OneIM TargetSystemBaseModule Administration

The One Identity Manager 8.1.2 Administration Guide provides comprehensive instructions for managing employee and user accounts across various target systems. It details the mechanisms for account assignment, synchronization, and the handling of user data, emphasizing the importance of aligning user accounts with employee master data. The guide also covers the creation and management of account definitions to automate user account provisioning based on company-specific requirements.

One Identity Manager 8.1.

Target System Base Module


Administration Guide
Copyright 2020 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site ([Link]) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at [Link]
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at [Link]/legal. All other trademarks are the property of their
respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property damage, for which industry-standard safety precautions are advised. This icon is often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

One Identity Manager Target System Base Module Administration Guide


Updated - January 2020
Version - 8.1.2
Contents

Basic mechanisms for employee and user account administration 5
  Employee and user account administration 5
  Handling employees and user accounts 7
  Using account definitions to create user accounts 10
    Account definitions and manage levels 10
    Assigning account definitions to employees 11
    Determining valid IT operating data for the target systems 12
    IT operating data for the One Identity Manager default configuration 14
    Employee's central user account 16
    Employee's default email address 17
    Changing employee master data 17
    Templates and processes for implementing account definitions 18
    Examples for implementing several account definitions within a target system type 18
  Automatic assignment of employees to user accounts 20
    Configuring automatic employee assignment 21
    Editing search criteria for automatic employee assignment 23
    Define search criteria for employee assignment 24
    Finding employees and directly assigning them to user accounts 26
    Modifying scripts for automatic employee assignment 28
  Disabling and deleting employees and user accounts 30
    Temporarily deactivating employees 30
    Permanently deactivating employees 31
    Deferred deletion of an employee 32
    Disabling and deleting using account definitions 33

Unified Namespace 36
  Mapping target system objects in Unified Namespace 36
  Special features for mapping object properties 42
  One Identity Manager users for managing target systems in Unified Namespace 42
  Displaying Unified Namespace objects 43
  Reports about the Unified Namespace 43

About us 45
  Contacting us 45
  Technical support resources 45

Index 46

1  Basic mechanisms for employee and user account administration

The main feature of One Identity Manager is to map employees together with the master
data and permissions available to them in different target systems. To achieve this,
information about user accounts and permissions can be read from the target system into
the One Identity Manager database and linked to employees. This provides an overview of
the permissions for each employee in all of the connected target systems. One Identity
Manager offers the option of managing user accounts and their permissions. You can
provision modifications in the target systems. Employees are supplied with the necessary
permissions in the connected target systems according to their function in the company.
Regular synchronization keeps data consistent between target systems and the One
Identity Manager database.
Because requirements vary between companies, One Identity Manager offers different
methods for supplying user accounts to employees. One Identity Manager supports the
following methods for linking employees and their user accounts.

• Employees can automatically obtain their user accounts through One Identity Manager account definitions.
• When user accounts are inserted in One Identity Manager, they can be automatically assigned to an existing employee, or a new employee can be created if necessary.
• Employee and user account data in One Identity Manager can be manually entered and assigned to each other.

Employee and user account administration

The requirements of a company’s user administration are often different not only in the
existing target system types, but also in the individual target systems of a target
system type.
Requirements for user account administration might be, for example:
Target system type Active Directory with Microsoft Exchange

• In domain A, a user account should be automatically created for each internal employee. The information for the container and home server are based on the department and the location of the person. Each user account in the domain is automatically allocated a Microsoft Exchange mailbox.
• In domain B, the user accounts are administrated independently of the employee data. Microsoft Exchange mailboxes can only be allocated by requesting them in the IT Shop.

Target system type IBM Notes

• All members of the sales department are automatically allocated an IBM Notes mailbox. Members of other departments can request an IBM Notes mailbox. The attributes of the IBM Notes mailbox are determined depending on the member's department.

Target system type SAP R/3

• All members of the personnel department are automatically allocated a user account in SAP Client 101.
• The members of the purchasing department are automatically allocated a user account in SAP Client 102 the moment they are assigned the appropriate role.
• The user accounts for SAP Client 103 are allocated exclusively through a request process.

One Identity Manager uses different mechanisms to assign user accounts to employees.

Initial assignment of user accounts

The user accounts are initially read into One Identity Manager from a target system
through synchronization. In doing so, the existing employees can automatically be
assigned to the user accounts. New employees can be created and assigned to user
accounts if necessary. The criteria for these automatic assignments are defined on a
company-specific basis. The extent of the attributes an employee inherits on their user
account through account definitions can be changed after checking the user accounts. The
loss of user accounts through system changes can therefore be avoided. User account
verification can be carried out manually or by using scripts.

Assigning user accounts during work hours

One Identity Manager uses special account definitions for allocating user accounts to
employees during working hours. Account definitions can be created for each target system
of the appointed target system type, for example, the different domains of an Active
Directory environment or the individual clients of an SAP R/3 system. A priority is applied
to the account definitions in order to ensure that a Microsoft Exchange mailbox, for
instance, is only created when an Active Directory user account is available.
An employee can obtain a user account through the integrated inheritance mechanism by
either direct assignment of account definitions to an employee, or by assignment of
account definitions to departments, cost centers, locations, or business roles. All company
employees can be allocated special account definitions independent of their affiliation to
the departments, cost centers, locations, or business roles. It is possible to assign account
definitions to the One Identity Manager as requestable items in the IT Shop. A department
manager can then request user accounts from the Web Portal for his staff.

Treatment of user accounts and personal data during disabling

The handling of personal data, particularly during long-term or temporary absence of an
employee, is dealt with differently in each company. Some companies never delete
personal data, but just disable it when the person leaves the company. Other
companies delete the personal data, but only after they are sure that all the user
accounts have been deleted.

Handling employees and user accounts

The requirements of a company's user administration are often different not only in the
existing target system types, but also in the individual target systems of a target system
type. Even within a target system, there may be different rules for different user groups.
For example, different rules for allocating user accounts can apply in the individual
domains within an Active Directory environment.
A requirement could look like the following, for example:

• In domain A, user accounts are administrated independently of employee data.
• In domain B, user accounts are linked to an employee. However, employee master data should not be transferred to the user accounts.
• In domain C, a user account is automatically created for each internal employee. The information for the container, home server, and profile server are based on the employee's department and location.

In order to fulfill the individual requirements of user administration, user accounts can be divided
into categories:

• Unlinked: The user account is not linked to an employee.
• Linked: The user account is linked to an employee.
• Linked configured (linked with configuration of the connection): The user accounts are linked to the employee. The effect of the link and the scope of the employee's inherited properties on the user accounts can be configured through an account definition and its manage levels. One Identity Manager supplies a default configuration with the manage levels:
  • Unmanaged: The user accounts are assigned to the employee, but do not have any further properties of that employee.
  • Full managed: The user accounts have an assignment to the employee and inherit the properties of the employee.

The following visual is designed to make user account transitions clearer. The default
mechanisms integrated in One Identity Manager for employee and user account
administration are shown.

Figure 1: Transition States for a User Account

Manually adding a user account

• Case 1: In order to manage a user account independently from employee data, the user account is added manually and is not assigned to an employee. The user account is not linked to an employee and therefore has the Unlinked state.
• Case 2: If the user account is already linked to an employee when inserted manually, the user account changes its state to Linked.
• Case 3: If an employee is already assigned when the user account is added and an account definition is assigned at the same time, the user account changes its state to Linked configured. Depending on the manage level used, the state of the user account becomes Linked configured: Unmanaged or Linked configured: Full managed.

Editing an existing user account

• Case 4: If an existing user account is manually assigned to an employee, the user account changes its state from Unlinked to Linked.
• Case 5: If an existing user account is manually assigned to an employee and an account definition is assigned at the same time, the user account changes its state from Unlinked to Linked configured. Depending on the manage level used, the state becomes Linked configured: Unmanaged or Linked configured: Full managed.
• Case 6: When One Identity Manager goes live, you can create IT Shop requests for existing user accounts, which are linked with employees (Linked state). This assigns an account definition and the user account changes its state to Linked configured. Depending on the manage level used, the state becomes Linked configured: Unmanaged or Linked configured: Full managed.

Changing the manage level

• Cases 7 and 8: By changing the manage level, an existing user account can change its state from Linked configured: Unmanaged to Linked configured: Full managed and vice versa. The manage level can only be changed for user accounts that are associated with an employee.

Removing employee assignments

• Case 9: By deleting the employee entry in a linked user account (Linked), the user account changes its state to Unlinked.

NOTE: The employee entry cannot be removed from user accounts with a state of Linked
configured as long as the employee owns an account definition. Removing an
employee's account definition results immediately in deleting the user accounts.

Handling user accounts during synchronization

• Case 10: When a database is synchronized with a target system, the user accounts are always added without an associated employee and therefore have an initial state of Unlinked. An employee can be assigned afterwards. This can be done manually or through automated employee assignment using process handling.

Assigning employees automatically to existing user accounts

• Case 11: One Identity Manager can automatically assign employees to user accounts in an Unlinked state. If the target system is assigned an account definition, this account definition is automatically assigned to the employees. Depending on the manage level used, the state becomes Linked configured: Unmanaged or Linked configured: Full managed. Automatic employee assignment can follow on from adding or updating user accounts through synchronization or through manually adding a user account. For more information, see Automatic assignment of employees to user accounts on page 20.

Automatically creating user accounts through account definitions

• Case 12: Account definitions are implemented to automatically assign user accounts to employees during normal working hours. If an employee does not have a user account in the target system, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism followed by process handling. The manage level is set to the account definition's default manage level and the user account has the Linked configured state. Depending on the manage level used, the state becomes Linked configured: Unmanaged or Linked configured: Full managed. For more information, see Account definitions and manage levels on page 10.
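The twelve cases above describe one small state machine, and the two NOTE rules (an employee cannot be detached from a Linked configured account while they own its account definition; removing the account definition deletes the accounts created through it) are the checks an administrator most often trips over. The following Python model, added here as an illustration and not code from One Identity Manager, walks the transitions from Figure 1; the class, function and login names are assumptions, while the states, cases and NOTE rules come from the text.

```python
"""State model for the user-account transitions in Figure 1 (cases 1 to 12).

Added example, not One Identity Manager code: the class and function names and
the sample logins are assumptions; the states, the cases and the NOTE about
account definitions are taken from the text above.
"""
from dataclasses import dataclass, field
from typing import List, Optional

UNLINKED, LINKED, LINKED_CONFIGURED = "Unlinked", "Linked", "Linked configured"
UNMANAGED, FULL_MANAGED = "Unmanaged", "Full managed"


@dataclass
class Employee:
    name: str
    account_definitions: set = field(default_factory=set)  # owned directly or inherited


@dataclass
class UserAccount:
    login: str
    employee: Optional[Employee] = None
    account_definition: Optional[str] = None
    manage_level: Optional[str] = None
    deleted: bool = False

    @property
    def state(self) -> str:
        if self.employee is None:
            return UNLINKED
        if self.account_definition is None:
            return LINKED
        return f"{LINKED_CONFIGURED}: {self.manage_level}"

    def assign_employee(self, emp, account_definition=None, manage_level=FULL_MANAGED):
        """Cases 2-5 and 11: link to an employee, optionally with an account definition.
        Assigning the definition also makes the employee own it (case 11)."""
        self.employee = emp
        if account_definition is not None:
            emp.account_definitions.add(account_definition)
            self.account_definition = account_definition
            self.manage_level = manage_level
        return self.state

    def change_manage_level(self, level):
        """Cases 7 and 8: only possible for accounts associated with an employee
        through an account definition."""
        if self.employee is None or self.account_definition is None:
            raise ValueError("manage level can only be changed for Linked configured accounts")
        self.manage_level = level
        return self.state

    def remove_employee(self):
        """Case 9, with the NOTE: the employee entry cannot be removed from a
        Linked configured account while the employee still owns its account definition."""
        if self.employee is None:
            return self.state
        if self.account_definition in self.employee.account_definitions:
            raise ValueError("remove the account definition from the employee first")
        self.employee = self.account_definition = self.manage_level = None
        return self.state


def synchronized_account(login) -> UserAccount:
    """Case 10: accounts read in through synchronization always start Unlinked."""
    return UserAccount(login=login)


def provision_from_definition(emp, account_definition, accounts, default_level=FULL_MANAGED, login=None):
    """Case 12: an account definition assigned to an employee creates a user account
    with the definition's default manage level unless one already exists."""
    emp.account_definitions.add(account_definition)
    for acc in accounts:
        if acc.employee is emp and acc.account_definition == account_definition and not acc.deleted:
            return acc
    acc = UserAccount(login or emp.name.lower().replace(" ", "."), emp, account_definition, default_level)
    accounts.append(acc)
    return acc


def remove_account_definition(emp, account_definition, accounts) -> List[str]:
    """NOTE: removing an employee's account definition deletes the user accounts
    created through it. Returns the logins that were deleted."""
    emp.account_definitions.discard(account_definition)
    deleted = []
    for acc in accounts:
        if acc.employee is emp and acc.account_definition == account_definition and not acc.deleted:
            acc.deleted = True
            deleted.append(acc.login)
    return deleted
```

The order of operations matters for the same reason it does in the product: detaching an employee from a Linked configured account must be refused until the account definition is removed, and removing the definition is what deletes the account, so an administrator who wants to keep the account but drop the link has to lower it to Linked first, not delete the definition.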

Using account definitions to create user accounts

One Identity Manager has account definitions for automatically allocating user accounts to
employees during working hours. You can create account definitions for every target
system. If an employee does not yet have a user account in a target system, a new user
account is created. This is done by assigning account definitions to an employee.
The data for the user accounts in the respective target system comes from the basic
employee data. The employee must own a central user account. The assignment of the IT
operating data to the employee’s user account is controlled through the primary
assignment of the employee to a location, a department, a cost center, or a business role
(template processing). Processing is done through templates. There are predefined
templates for determining the data required for user accounts included in the default
installation. You can customize templates as required.

Account definitions and manage levels

An account definition specifies which rules are used to form the IT operating data and
which default values will be used if no IT operating data can be found through the
employee's primary roles.
Account definitions can be created for each target system of the appointed target system
type, for example, the different domains of an Active Directory environment or the
individual clients of an SAP R/3 system. An account definition is always valid for a target
system. You can, however, define several account definitions for one target system. Which
account definition will be used is decided when creating an employee's user account. To
ensure that a Microsoft Exchange mailbox, for example, is not created until an Active
Directory user account exists, you can define dependencies between account definitions.
The manage levels that may be used are specified in the account definition. You can create
more than one manage level. The manage level determines the scope of the properties that
an employee's user account can inherit. This allows an employee to have several user
accounts in one target system, for example:

• A default user account that inherits all properties from the employee.
• An administrative user account that is associated with an employee but should not inherit the properties from the employee.

One Identity Manager supplies a default configuration for manage levels:

• Unmanaged: User accounts with the Unmanaged manage level are linked to the employee but they do not inherit any further properties. When a new user account is added with this manage level and an employee is assigned, some of the employee's properties are transferred initially. If the employee properties are changed at a later date, the changes are not passed on to the user account.
• Full managed: User accounts with the Full managed manage level inherit defined properties of the assigned employee. When a new user account is created with this manage level and an employee is assigned, the employee's properties are transferred in an initial state. If the employee properties are changed at a later date, the changes are passed on to the user account.

NOTE: The Full managed and Unmanaged manage levels are analyzed in templates.
You can customize the supplied templates in the Designer.
You can define other manage levels depending on your requirements. You need to amend
the templates to include manage level approaches.
A default manage level is defined for every account definition. This manage level is used to
determine the valid IT operating data when a user account is created automatically. In the
One Identity Manager default installation, the processes are checked at the start to see if
the employee already has a user account in the target system that has an account
definition. If no user account exists, a new user account is created with the account
definition’s default manage level.
NOTE: If a user account already exists and is disabled, then it is re-enabled. You have to
alter the user account manage level afterwards in this case.
The effects on account definition inheritance of temporary disabling, permanent disabling,
deletion, and security risk to employees is specified for each account definition.

• As long as an account definition applies to an employee, this employee keeps its linked user accounts. You may want employees that are disabled or marked for deletion to inherit account definitions to ensure that all necessary permissions are made immediately available when the employee is reactivated at a later time.
• If the account definition assignment no longer applies or is removed from the employee, the user account created through this account definition is deleted.

In addition, you can specify the effect of temporarily or permanently disabling, deleting, or
the security risk of an employee on its user accounts and group memberships for each
manage level.

• Employee user accounts can be locked when they are disabled, deleted, or rated as a security risk so that permissions are immediately withdrawn. If the employee is reinstated at a later date, the user accounts are also reactivated.
• You can also define group membership inheritance. Inheritance can be discontinued if desired when, for example, the employee's user accounts are disabled and therefore cannot be members in groups. During this time, no inheritance processes should be calculated for this employee. Existing group memberships are deleted!

Assigning account definitions to employees

Account definitions are assigned to company employees.
Indirect assignment is the default method for assigning account definitions to employees.
Account definitions are assigned to departments, cost centers, locations, or roles. The
employees are categorized into these departments, cost centers, locations, or roles
depending on their function in the company and thus obtain their account definitions. To
react quickly to special requests, you can assign individual account definitions directly to
employees.
employees.
You can automatically assign special account definitions to all company employees. It is
possible to assign account definitions to the IT Shop as requestable products. A department
manager can then request user accounts from the Web Portal for his staff. It is also
possible to add account definitions to system roles. These system roles can be assigned to
employees through hierarchical roles or directly or added as products in the IT Shop.

Determining valid IT operating data for the target systems

To create user accounts with the Full managed manage level, the required IT operating
data must be determined. The operating data required to automatically supply an
employee with IT resources is shown in the business roles, departments, locations, or cost
centers. An employee is assigned a primary business role, primary location, primary
department, or primary cost center. The necessary IT operating data is ascertained from
these assignments and used in creating the user accounts. Default values are used if valid
IT operating data cannot be found over the primary roles.
The following diagram illustrates the process sequence for automatically assigning IT
operating data to the employee's user account within One Identity Manager.

Figure 2: Displaying IT Operating Data on Top of a User Account

You can also specify IT operating data directly for a specific account definition.

Example

Normally, each employee in department A obtains a default user account in
domain A. In addition, certain employees in department A obtain administrative user
accounts in domain A.
Create an account definition A for the default user account of domain A and an
account definition B for the administrative user account of domain A. Specify the
"Department" property in the IT operating data formatting rule for account
definitions A and B in order to determine the valid IT operating data.
Specify the effective IT operating data of department A for domain A. This IT
operating data is used for standard user accounts. In addition, specify the effective
account definition B IT operating data for department A. This IT operating data is
used for administrative user accounts.
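The lookup the Example describes has three layers: IT operating data stored for the account definition itself, data stored for the target system and reached through the employee's primary role, and finally the account definition's default values. The following Python resolver is an added illustration, not One Identity Manager's template code; the dataclasses, the table layout and every sample value (domain A, department A, the OU names and server name) are constructed for the example.

```python
"""Resolving valid IT operating data for an account definition.

Added example, not One Identity Manager code: the dataclasses, the lookup table
layout and all sample values (Domain A, Department A, OU names, server names)
are assumptions constructed to illustrate the Example above and Figure 2.
"""
from dataclasses import dataclass, field


@dataclass
class AccountDefinition:
    name: str
    target_system: str
    formatting_property: str          # property named in the IT operating data formatting rule
    defaults: dict = field(default_factory=dict)  # used when no data is found via primary roles


@dataclass
class Employee:
    central_user_account: str
    primary: dict = field(default_factory=dict)   # primary department, location, cost center, business role


# Constructed sample table. Key: (target system, account definition name or None
# for data that applies to the whole target system, value of the primary role).
IT_OPERATING_DATA = {
    ("Domain A", None, "Department A"): {
        "Container": "OU=Users,OU=DeptA,DC=domainA,DC=example",
        "Home server": "fs01.domainA.example",
        "Groups can be inherited": True,
        "Privileged user account": False,
    },
    ("Domain A", "Account definition B", "Department A"): {
        "Container": "OU=Admins,DC=domainA,DC=example",
        "Home server": "fs01.domainA.example",
        "Groups can be inherited": False,
        "Privileged user account": True,
    },
}

# The two account definitions from the Example, with constructed default values.
DEF_A = AccountDefinition("Account definition A", "Domain A", "Department",
                          {"Container": "OU=Users,DC=domainA,DC=example",
                           "Privileged user account": False})
DEF_B = AccountDefinition("Account definition B", "Domain A", "Department",
                          {"Container": "OU=Admins,DC=domainA,DC=example",
                           "Privileged user account": True})


def resolve_it_operating_data(emp, acct_def, table=IT_OPERATING_DATA):
    """Return (data, source) for the Full managed account this definition would create.

    Most specific entry wins: data stored for the account definition itself, then
    data stored for the target system via the employee's primary role, then the
    definition's default values (the fallback the text describes)."""
    role_value = emp.primary.get(acct_def.formatting_property)
    candidates = (
        ((acct_def.target_system, acct_def.name, role_value), "account definition"),
        ((acct_def.target_system, None, role_value), "primary role"),
    )
    for key, source in candidates:
        if role_value is not None and key in table:
            return dict(table[key]), source
    return dict(acct_def.defaults), "default values"


def demo():
    """Walk the Example: a standard account, an administrative account, and an
    employee whose department has no IT operating data at all."""
    alice = Employee("ALICEB", {"Department": "Department A", "Location": "Berlin"})
    carol = Employee("CAROLX", {"Department": "Department C"})
    return {
        "alice/A": resolve_it_operating_data(alice, DEF_A),
        "alice/B": resolve_it_operating_data(alice, DEF_B),
        "carol/A": resolve_it_operating_data(carol, DEF_A),
    }


if __name__ == "__main__":
    for label, (data, source) in demo().items():
        print(label, source, data)
```

Returning the source alongside the data is deliberate: when a Full managed account lands in the wrong container, the first question is whether it was built from the definition's own data, from the department, or from the defaults because the primary assignment was missing, and that is not visible from the resulting values alone.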

IT operating data for the One Identity Manager default configuration

The IT operating data necessary in the One Identity Manager default configuration for
automatically creating or changing employee user accounts and mailboxes in the target
system is itemized in the following table.
NOTE: IT operating data is dependent on the target system and is contained in One
Identity Manager modules. The data is not available until the modules are installed.

Table 1: Target system dependent IT operating data

Target system type              IT operating data
------------------------------  -------------------------------
Active Directory                Container
                                Home server
                                Profile server
                                Terminal home server
                                Terminal profile server
                                Groups can be inherited
                                Identity
                                Privileged user account
Microsoft Exchange              Mailbox database
LDAP                            Container
                                Groups can be inherited
                                Identity
                                Privileged user account
IBM Notes                       Server
                                Certificate
                                Template for mail file
                                Identity
SharePoint                      Authentication mode
                                Groups can be inherited
                                Identity
                                Privileged user account
SharePoint Online               Groups can be inherited
                                Privileged user account
                                Authentication mode
Custom target systems           Container (per target system)
                                Groups can be inherited
                                Identity
                                Privileged user account
Azure Active Directory          Groups can be inherited
                                Identity
                                Privileged user account
                                Change password at next login
Cloud target system             Container (per target system)
                                Groups can be inherited
                                Identity
                                Privileged user account
Unix-based target system        Login shell
                                Groups can be inherited
                                Identity
                                Privileged user account
Oracle E-Business Suite         Identity
                                Groups can be inherited
                                Privileged user account
Exchange Online                 Groups can be inherited
Privileged Account Management   Authentication provider
                                Identity
                                Groups can be inherited
                                Privileged user account
G Suite                         Organization
                                Identity
                                Groups can be inherited
                                Privileged user account
                                Change password at next login


Employee's central user account

Table 2: Configuration parameter for forming the central user accounts

Configuration parameter                    Meaning
-----------------------------------------  ----------------------------------------------------------
QER | Person | CentralAccountGlobalUnique  This configuration parameter specifies how the central user
                                           account is mapped.
                                           If this configuration parameter is set, the central user
                                           account for an employee is formed uniquely in relation to
                                           the central user accounts of all employees and the user
                                           account names of all permitted target systems.
                                           If the configuration parameter is not set, it is only formed
                                           uniquely in relation to the central user accounts of all
                                           employees.

The employee's central user account is used to form the user account login name in the
active system. The central user account is still used for logging into the One Identity
Manager tools. In the One Identity Manager default installation, the central user account is
made up of the first and the last name of the employee. If only one of these is known, then
it is used for the central user account. One Identity Manager checks to see if a central user
account with that value already exists. If this is the case, an incremental number is added
to the end of the value.

Table 3: Example of forming central user accounts

First name   Last name   Central user account
-----------  ----------  --------------------
Clara                    CLARA
             Harris      HARRIS
Clara        Harris      CLARAH
Clara        Harrison    CLARAH1

Related topics

• Employee's default email address on page 17
• Changing employee master data on page 17

Employee's default email address

The employee’s default email address is displayed on the mailboxes in the activated target
system. In the One Identity Manager default installation, the default email address is
formed from the employee’s central user account and the default mail domain of the active
target system.
The default mail domain is determined using the QER | Person | DefaultMailDomain
configuration parameter.

• In the Designer, set the configuration parameter and enter the default mail domain name as a value.

Related topics

• Employee's central user account on page 16
• Changing employee master data on page 17
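The two sections above (Employee's central user account and Employee's default email address) define a small naming procedure: form a value from the known names, make it unique against the right set of existing names (which set depends on QER | Person | CentralAccountGlobalUnique), and derive the default email address from the result and QER | Person | DefaultMailDomain. The Python below is an added example, not the product's template code. The formation rule is reconstructed from Table 3 (first name plus the initial of the last name, upper-cased; a single known name used on its own), and the default installation's templates may differ and can be customized in the Designer; the existing-name sets, the mail domain and the lower-casing of the email address are assumptions.

```python
"""Forming central user accounts and default email addresses.

Added example, not One Identity Manager template code. The formation rule is
reconstructed from Table 3; the existing-name sets and the mail domain are
constructed sample data, and lower-casing the email address is an assumption.
"""
from typing import Iterable, List, Optional


def base_central_account(first_name: Optional[str], last_name: Optional[str]) -> str:
    """Value before the uniqueness check, following the pattern in Table 3."""
    first = (first_name or "").strip()
    last = (last_name or "").strip()
    if first and last:
        return (first + last[0]).upper()      # Clara Harris -> CLARAH
    if first or last:
        return (first or last).upper()        # only one name known -> that name
    raise ValueError("at least one of first name or last name is required")


def form_central_account(first_name: Optional[str], last_name: Optional[str],
                         central_accounts: Iterable[str],
                         target_system_accounts: Iterable[str] = (),
                         global_unique: bool = False) -> str:
    """Uniqueness check as described for QER | Person | CentralAccountGlobalUnique.

    Not set: unique only against the central user accounts of all employees.
    Set: also unique against the user account names of all permitted target systems.
    If the value already exists, an incremental number is appended."""
    taken = {a.upper() for a in central_accounts}
    if global_unique:
        taken |= {a.upper() for a in target_system_accounts}
    base = base_central_account(first_name, last_name)
    candidate, n = base, 0
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def default_email_address(central_account: str, default_mail_domain: Optional[str]) -> str:
    """Default email address = central user account at QER | Person | DefaultMailDomain."""
    if not default_mail_domain:
        raise ValueError("QER | Person | DefaultMailDomain is not set")
    return f"{central_account.lower()}@{default_mail_domain}"


def table3_walkthrough() -> List[str]:
    """Reproduce Table 3 row by row, adding each formed value to the existing set."""
    existing: set = set()
    formed = []
    for first, last in [("Clara", None), (None, "Harris"), ("Clara", "Harris"), ("Clara", "Harrison")]:
        account = form_central_account(first, last, existing)
        existing.add(account)
        formed.append(account)
    return formed


if __name__ == "__main__":
    for account in table3_walkthrough():
        print(account, default_email_address(account, "example.com"))
```

The global_unique switch is the part worth testing in your own environment: with the parameter unset, an employee whose central user account collides only with an existing login in a target system still gets the un-suffixed value, and the collision surfaces later when that target system's login name is formed from it.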

Changing employee master data

The following covers only the employee master data that affects the user account of an
employee with the manage level Full managed when it is changed in the One Identity
Manager default installation.

General changes

General changes refer to data changes relating to an employee’s telephone number, fax
number, mobile telephone, street, postal, or ZIP code. This process changes the data in the
target system to which the employees are assigned, assuming this data is mapped in the
respective target systems.

Changing an employee’s name

Changes to an employee’s name influence how an employee’s central user account is set
up. The central user account is made up of the employee’s first and last names according to
the formatting rules. The central user account is used as a template for formatting user
account login names in some target systems. When a user account is added, other
overriding formatting rules control how, for example, the home and profile directories are
formatted up from the central user account.

Employee job rotation in-house

Job rotation is affected by changes to the company data location or department. In One
Identity Manager, the administrative tasks for changing the target-system-specific IT
operating data, for example, domains, home servers, or profile servers, are automated.
There are other sub-processes for each target system due to system-dependent
differences in the actions necessary for changing departments.

Related topics

• Employee's central user account on page 16
• Employee's default email address on page 17

Templates and processes for implementing account definitions

Only user account properties used in the script template TSB_ITDataFromOrg are available.
Create custom templates using this script if you want to use different or additional
properties than those in the default installation.
In the One Identity Manager default installation there is one process per target system type
for creating user accounts through account definitions. These can be used as templates for
the company-specific implementation of the method.
NOTE: Processes are defined in the One Identity Manager modules and are not available
until the modules are installed.
The name of the process is formatted as follows:
<MMM>_PersonHasTSBAccountDef_Autocreate_<user account table>
where:
<MMM> = module ID
<user account table> = Table, in which the user account of the target system
type is mapped.

Examples for implementing several account definitions within a target system type

If several target systems are managed using account definitions in a target system type, a
separate account definition must be set up for each target system. When the employee is
assigned both account definitions, subsequent script and process handling ensure that the
employee obtains the user accounts in both target systems.

Example 1

There are two domains in an Active Directory environment. The employees can only have a
user account in one of the domains. The department operational data is used to determine
whether the user account is created in domain A or domain B.
Create an account definition A for domain A and an account definition B for domain B and
assign them the Full managed manage level. This manage level uses the One Identity
Manager default templates to determine the IT operating data. In the IT operating data
formatting rule, specify the "department" property for both account definitions for finding
the valid IT operating data.
If the employee belongs to department A, they receive (for example by dynamic
assignment) the account definition A and as a result, a user account in domain A. If the
employee belongs to department B, they are assigned the account definition B and they
receive a user account in domain B.

Figure 3: Creating User Accounts based on Account Definitions

Example 2

There are two domains in an Active Directory environment. The employees can have a user
account in both of the domains. The user account in domain A is allocated IT operating data
through the employee’s department. The user account in domain B is allocated IT operating
data through the employee’s primary business role.
Create an account definition A for domain A and an account definition B for domain B and
assign them the Full managed manage level. The Full managed manage level uses One
Identity Manager default templates to determine the IT operating data. Specify the
property "department" for account definition A in the IT operating data formatting rule for
finding the valid IT operating data. Specify the property "business role" for account
definition B in the IT operating data formatting rule for finding the valid IT operating data.

Figure 4: Creating User Accounts based on Account Definitions

Automatic assignment of employees to user accounts

Automatic employee assignment is used to:

• Assign existing employees to user accounts
• Create employee master data based on existing user accounts

Through synchronization, user accounts are initially loaded from the target system into One
Identity Manager. Automatic assignment of user accounts to existing employees can take
place by subsequently modifying scripts and processes. If necessary, new employees can
be created based on existing user accounts, to which they are then assigned. However, this
is not the One Identity Manager default method. You can also use this procedure to create
employee data from existing target system user accounts during synchronization.
If you run this procedure during working hours, automatic assignment of employees to
user accounts takes place from that moment onwards. If you disable the procedure again
later, the changes only affect user accounts added or updated after this point in time.
Existing employee assignments to user accounts remain intact.
The criterion for automatically assigning employees to user accounts can be customized to
meet the company's needs. Employees can be directly assigned to existing user accounts
as required, based on a suggestion list.
Run the following tasks to assign employees automatically.

• In the Designer, set the configuration parameter for automatic assignment of
  employees to user accounts and select the required mode.
• Define search criteria for the employee assignment.
• If managed user accounts should arise through automatic employee assignment
  (Linked configured state), assign an account definition to the target system.
  Ensure that the manage level to be used is entered as the default manage level.
  If no account definition is provided in the target system, the user accounts are only
  linked to the employee (Linked state). This is the case on initial synchronization,
  for example.

Related topics

• Handling employees and user accounts on page 7
• Configuring automatic employee assignment on page 21
• Editing search criteria for automatic employee assignment on page 23
• Modifying scripts for automatic employee assignment on page 28

Configuring automatic employee assignment


In the One Identity Manager default installation, the automatic assignment of employees to
user accounts is controlled by configuration parameters and therefore globally effective for
a target system type. A distinction is made here between the synchronization and the
default methods.
NOTE:
The following applies for synchronization:

• Automatic employee assignment takes effect if user accounts are added or
  updated.

The following applies outside synchronization:

• Automatic employee assignment takes effect if user accounts are added.

NOTE: The configuration parameters are included in the One Identity Manager modules
and are available once the modules are installed.
Configuration parameters for automatic employee assignment:

• TargetSystem | <Target system type> | PersonAutoDefault
• TargetSystem | <Target system type> | PersonAutoFullSync

Each configuration parameter has one of the permitted modes:

• NO: There is no automatic assignment of a person to the user account. This is the
  default value that is also displayed when the configuration parameter is not active.
• SEARCH: If no employee is assigned to the user account, the system searches for
  the appropriate employee based on defined criteria and assigns the employees found
  to the user account. If an employee is not found, no new employee is added.
• CREATE: If no employee is assigned to the user account, a new employee is
  always created, some properties are initialized, and the employee is assigned to
  the user account.
  NOTE: This mode is not available for all target system types.
• SEARCH AND CREATE: If no employee is assigned to the user account, the
  system searches for the appropriate employee based on defined criteria and assigns
  the employees found to the user account. If no employee is found, a new one is
  added, some of the properties are initialized, and the employee is assigned to the
  user account.
  NOTE: This mode is not available for all target system types.

If a user account is linked to an employee through the current mode, the user account is
given, through an internal process, the default manage level of the account definition
entered in the user account's target system. You can change this manage level later.
NOTE:
Following a synchronization, employees are automatically created for the user accounts
in the default installation. If an account definition for the target system is not yet known
at the time of synchronization, user accounts are linked with employees. However,
account definitions are not assigned. The user accounts are therefore in a Linked state.
To manage the user accounts using account definitions, assign an account definition and a
manage level to these user accounts.

To select user accounts through account definitions

1. Create an account definition.
2. Assign an account definition to the target system.
3. Assign the account definition and manage level to user accounts in linked status.
   a. In the Manager, select the Custom target systems | <target
      system> | User accounts | Linked but not configured | <target
      system> category.
   b. Select the Assign account definition to linked accounts task.

In the target-system-dependent Insert/Update processes of the One Identity Manager


default installation, the configuration parameters are evaluated and the execution mode is
determined. The names of the corresponding process steps are Search and Create Person
for Account and Search and Create Person for Account (Fullsync). Process steps can be
used as templates to put into effect the automatic employee assignment in different areas
of a target system, such as, the separate domains of an Active Directory environment.

Editing search criteria for automatic employee assignment

The criteria for employee assignment are defined for the target system. In this case, you
specify which user account properties must match the employee’s properties such that the
employee can be assigned to the user account. You can limit search criteria further by
using format definitions. The search criterion is written in XML notation to the Search
criteria for automatic employee assignment column (AccountToPersonMatchingRule) in
the target system table.
Search criteria are evaluated when employees are automatically assigned to user
accounts. Furthermore, you can create a suggestion list for assignments of employees to
user accounts based on the search criteria and make the assignment directly.
NOTE: When the employees are assigned to user accounts on the basis of search criteria,
user accounts are given the default manage level of the account definition entered in the
user account's target system. You can customize user account properties depending on
how the behavior of the manage level is defined.
It is not recommended to make assignments to administrative user accounts based on
search criteria. Use Change master data to assign employees to administrative user
accounts individually for the respective user account.

Detailed information about this topic

• Define search criteria for employee assignment on page 24
• Finding employees and directly assigning them to user accounts on page 26

Define search criteria for employee assignment
Figure 5: Search criteria for employee assignment

NOTE: One Identity Manager supplies a default mapping for employee assignment. Only
carry out the following steps when you want to customize the default mapping.

To define search criteria for employee assignment

1. Select the Target system type | <target system> category.
2. Select the target system in the result list and run the Define search criteria for
   employee assignment task.
3. Select the object type for the mapping.
   Object types are user accounts with particular characteristics, for example, Active
   Directory contacts or active Notes user accounts.
   a. To add a new object type, click Add | Criteria. Select the object type for
      which to define the search criteria using Apply to.
      The search criteria is applied to all user accounts if no object type is selected.
   b. To change the object type of an existing search criterion, select the search
      criterion in the Search criteria view. Select the object type for which to
      define the search criteria using Apply to.
      If the existing selection is deleted, the search criterion is applied to all
      user accounts.
4. Select the object properties to map.
   • Column for employee
     Select the column in the Employee table on which the search is executed.
   • Column for user account
     Select the column in the user account table that supplies the value for
     searching for a person.
5. Define the formatting rule to limit the search criteria.
   In the Add format menu, select a format template. Define the formatting rule to
   apply to the search string. You can combine different format templates.

Table 4: Format templates

Format template               Meaning

Character range               Characters in the character string to be used as the
                              search criterion.

Crop to fixed length          Defines the length of the character string to search for.
                              Use fill characters at the beginning or end of the string
                              to ensure it reaches the fixed length.

Remove leading or trailing    Characters that are to be removed at the start or end of
characters                    the character string. The remaining string forms the
                              search criteria.

Split value                   Characters for which the character string should be split
                              and for which the remaining parts should be used as a
                              search criterion.

6. Test the format rules.
   In the Format preview view, enter a character string to which the formatting is
   applied. Use this to test the effects of your search criteria formatting.
7. Apply the formatting rules.
   Enable Use format on the columns on which to limit the search criteria.
8. Save the changes.

Different object properties can be joined for search criteria. Both AND and OR operators
can be used.

Example for AND

To assign employees to Notes user accounts, the surname as well as first name
must be the same for the employee and the user account. The following table
columns are mapped:
AND
[Link] – [Link]
[Link] – [Link]

Example for OR

To assign employees to Active Directory user accounts, either the employee's
central user account and the user account's login name must be identical or the
employee's full name and the user account's display name. The following table
columns are mapped:
OR
[Link] – [Link]
[Link] – [Link]
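How a criterion like the AND and OR examples above is evaluated, and what the PersonAutoDefault / PersonAutoFullSync modes described earlier then do with the result, as an added example written for this guide (not the product's scripts or its XML rule format). The column names (CentralAccount, FullName, SAMAccountName, DisplayName, Lastname, Firstname), the handling of ambiguous matches and all function names are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not One Identity Manager code: it models how a search
# criterion (AND/OR-linked column pairs, optionally limited by format
# templates) is evaluated and what the PersonAutoDefault / PersonAutoFullSync
# modes do with the result. Column names (CentralAccount, FullName,
# SAMAccountName, DisplayName, ...) are illustrative; the real rule is stored
# as XML in AccountToPersonMatchingRule and is not reproduced here.

Record = Dict[str, str]
Formatter = Callable[[str], str]

# Format templates of Table 4 (constructed implementations)
def character_range(start: int, end: int) -> Formatter:
    return lambda s: s[start:end]

def crop_to_fixed_length(length: int, fill: str = "0", pad_left: bool = True) -> Formatter:
    def crop(s: str) -> str:
        s = s[:length]
        return s.rjust(length, fill) if pad_left else s.ljust(length, fill)
    return crop

def remove_leading_or_trailing(chars: str) -> Formatter:
    return lambda s: s.strip(chars)

def split_value(separator: str, part: int) -> Formatter:
    return lambda s: (s.split(separator) + [""] * (part + 1))[part]


@dataclass
class Criterion:
    person_column: str                                      # Column for employee
    account_column: str                                     # Column for user account
    formats: List[Formatter] = field(default_factory=list)  # Use format

    def matches(self, account: Record, person: Record) -> bool:
        value = account.get(self.account_column, "")
        for fmt in self.formats:            # formatting limits the search string
            value = fmt(value)
        return bool(value) and value.casefold() == person.get(self.person_column, "").casefold()


@dataclass
class Link:
    operator: str             # "AND" or "OR"
    children: list            # Criterion or nested Link

    def matches(self, account: Record, person: Record) -> bool:
        hits = [child.matches(account, person) for child in self.children]
        return all(hits) if self.operator == "AND" else any(hits)


def link_account(account: Record, uid_person: str, target_system: Record) -> Tuple[str, str]:
    """Link the account; an account definition entered in the target system gives
    it the default manage level (Linked configured), otherwise it is only Linked."""
    account["UID_Person"] = uid_person
    if target_system.get("UID_AccountDef"):
        account["ManageLevel"] = target_system["DefaultManageLevel"]
        return uid_person, "Linked configured"
    return uid_person, "Linked"


def assign_employee(mode: str, rule: Link, account: Record, employees: List[Record],
                    target_system: Record, new_uid: Callable[[], str]) -> Tuple[Optional[str], str]:
    """Apply one mode to one user account; returns (UID_Person, state).
    Several matching employees are left unassigned (this example's own choice;
    the guide does not describe that case)."""
    if mode not in ("NO", "SEARCH", "CREATE", "SEARCH AND CREATE"):
        raise ValueError(f"unknown mode {mode!r}")
    if account.get("UID_Person") or mode == "NO":
        return account.get("UID_Person"), "unchanged"
    if mode != "CREATE":
        found = [p for p in employees if rule.matches(account, p)]
        if len(found) == 1:
            return link_account(account, found[0]["UID_Person"], target_system)
        if len(found) > 1 or mode == "SEARCH":
            return None, "unchanged"
    # CREATE, or SEARCH AND CREATE without a hit: new employee with a few
    # properties initialised from the account, then linked
    person = {"UID_Person": new_uid(),
              "CentralAccount": account.get("SAMAccountName", "").upper(),
              "FullName": account.get("DisplayName", "")}
    employees.append(person)
    return link_account(account, person["UID_Person"], target_system)


# Constructed sample: the Active Directory OR criterion described above
AD_RULE = Link("OR", [Criterion("CentralAccount", "SAMAccountName"),
                      Criterion("FullName", "DisplayName")])

def demo(mode: str = "SEARCH AND CREATE", with_account_definition: bool = True):
    employees = [{"UID_Person": "P1", "CentralAccount": "CLARAH", "FullName": "Clara Harris"},
                 {"UID_Person": "P2", "CentralAccount": "JSMITH", "FullName": "John Smith"}]
    domain = {"UID_AccountDef": "AD_A", "DefaultManageLevel": "Full managed"} if with_account_definition else {}
    accounts = [{"SAMAccountName": "clarah", "DisplayName": "Harris, Clara"},     # login matches
                {"SAMAccountName": "jsmith2", "DisplayName": "John Smith"},      # display name matches
                {"SAMAccountName": "svc-backup", "DisplayName": "Backup Service"}]  # no match
    counter = iter(range(100, 200))
    results = [assign_employee(mode, AD_RULE, a, employees, domain, lambda: f"P{next(counter)}") for a in accounts]
    return results, employees, accounts
```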

To link object properties in search criteria

1. In the Search criteria view, select the operator to which you want to add another
object property. Click Change operator to select the operator for the link.
2. Click Add | Criteria.
3. Select the object properties to map.
4. Select the object properties to be mapped.
5. If you want to nest links, click Add | AND operator or Add | OR operator and
rerun steps 2 to 4.
6. Save the changes.

To delete search criteria

1. Mark the search criteria and click Delete.
2. Save the changes.

Finding employees and directly assigning them to user accounts

Based on the search criteria, you can create a suggestion list for the assignment of
employees to user accounts and make the assignment directly. User accounts are grouped
in different views for this.

Table 5: Manual assignment view

View                         Description

Suggested assignments        This view lists all user accounts to which One Identity
                             Manager can assign an employee. All employees are shown
                             who were found using the search criteria and can be
                             assigned.

Assigned user accounts       This view lists all user accounts to which an employee is
                             assigned.

Without employee assignment  This view lists all user accounts to which no employee is
                             assigned and for which no employee was found using the
                             search criteria.

To apply search criteria to user accounts

• At the bottom of the Define search criteria for employee assignment form,
  click Reload.
  All possible assignments based on the search criteria are found in the target system
  for all user accounts. The three views are updated.

TIP: By double-clicking on an entry in the view, you can view the user account and
employee master data.
The assignment of employees to user accounts creates connected user accounts (Linked
state). To create managed user accounts (Linked configured state), you can assign an
account definition at the same time.

To assign employees directly over a suggestion list

• Click Suggested assignments.
  1. Click the Selection box of all user accounts to which you want to assign the
     suggested employees. Multi-select is possible.
  2. (Optional) Select an account definition in the Assign this account
     definition menu, and select a manage level in the Assign this account
     manage level menu.
  3. Click Assign selected.
  4. Confirm the security prompt with Yes.
     The employees determined using the search criteria are assigned to the
     selected user accounts. If an account definition was selected, this is assigned
     to all selected user accounts.
  - OR -
• Click No employee assignment.
  1. Click Select employee for the user account to which you want to assign an
     employee. Select an employee from the menu.
  2. Click the Selection box of all user accounts to which you want to assign the
     selected employees. Multi-select is possible.
  3. (Optional) Select an account definition in the Assign this account
     definition menu, and select a manage level in the Assign this account
     manage level menu.
  4. Click Assign selected.
  5. Confirm the security prompt with Yes.
     The employees displayed in the Employee column are assigned to the
     selected user accounts. If an account definition was selected, this is assigned
     to all selected user accounts.

To remove assignments

• Click Assigned user accounts.
  1. Click the Selection box of all the user accounts you want to delete the
     employee assignment from. Multi-select is possible.
  2. Click Remove selected.
  3. Confirm the security prompt with Yes.
     The assigned employees are removed from the selected user accounts.

Related topics

• Handling employees and user accounts on page 7

Modifying scripts for automatic employee assignment

Automatic employee assignments are controlled through scripts. In SEARCH mode, these
scripts assign existing employees to the user accounts based on the defined search criteria.
The scripts for CREATE mode also define the properties that are initialized when a new
person is generated. These scripts are implemented in a default One Identity Manager
installation for each target system type. The name of this script is:
<target system type>_PersonAuto_Mapping_<account type>
where:
<target system type> = short name of the addressed target system type
<account type> = Table containing the user accounts
TIP: You can customize scripts to extend search criteria for automatic employee
assignment or the properties of new employees. The scripts can be overwritten. To do
this, create a copy of the existing script and customize the copy.
In automatic employee assignment in CREATE mode, some properties of the user account
are transferred to the new employee object. Initializing the employee properties is done
using "VI_PersonAuto_<targetsystem>". Initializing the properties when an employee is
being created for a user account is done by evaluating the entries in the table
DialogNotification. In this table the connected properties are mapped as a bidirectional
pair through the formatting rules. Evaluation of entries in DialogNotification is
exemplified in the following by showing the initialization of an employee's surname:

Example

The last name of an Active Directory user account is made up of the surname of
the employee.
Value template for [Link]:
Value = $FK(UID_Person).Lastname$
If the employee's surname changes, the last name of the Active Directory user changes,
too. The column [Link] is therefore the sender and the column [Link]
is the receiver.
Relationship as in the table DialogNotification:

[Link] --> [Link]

The table DialogNotification can be used to help with the initialization of the properties for
a new employee in that the relationships can be resolved in reverse. The surname of an
employee can be replaced with the surname of the Active Directory user. Thus, certain
presets for the employee object can be automatically generated. However, only explicit
relationships can be resolved this way.

Example

The display name of an Active Directory user account should be made up of the surname
and the first name of an employee.
Relationships as in the table DialogNotification:
[Link] --> [Link]
[Link] --> [Link]
The [Link] and [Link] cannot be determined from the
[Link], since this is a compound value.
You can use the script TSB_PersonAuto_GetPropMappings to make it easier to map employee
properties to user account properties. This script evaluates the relationship of the
properties as used in the table DialogNotification. The script creates a [Link] script
code and the possible assignments, when it is run by the System Debugger. This code
can subsequently be inserted into the script <target system type>_PersonAuto_Mapping_
<account type>.

Example version of the TSB_PersonAuto_GetPropMappings script

' PROPERTY MAPPINGS ADSAccount - Person
' [Link] --> [Link]
' [Link] --> [Link]
...
Try
    [Link]("Initials", [Link]("Initials").String)
Catch ex As Exception
End Try
Try
    [Link]("City", [Link]("Locality").String)
Catch ex As Exception
End Try
...
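Resolving DialogNotification relationships in reverse for CREATE-mode initialization, as an added example written for this guide (not TSB_PersonAuto_GetPropMappings or any other product script): it handles the explicit single-column case and the compound display-name case from the two examples above. The ADSAccount column names and value templates are constructed for illustration; only the $FK(UID_Person).Column$ reference form is taken from the guide.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not One Identity Manager code. It turns the sender -> receiver
# relationships recorded in DialogNotification around so that employee
# properties can be preset from a user account in CREATE mode, and it shows
# why a compound value template cannot be reversed. The templates and column
# names below are constructed for illustration.

# One value template reference of the form $FK(UID_Person).Column$
REF = re.compile(r"\$FK\(UID_Person\)\.(\w+)\$")


def sender_columns(template: str) -> List[str]:
    """Employee columns referenced by a user account value template."""
    return REF.findall(template)


def reverse_relationship(account_column: str, template: str) -> Optional[Tuple[str, str]]:
    """Return (employee_column, account_column) if the relationship is explicit,
    i.e. the template is exactly one employee column and nothing else.
    Compound or derived values (several references, extra literals or
    function calls) cannot be determined backwards and yield None."""
    refs = sender_columns(template)
    if len(refs) == 1 and REF.sub("", template).strip() == "":
        return refs[0], account_column
    return None


def property_mappings(templates: Dict[str, str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split account value templates into reversible (employee, account) column
    pairs and the account columns that have to be skipped."""
    reversible: List[Tuple[str, str]] = []
    skipped: List[str] = []
    for account_column, template in templates.items():
        pair = reverse_relationship(account_column, template)
        if pair:
            reversible.append(pair)
        else:
            skipped.append(account_column)
    return reversible, skipped


def init_person_from_account(account: Dict[str, str], templates: Dict[str, str]) -> Dict[str, str]:
    """The CREATE-mode step: copy each reversible account property to the new
    employee; empty account values are not copied."""
    person: Dict[str, str] = {}
    for person_column, account_column in property_mappings(templates)[0]:
        if account.get(account_column):
            person[person_column] = account[account_column]
    return person


# Constructed ADSAccount value templates, mirroring the two examples above:
# Surname and GivenName are explicit relationships, DisplayName is compound.
ADS_TEMPLATES = {
    "Surname": "$FK(UID_Person).Lastname$",
    "GivenName": "$FK(UID_Person).Firstname$",
    "DisplayName": "$FK(UID_Person).Lastname$, $FK(UID_Person).Firstname$",
    "Initials": "$FK(UID_Person).Initials$",
}
```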

Disabling and deleting employees and user accounts

How employees are handled, particularly in the case of permanent or partial withdrawal of
an employee, varies between individual companies. There are companies that never delete
employees, and only disable them when they leave the company. Other firms delete the
employee, but only after they have ensured that all the user accounts are removed.
How employees are handled when they are disabled or deleted depends on the type of user
account management. The following scenarios apply:

1. User accounts are linked to employees and managed through account definitions.
2. User accounts are linked to employees. No account definition is applied.

The following methods are available in the One Identity Manager standard version:

• Temporarily deactivating employees
• Permanently deactivating employees
• Deferred deletion of an employee
• Disabling and deleting using account definitions

Temporarily deactivating employees


The employee has temporarily left the company and is expected to return at a predefined
date. The desired course of action could be to disable the user account and remove all
group memberships. Or the user accounts could be deleted and reestablished with the
employee’s return, even if it is with a new system identification number (SID).
Temporary disabling of an employee is triggered by:

• The Temporary disabled option
• The start and end date for deactivation (Temporary disabled from and
  Temporary disabled until)

NOTE:

• Configure the Lock accounts of employees that have left the company
  schedule in the Designer. This schedule checks the start date for disabling and sets
  Temporarily disabled when it is reached.
• In the Designer, configure the Enable temporarily disabled accounts schedule.
  This schedule monitors the end date of the disabled period and enables the
  employee with their user accounts when the date expires. Employee's user
  accounts that were disabled before the period of temporary absence are also
  re-enabled once the period has expired.

Scenario: user accounts are linked to employees and are managed through account
definitions.

• Specify in the account definitions, how temporary disabling of an employee affects
  the user account.

Scenario: user accounts are linked to employees. No account definition is applied.

• Specify the desired behavior using the QER | Person | TemporaryDeactivation
  configuration parameter. If the configuration parameter is set, the employee's user
  accounts are locked if the employee is permanently or temporarily disabled. If the
  configuration parameter is not set, the employee's properties do not have any effect
  on the associated user accounts.

Related topics

• Disabling and deleting using account definitions on page 33

Permanently deactivating employees


Employees can be disabled permanently when, for example, they leave the company. It
might be necessary to remove this employee's access to entitlements in connected target
systems and to their company resources.
Effects of permanent disabling of an employee are:

• The employee cannot be assigned to employees as a manager.
• The employee cannot be assigned to roles as a supervisor.
• The employee cannot be assigned to attestation policies as an owner.
• There is no inheritance of company resources through roles, if the additional option
  No inheritance is set for an employee.
• Employee user accounts are locked or deleted and then removed from group
  memberships.

Trigger permanent deactivation through:

• The Disable employee permanently task
  This task ensures that the Permanently disabled option is enabled and that the
  leaving date and the date of the last working day are set to the current date.
• Arrival of the leaving date
  NOTE: Check the Lock accounts of employees that have left the company
  schedule in the Designer. This schedule regularly checks the leaving date and sets
  the option Permanently disabled on reaching the date.
  NOTE: The Re-enable employee task ensures that the employee is re-enabled.
• The Denied certification status
  If an employee's certification status is set to Denied through attestation or
  manually, the employee is permanently disabled with immediate effect. When
  the employee's certification status is changed to Certified the employee is
  activated again.
  NOTE: This function is only available if the Attestation Module is installed.

Scenario: user accounts are linked to employees and are managed through account
definitions.

• Specify in the account definitions, how temporary disabling of an employee affects
  the user account.

Scenario: user accounts are linked to employees. No account definition is applied.

• Specify the desired behavior using the QER | Person | TemporaryDeactivation
  configuration parameter. If the configuration parameter is set, the employee's user
  accounts are locked if the employee is permanently or temporarily disabled. If the
  configuration parameter is not set, the employee's properties do not have any effect
  on the associated user accounts.

Related topics

• Disabling and deleting using account definitions on page 33

Deferred deletion of an employee


When an employee is deleted, they are tested to see if user accounts and company
resources are still assigned, or if there are still pending requests in the IT Shop. The
employee is marked for deletion and therefore locked out of further processing. Before an
employee can finally be deleted from the One Identity Manager database, you need to
delete all company resource assignments and close all requests. You can do this manually
or implement custom processes to do it. All the user accounts linked to one employee could
be deleted by default by One Identity Manager once this employee has been deleted. If no
more company resources are assigned, the employee is finally deleted.
Scenario: user accounts are linked to employees and are managed through account
definitions.

• Specify in the account definitions, how deletion of an employee affects their user
  accounts. The user accounts can be locked or enabled for the period that deletion is
  deferred. In any case, the user accounts are deleted from the One Identity Manager
  database once the deferred deletion period has expired.

Scenario: user accounts are linked to employees. No account definition is applied.

• Implement custom processes to delete linked user accounts. The employee stays
  marked for deletion until all user accounts are deleted and assignments to company
  resources have been removed. The user accounts remain enabled with deferred
  deletion until they are physically deleted.

Related topics

• Disabling and deleting using account definitions on page 33

Disabling and deleting using account definitions

If user accounts are managed through account definitions, you can specify the desired
behavior for handling user accounts and group memberships through account definitions
and manage levels for temporary disabling, permanent disabling, deletion, and security
risk to employees.
You can define special handling for each target system belonging to a target system type,
through the relationship between the target system and account definition. For more
information, see Using account definitions to create user accounts on page 10.
You can configure the following behavior:

1. Assigning account definitions to employees
   The effects on account definition inheritance of temporary disabling, permanent
   disabling, deletion, and security risk to employees are specified for each account
   definition. The settings of previous account definitions are overwritten.
You may want employees that are disabled or marked for deletion to inherit account
definitions to ensure that all necessary permissions are made immediately available
when the employee is reactivated at a later time.
IMPORTANT: As long as an account definition applies to an employee, this
employee keeps its linked user accounts. If the account definition assignment no
longer applies, the user account created through this account definition is deleted.
The following user account definition options are available for mapping behavior.

One Identity Manager 8.1.2 Target System Base Module Administration


Guide 33
Basic mechanisms for employee and user account administration
Table 6: Master data for an account definition for the assignment behavior
of the account definition

Property Description

Retain account definition Specifies the account definition assignment to


if permanently disabled permanently disabled employees.
Option set: the account definition assignment remains
in effect. The user account stays the same.
Option not set: the account definition assignment is not
in [Link] associated user account is deleted.

Retain account definition Specifies the account definition assignment to


if temporarily disabled temporarily disabled employees.
Option set: the account definition assignment remains
in effect. The user account stays the same.
Option not set: the account definition assignment is not
in [Link] associated user account is deleted.

Retain account definition Specifies the account definition assignment on deferred


on deferred deletion deletion of employees.
Option set: the account definition assignment remains
in effect. The user account stays the same.
Option not set: the account definition assignment is not
in [Link] associated user account is deleted.

Retain account definition Specifies the account definition assignment to


on security risk employees posing a security risk.
Option set: the account definition assignment remains
in effect. The user account stays the same.
Option not set: the account definition assignment is not
in [Link] associated user account is deleted.

2. Handling employee user accounts

The effects of temporary disabling, permanent disabling, deletion, and security risk
of an employee on user accounts are specified for each manage level.
In order to remove permissions from an employee when they are being disabled or
deleted, the employee's user accounts can be locked. If the employee is reinstated at
a later date, the user accounts are also reactivated.
The following options are available for each manage level on an account definition for
handling user accounts:

Table 7: Master data for a manage level for handling user accounts

Lock user accounts if temporarily disabled
    Specifies whether user accounts of temporarily disabled employees are locked.

Lock user accounts if permanently disabled
    Specifies whether user accounts of permanently disabled employees are locked.

Lock user accounts if deletion is deferred
    Specifies whether user accounts of employees marked for deletion are locked.

Lock user accounts if security is at risk
    Specifies whether user accounts of employees posing a security risk are locked.

3. Inheritance of group memberships to employees' user accounts

The effects of temporary disabling, permanent disabling, deletion, and security risk
of an employee on the group memberships of user accounts are specified for each
manage level.
If an employee is deactivated or marked for deletion, inheritance of group
memberships can be suppressed for the account definition target system. You might
want this behavior if an employee's user accounts and mailboxes are locked and
therefore cannot be included in distribution lists. During this deactivation period, no
inheritance processes should be calculated for this employee. Existing group
memberships are deleted.
The following options are available for each manage level on an account definition for
handling group memberships:

Table 8: Master data for a manage level for handling group memberships

Retain groups if temporarily disabled
    Specifies whether user accounts of temporarily disabled employees retain their
    group memberships.

Retain groups if permanently disabled
    Specifies whether user accounts of permanently disabled employees inherit group
    memberships.

Retain groups on deferred deletion
    Specifies whether user accounts of employees marked for deletion retain their
    group memberships.

Retain groups on security risk
    Specifies whether user accounts of employees posing a security risk retain their
    group memberships.

Retain groups if user account disabled
    Specifies whether locked user accounts retain their group memberships.
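The three layers above (account definition assignment, manage level lock, manage level group handling) combine per employee state, and the IMPORTANT note means the first layer short-circuits the other two: once the assignment no longer applies, the user account is gone and its lock and membership settings are moot. The following Python model is an added example, not One Identity Manager code; the option names mirror Tables 6 to 8, while the EmployeeState names, the evaluation order, and the way the "Retain groups if user account disabled" row is combined with the per-state rows are assumptions made for illustration.

```python
"""Decision model for the three layers in Tables 6-8 (added example, not OneIM code).

Option names mirror the tables; EmployeeState, the evaluation order and the
AND-combination of "Retain groups if user account disabled" with the per-state
rows are assumptions made for this illustration.
"""
from dataclasses import dataclass
from enum import Enum


class EmployeeState(Enum):
    ACTIVE = "active"
    TEMPORARILY_DISABLED = "temporarily disabled"
    PERMANENTLY_DISABLED = "permanently disabled"
    DEFERRED_DELETION = "deferred deletion"
    SECURITY_RISK = "security risk"


@dataclass
class AccountDefinition:
    """Table 6: does the account definition assignment survive the state?"""
    retain_if_temporarily_disabled: bool = True
    retain_if_permanently_disabled: bool = True
    retain_on_deferred_deletion: bool = True
    retain_on_security_risk: bool = True


@dataclass
class ManageLevel:
    """Tables 7 and 8: what happens to accounts and group memberships."""
    lock_if_temporarily_disabled: bool = False
    lock_if_permanently_disabled: bool = False
    lock_if_deletion_is_deferred: bool = False
    lock_if_security_is_at_risk: bool = False
    retain_groups_if_temporarily_disabled: bool = True
    retain_groups_if_permanently_disabled: bool = True
    retain_groups_on_deferred_deletion: bool = True
    retain_groups_on_security_risk: bool = True
    retain_groups_if_user_account_disabled: bool = True


@dataclass(frozen=True)
class Outcome:
    account_definition_retained: bool
    user_account_exists: bool
    user_account_locked: bool
    group_memberships_retained: bool


def evaluate(state: EmployeeState, ad: AccountDefinition, ml: ManageLevel) -> Outcome:
    """Combine the three layers for one employee state."""
    if state is EmployeeState.ACTIVE:
        return Outcome(True, True, False, True)

    # Layer 1 (Table 6): if the assignment no longer applies, the user account
    # created through it is deleted, so layers 2 and 3 never come into play.
    retained = {
        EmployeeState.TEMPORARILY_DISABLED: ad.retain_if_temporarily_disabled,
        EmployeeState.PERMANENTLY_DISABLED: ad.retain_if_permanently_disabled,
        EmployeeState.DEFERRED_DELETION: ad.retain_on_deferred_deletion,
        EmployeeState.SECURITY_RISK: ad.retain_on_security_risk,
    }[state]
    if not retained:
        return Outcome(False, False, False, False)

    # Layer 2 (Table 7): lock the account to remove permissions while disabled.
    locked = {
        EmployeeState.TEMPORARILY_DISABLED: ml.lock_if_temporarily_disabled,
        EmployeeState.PERMANENTLY_DISABLED: ml.lock_if_permanently_disabled,
        EmployeeState.DEFERRED_DELETION: ml.lock_if_deletion_is_deferred,
        EmployeeState.SECURITY_RISK: ml.lock_if_security_is_at_risk,
    }[state]

    # Layer 3 (Table 8): per-state membership handling; a locked account must
    # additionally pass the "if user account disabled" row (assumed AND).
    groups = {
        EmployeeState.TEMPORARILY_DISABLED: ml.retain_groups_if_temporarily_disabled,
        EmployeeState.PERMANENTLY_DISABLED: ml.retain_groups_if_permanently_disabled,
        EmployeeState.DEFERRED_DELETION: ml.retain_groups_on_deferred_deletion,
        EmployeeState.SECURITY_RISK: ml.retain_groups_on_security_risk,
    }[state]
    if locked:
        groups = groups and ml.retain_groups_if_user_account_disabled
    return Outcome(True, True, locked, groups)


# Constructed manage level: keep accounts for reactivation but remove access
# while the employee is out; drop memberships outright for a security risk.
LEAST_PRIVILEGE = ManageLevel(
    lock_if_temporarily_disabled=True,
    lock_if_permanently_disabled=True,
    lock_if_deletion_is_deferred=True,
    lock_if_security_is_at_risk=True,
    retain_groups_on_security_risk=False,
)


def report(ad: AccountDefinition, ml: ManageLevel) -> dict:
    """Outcome for every state, handy when reviewing a manage level's settings."""
    return {s.value: evaluate(s, ad, ml) for s in EmployeeState}


if __name__ == "__main__":
    for name, outcome in report(AccountDefinition(), LEAST_PRIVILEGE).items():
        print(f"{name:22} {outcome}")
```

Running `report()` over a proposed manage level before rolling it out makes the review question concrete: for each state, does the account still exist, is it locked, and does it still carry its memberships?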

2 Unified Namespace

The Unified Namespace is a virtual system in which different target systems can be
mapped with their structures, user accounts, system entitlements and memberships. The
Unified Namespace allows a general, cross-target system mapping of all connected target
systems. This means that target systems like Active Directory domains can be mapped just
the same as custom target systems.
By mapping target systems in the Unified Namespace, you can use other One Identity
Manager core functionality, such as identity audit, attestation, or reports, across target
systems. Several reports are supplied by default.

Mapping target system objects in Unified Namespace
Each Unified Namespace object type joins the various tables of the One Identity
Manager data model required for mapping connected target systems. The various target
system tables are joined in database layers. This allows different object properties to be
mapped uniformly.
Use the following database views to execute compliance checks or attestation across target
systems and also to create reports across target systems.
Target systems (UNSRoot)

The UNSRoot view maps the base objects of target system synchronization.

Target system type              Table
Active Directory                ADSDomain
Microsoft Exchange              EX0Organization
SharePoint                      SPSSite
SharePoint Online               O3SSite
IBM Notes                       NotesDomain
SAP R/3                         SAPMandant
LDAP                            LDPDomain
Custom target systems           UNSRootB
Unix                            UNXHost
Azure Active Directory          AADOrganization
G Suite                         GAPCustomer
Cloud target systems            CSMRoot
Oracle E-Business Suite         EBSSystem
Privileged Account Management   PAGAppliance

Container (UNSContainer)

The UNSContainer view maps the target system's container structures.

Target system type              Table
Active Directory                ADSContainer
SharePoint                      SPSWeb
SharePoint Online               O3SWeb
LDAP                            LDAPContainer
Custom target systems           UNSContainerB
Cloud target systems            CSMContainer
G Suite                         GAPOrgUnit

User accounts (UNSAccount)

The UNSAccount view maps the user accounts of the target system.

Target system type              Table
Active Directory                ADSAccount, ADSContact
Microsoft Exchange              EX0MailUser, EX0MailContact, EX0Mailbox
SharePoint                      SPSUser
SharePoint Online               O3SUser
IBM Notes                       NotesUser
SAP R/3                         SAPUser, SAPBWUser, SAPUserMandant
LDAP                            LDAPAccount
Custom target systems           UNSAccountB
Unix                            UNXAccount
Azure Active Directory          AADUser
Exchange Online                 O3EMailbox, O3EMailContact, O3EMailUser
G Suite                         GAPUser
Cloud target systems            CSMUser
Oracle E-Business Suite         EBSUser
Privileged Account Management   PAGUser

System entitlements (UNSGroup)

The UNSGroup view maps the target system's system entitlements, such as groups, roles,
or profiles.

Target system type              Table
Active Directory                ADSGroup
Microsoft Exchange              EX0DL
SharePoint                      SPSGroup, SPSRLAsgn
SharePoint Online               O3SGroup, O3SRLAsgn
IBM Notes                       NotesGroup
SAP R/3                         SAPGrp, SAPProfile, SAPRole, SAPHRP, SAPBWP
LDAP                            LDAPGroup
Custom target systems           UNSGroupB
Unix                            UNXGroup
Azure Active Directory          AADGroup, AADDeniedServicePlan, AADDirectoryRole,
                                AADSubSku
Exchange Online                 O3EDL, O3EUnifiedGroup
G Suite                         GAPGroup, GAPPaSku
Cloud target systems            CSMGroup
Oracle E-Business Suite         EBSResp
Privileged Account Management   PAGUsrGroup

Permissions controls (UNSItem)

The UNSItem view maps the target system's additional permissions controls.

Target system type              Table
Custom target systems           UNSItemB
Cloud target systems            CSMItem

Assignment system entitlements (UNSAccountInUNSGroup)

The UNSAccountInUNSGroup view maps system entitlement assignments to the target
system's user accounts.

Target system type              Table
Active Directory                ADSAccountInADSGroup, ADSContactInADSGroup
SharePoint                      SPSUserInSPSGroup, SPSUserHASSPSRLAsgn
IBM Notes                       NotesUserInGroup
SAP R/3                         SAPUserInSAPGrp, HelperSAPUserInSAPRole,
                                SAPUserInSAPProfile, HelperSAPUserInSAPHRP,
                                SAPBWUserInSAPBWP
LDAP                            LDAPAccountInLDAPGroup
Custom target systems           UNSAccountBInUNSGroupB
Unix                            UNXAccountInUNXGroup
Azure Active Directory          AADUserHasDeniedService, AADUserInDirectoryRole,
                                AADUserInAADGroup
Exchange Online                 O3EAADUserInUnifiedGroup, O3EMailboxInDL,
                                O3EMailContactInDL, O3EMailUserInDL
G Suite                         GAPUserInGroup, GAPUserInPaSku
Cloud target systems            CSMUserInGroup
Oracle E-Business Suite         EBSUserInRespCompressed
Privileged Account Management   PAGUserInUsrGroup

Assignment permissions controls (UNSAccountHasUNSItem)

The UNSAccountHasUNSItem view maps assignments of additional permissions controls to the
target system's user accounts.

Target system type              Table
Custom target systems           UNSAccountBHasUNSItemB
Cloud target systems            CSMUserHasItem

Assignment system entitlements (UNSGroupInUNSGroup)

The UNSGroupInUNSGroup view maps system entitlement assignments to the target system's
system entitlements.

Target system type              Table
Active Directory                ADSGroupInADSGroup
SharePoint                      SPSGroupHasSPSRLAsgn
IBM Notes                       NotesGroupInGroup
SAP R/3                         SAPProfileInSAPProfile, SAPRoleInSAPRole,
                                SAPProfileInSAPRole
LDAP                            LDAPGroupInLDAPGroup
Custom target systems           UNSGroupBInUNSGroupB
Azure Active Directory          AADGroupInGroup
Exchange Online                 O3EDLInDL
G Suite                         GAPGroupInGroup
Cloud target systems            CSMGroupInGroup

Assignment permissions controls (UNSGroupHasUNSItem)

The UNSGroupHasUNSItem view maps assignments of additional permissions controls to the
target system's system entitlements.

Target system type              Table
Custom target systems           UNSGroupBHasUnsItemB
Cloud target systems            CSMGroupHasItem

Inheritance exclusion (UNSGroupExclusion)

The UNSGroupExclusion view maps system entitlement definitions that are mutually
exclusive.

Target system type              Table
Active Directory                ADSGroupExclusion
SharePoint                      SPSGroupExclusion, SPSRLAsgnExclusion
IBM Notes                       NotesGroupExclusion
SAP R/3                         SAPGrpExclusion, SAPProfileExclusion,
                                SAPRoleExclusion
LDAP                            LDAPGroupExclusion
Custom target systems           UNSGroupBExclusion
Unix                            UNXGroupExclusion
Azure Active Directory          AADGroupExclusion, AADSubSkuExclusion
G Suite                         GAPGroupExclusion
Cloud target systems            CSMGroupExclusion
Oracle E-Business Suite         EBSRespExclusion
Privileged Account Management   PAGUsrGroupExclusion

System entitlement hierarchy (UNSGroupCollection)

The UNSGroupCollection view maps hierarchies of system entitlements.

Target system type              Table
Active Directory                ADSGroupCollection
SharePoint                      SPSGroupCollection, SPSRLAsgn
IBM Notes                       NotesGroupCollection
SAP R/3                         SAPCollectionRPG
LDAP                            LDAPGroupCollection
Custom target systems           UNSGroupBCollection
Unix-based target system        UNXGroupExclusion
Azure Active Directory          AADGroupCollection
Exchange Online                 O3EDLCollection
G Suite                         GAPGroupCollection
Cloud target systems            CSMGroupCollection
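The point of these views is that one query reaches every connected target system type at once, which is what the data quality reports described later in this chapter ("Orphaned user accounts in all target systems", "User accounts with an above average number of system entitlements") rely on. The following Python script is an added example, not One Identity Manager code or schema: it stands in for the UNSRoot, UNSAccount, UNSGroup and UNSAccountInUNSGroup views with SQLite tables and runs two such cross-target-system checks. Only the view names come from the tables above; the column names (UID_UNSRoot, UID_UNSAccount, UID_Person, AccountName, TargetSystemType and so on) and every sample row are assumptions constructed for the illustration.

```python
"""Cross-target-system checks over Unified Namespace views, modelled in SQLite.

Added example, not One Identity Manager code or schema. Only the view names
come from the guide; column names and all rows are constructed assumptions.
"""
import sqlite3

# Each UNS* view is stood in for by a plain table with assumed columns.
SCHEMA = """
CREATE TABLE UNSRoot (
    UID_UNSRoot TEXT PRIMARY KEY, Ident_UNSRoot TEXT, TargetSystemType TEXT);
CREATE TABLE UNSAccount (
    UID_UNSAccount TEXT PRIMARY KEY, UID_UNSRoot TEXT, AccountName TEXT,
    UID_Person TEXT);  -- assumed: NULL means no employee is linked
CREATE TABLE UNSGroup (
    UID_UNSGroup TEXT PRIMARY KEY, UID_UNSRoot TEXT, GroupName TEXT);
CREATE TABLE UNSAccountInUNSGroup (UID_UNSAccount TEXT, UID_UNSGroup TEXT);
"""

# Constructed sample: three target systems of different types, two accounts
# without an employee, and one account with more memberships than the rest.
ROOTS = [("R-AD", "corp.example", "Active Directory"),
         ("R-LDAP", "ldap.example", "LDAP"),
         ("R-UNX", "host01", "Unix")]
ACCOUNTS = [("A1", "R-AD", "alice", "P-1"),
            ("A2", "R-AD", "svc-backup", None),
            ("A3", "R-LDAP", "bob", "P-2"),
            ("A4", "R-UNX", "root", None),
            ("A5", "R-UNX", "carol", "P-3")]
GROUPS = [("G1", "R-AD", "Domain Admins"), ("G2", "R-AD", "Staff"),
          ("G3", "R-LDAP", "Developers"), ("G4", "R-UNX", "wheel")]
MEMBERSHIPS = [("A1", "G1"), ("A1", "G2"), ("A2", "G2"), ("A3", "G3"), ("A4", "G4")]


def build_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed sample above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO UNSRoot VALUES (?, ?, ?)", ROOTS)
    conn.executemany("INSERT INTO UNSAccount VALUES (?, ?, ?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO UNSGroup VALUES (?, ?, ?)", GROUPS)
    conn.executemany("INSERT INTO UNSAccountInUNSGroup VALUES (?, ?)", MEMBERSHIPS)
    return conn


def orphaned_accounts(conn: sqlite3.Connection) -> list:
    """User accounts with no employee, across all target system types."""
    return conn.execute("""
        SELECT r.TargetSystemType, r.Ident_UNSRoot, a.AccountName
        FROM UNSAccount a
        JOIN UNSRoot r ON r.UID_UNSRoot = a.UID_UNSRoot
        WHERE a.UID_Person IS NULL
        ORDER BY r.TargetSystemType, r.Ident_UNSRoot, a.AccountName""").fetchall()


def accounts_above_average_entitlements(conn: sqlite3.Connection) -> list:
    """Accounts whose membership count exceeds the average over all accounts;
    accounts with no memberships count as zero rather than being skipped."""
    return conn.execute("""
        WITH counts AS (
            SELECT a.AccountName, r.TargetSystemType,
                   (SELECT COUNT(*) FROM UNSAccountInUNSGroup m
                     WHERE m.UID_UNSAccount = a.UID_UNSAccount) AS n
            FROM UNSAccount a
            JOIN UNSRoot r ON r.UID_UNSRoot = a.UID_UNSRoot)
        SELECT TargetSystemType, AccountName, n
        FROM counts
        WHERE n > (SELECT AVG(n) FROM counts)
        ORDER BY n DESC, AccountName""").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("orphaned:", orphaned_accounts(db))
    print("above average:", accounts_above_average_entitlements(db))
```

Both queries are written against the UNS* names only, so the same SQL shape applies whether the account lives in ADSAccount, LDAPAccount or UNXAccount underneath; that is the cross-target-system mapping the views exist for.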

Special features for mapping object properties
In certain target systems, assignments of system entitlements to user accounts can have a
limited duration.

• The validity period is not mapped in the Unified Namespace.
• The Marked for deletion ([Link]) ID cannot be set for these assignments. Therefore,
  in the Unified Namespace, you cannot tell whether an assignment was marked as
  outstanding by synchronization.

One Identity Manager users for managing target systems in Unified Namespace
The following users are used for managing target systems in the Unified Namespace.

Table 9: Users

Target system administrators
    Target system administrators must be assigned to the Target systems |
    Administrators application role.
    Users with this application role:
    • Administrate application roles for individual target system types.
    • Specify the target system manager.
    • Set up other application roles for target system managers if required.
    • Specify which application roles for target system managers are mutually
      exclusive.
    • Authorize other employees to be target system administrators.
    • Do not assume any administrative tasks within the target system.

Target system managers
    Target system managers must be assigned to the Target systems | Unified
    Namespace application role or a child application role.
    Users with this application role:
    • Obtain a view of the objects in the connected target systems across all target
      systems.
    • Can create reports across all target systems.
    If the users are also target system managers of the basic underlying target
    systems, you can manage these target systems through the Unified Namespace.

One Identity Manager administrators
    • Create customized permissions groups for application roles for role-based login
      to administration tools in the Designer as required.
    • Create system users and permissions groups for non role-based login to
      administration tools in the Designer as required.
    • Enable or disable additional configuration parameters in the Designer as
      required.
    • Create custom processes in the Designer as required.
    • Create and configure schedules as required.
    • Create and configure password policies as required.

Displaying Unified Namespace objects


To display Unified Namespace objects

• Select Unified Namespace.

User accounts, system entitlements and structure elements of all the connected
target systems are displayed hierarchically in the navigation view. This shows the
master data and existing assignments of all objects. The object properties and
assignments cannot be edited.
NOTE: The object properties and assignments cannot be edited in Unified
Namespace.
Use Show base object to change to the connected target system object. As target
system administrator, you can edit the objects of your target system as usual.

Reports about the Unified Namespace


One Identity Manager supplies various reports with information about all the target
systems mapped in the Unified Namespace. The data is combined and grouped by target
system type.

Table 10: Data quality analysis report

Orphaned user accounts in all target systems
    This report shows all user accounts to which no employee is assigned. You can
    find the report in the My One Identity Manager | Data quality analysis category.

Unused user accounts in all target systems
    This report contains all user accounts which have not been used in the last few
    months. You can find the report in the My One Identity Manager | Data quality
    analysis category.

System entitlement drifts in all target systems
    This report shows all system entitlements that are the result of manual
    operations in the target system rather than provisioned by One Identity Manager.
    You can find the report in the My One Identity Manager | Data quality analysis
    category.

User accounts with an above average number of system entitlements
    This report contains all user accounts with an above average number of system
    entitlements. You can find the report in the My One Identity Manager | Data
    quality analysis category.

Unified Namespace user account system entitlements distribution
    The report shows an overview of the distribution of user accounts and system
    authorizations in Unified Namespace. You can find the report in the My One
    Identity Manager | Target system overviews category.

User account operations across all systems
    This report shows modified user accounts from all target systems for a specific
    time period. You can find the report in the My One Identity Manager | Target
    system overviews category.

About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit
[Link]

Technical support resources


Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
[Link]
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

• Submit and manage a Service Request
• View Knowledge Base articles
• Sign up for product notifications
• Download software and technical documentation
• View how-to videos at [Link]/OneIdentity
• Engage in community discussions
• Chat with support engineers online
• View services to assist you with your product

Index

A
account definition 10, 18
    IT operating data 10, 12, 14
    manage level 10
assignment
    deletion flag 42
    outstanding 42
    validity period 42

E
employee
    account definition 10
    assign automatically 20
    central user account 16
    change 17
    default email address 17
    delete 32-33
    general changes 17
    job rotation 17
    name change 17
    permanently disabled 31
    reenable 31
    temporarily disabled 30
employee assignment
    automatic 20
    change mapping 28
    configure 21
    criteria 23
    custom script 28
    manual 26
    mode "CREATE" 21
    mode "NO" 21
    mode "SEARCH AND CREATE" 21
    mode "SEARCH" 21
    remove 26
    search criteria 23
        formatting 24
        object type 24
        table column 24

I
IT operating data
    account definition 10, 12, 14

S
search criteria
    employee assignment 23
system entitlement
    limited assignment 42

U
Unified Namespace 36
    objects
        display 43
        mapping 36
    report 43
    target system administrator 42
    target system manager 42
user account
    account definition 10
    assign employee (automatic) 20
    central 16
    full managed 7
    limited assignment 42
    linked 7
    configured 7
    manage level 7
    state 7
    unlinked 7
    unmanaged 7