立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - Target System Base Module Administration Guide

Basic mechanisms for identity and user account administration The Unified Namespace

Handling of group memberships

How group memberships are handled when user accounts are disabled or deleted depends on how you manage the user accounts.

Scenario: User accounts are linked to identities and are managed through account definitions.
  • You use the manage level of account definitions to specify how group memberships of user accounts are handled when identities are temporarily deactivated, permanently deactivated, deleted, or pose a security risk.

Scenario: User accounts are linked to identities. No account definition is applied.
  • If an identity is temporarily or permanently deactivated, the group memberships of the user accounts are retained.

  • Use the QER | Person | User | KeepMembershipsOfLinkedAccount configuration parameter to specify deferred deletion behavior.

Overriding inheritance settings for individual groups

Sometimes it may be necessary to define different behavior for individual group. For example, it is possible to define never to automatically remove a group from user accounts or never to override the account definition settings.

You can specify behavior different from the default for the following group inheritance settings.

  • Retain groups if temporarily disabled

  • Retain groups if permanently disabled

  • Retain groups on deferred deletion

  • Retain groups on security risk

  • Retain groups if user account disabled

Permitted values are:

  • According to manage level: The manage level settings apply to the group memberships. You use the manage level of account definitions to specify how group memberships are handled when identities are temporarily deactivated, permanently deactivated, deleted, or pose a security risk.

    The setting takes effect for user accounts linked to identities and managed via account definitions.

  • Never: The group is never inherited. Existing group memberships are removed. The group assignment is maintained but the assignment has no effect.

    The setting effects user accounts linked to identities. The setting takes effect regardless of whether the user accounts are managed via account definitions or not.

    IMPORTANT: If the Never value is applied to the Retain groups if user account disabled setting, the group memberships of user accounts that are not linked to an identity also become invalid.

    NOTE: This overrides the settings in the QER | Person | User | KeepMembershipsOfLinkedAccount configuration parameter.

  • Always: The group is always inherited. Existing group memberships are remain intact.

    The setting effects user accounts linked to identities. The setting takes effect regardless of whether the user accounts are managed via account definitions or not.

    NOTE: This overrides the settings in the QER | Person | User | KeepMembershipsOfLinkedAccount configuration parameter.

To override inheritance settings

  1. In the Manager, select the <target system type> > Groups > Override inheritance settings category.

  2. To add a new group, in the result list, click .

    1. Next to the Group field, click .
    2. Under Table, select the table that maps the group.
    3. Under Group, select the group.
    4. Click OK.

    - OR -

  3. To change the values for an existing group, select the group in the result list.

  4. Enter the values for the inheritance settings.

  5. Save the changes.

NOTE: Depending on the target system type, the inheritance settings of other permissions types may be overridden.

Related topics

The Unified Namespace

The Unified Namespace is a virtual system in which different target systems can be mapped with their structures, user accounts, system entitlements and memberships. The Unified Namespace allows a general, cross-target system mapping of all connected target systems. This means that target systems like Active Directory domains can be mapped just the same as custom target systems.

You can use other Unified Namespace core functionality across target systems by mapping target systems in the One Identity Manager, such as identity audit, attestation, or report functions. You are supplied with several reports by default.

Detailed information about this topic

Mapping target system objects in Unified Namespace

Each Unified Namespace object type joins the various tables of the One Identity Manager schema required for mapping connected target systems. The various target system tables are joined in database layers. This allows different object properties to be mapped uniformly.

Use the following database views to run compliance checks or attestation across target systems and also to create reports across target systems.

Special features for mapping object properties

In certain target systems, assignments of system entitlements to user accounts can have a limited duration.

  • The validity period is not mapped in the Unified Namespace.

  • The Marked for deletion (UNSAccountInUNSGroup.XMarkedForDeletion) identifier cannot be set for these assignments. Therefore, in the Unified Namespace, you cannot tell whether an assignment was marked as outstanding by synchronization.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级