignments to permission levels that
already exist for these permissions are not changed. Inactive permissions are displayed in
the permission levels' overview.
Entering Master Data for SharePoint Roles
Table 42: Configuration Parameters for Setting Up SharePoint Roles
Configuration parameter | Meaning
QER\CalculateRiskIndex | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is set, values can be entered and calculated for the risk index.
To edit SharePoint role master data
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the SharePoint role in the result list. Select Change master data in
the task view.
3. Enter the required data on the master data form.
4. Save the changes.
The following properties are displayed for SharePoint roles.
Table 43: SharePoint Role Properties
Property | Description
Display name | SharePoint role display name.
Permission level | Unique identifier for the permission level on which the SharePoint role is based.
Site | Unique identifier for the site that inherits its permissions from the SharePoint role.
Risk index | Value for evaluating the risk of assigning the SharePoint role to user accounts. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.
Description | Spare text box for additional explanation.
Service item | Service item data for requesting the SharePoint role through the IT Shop.
IT Shop | Specifies whether the SharePoint role can be requested through the IT Shop. This SharePoint role can be requested by staff through the Web Portal and granted through a defined approval procedure. The SharePoint role can still be assigned directly to employees and hierarchical roles.
Only for use in IT Shop | Specifies whether the SharePoint role can only be requested through the IT Shop. This SharePoint role can be requested by staff through the Web Portal and granted through a defined approval procedure. The SharePoint role may not be assigned directly to hierarchical roles.
NOTE: If the SharePoint role references a permission level with the Hidden option
set, the options IT Shop and Only use in IT Shop cannot be set. You cannot assign
these SharePoint roles to user accounts or groups.
Detailed information about this topic
• Entering Master Data for SharePoint Permission Levels on page 113
• One Identity Manager IT Shop Administration Guide
• One Identity Manager Risk Assessment Administration Guide
Assigning SharePoint Roles to SharePoint User Accounts
SharePoint roles can be assigned directly or indirectly to user accounts. In the case of
indirect assignment, employees and SharePoint roles are arranged in hierarchical roles.
The number of SharePoint roles assigned to an employee is calculated from the position in
the hierarchy and the direction of inheritance. If you add an employee to hierarchical roles
and the employee owns a user authenticated user account, the user account is added to the
SharePoint role. Prerequisites for indirect assignment of employees to user accounts:
• Assignment of employees and groups is permitted for role classes (department, cost center, location or business role).
• The option Group authenticated is not set in the user accounts.
• User accounts are marked with the option Groups can be inherited.
• User accounts and SharePoint groups belong to the same site collection.
Furthermore, SharePoint roles can be assigned to employees through IT Shop requests.
Add employees to a shop as customers so that SharePoint roles can be assigned through IT
Shop requests. All SharePoint roles that are assigned to this shop as products can be
requested by the customers. Requested SharePoint roles are assigned to the employees
after approval is granted.
NOTE: SharePoint roles that reference permission levels that have the option Hidden
set cannot be assigned to business roles and organizations. These SharePoint roles
can be neither directly nor indirectly assigned to user accounts or groups.
Detailed information about this topic
• Entering Master Data for SharePoint Permission Levels on page 113
• Assigning SharePoint Roles to Departments, Cost Centers and Locations on page 117
• Assigning SharePoint Roles to Business Roles on page 118
• Assigning SharePoint User Accounts directly to a SharePoint Role on page 119
• Assigning SharePoint Groups to SharePoint Roles on page 120
• Adding SharePoint Roles to System Roles on page 120
• Adding SharePoint Roles to the IT Shop on page 121
• One Identity Manager Identity Management Base Module Administration Guide
Assigning SharePoint Roles to Departments, Cost Centers and Locations
Assign SharePoint roles to departments, cost centers and locations in order to assign user
accounts to them through these organizations.
To assign a SharePoint role to departments, cost centers or locations (non role-based login)
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
   • Assign departments on the Departments tab.
   • Assign locations on the Locations tab.
   • Assign cost centers on the Cost center tab.
- OR - Remove the organizations from Remove assignments.
5. Save the changes.
To assign SharePoint roles to departments, cost centers or locations (rolebased login)
1. Select the category Organizations | Departments.
- OR - Select the category Organizations | Cost centers.
- OR - Select the category Organizations | Locations.
2. Select the department, cost center or location in the result list.
3. Select Assign SharePoint roles in the task view.
4. Assign SharePoint roles in Add assignments.
- OR - Remove SharePoint roles in Remove assignments.
5. Save the changes.
Related Topics
• Assigning SharePoint Roles to Business Roles on page 118
• Assigning SharePoint User Accounts directly to a SharePoint Role on page 119
• Assigning SharePoint Groups to SharePoint Roles on page 120
• Adding SharePoint Roles to System Roles on page 120
• Adding SharePoint Roles to the IT Shop on page 121
• One Identity Manager Users for Managing SharePoint on page 9
Assigning SharePoint Roles to Business Roles
Installed Module: Business Roles Module
You assign SharePoint roles to business roles in order to assign them to user accounts over
business roles.
To assign a SharePoint role to business roles (non role-based login)
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR - Remove business roles from Remove assignments.
5. Save the changes.
To assign SharePoint roles to a business role (role-based login)
1. Select the category Business roles | <Role class>.
2. Select the business role in the result list.
3. Select Assign SharePoint roles in the task view.
4. Assign SharePoint roles in Add assignments.
- OR - Remove SharePoint roles in Remove assignments.
5. Save the changes.
Related Topics
• Assigning SharePoint Roles to Departments, Cost Centers and Locations on page 117
• Assigning SharePoint User Accounts directly to a SharePoint Role on page 119
• Assigning SharePoint Groups to SharePoint Roles on page 120
• Adding SharePoint Roles to System Roles on page 120
• Adding SharePoint Roles to the IT Shop on page 121
• One Identity Manager Users for Managing SharePoint on page 9
Assigning SharePoint User Accounts directly to a SharePoint Role
SharePoint roles can be assigned directly or indirectly to user accounts. Indirect
assignment can only be used for user authenticated user accounts. Direct assignment can
only be used for group and user authenticated user accounts.
User accounts and SharePoint roles must belong to the same site collection.
NOTE: SharePoint roles that reference permission levels that have the option Hidden
set cannot be assigned to user accounts.
To assign a SharePoint role directly to user accounts
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Assign user accounts in the task view.
4. Assign user accounts in Add assignments.
- OR - Remove user accounts in Remove assignments.
5. Save the changes.
Related Topics
• Entering Master Data for SharePoint Permission Levels on page 113
• Assigning SharePoint Roles directly to User Accounts on page 87
• Assigning SharePoint Roles to Departments, Cost Centers and Locations on page 117
• Assigning SharePoint Roles to Business Roles on page 118
• Assigning SharePoint Groups to SharePoint Roles on page 120
• Adding SharePoint Roles to System Roles on page 120
• Adding SharePoint Roles to the IT Shop on page 121
Assigning SharePoint Groups to SharePoint Roles
In order for SharePoint user accounts to obtain permissions to individual sites, assign
SharePoint roles to the groups. SharePoint roles and groups must belong to the same site
collection.
NOTE: SharePoint roles that reference permission levels with the Hidden option
cannot be assigned to groups.
To assign groups to a SharePoint role
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Assign groups in the task view.
4. Assign groups in Add assignments.
- OR - Remove groups in Remove assignments.
5. Save the changes.
Related Topics
• Entering Master Data for SharePoint Permission Levels on page 113
• Assigning SharePoint Roles to Departments, Cost Centers and Locations on page 117
• Assigning SharePoint Roles to Business Roles on page 118
• Assigning SharePoint User Accounts directly to a SharePoint Role on page 119
• Assigning SharePoint Roles to SharePoint Groups on page 102
• Adding SharePoint Roles to System Roles on page 120
• Adding SharePoint Roles to the IT Shop on page 121
Adding SharePoint Roles to System Roles
Installed Module: System Roles Module
Use this task to add a SharePoint role to system roles. If you assign a system role
to employees, all the employees' user authenticated user accounts inherit the
SharePoint role.
NOTE: SharePoint roles that reference permission levels with the Hidden option
cannot be assigned to system roles. These SharePoint roles can be neither directly
nor indirectly assigned to user accounts or groups. For more information, see
Entering Master Data for SharePoint Permission Levels on page 113.
NOTE: SharePoint roles with the option Only use in IT Shop set can only be
assigned to system roles that also have this option set. For more information, see
the One Identity Manager System Roles Administration Guide.
To assign a SharePoint role to system roles
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR - Remove system roles from Remove assignments.
5. Save the changes.
Related Topics
• Assigning SharePoint Roles to Departments, Cost Centers and Locations on page 117
• Assigning SharePoint Roles to Business Roles on page 118
• Assigning SharePoint User Accounts directly to a SharePoint Role on page 119
• Assigning SharePoint Roles to SharePoint Groups on page 102
• Adding SharePoint Roles to the IT Shop on page 121
Adding SharePoint Roles to the IT Shop
Once a SharePoint role has been assigned to an IT Shop shelf, it can be requested by the
shop customers. To ensure it can be requested, further prerequisites need to be
guaranteed.
• The SharePoint role must be labeled with the option IT Shop.
• The SharePoint role must be assigned to a service item.
• The SharePoint role must also be labeled with the option Only use in IT Shop if the SharePoint role can only be assigned to employees using IT Shop requests. Direct assignment to hierarchical roles may not be possible.
NOTE: IT Shop administrators can assign SharePoint roles to IT Shop shelves in the
case of role-based login. Target system administrators are not authorized to add
SharePoint roles in the IT Shop.
To add a SharePoint role to the IT Shop
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Add to IT Shop in the task view.
4. Assign the IT Shop shelf in Add assignments.
5. Save the changes.
To remove a SharePoint role from individual IT Shop shelves
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Add to IT Shop in the task view.
4. Remove the SharePoint role from the IT Shop shelves in Remove assignments.
5. Save the changes.
To remove a SharePoint role from all IT Shop shelves
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Remove from all shelves (IT Shop) in the task view.
4. Confirm the security prompt with Yes.
5. Click OK.
The SharePoint role is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests are canceled along with the SharePoint
role as a result.
Detailed information about this topic
• One Identity Manager IT Shop Administration Guide
Related Topics
• Entering Master Data for SharePoint Roles on page 115
• Assigning SharePoint Roles to Departments, Cost Centers and Locations on page 117
• Assigning SharePoint Roles to Business Roles on page 118
• Assigning SharePoint User Accounts directly to a SharePoint Role on page 119
• Assigning SharePoint Groups to SharePoint Roles on page 120
• Adding SharePoint Roles to System Roles on page 120
Additional Tasks for Managing SharePoint Roles
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of SharePoint Roles
To obtain an overview of a SharePoint role
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select SharePoint role overview in the task view.
Effectiveness of SharePoint Roles
Table 44: Configuration Parameter for Conditional Inheritance
Configuration parameter | Active | Meaning
QER\Structures\Inherite\GroupExclusion | | Preprocessor relevant configuration parameter for controlling the effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to the parameter require recompiling the database.
When SharePoint roles are assigned to user accounts, an employee may obtain two or
more SharePoint roles that are not permitted in combination. To prevent this, you
can declare mutually exclusive SharePoint roles. To do this, you specify which of the
two SharePoint roles should apply to the user accounts if both of the SharePoint roles
are assigned.
It is possible to assign an excluded SharePoint role directly, indirectly or by IT Shop
request at any time. One Identity Manager then determines whether the assignment is effective.
NOTE:
• You cannot define a pair of mutually exclusive SharePoint roles. That means, the definition "SharePoint role A excludes SharePoint role B" AND "SharePoint role B excludes SharePoint role A" is not permitted.
• You must declare each SharePoint role to be excluded from a SharePoint role separately. Exclusion definitions cannot be inherited.
• The exclusion definition does not affect SharePoint roles that are inherited by user accounts through SharePoint groups.
The effect of the assignments is mapped in the tables SPSUserHasSPSRLAssign and
BaseTreeHasSPSRLAssign through the column XIsInEffect.
Prerequisites
• The configuration parameter "QER\Inherite\GroupExclusion" is enabled.
• Mutually exclusive SharePoint roles belong to the same site collection.
To exclude SharePoint roles
1. Select the category SharePoint | Hierarchical view | <Farm> | Web
applications | <web application> | <site collection> | <site> | Roles.
2. Select the role in the result list.
3. Select Exclude SharePoint roles in the task view.
4. Assign the roles that are mutually exclusive to the selected role in Add assignments.
- OR - Remove roles that are no longer mutually exclusive in Remove assignments.
5. Save the changes.
Detailed information about this topic
• Effectiveness of Group Memberships on page 107
Deleting SharePoint Roles and Permission Levels
You cannot delete SharePoint roles in the Manager. They are deleted by the DBQueue
Processor when the associated permission level is deleted.
To delete a permission level
1. Select the category SharePoint | Permission levels.
2. Select the permission level in the result list.
3. Click the delete icon to delete the permission level.
4. Confirm the security prompt with Yes.
If deferred deletion is configured, the permission level is marked for deletion and finally
deleted after the deferred deletion period has expired. During this period, the permission
level can be restored. Permission levels with deferred deletion of 0 days are deleted
immediately.
To restore a permission level
1. Select the category SharePoint | Permission levels.
2. Select the permission level marked for deletion in the result list.
3. Click the restore icon in the result list toolbar.
Related Topics
• One Identity Manager Configuration Guide
9 Permissions for SharePoint Web Applications
You can define user policies in SharePoint that guarantee permissions across all sites in a
site collection. These user policies overlay all the permissions that are specially defined for
the sites. User policies are based on authentication objects from which SharePoint user
accounts are created. These authentication objects can be saved as authentication objects
in user policies.
User policies obtain their permissions through permission policies. SharePoint permissions
are explicitly granted or denied in permission policies.
Figure 5: Permissions for SharePoint Web Applications through Policies
You define user policies and permission policies for a web application. User policies are
therefore implicitly authorized for all web application sites. You can limit them to single
zones or allow them for the entire web application.
SharePoint Permission Policies
On the permission policy overview form, you can view the web application and the user
policies to which the permission policy is assigned. All permissions are listed that have
been explicitly granted or denied.
To obtain an overview of a permission policy
1. Select the category SharePoint | Permission policies.
2. Select the permission policy from the result list.
3. Select SharePoint permission policy overview in the task view.
The denied SharePoint permission "Deny write" is displayed for the permission policy
"Deny write". SharePoint internally groups several single permissions together that are
only found as single permissions in the SharePoint interface. The One Identity Manager
maps the SharePoint internal permission. That is why only the permission "Deny write"
appears in the One Identity Manager interface; the single permissions it consists of are not known
to the One Identity Manager.
SharePoint User Policies
User policies have a dynamic foreign key (column AuthenticationObject) that references
the appropriate authentication object. An additional employee can be assigned if the
dynamic foreign key references an Active Directory or an LDAP user account.
Each user policy represents an object from an authentication system. This object can be a
group or a user.
To edit user policy master data
1. Select the category SharePoint | User policies.
2. Select the user policy in the result list. Select Change master data in
the task view.
3. Enter the required data on the master data form.
4. Save the changes.
The following properties are displayed for user policies.
Table 45: Master Data for a User Policy
Property | Description
Display name | Display name for the user policy.
User account | Specifies whether the user policy's authentication object is a user account.
Login name | Login name for the user policy. It is found using a template.
System account | Specifies whether the user policy operates as a system account in the SharePoint environment.
Employee | Employee using the user policy. If an authentication object is assigned, the connected employee is found through the authentication object by using a template. If there is no authentication object assigned, the employee can be assigned manually. An employee can only be assigned if the option User account is set.
Web application | Unique identifier for the web application for which the user policy is set up.
Zone | Unique identifier of the SharePoint zone for which the user policy is valid.
Authentication object | Authentication object referencing the user policy. Each user policy represents an object from an authentication system trusted by the SharePoint installation. If this authentication system is managed as a target system in One Identity Manager, the object used for authentication can be saved as the authentication object in the user policy. The authentication object is assigned during automatic synchronization. If the option User account is set, the following authentication objects can be assigned: Active Directory user accounts, LDAP user accounts. If the option User account is not set, the following authentication objects can be assigned: Active Directory groups, LDAP groups.
NOTE: When an authentication object assigned to a SharePoint user policy is deleted
from the One Identity Manager database, the link to the authentication object is
removed from the user policy. Employees assigned to it remain assigned if
necessary.
Global user policies
Global user policies are user policies that are valid for all zones. They are displayed in the
category SharePoint | Hierarchical view | <farm> | Web applications | <web
application> | Global user policies.
Zone specific User Policies
Zone specific user policies are user policies that are valid for a single zone in a web
application. They are displayed in the category SharePoint | Hierarchical view |
<farm> | Web applications | <web application> | Global zone specific user
policies | <zone>.
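The overview forms described above show what One Identity Manager has imported. To cross-check that against SharePoint itself, the following PowerShell reads the policy roles (permission policies) and the global and zone specific user policies of one web application through the SharePoint object model. This is an added example, not code from the One Identity Manager guide or product. It assumes the SharePoint Management Shell on a farm server with farm administrator rights; the URL in the usage lines is a placeholder, and the user-versus-group classification by claim prefix is a heuristic of this script, not the logic One Identity Manager uses (it resolves the authentication object from the Active Directory or LDAP target system instead).

```powershell
# Added example (not from the One Identity Manager guide): dump the permission
# policies (policy roles) and user policies of a SharePoint web application so
# they can be compared with the One Identity Manager overview forms.
# Assumption: run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPPermissionPolicyReport {
    param([Parameter(Mandatory)][string]$WebAppUrl)
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    foreach ($role in $wa.PolicyRoles) {
        # SharePoint stores each policy role as two SPBasePermissions bit masks.
        # A built-in role such as "Deny Write" is one aggregate mask here, which
        # is the granularity One Identity Manager imports; the individual rights
        # inside the mask are only broken out by the SharePoint UI.
        [pscustomobject]@{
            PolicyRole = $role.Name
            RoleType   = $role.Type
            Granted    = [string]$role.GrantRightsMask
            Denied     = [string]$role.DenyRightsMask
        }
    }
}

function ConvertTo-UserPolicyRecord {
    param($Policy, [string]$Scope)
    # Heuristic (this script's assumption, not One Identity Manager's logic):
    # in a claims web application an identity claim ("i:0#.w|DOMAIN\user")
    # denotes a user, any other claim ("c:0+.w|S-1-5-...", "c:0(.s|true")
    # denotes a group or role claim. Classic logins cannot be told apart by name.
    $isUser = switch -Wildcard ($Policy.UserName) {
        'i:*'   { $true }
        'c:*'   { $false }
        default { $null }
    }
    [pscustomobject]@{
        Scope         = $Scope
        LoginName     = $Policy.UserName
        DisplayName   = $Policy.DisplayName
        IsUserAccount = $isUser
        SystemAccount = $Policy.IsSystemUser
        PolicyRoles   = ($Policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
    }
}

function Get-SPUserPolicyReport {
    param([Parameter(Mandatory)][string]$WebAppUrl)
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    # Global user policies: valid for every zone of the web application.
    foreach ($p in $wa.Policies) {
        ConvertTo-UserPolicyRecord -Policy $p -Scope 'Global'
    }
    # Zone specific user policies: one collection per zone that has an
    # alternate access mapping (Default, Intranet, Internet, Custom, Extranet).
    $zones = $wa.AlternateUrls | Select-Object -ExpandProperty UrlZone -Unique
    foreach ($zone in $zones) {
        foreach ($p in $wa.ZonePolicies($zone)) {
            ConvertTo-UserPolicyRecord -Policy $p -Scope "Zone:$zone"
        }
    }
}

# Usage (placeholder URL):
# Get-SPPermissionPolicyReport -WebAppUrl 'http://intranet.example.com' | Format-Table -AutoSize
# Get-SPUserPolicyReport       -WebAppUrl 'http://intranet.example.com' | Format-Table -AutoSize
```

In the first report, a policy role such as "Deny Write" shows up as a single Denied mask, which corresponds to the one "Deny write" entry on the permission policy overview form. In the second report, the Scope column separates the global user policies from the zone specific ones, SystemAccount corresponds to the System account option, and a row classified as a group is the kind of policy whose authentication object in One Identity Manager is an Active Directory or LDAP group rather than a user account.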
10 Reports about SharePoint Site Collections
One Identity Manager makes various reports available containing information about the
selected base object and its relations to other One Identity Manager database objects. The
following reports are available for SharePoint farms.
NOTE: Other sections may be available depending on which modules are installed.
Table 46: Reports for the Target System

Overview of all assignments (site collection): This report finds all roles containing employees with at least one user account in the selected site collection.

Overview of all assignments (web application): This report finds all roles containing employees with at least one user account in the selected web application.

Overview of all assignments (group): This report finds all roles containing employees with the selected group.

Show orphaned user accounts: This report shows all user accounts of the site collection which are not assigned an employee. The report contains assigned groups and a risk assessment.

Show employees with multiple user accounts: This report shows all employees with more than one user account in the site collection. The report contains a risk assessment.

Show entitlement drifts: This report shows all One Identity Manager groups in the site collection that are the result of manual operations in the target system rather than of the provisioning engine.

Show unused user accounts: This report shows all user accounts in the site collection that have not been used in the last few months.

Show user accounts with an above average number of system entitlements: This report contains all user accounts in the site collection with an above average number of group memberships. You can find the report in the category My One Identity Manager | Data quality analysis.
Overview of all Assignments
The report "Overview of all Assignments" is displayed for certain objects, for example,
permissions, compliance rules or roles. The report finds all the roles, for example,
departments, cost centers, locations, business roles and IT Shop structures, in which there
are employees who own the selected base object. Direct as well as indirect
base object assignments are included.
Example
- If the report is created for a resource, all roles are determined in which there are employees with this resource.
- If the report is created for a group, all roles are determined in which there are employees with this group.
- If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
- If the report is created for a department, all roles are determined in which employees of the selected department are also members.
- If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
- To display the report, select the base object from the navigation or the result list and select the report Overview of all assignments.
- Use the Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you want to determine whether roles exist in which there are employees with the selected base object. All the roles of the selected role class are shown. The color coding of elements identifies the roles in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. Click the legend icon in the report's toolbar to open the legend.
- Double-click a control to show all child roles belonging to the selected role.
- By clicking the button in a role's control, you display all employees in the role with the base object.
- Use the small arrow next to that button to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.
Figure 6: Toolbar for Report "Overview of all assignments"
Table 47: Meaning of Icons in the Report Toolbar
- Shows the legend with the meaning of the report control elements.
- Saves the current report view as a graphic.
- Selects the role class used to generate the report.
- Displays all roles or only the affected roles.
Appendix A: Configuration Parameters for Managing SharePoint
The following configuration parameters are additionally available in One Identity Manager
after the module has been installed.
Table 48: Configuration parameters

TargetSystem\SharePoint: Enables SharePoint support. The parameter is a precompiler dependent configuration parameter; the database needs to be recompiled after the configuration parameter has been changed.

TargetSystem\SharePoint\Accounts: Parameter for configuring SharePoint user accounts. If this parameter is set, settings for SharePoint user accounts can be configured.

TargetSystem\SharePoint\Accounts\MailTemplateDefaultValues: This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account.

TargetSystem\SharePoint\DBDeleteOnError: If an error occurs when adding a user account in the target system, the object is deleted from the database afterward.

TargetSystem\SharePoint\DefaultAddress: This configuration parameter contains the default email address for messages when actions in the target system fail.

TargetSystem\SharePoint\MaxFullsyncDuration: Specifies the maximum runtime for synchronization. No recalculation of group memberships by the DBQueue Processor can take place during this time.

TargetSystem\SharePoint\PersonAutoDefault: Specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem\SharePoint\PersonAutoFullSync: Specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.
Appendix B: Default Project Template for SharePoint
A default project template ensures that all required information is added in the One
Identity Manager. This includes mappings, workflows and the synchronization base object.
If you do not use a default project template you must declare the synchronization base
object in One Identity Manager yourself.
Use a default project template for initially setting up the synchronization project. For
custom implementations, you can extend the synchronization project with the
Synchronization Editor.
The template uses mappings for the following schema types.
Table 49: Mapping SharePoint schema types to tables in the One Identity Manager schema

Schema type in SharePoint    Table in the One Identity Manager schema
SPAlternateUrl               SPSAlternateURL
SPClaimProvider              SPSClaimProvider
SPFarm                       SPSFarm
SPGroup                      SPSGroup
SPLanguage                   SPSLanguage
SPPolicy                     SPSPolicyUser
SPPolicyRole                 SPSPolicyRole
SPPrefix                     SPSPrefix
SPQuotaTemplate              SPSQuota
SPRoleDefinition             SPSRole
RoleAssignment               SPSRlAsgn
SPSite                       SPSSite
SPUser                       SPSUser
SPWeb                        SPSWeb
SPWebApplication             SPSWebApplication
SPWebTemplate                SPSWebTemplate
About us
Contacting us
For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx
or call +1-800-306-9329.
Technical support resources
Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
- Submit and manage a Service Request
- View Knowledge Base articles
- Sign up for product notifications
- Download software and technical documentation
- View how-to videos at www.YouTube.com/OneIdentity
- Engage in community discussions
- Chat with support engineers online
- View services to assist you with your product