Context-Sensitive Help

The user object represents a user of an IT infrastructure. DirX Identity Provisioning manages the user’s access to all parts of the IT infrastructure.

Use this tab to display the general properties of the user object. Since it is fully configurable by the domain administrator, the items shown here may vary from installation to installation or even from domain to domain. It is also possible to set up several user types that show a different set of properties.

The following properties explain the default configuration of DirX Identity:

General (Identification) Properties

Name (mandatory) - used as the relative distinguished name (RDN) for the user entry and identifies the user uniquely within the sub-tree. Once set during adding a new user entry, it can no longer be changed by simply editing this field after the initial save operation. Use the Rename command of the user entry’s context menu instead. A change of the common name is also possible by running the user integration workflow.

First Name (optional) - the first name of the user.

Middle Name (optional) - the middle name of the user.

Salutation (optional) - the salutation of the user. Values for different countries are available.

Title (optional) - the title of this user.

Last Name (mandatory) - the last name of the user. This item corresponds to the "surname" attribute saved in the Identity Store.

Gender (optional) - the gender of this user.

Day of birth (optional) - the day of birth for this user.

Master (optional) - the name of the directory that masters the user entry.

Employee number (optional) - the employee number.

Identifier (optional) - the user’s global unique identifier.

Description (optional) - a description for the user. This field is often useful when user entries are listed in tables with only their names but with a description column to better identify them.

Employee Type (optional) - one of the following user’s employee types:

Business Category (optional) - the business the user works for.

Related Topics

Multi-Value Editor

Relationships
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

Use this tab to define relationships to other user objects.

Owner (optional) - the owner of the user entry. You can use this field in two ways:

Manager (optional) - the user’s manager. Used for user type Internal Employee.

Secretary (optional) - the user’s secretary.

Representative (optional - the user’s representative.

Sponsor (optional) - the user’s sponsor. Used mainly for user type Contractor.

Note that these links are very useful when setting up participants for request workflows. For more information see the section "Participant Calculation" in the DirX Identity Application Development Guide.

Related Topics

General
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

Use this tab to display the operational parameters necessary for correct operation on this user within DirX Identity.

Status fields

To be analyzed (read-only) - indicates when checked that this entry has been changed. For example, an import workflow added or modified some attributes. The privilege resolution or the consistency checker uses this flag to detect and resolve records that are not up-to-date. After the check or resolution operation completes, the flag is cleared.

Is Inconsistent - indicates whether (unchecked) or not (checked) the stored access rights of the user are consistent with the assigned privileges. DirX Identity Provisioning checks the flag (sets the entry’s flag to TRUE), if it fails to resolve the assigned privileges due to errors in the privilege structure. In this case, the user keeps the previous access rights, but DirX Identity Provisioning sets an end date for this state: the Error expiration date. The resolution error is stored in the Error field. So the administrator has time to repair the error. The flag is unchecked if the entry is consistent.

Use as Template - indicates when checked that DirX Identity will not resolve privileges assigned to this user. A likely reason for the checked flag is that the user object has been copied from another object. In this case, the user is marked as a template until appropriate changes have been made to the copied user. If the user is set correctly, uncheck the flag to enforce privilege resolution and target system provisioning.

+ A template user may also have been deliberately created to be used as a basis for creating additional accounts that are fully controlled by DirX Identity. You can use the owner link to point from this copied user to another (primary) user. This reference can help you to understand which secondary user entries belong to a primary one.

Status - shows the status of the user entry. For more information, see the section "Managing States" in the chapter "Managing Provisioning". Possible values are:

Lifetime Start - shows the date on which the privilege assignments to the user will become active for the first time (usually the date on which the user enters the company).

Lifetime End - shows the date on which the privilege assignments to the user will become inactive for the last time (usually the date on which the user leaves the company).

Deactivation Start - shows the date on which the privilege assignments will become inactive for the next time.

Deactivation End - shows the date on which the privilege assignments will be reactivated again for the next time.

Delete - shows the date on which the entry will finally be deleted despite any existing accounts in target systems.

Create time stamp - shows the date and time at which this entry was created.

Modify time stamp - shows the date and time at which this entry was last changed.

Notification fields

Notification Level - controls suppression of the first e-mail of the e-mail notification of an approval workflow. Possible values are:

Tasks fields

To do - shows a list of manual working items for the administrator. DirX Identity Provisioning stores the results of consistency checks it cannot repair automatically. The items are overwritten on the next consistency check.

Possible messages in this field besides warnings from the service agent are:
INF:530:Missing values for attributes: attributelist.
*INF:531:More than one peer account exists for account DN=*dn.
*INF:532:No peer account exists for account DN=*dn.

Error - stores the list of error messages that give the detailed reason for inconsistent states or To do entries. They are cleared automatically when a privilege resolution succeeds.

Error expiration date - shows the date on which the access rights of the user will be updated despite any resolution errors. See the Is Inconsistent field.

Related Topics

General
Relationships
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

Use this tab to display communication attributes for a user object.

E-Mail (optional) - the user’s e-mail addresses.

Phone (optional) - the user’s main phone number (business phone number).

Fax (optional) - the user’s fax number.

Mobile (optional) - the user’s mobile number.

Home (optional) - the user’s home phone number.

Web address (optional) - the Web address of the Internet home page for this user.

Preferred language (optional) - the preferred language of this user, which controls, for example, the language used in an e-mail if this user is referenced in the To field. For more information, see the chapter "Using Variable Substitution" in the DirX Identity Application Development Guide.

Note that the phone number might be used by default when DirX Identity Provisioning creates a new account for the user. The account name is generated using the user’s surname, given name and phone number. See the object description for the accounts.

Related Topics

General
Relationships
Operational Properties
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

Use this tab to display the authentication properties for this user.

Password Management

One-Way Password (read-only) - the user password (userPassword attribute). Authentication against the Identity Store is performed using this password. The password is usually not readable.

Encrypted Password (read-only) - the encrypted (or scrambled) password of this user (dxmPassword attribute). This attribute is used for password synchronization to target systems.

Password Changed Time (read-only) - the time at which the password was last changed.

Password Expiration Notified (read-only) - the time at which the Password Notification service notified the system about the password expiration.

Password History (read-only) - the password history (one-way encrypted). This field shows only that there is a password history.

Password Reset (read-only) - if active, the password was reset by the administrator.

Password Policy - a link to the relevant password policy. If no link is set, the default policy is used by the system.

Logins with Password

This group of fields is related to logins with password.

Failure Count (read-only) – the number of failed login attempts. The number is reset on any successful login attempt.

Last Failure Time (read-only) – the time of the last failed login attempt. The time is cleared on any successful login attempt.

Locked Until (read-only) – the time until which login attempts by the user are rejected.

Challenge Response Authentications

This group of fields is related to challenge-response authentications.

Challenges and Responses (read-only) - the challenge and response questions (one-way encrypted). This field shows only that challenge and response questions have been set up.

Failure Count (read-only) – the number of failed authentication attempts. The number is reset on any successful login attempt.

Last Failure Time (read-only) – the time of the last failed authentication attempt. The time is cleared on any successful login attempt.

Locked Until (read-only) – the time until which authentication attempts by the user are rejected.

SASL EXTERNAL Bind

Mirrored User - a link to the mirrored user for SASL EXTERNAL binds. For details, see the chapter "Configure DirX Identity - Provisioning" in the Use Case Document DXI Smart Card Login Manager.

Certificate

Certificate (read-only) - the certificate of the user.

Related Topics

General
Relationships
Operational Properties
Communication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

Use this tab to display the organization and organizational unit properties of a user. These properties can be linked with the relevant business objects.

Organizations

Organization Link (optional) - sets a link to an organization object (business object).

Organization (optional) - defines the organization to which the user belongs. If the Organization Link is set, this attribute is read-only and is controlled by the linked object.

More Organizations (optional) - defines more organization links for this user.

Organizational Units

Org. Unit Link (optional) - sets a link to an organizational unit object (business object).

Organizational Unit (optional) - the organizational unit to which the user belongs. If the Org. Unit Link is set, this attribute is read-only and controlled by the linked object.

Department Number (optional) - the department number of the organizational unit. If the Org. Unit Link is set, this attribute is read-only and controlled by the linked object.

More Organizational Units (optional) - defines more organizational unit links for this user.

Cost Units

Cost Unit (optional) - defines the cost unit to which the user belongs.

More Cost Units (optional) - defines more cost units for this user.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

User this tab to display and set location information associated with the user.

Location Link (optional) - sets a link to a location object (business object).

Country (optional) - the country of the user. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

State (optional) - the state of the user. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Postal Code (optional) - the postal code of the location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Location (optional) - the location(s) of the user. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Street (optional) - the street of the location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Room (optional) - the room where this user is located.

Postal Address (optional) - the postal address of this location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

More Locations (optional) - defines more location links for this user.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

This tab is an example of other context information. Pre-configured links are:

Contexts (optional) - a link to any type of context object (business object).

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Location
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

Use this tab to view and manage the roles assigned to a user. The tab displays the list of roles currently assigned to the user.

For each role, the following properties are shown:

Role - the role’s name as it is displayed throughout the DirX Identity Provisioning system. If the role’s name ends with an asterisk character (*), the role has assigned one or more junior roles. These junior roles are automatically assigned to the user as well.

Description - the description for the role.

Start Date - the date on which this role became or will become active for the user; that is, the date on which the user was/is granted the permissions assigned to this role.

End Date - the date on which this role became or will become inactive for the user; that is, the date on which the permissions granted to the user was or will be revoked. If the re-approval flag is set, the end date shown is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) the assignment requires regular re-approval. The next re-approval will occur at the shown end date. Unchecking this flag removes the privilege from re-approval at the shown end date (re-approvals no longer occur).

Role Parameters - shows the first few assigned role parameters. Use the button to view all role parameter settings for this assignment.

Assigned by - how the assignment was made. Possible values are:

State - the state of the assignment. Possible values include:

To add or remove roles, use the assignment editor, which is displayed when you click Edit. To examine the details of a particular role, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Permissions
Assigned Groups
Accounts
Orders
SoD Exceptions

Use this tab to view and manage the permissions assigned to a user. The tab displays the list of permissions currently assigned to the user.

For each permission, the following properties are shown:

Permission - the permission’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description for the permission.

Start Date - the date on which this permission became or will become active for the user.

End Date - the date on which this permission became or will become inactive for the user. If the re-approval flag is set, the end date shown is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment requires regular re-approval. The next re-approval occurs at the shown end date. If you uncheck this flag, privilege re-approval is removed at the shown end date (re-approvals no longer occur after the end date is reached).

Assigned by - how the permission assignment was made. Possible values are:

State - The state of the assignment. Possible values are:

To add or remove permissions manually, use the assignment editor, which is displayed when you click Edit. To inspect the details of a particular permission, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Groups
Accounts
Orders
SoD Exceptions

Use this tab to view and manage the groups assigned to a user. The tab displays the list of groups currently assigned to the user.

For each group, the following properties are shown:

Target system - the name of the target system to which the group belongs.

Group - the group’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description for the group.

Start Date - the date on which this direct group assignment became or will become inactive for the user.

End Date - the date on which this direct group assignment became or will become inactive for the user. If the re-approval flag is set, the end date shown is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment will require regular re-approval. The next re-approval will occur at the end date shown. Unchecking this flag removes the privilege from re-approval at the shown end date (re-approvals are no longer required after this date is reached).

Assigned by - how the group assignment was made:

State - the status of the group assignment. Possible values are:

The reason for this state is that the dxrGroupLink at the user has been populated, but the member attributes at the group or account are not yet populated.

To add or remove groups, use the assignment editor, which is visible when you click Edit. To examine the details of a particular group, click on the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Accounts
Orders
SoD Exceptions

Use this tab to display the list of accounts currently assigned to the user.

For each account, the following properties are shown:

Account - the account’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description for the account.

State - the status of the account. Possible values are:

Target System - the target system to which this account belongs.

State in TS (target system) - the status of the account in the respective target system. This status may differ from the status of the account entry in DirX Identity Provisioning as long as the information is not synchronized. Possible values are:

Priv - whether the account is an assigned privileged account (checked) or a personal account that is a member in the assigned groups that define the access rights in the connected systems (unchecked). A privileged account can be used by many persons in parallel. Examples are the Administrator account in Windows or the root account in UNIX. Assignment of a privileged account means:
1) You can read the password of this account in clear text to log in to the corresponding target system.
2) Your certificates are copied to the account in the connected system, which allows you to log in with the corresponding card.

You cannot make direct assignment of accounts in this tab. To examine the details of a particular account, click to the right of the respective table row.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Orders
SoD Exceptions

Use this tab to display all currently pending changes for this user. This information is kept in order objects (mostly part of running request workflows).

The upper part of this tab shows pending attribute modification requests, while the lower part shows pending privilege assignments or privilege assignment attribute changes.

The Attribute Modifications pane shows a line for each relevant attribute. The columns are:

Due Date - the date on which this change will be valid. If no value is supplied, the change depends on a pending attribute approval step of a running request workflow.

Attribute - the name of the attribute.

Old values - the old value(s) of the attribute.

New values - the new value(s) of the attribute.

- opens a detail page for this line.

The Assignments to add (+), modify (*) or delete (-) pane shows a line for each assignment or change. The columns are:

Op(eration) - the type of line. Possible values are:

(+) - the privilege is to be assigned (to be added).

(*) - the assignment is subject to a change. One or more of the attributes - for example, the start or end date or a role parameter - has changed.

(-) - the privilege is to be removed (to be deleted).

Due date - the date on which this assignment or assignment change will be valid. If no value is supplied, the change is dependent on a pending attribute approval step of a running request workflow.

Type - the privilege type (role, permission or group).

Name - the privilege name.

Attribute - the name of the attribute to be changed.

Old values - the old value(s) of the attribute.

New values - the new value(s) of the attribute.

Assigned by - the type of assignment (manual or by rule).

- opens a detail page for this line. It shows the corresponding request workflow instance.

Note that the assignment information is also visible in the Assigned Roles, Assigned Permissions and Assigned Group tabs in a slightly different format.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
SoD Exceptions

Use this tab to display all segregation of duty (SoD) exceptions for this user. SoD exceptions are SoD conflicts that have been approved successfully via an assignment approval workflow.

The upper part of this tab shows approved SoD violations, the lower part shows pending SoD violations.

For each SoD exception line in the Approved SoD violations table, the following columns are shown:

Policy - the SoD policy that caused this exception.

Privilege - the privilege that was assigned to the user.

Activity - the approval activity of the corresponding request workflow.

Reason - the reason why the approver accepted this SoD conflict.

Who - the approver.

When - the date of approval.

For each SoD exception line in the Pending SoD violations table, the following columns are shown:

Policy - the SoD policy that caused this exception.

Privilege - the privilege that was assigned to the user.

Click to open a detail page for this line.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders

Use this tab to display the risk assessment properties for a user.

The Overall Risk section displays the computed overall risk level and the compound score. It includes the following properties:

Risk Level - the overall risk level for the user. Possible values are Low, Medium or High.

Compound Score - the calculated compound score for the user. All of the user’s standard scores are used to compute the compound score.

The Risk Factors section provides the values for every risk factor defined in the domain’s risk policy. Each risk factor is listed by name; for example, GroupMemberships, ImportedAccounts, PrivilegedAccounts. Risk factors shown as RiskFactor*number - for example, *RiskFactor6 - represent risk factors that have not been configured and have so not been processed by the Risk Calculation workflow. For every risk factor, the following properties are shown:

Raw Value - the raw value for the risk factor. This value is the computed score of the factor at the user.

Standard Score - the standard score for the risk factor. This value is a normalized score for the factor at the user.

See the section "Managing Risk" in the chapter "Managing Compliance" for details on risk calculation.

Related Topics

General
Relationships
Operational Properties
Communication
Authentication
Organization
Location
Context
Assigned Roles
Assigned Permissions
Assigned Groups
Accounts
Orders

Risk Policy - General

User facets are alternative representations of a user. User facets are intended for users with different capacities or positions. For example, suppose you have a student who works as a teaching assistant and as a tutor. In some instances, you might be interested in the privileges that derive from his capacity as a student; in other cases, you might want to know about the privileges that derive from his position as a tutor. You can model these different profiles by creating two user facets; both of which are linked to the real user. If you are only interested in the privileges granted from his capacity as a tutor, then look at the "tutor" user facet. At the user, you can view all of the user’s privileges with the resulting accounts.

This tab shows all general properties of the user facet object. Since it is fully configurable by the domain administrator, the items shown here may vary from installation to installation or even from domain to domain.

Note that a user facet is related via its owner link to its user. Depending on the processes in a company, it may make sense to use the master mechanism so that the user facet inherits the properties of the user. In this case, the text entry fields are not editable but are automatically populated from the owner.

The following properties explain the default configuration of DirX Identity:

General (Identification) Properties

Name (mandatory) - used as the relative distinguished name (RDN) for the user facet entry and identifies the user facet uniquely within the sub-tree. Once set during adding a new user facet entry, it can no longer be changed by simply editing this field after the initial save operation. Use the Rename command of the user facet entry’s context menu instead. A change of the common name is also possible by running the user facet integration workflow.

First Name (optional) - the first name of the user facet.

Middle Name (optional) - the middle name of the user facet.

Salutation (optional) - the salutation of the user facet. Values for different countries are available.

Title (optional) - the title of this user facet. Mastered from the user.

Last Name (mandatory) - the last name of the user facet. This item corresponds to the "surname" attribute saved in the Identity Store.

Gender (optional) - the gender of this user facet. Mastered from the user.

Day of birth (optional) - the day of birth for this user facet.

Master (optional) - the name of the directory that masters the user facet entry.

Employee number (optional) - the employee number.

Identifier (optional) - the user facet’s global unique identifier.

Description (optional) - A description for the user facet. This is often useful, when user facet entries are listed in tables just with their names but with a description column to better identify them.

Employee Type (optional) - one of the following user facet’s employee types:

Business Category (optional) - the business the user facet works for.

Related Topics:

Multi-Value Editor
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to define relationships to other user facet objects.

Owner (mandatory) - the owner of the user facet entry. It references the user facet’s related user.

Manager (optional) - the user facet’s manager. Used for user facet type Internal Employee. Mastered from the user.

Secretary (optional) - the user facet’s secretary.

Representative (optional) - the user facet’s representative.

Sponsor (optional) - the user facet’s sponsor. Used mainly for user type Contractor.

Note that these links are very useful when setting up participants for request workflows. For more information, see the section "Participant Calculation" in the DirX Identity Application Development Guide.

Related Topics

User Facet - General Properties
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to display the operational parameters necessary for correct operation on the user facet entry within DirX Identity.

Status fields

To be analyzed (read-only) - indicates when checked that this entry has been changed. For example, an import workflow added or modified some attributes. The privilege resolution or the consistency checker uses this flag to detect and resolve records that are not up-to-date. After the check or resolution operation completes, the flag is cleared.

Is Inconsistent - indicates whether (unchecked) or not (checked) the stored access rights of the user facet are consistent with the assigned privileges. DirX Identity Provisioning checks the flag (sets the entry’s flag to TRUE), if it fails to resolve the assigned privileges due to errors in the privilege structure. In this case, the user facet keeps the previous access rights, but DirX Identity Provisioning sets an end date for this state: the Error expiration date. The resolution error is stored in the Error field. So the administrator has time to repair the error. The flag is unchecked if the entry is consistent.

Use as Template - indicates when checked that DirX Identity will not resolve privileges assigned to this user facet. A likely reason for the checked flag is that the user facet object has been copied from another object. In this case, the user facet is marked as a template until appropriate changes have been made to the copied user facet. If the user facet is set correctly, uncheck the flag to enforce privilege resolution and target system provisioning.

+ A template user facet may also have been deliberately created to be used as a basis for creating additional accounts that are fully controlled by DirX Identity. You can use the owner link to point from this user facet its main identity. This reference can help you to understand which secondary user facet entries belong to a main identity one.

Status - shows the status of the user facet entry. For more information, see the section "Managing States". Possible values are:

Lifetime Start - shows the date on which the privilege assignments to the user facet will become active for the first time (usually the date on which the user facet’s privileges must be activated for the main identity).

Lifetime End - shows the date on which the privilege assignments to the user facet will become inactive for the last time (usually the date on which the user facet’s purpose has been satisfied so that the main identity no longer needs its privileges). Note that when the status of the main identity changes to TBDEL, the user facet’s state changes as well and its EndDate is set.

Deactivation Start - shows the date on which the privilege assignments will become inactive for the next time.

Deactivation End - shows the date on which the privilege assignments will be reactivated again for the next time.

Delete - shows the date on which the entry will finally be deleted despite any existing accounts in target systems.

Create time stamp - shows the date and time at which this entry was created.

Modify time stamp - shows the date and time at which this entry was last changed.

Notification fields

Notification Level - controls suppression of the first e-mail of the e-mail notification of an approval workflow. Possible values are:

Tasks fields

To do - shows a list of manual working items for the administrator. DirX Identity Provisioning stores the results of consistency checks it cannot repair automatically. The items are overwritten on the next consistency check.

Possible messages in this field besides warnings from the service agent are:
INF:530:Missing values for attributes: attributelist.
*INF:531:More than one peer account exists for account DN=*dn.
*INF:532:No peer account exists for account DN=*dn.

Error - stores the list of error messages that give the detailed reason for inconsistent states or To do entries. They are cleared automatically when a privilege resolution succeeds.

Error expiration date - shows the date on which the access rights of the user will be updated despite any resolution errors. See the Is Inconsistent field.

Related Topics

User Facet - General
User Facet - Relationships
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Accounts
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to display communication attributes for a user facet object.

E-Mail (optional) - the user facet’s e-mail addresses. Mastered from the user.

Phone (optional) - the user facet’s main phone number (business phone number).

Fax (optional) - the user facet’s fax number.

Mobile (optional) - the user facet’s mobile number. Mastered from the user.

Home (optional) - the user facet’s home phone number. Mastered from the user.

Web address (optional) - the Web address of the Internet home page for this user facet.

Preferred language (optional) - the preferred language of this user facet (mastered from the user), which controls, for example, the language used in an e-mail if this user facet is referenced in the To field. For more information, see the chapter "Using Variable Substitution" in the DirX Identity Application Development Guide.

Note that the phone number might be used by default when DirX Identity Provisioning creates a new account for the user facet. The account name is generated using the user facet’s surname, given name and phone number. See the object description for the accounts.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to display the authentication properties for this user facet.

Encrypted Password - the encrypted (or scrambled) password of this user facet (dxmPassword attribute). This attribute is used for password synchronization to target systems. Authentication against the Identity Store is performed via the stored one-way password (userPassword attribute).

Password Account Locked Time (read-only) - the time at which the account was locked.

Password Changed Time (read-only) - the time at which the password was last changed.

Password Expiration Notified (read-only) - the time at which Password Notification service notified the system about the password expiration.

Password Failure Time (read-only) - the time at which the password was entered incorrectly.

Password History (read-only) - the password history (one-way encrypted). This field shows only that there is a password history.

Password Reset (read-only) - if active, the password was reset by the administrator.

Password Policy - a link to the relevant password policy. If no link is set, the default policy is used by the system.

Challenges and Responses (read-only) - the challenge and response questions (one-way encrypted). This field shows only that challenge and response questions have been set up.

Certificate (read-only) - the certificate of the user facet.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to display the organization and organizational units properties of a user facet. These properties can be linked with the relevant business objects.

Organizations

Organization Link (optional) - sets a link to an organization object (business object).

Organization (optional) - defines the organization to which the user facet belongs. If the Organization Link is set, this attribute is read-only and is controlled by the linked object.

Organizational Units

Org. Unit Link (optional) - sets a link to an organizational unit object (business object).

Organizational Unit (optional) - the organizational unit to which the user facet belongs. If the Org. Unit Link is set, this attribute is read-only and controlled by the linked object.

Department Number (optional) - the department number of the organizational unit. If the Org. Unit Link is set, this attribute is read-only and controlled by the linked object.

More Organizational Units (optional) - defines more organizational unit links for this user facet.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to display and set location information associated with the user facet.

Location Link (optional) - sets a link to a location object (business object).

Country (optional) - the country of the user facet. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

State (optional) - the state of the user facet. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Postal Code (optional) - the postal code of the location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Location (optional) - the location(s) of the user facet. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Street (optional) - the street name of the location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Room (optional) - the room where this user facet is located.

Postal Address (optional) - the postal address of this location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

This tab is an example of other context information. Pre-configured links are:

Contexts (optional) - a link to any type of context object (business object).

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to view and manage the roles assigned to a user facet. The tab displays the list of roles currently assigned to the user facet.

For each role, the following properties are shown:

Role - the role’s name as it is displayed throughout the DirX Identity Provisioning system. If the role’s name ends with an asterisk character (*), the role has assigned one or more junior roles. These junior roles are automatically assigned to the user as well.

Description - the description for the role.

Start Date - the date on which this role became or will become active for the user facet; that is, when the user facet was/is granted the permissions assigned to this role.

End Date - the date on which this role became or will become inactive for the user facet; that is, when the permissions granted to the user facet was or will be revoked. If the re-approval flag is set, the end date shown is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment will be regularly reapproved. The next re-approval will occur at the shown end date. Unchecking this flag removes the privilege at the shown end date (re-approvals no longer occur).

Role Parameters - shows the first few assigned role parameters. Use the button to view all role parameter settings for this assignment.

Assigned by - how the assignment was made. Possible values are:

State - the state of the assignment:

To add or remove roles, use the assignment editor, which is displayed when you click Edit. To examine the details of a particular role, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you may see a white line that defines the current state and possibly several gray lines that define changes for this assignment that are still in approval.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to view and manage the permissions assigned to a user facet. The tab shows the list of permissions currently assigned to the user facet.

For each permission, the following properties are displayed:

Permission - the permission’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description of the permission.

Start Date - the date on which this permission became or will become active for the user facet.

End Date - the date on which this permission became or will become inactive for the user facet. If the re-approval flag is set, the shown end date is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment requires regular re-approval. The next re-approval occurs at the shown end date. If you uncheck this flag, privilege re-approval is removed at the shown end date (re-approvals no longer occur after the end date is reached).

Assigned by - how the permission assignment was made. Possible values are:

State - the state of the assignment:

To add or remove permissions manually, use the assignment editor, which is visible when you click Edit. To examine the details of a particular permission, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Groups
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to view and manage the groups assigned to a user facet. The tab displays the list of groups currently assigned to the user facet.

For each group, the following properties are shown:

Target system - the name of the target system to which the group belongs.

Group - the group’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description of the group.

Start Date - the date on which this direct group assignment became or will become inactive for the user facet.

End Date - the date on which this direct group assignment became or will become inactive for the user facet. If the re-approval flag is set, the shown end date is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment will require regular re-approval. The next re-approval will occur at the end date shown. Unchecking this flag removes the privilege from re-approval at the shown end date (re-approvals are no longer required after this date is reached).

Assigned by - how the assignment was made:

State - the status of the group assignment. Possible values are:

The reason for this state is that the dxrGroupLink at the user facet is already populated, but the member attributes at the group or account are not yet populated.

To add or remove groups manually, use the assignment editor, which is visible when you click Edit. To examine the details of a particular group, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Orders
User Facet - SoD Exceptions

Use this tab to display all currently pending changes for this user facet. This information is kept in order objects (mostly part of running request workflows).

The upper part of this tab shows pending attribute modification requests, the lower part shows pending privilege assignments or privilege assignment attribute changes.

The Attribute Modifications pane shows a line for each relevant attribute. The columns are:

Due Date - the date on which this change will be valid. If no value is supplied, the change depends on a pending attribute approval step of a running request workflow.

Attribute - the name of the attribute.

Old values - the old value(s) of the attribute.

New values - the new value(s) of the attribute.

- opens a detail page for this line.

The Assignments to add (+), modify (*) or delete (-) pane shows a line for each assignment or change. The columns are:

Op(eration) - the type of line. Possible values are:

(+) - the privilege is to be assigned (to be added).

(*) - the assignment is subject to a change. One or more of the attributes - for example, the start or end date or a role parameter - has changed.

(-) - the privilege is to be removed (to be deleted).

Due date - the date on which this assignment or assignment change will be valid. If no value is supplied, the change depends on a pending attribute approval step of a running request workflow.

Type - the privilege type (role, permission or group).

Name - the privilege name.

Attribute - the name of the attribute to be changed.

Old values - the old value(s) of the attribute.

New values - the new value(s) of the attribute.

Assigned by - the type of the assignment (manual or by rule).

- opens a detail page for this line. It shows the corresponding request workflow instance.

Note that the assignment information is also visible in the Assigned Roles, Assigned Permissions and Assigned Group tabs in a slightly different format.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - SoD Exceptions

Use this tab to display all segregation of duty (SoD) exceptions for this user facet. SoD exceptions are SoD conflicts that have been approved successfully via an assignment approval workflow.

Note that the scope of SOD checking is limited to single users or user facets only. Thus. if a user facet has a privilege assigned that violates an SOD policy for another privilege being assigned to its user or to another user facet of its user, no violation is detected.

The upper part of this tab shows approved SoD violations, the lower part shows pending SoD violations.

For each SoD exception line in the Approved SoD violations table, the following columns are shown:

Policy - the SoD policy that caused this exception.

Privilege - the privilege that was assigned to the user facet.

Activity - the approval activity of the corresponding request workflow.

Reason - the reason why the approver accepted this SoD conflict.

Who - the approver.

When - the date of approval.

For each SoD exception line in the Pending SoD violations table, the following columns are shown:

Policy - the SoD policy that caused this exception.

Privilege - the privilege that was assigned to the user facet.

Click to open a detail page for this line.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders

Use this tab to display the risk assessment properties for the user facet.

The Overall Risk section displays the computed overall risk level and the compound score. It includes the following properties:

Risk Level - the overall risk level for the user facet. Possible values are Low, Medium or High.

Compound Score - the calculated compound score for the user facet. All of the user facet’s standard scores are used to compute the compound score.

The Risk Factors section provides the values for every risk factor defined in the domain’s risk policy. Each risk factor is listed by name; for example, GroupMemberships, ImportedAccounts, PrivilegedAccounts. Risk factors shown as RiskFactor*number - for example, *RiskFactor6 - represent risk factors that have not been configured and have so not been processed by the Risk Calculation workflow. For every risk factor, the following properties are shown:

Raw Value - the raw value for the risk factor. This value is the computed score of the factor at the user facet.

Standard Score - the standard score for the risk factor. This value is a normalized score for the factor at the user facet.

See the section "Managing Risk" in the chapter "Managing Compliance" for details on risk calculation.

Related Topics

User Facet - General Properties
User Facet - Relationships
User Facet - Operational Properties
User Facet - Communication
User Facet - Authentication
User Facet - Organization
User Facet - Location
User Facet - Context
User Facet - Assigned Roles
User Facet - Assigned Permissions
User Facet - Assigned Groups
User Facet - Orders

Risk Policy - General

Personas are alternative representations of a user. The user works in different functions in the company, for example as an administrator or as a project manager. The accounts and the access rights for each representation might be quite different and also auditing should be able to distinguish between these functions of a user.

The persona object represents a profile of a user of an IT infrastructure. DirX Identity Provisioning manages the persona’s access to all parts of the IT infrastructure.

This tab shows all general properties of the persona object. Since it is fully configurable by the domain administrator, the items shown here may vary from installation to installation or even from domain to domain.

Note that a persona is related via its owner link to its user. Depending on the processes in a company, it makes sense to inherit properties of the user to the persona by the master mechanism. In that case, the text entry fields are not editable but are automatically filled from the owner.

The following properties explain the default configuration of DirX Identity:

General (Identification) Properties

Name (mandatory) - used as the relative distinguished name (RDN) for the persona entry and identifies the persona uniquely within the sub-tree. Once set during adding a new persona entry, it can no longer be changed by simply editing this field after the initial save operation. Use the Rename command of the persona entry’s context menu instead. A change of the common name is also possible by running the persona integration workflow.

First Name (optional) - the first name of the persona.

Middle Name (optional) - the middle name of the persona.

Salutation (optional) - the salutation of the persona. Values for different countries are available.

Title (optional) - the title of this persona. Mastered from the user.

Last Name (mandatory) - the last name of the persona. This item corresponds to the "surname" attribute saved in the Identity Store.

Gender (optional) - the gender of this persona. Mastered from the user.

Day of birth (optional) - the day of birth for this persona.

Master (optional) - the name of the directory that masters the persona entry.

Employee number (optional) - the employee number.

Identifier (optional) - the persona’s global unique identifier.

Description (optional) - A description for the persona. This is often useful, when persona entries are listed in tables just with their names but with a description column to better identify them.

Employee Type (optional) - one of the following persona’s employee types:

Business Category (optional) - the business the persona works for.

Related Topics:

Multi-Value Editor

Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to define relationships to other user objects.

Owner (mandatory) - the owner of the persona entry. It references the persona’s related user.

Manager (optional) - the persona’s manager. Used for persona type Internal Employee. Mastered from the user.

Secretary (optional) - the persona’s secretary.

Representative (optional - the persona’s representative.

Sponsor (optional) - the persona’s sponsor. Used mainly for user type Contractor.

Note that these links are very useful when setting up participants for request workflows. For more information, see the section "Participant Calculation" in the DirX Identity Application Development Guide.

Related Topics

Persona - General
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to display the operational parameters necessary for correct operation on the persona entry within DirX Identity.

Status fields

To be analyzed (read-only) - indicates when checked that this entry has been changed. For example, an import workflow added or modified some attributes. The privilege resolution or the consistency checker uses this flag to detect and resolve records that are not up to date. These operations clear the flag after the check or resolution completes.

Is Inconsistent - indicates whether (unchecked) or not (checked) the stored access rights of the persona are consistent with the assigned privileges. DirX Identity Provisioning checks this field (sets the entry’s flag to TRUE) if it fails to resolve the assigned privileges due to errors in the privilege structure. In this case, the persona keeps the previous access rights, but DirX Identity Provisioning sets an end date for this state: the Error expiration date. The resolution error is stored in the Error field so that the administrator has time to repair the error.

Use as Template - indicates when checked that DirX Identity will not resolve privileges assigned to this persona. When this flag is checked, a likely reason is that the persona object has been copied from another one. In this case, the persona is marked as a template until appropriate changes have been made to the copied persona. If the persona is set correctly, uncheck the flag to enforce privilege resolution and target system provisioning.

+ A template persona may also have been deliberately created to be used as a basis for creating additional accounts that are fully controlled by DirX Identity. You can use the owner link to point from this persona to its main identity. This reference can help you to understand which secondary persona entries belong to a main identity one.

Status - the status of the persona entry. For more information, see the section "Managing States". Possible values are:

Lifetime Start - shows the date on which the privilege assignments to the persona will become active for the first time (usually the date on which the persona’s privileges have to become active for the main identity).

Lifetime End - shows the date on which the privilege assignments to the persona will become inactive for the last time (usually the date on which the persona’s purpose is fulfilled, so that the main identity no longer requires its privileges). Note that when the status of the main identity changes to TBDEL, the persona’s state changes as well, and its EndDate is set.

Deactivation Start - shows the date on which the privilege assignments will become inactive for the next time.

Deactivation End - shows the date on which the privilege assignments will be reactivated again for the next time.

Delete - shows the date on which the entry will be finally deleted despite any existing accounts in target systems.

Create time stamp - shows the date and time at which this entry was created.

Modify time stamp - shows the date and time at which this entry was last changed.

Notification fields

Notification Level - controls the suppression of the first e-mail of the e-mail notification of an approval workflow:

Tasks fields

To do - shows a list of manual working items for the administrator. DirX Identity Provisioning stores the results of consistency checks it cannot repair automatically. The items are overwritten on the next consistency check.

Possible messages in this field besides warnings from the service agent are:
INF:530:Missing values for attributes: attributelist.
*INF:531:More than one peer account exists for account DN=*dn.
*INF:532:No peer account exists for account DN=*dn.

Error - stores a list of error messages that show the detailed reason for inconsistent states or To do entries. They are cleared automatically when a privilege resolution succeeds.

Error expiration date - shows the date on which the access rights of the persona will be updated despite any resolution errors. See the Is Inconsistent field.

Related Topics

Persona - General
Persona - Relationships
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to display communication attributes for a persona object.

E-Mail (optional) - the persona’s e-mail addresses. Mastered from the user.

Phone (optional) - the persona’s main phone number (business phone number).

Fax (optional) - the persona’s fax number.

Mobile (optional) - the persona’s mobile number. Mastered from the user.

Home (optional) - the persona’s home phone number. Mastered from the user.

Web address (optional) - the Web address of the Internet home page for this persona.

Preferred language (optional) - the preferred language of this persona (mastered from the user), which controls, for example, the language used in an e-mail if this persona is referenced in the To field. For more information, see the chapter "Using Variable Substitution" in the DirX Identity Application Development Guide.

Note that the phone number might be used by default when DirX Identity Provisioning creates a new account for the persona. The account name is generated using the persona’s surname, given name and phone number. See the object description for the accounts.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to display the authentication properties for this persona.

Encrypted Password - the encrypted (or scrambled) password of this persona (dxmPassword attribute). This attribute is used for password synchronization to target systems. Authentication against the Identity Store is performed via the stored one-way password (userPassword attribute).

Password Account Locked Time (read-only) - the time at which the account was locked.

Password Changed Time (read-only) - the time at which the password was last changed.

Password Expiration Notified (read-only) - the time at which Password Notification service notified the system about the password expiration.

Password Failure Time (read-only) - the time at which the password was entered incorrectly.

Password History (read-only) - the password history (one-way encrypted). This field shows only that there is a password history.

Password Reset (read-only) - if active, the password was reset by the administrator.

Password Policy - a link to the relevant password policy. If no link is set, the default policy is used by the system.

Challenges and Responses (read-only) - the challenge and response questions (one-way encrypted). This field shows only that challenge and response questions have been set up.

Certificate (read-only) - the certificate of the persona.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to display the organization and organizational units properties of a persona. These properties can be linked with the relevant business objects.

Organizations

Organization Link (optional) - sets a link to an organization object (business object).

Organization (optional) - defines the organization to which the persona belongs. If the Organization Link is set, this attribute is read-only and is controlled by the linked object.

Organizational Units

Org. Unit Link (optional) - sets a link to an organizational unit object (business object).

Organizational Unit (optional) - the organizational unit to which the persona belongs. If the Org. Unit Link is set, this attribute is read-only and controlled by the linked object.

Department Number (optional) - the department number of the organizational unit. If the Org. Unit Link is set, this attribute is read-only and controlled by the linked object.

More Organizational Units (optional) - defines more organizational unit links for this persona.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to display and set location information associated with the persona.

Location Link (optional) - sets a link to a location object (business object).

Country (optional) - the country of the persona. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

State (optional) - the state of the persona. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Postal Code (optional) - the postal code of the location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Location (optional) - the location(s) of the persona. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Street (optional) - the street name of the location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Room (optional) - the room where this persona is located.

Postal Address (optional) - the postal address of this location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

This tab is an example of other context information. Pre-configured links are:

Contexts (optional) - a link to any type of context object (business object).

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to view and manage the roles assigned to a persona. The tab displays the list of roles currently assigned to the persona.

For each role, the following properties are shown:

Role - the role’s name as it is displayed throughout the DirX Identity Provisioning system. If the role’s name ends with an asterisk character (*), the role has assigned one or more junior roles. These junior roles are automatically assigned to the user as well.

Description - the description for the role.

Start Date - the date on which this role became or will become active for the persona; that is, when the persona was/is granted the permissions assigned to this role.

End Date - the date on which this role became or will become inactive for the persona; that is, when the permissions granted to the persona was or will be revoked. If the re-approval flag is set, the end date shown is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment will be regularly reapproved. The next re-approval will occur at the shown end date. Unchecking this flag removes the privilege at the shown end date (re-approvals no longer occur).

Role Parameters - shows the first few assigned role parameters. Use the button to view all role parameter settings for this assignment.

Assigned by - how the assignment was made. Possible values are:

State - the state of the assignment:

To add or remove roles, use the assignment editor, which is displayed when you click Edit. To examine the details of a particular role, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you may see a white line that defines the current state and possibly several gray lines that define changes for this assignment that are still in approval.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to view and manage the permissions assigned to a persona. The tab shows the list of permissions currently assigned to the persona.

For each permission, the following properties are displayed:

Permission - the permission’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description of the permission.

Start Date - the date on which this permission became or will become active for the persona.

End Date - the date on which this permission became or will become inactive for the persona. If the re-approval flag is set, the shown end date is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment requires regular re-approval. The next re-approval occurs at the shown end date. If you uncheck this flag, privilege re-approval is removed at the shown end date (re-approvals no longer occur after the end date is reached).

Assigned by - how the permission assignment was made. Possible values are:

State - the state of the assignment:

To add or remove permissions manually, use the assignment editor, which is visible when you click Edit. To examine the details of a particular permission, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Groups
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to view and manage the groups assigned to a persona. The tab displays the list of groups currently assigned to the persona.

For each group, the following properties are shown:

Target system - the name of the target system to which the group belongs.

Group - the group’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description of the group.

Start Date - the date on which this direct group assignment became or will become inactive for the persona.

End Date - the date on which this direct group assignment became or will become inactive for the persona. If the re-approval flag is set, the shown end date is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment will require regular re-approval. The next re-approval will occur at the end date shown. Unchecking this flag removes the privilege from re-approval at the shown end date (re-approvals are no longer required after this date is reached).

Assigned by - how the assignment was made:

State - the status of the group assignment. Possible values are:

The reason for this state is that the dxrGroupLink at the persona is already populated, but the member attributes at the group or account are not yet populated.

To add or remove groups manually, use the assignment editor, which is visible when you click Edit. To examine the details of a particular group, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Accounts
Persona - Orders
Persona - SoD Exceptions

Use this tab to display the list of accounts currently assigned to the persona.

For each account, the following properties are shown:

Account - the account’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description of the account.

State - the status of the account. Possible values are:

Target System - the target system to which this account belongs.

State in TS (target system) - the status of the account in the respective target system. This value may differ from the status of the account entry in DirX Identity Provisioning as long as the information is not synchronized. Possible values are:

Priv - whether the account is an assigned privileged account (checked) or a personal account that is a member in the assigned groups that define the access rights in the connected systems (unchecked). A privileged account can be used by many persons in parallel. Examples are the Administrator account in Windows or the root account in UNIX. Assignment of a privileged account means:
1) You can read the password of this account in clear text to log in to the corresponding target system.
2) Your certificates are copied to the account in the connected system, which allows you to log in with the corresponding card.

You cannot make direct assignment of accounts in this tab. To examine the details of a particular account, click to the right of the respective table row.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Orders
Persona - SoD Exceptions

Use this tab to display all currently pending changes for this persona. This information is kept in order objects (mostly part of running request workflows).

The upper part of this tab shows pending attribute modification requests, the lower part shows pending privilege assignments or privilege assignment attribute changes.

The Attribute Modifications pane shows a line for each relevant attribute. The columns are:

Due Date - the date on which this change will be valid. If no value is supplied, the change depends on a pending attribute approval step of a running request workflow.

Attribute - the name of the attribute.

Old values - the old value(s) of the attribute.

New values - the new value(s) of the attribute.

- opens a detail page for this line.

The Assignments to add (+), modify (*) or delete (-) pane shows a line for each assignment or change. The columns are:

Op(eration) - the type of line. Possible values are:

(+) - the privilege is to be assigned (to be added).

(*) - the assignment is subject to a change. One or more of the attributes - for example, the start or end date or a role parameter - has changed.

(-) - the privilege is to be removed (to be deleted).

Due date - the date on which this assignment or assignment change will be valid. If no value is supplied, the change depends on a pending attribute approval step of a running request workflow.

Type - the privilege type (role, permission or group).

Name - the privilege name.

Attribute - the name of the attribute to be changed.

Old values - the old value(s) of the attribute.

New values - the new value(s) of the attribute.

Assigned by - the type of the assignment (manual or by rule).

- opens a detail page for this line. It shows the corresponding request workflow instance.

Note that the assignment information is also visible in the Assigned Roles, Assigned Permissions and Assigned Group tabs in a slightly different format.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - SoD Exceptions

Use this tab to display all segregation of duty (SoD) exceptions for this persona. SoD exceptions are SoD conflicts that have been approved successfully via an assignment approval workflow.

Note that the scope of SOD checking is limited to single users or personas only. Thus. if a persona has a privilege assigned that violates an SOD policy for another privilege being assigned to its user or to another persona of its user, no violation is detected.

The upper part of this tab shows approved SoD violations, the lower part shows pending SoD violations.

For each SoD exception line in the Approved SoD violations table, the following columns are shown:

Policy - the SoD policy that caused this exception.

Privilege - the privilege that was assigned to the persona.

Activity - the approval activity of the corresponding request workflow.

Reason - the reason why the approver accepted this SoD conflict.

Who - the approver.

When - the date of approval.

For each SoD exception line in the Pending SoD violations table, the following columns are shown:

Policy - the SoD policy that caused this exception.

Privilege - the privilege that was assigned to the persona.

Click to open a detail page for this line.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders

Use this tab to display the risk assessment properties for the persona.

The Overall Risk section displays the computed overall risk level and the compound score. It includes the following properties:

Risk Level - the overall risk level for the persona. Possible values are Low, Medium or High.

Compound Score - the calculated compound score for the persona. All of the persona’s standard scores are used to compute the compound score.

The Risk Factors section provides the values for every risk factor defined in the domain’s risk policy. Each risk factor is listed by name; for example, GroupMemberships, ImportedAccounts, PrivilegedAccounts. Risk factors shown as RiskFactor*number - for example, *RiskFactor6 - represent risk factors that have not been configured and have so not been processed by the Risk Calculation workflow. For every risk factor, the following properties are shown:

Raw Value - the raw value for the risk factor. This value is the computed score of the factor at the persona.

Standard Score - the standard score for the risk factor. This value is a normalized score for the factor at the persona.

See the section "Managing Risk" in the chapter "Managing Compliance" for details on risk calculation.

Related Topics

Persona - General
Persona - Relationships
Persona - Operational Properties
Persona - Communication
Persona - Authentication
Persona - Organization
Persona - Location
Persona - Context
Persona - Assigned Roles
Persona - Assigned Permissions
Persona - Assigned Groups
Persona - Accounts
Persona - Orders

Risk Policy - General

A functional user is a resource that is assigned to an identity; for example, a global or group mailbox, a physical room with a phone or a working student entry. The functional user either manages or is responsible for these resources.

A functional user’s sponsor attribute links it to the responsible user. DirX Identity Provisioning manages the functional user’s access to all parts of the IT infrastructure.

The Functional User - General Properties tab shows all of the general properties of the functional user object. Since a domain administrator is allowed to configure all aspects of a functional user, the items shown here may vary from installation to installation or even from domain to domain. The domain administrator can also set up several functional user types that show a different set of properties.

The following properties describe the default configuration of DirX Identity. Note that the functional user’s default properties have been taken almost completely from the user object, since the use of functional users and their properties varies from customer to customer.

General (Identification) Properties

Name (mandatory) - used as the relative distinguished name (RDN) for the functional user entry and identifies the functional user uniquely within the sub-tree. Once this property is set and saved during the addition of a new functional user entry, you can no longer change it by simply editing this field. Use the Rename command of the functional user entry’s context menu instead.

First Name (optional) - the first name of the functional user.

Middle Name (optional) - the middle name of the functional user.

Salutation (optional) - the salutation of the functional user. Values for different countries are available.

Title (optional) - the title of this functional user.

Last Name (mandatory) - the last name of the functional user. This item corresponds to the "surname" attribute saved in the Identity Store.

Note that the use of first name and last name varies from customer to customer. Some customers use it to display the names of the related sponsor, others use it to describe the type of resource (mailbox, meeting room, trainee,…) with those attributes.

Gender (optional) - the gender of this functional user.

Day of birth (optional) - the date of birth for this functional user.

Master (optional) - the name of the directory that masters the functional user entry.

Employee number (optional) - the employee number.

Identifier (optional) - the functional user’s global unique identifier.

Description (optional) - the description for the functional user. This field is often useful when functional user entries are listed in tables just with their names but with a description column to better identify them.

Employee Type (optional) - one of the following functional user’s employee types:

Business Category (optional) - the business for which the functional user works.

Related Topics

Multi-Value Editor

Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to define the relationship of this functional user to other functional user objects.

Owner (optional) - the owner of the functional user entry. The standard attribute to reference its responsible user is the sponsor attribute, so you may use the owner attribute for own purposes.

Manager (optional) - the functional user’s manager. Used for functional user type Internal Employee.

Secretary (optional) - the functional user’s secretary.

Representative (optional - the functional user’s representative.

Sponsor (mandatory) - the functional user’s responsible person.

Note that these links are very useful when setting up participants for request workflows. For more information, see the section "Participant Calculation" in the DirX Identity Application Development Guide.

Related Topics

Functional User - General Properties
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to display the operational parameters necessary for correct operation within DirX Identity.

Status fields

To be analyzed (read-only) - indicates when checked that this entry has been changed. For example, an import workflow added or modified some attributes. The privilege resolution process and the consistency checker uses this flag to detect and resolve records that are not up to date. They reset this flag after completing the check or resolution operation.

Is Inconsistent - indicates whether (unchecked) or not (checked) the stored access rights of the functional user are consistent with the assigned privileges. DirX Identity Provisioning checks the flag (sets the entry’s flag to TRUE), if it fails to resolve the assigned privileges due to errors in the privilege structure. In this case, the functional user keeps the previous access rights, but DirX Identity Provisioning sets an end date for this state: the Error expiration date. The resolution error is stored in the Error field so that the administrator has time to repair the error. The flag is unchecked if the entry is consistent.

Use as Template - indicates when checked that DirX Identity will not resolve privileges assigned to this functional user. A likely reason for the box to be checked is that the functional user object has been copied from another object. In this case, the functional user is marked as a template until appropriate changes have been made to the copied functional user. If the functional user is set correctly, uncheck the flag to enforce privilege resolution and target system provisioning.

+ A template functional user may also have been deliberately created to be used as a basis for creating additional accounts that are fully controlled by DirX Identity. Use the sponsor link to point from this copied functional user to its main identity (user).

Status - shows the status of the functional user entry. The field can be one of the following values (for more information, see the section "Managing States" in the chapter "Managing Provisioning"):

Lifetime Start - shows the date on which the privilege assignments to the functional user will become active for the first time. This is normally the case when the resource modeled by the functional user becomes available.

Lifetime End - shows the date on which the privilege assignments to the functional user will become inactive for the last time (usually the date when the functional user is removed since the resource modeled by the functional user entry does no longer exist).

Deactivation Start - shows the date on which the privilege assignments will become inactive for the next time.

Deactivation End - shows the date on which the privilege assignments will be reactivated again for the next time.

Delete - shows the date when the entry will be finally deleted despite of existing accounts in target systems.

Create time stamp - shows the date and time at which this entry was created.

Modify time stamp - shows the date and time at which this entry was last changed.

Notification fields

Notification Level - controls suppression of the first e-mail of the e-mail notification of an approval workflow:

Tasks fields

To do - shows a list of manual working items for the administrator. DirX Identity Provisioning stores the results of consistency checks it cannot repair automatically. The items are overwritten upon the next consistency check.

+ Possible messages in this field besides warnings from the service agent are:
INF:530:Missing values for attributes: attributelist*.*
INF:531:More than one peer account exists for account DN=*dn.*
INF:532:No peer account exists for account DN=*dn.*

Error - stores a list of error messages that provide the detailed reason for inconsistent states or To do entries. They are cleared automatically when a privilege resolution succeeds.

Error expiration date - shows the date on which the access rights of the functional user will be updated despite any resolution errors. See the Is Inconsistent field.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to display communication attributes for a functional user object.

E-Mail (optional) - the functional user’s e-mail addresses.

Phone (optional) - the functional user’s main phone number (business phone number).

Fax (optional) - the functional user’s fax number.

Mobile (optional) - the functional user’s mobile number.

Home (optional) - the functional user’s home phone number.

Web address (optional) - the Web address of the Internet home page for this functional user.

Preferred language (optional) - the preferred language of this functional user, which controls, for example, the language used in an e-mail if this functional user is referenced in the To field. For more information, see the chapter "Using Variable Substitution" in the DirX Identity Application Development Guide.

Note that the phone number might be used by default when DirX Identity Provisioning creates a new account for the functional user. The account name is generated using the functional user’s surname, given name and phone number. See the object description for the accounts.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to display the authentication properties for this functional user.

Encrypted Password - the encrypted (or scrambled) password of this functional user (dxmPassword attribute). This attribute is used for password synchronization to target systems. Authentication against the Identity Store is performed via the stored one-way password (userPassword attribute).

Password Account Locked Time (read-only) - the time when the account was locked.

Password Changed Time (read-only) - the time at which the password was last changed.

Password Expiration Notified (read-only) - the time at which the Password Notification service notified the system about the password expiration.

Password Failure Time (read-only) - the time at which the password was entered incorrectly.

Password History (read-only) - the password history (one-way encrypted). This field shows only that there is a password history.

Password Reset (read-only) - if active, the password was reset by the administrator.

Password Policy - a link to the relevant password policy. If no link is set, the default policy is used by the system.

Challenges and Responses (read-only) - the challenge and response questions (one-way encrypted). This field shows only that challenge and response questions have been set up.

Certificate (read-only) - the certificate of the functional user.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to display the organization and organizational units properties of a functional user. These properties can be linked with the relevant business objects.

Organizations

Organization Link (optional) - sets a link to an organization object (business object).

Organization (optional) - defines the organization to which the functional user belongs. If the Organization Link is set, this attribute is read-only and is controlled by the linked object.

More Organizations (optional) - defines more organization links for this functional user.

Organizational Units

Org. Unit Link (optional) - sets a link to an organizational unit object (business object).

Organizational Unit (optional) - the organizational unit to which the functional user belongs. If the Org. Unit Link is set, this attribute is read-only and is controlled by the linked object.

Department Number (optional) - the department number of the organizational unit. If the Org. Unit Link is set, this attribute is read-only and is controlled by the linked object.

More Organizational Units (optional) - defines more organizational unit links for this functional user.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

User this tab to display and set location information associated with the user.

Location Link (optional) - sets a link to a location object (business object).

Country (optional) - the country of the functional user. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

State (optional) - the state of the functional user. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Postal Code (optional) - the postal code of the location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Location (optional) - the location(s) of the functional user. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Street (optional) - the street name of the location. If the Location Link is set, this attribute is read-only and is controlled by the linked object.

Room (optional) - the room where this functional user is located.

Postal Address (optional) - the postal address of this location. If the Location Link is set, this attribute is read only and is controlled by the linked object.

More Locations (optional) - you can define more location links for this functional user with this editor.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

This tab is an example of other context information. Pre-configured links are:

Contexts (optional) - a link to any type of context object (business object).

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to view and manage the roles assigned to a functional user. The tab displays the list of roles currently assigned to the functional user.

For each role, the following properties are shown:

Role - the role’s name as it is displayed throughout the DirX Identity Provisioning system. If the role’s name ends with an asterisk character (*), the role has assigned one or more junior roles. These junior roles are automatically assigned to the user as well.

Description - the description for the role.

Start Date - the date on which this role became or will become active for the functional user; that is, the date on which the functional user was/is granted the permissions assigned to this role.

End Date - the date on which this role became or will become inactive for the functional user; that is, the date on which the permissions granted to the functional user was or will be revoked. If the re-approval flag is set, the shown end date is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) the assignment requires regular re-approval. The next re-approval will occur at the displayed end date. Unchecking this field causes the privilege to be removed at the displayed end date (re-approvals no longer occur).

Role Parameters - shows the first few assigned role parameters. Click to view all role parameter settings for this assignment.

Assigned by - the type of assignment:

State - the state of the assignment:

To add or remove roles, use the assignment editor, which is displayed when you click Edit. To examine the details of a particular role, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus, you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to view and manage the permissions assigned to a functional user. The tab displays the list of permissions currently assigned to the functional user.

For each permission, the following properties are displayed:

Permission - the permission’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description of the permission.

Start Date - the date on which this permission became or will become active for the functional user.

End Date - the date on which this permission became or will become inactive for the functional user. If the re-approval flag is set, the end date displayed is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment requires regular re-approval. The next re-approval occurs at the shown end date. If you uncheck this flag, privilege re-approval is removed at the shown end date (re-approvals no longer occur after the end date is reached).

Assigned by - how the permission assignment was made. Possible values are:

State - the state of the assignment:

To add or remove permissions manually, use the assignment editor, which is visible when you click Edit. To examine the details of a particular permission, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to view and manage the groups assigned to a functional user. The tab displays the list of groups currently assigned to the functional user.

For each group, the following properties are shown:

Target system - the name of the target system to which the group belongs.

Group - the group’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description of the group.

Start Date - the date on which this direct group assignment became or will become inactive for the functional user.

End Date - the date on which this direct group assignment became or will become inactive for the functional user. If the re-approval flag is set, the shown end date is the date of the re-approval. You can change the end date to shorten the period to the next re-approval but you cannot lengthen it.

Reapproval - whether (checked) or not (unchecked) this assignment will require regular re-approval. The next re-approval will occur at the end date shown. Unchecking this flag removes the privilege from re-approval at the shown end date (re-approvals are no longer required after this date is reached).

Assigned by - how the assignment was made:

State - the status of the group assignment. Possible values are:

The reason for this state is that the dxrGroupLink at the functional user is already populated, but the member attributes at the group or account are not yet populated.

To add or remove groups manually, use the assignment editor, which is visible when you click Edit. To examine the details of a particular role, click to the right of its row.

Note that a line is displayed in gray if this assignment is still in approval. Thus you can see a white line that defines the current state and maybe several gray lines that define changes for this assignment that are still in approval.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Accounts
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to display the list of accounts currently assigned to the functional user.

For each account, the following properties are shown:

Account - the account’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description of the account.

State - the status of the account. Possible values are:

Target System - the target system to which this account belongs.

State in TS (target system) - the status of the account in the respective target system. This value may differ from the status of the account entry in DirX Identity Provisioning as long as the information is not synchronized. Possible values are:

Priv - whether the account is an assigned privileged account (checked) or a personal account that is a member in the assigned groups that define the access rights in the connected systems (unchecked). A privileged account can be used by many persons in parallel. Examples are the Administrator account in Windows or the root account in UNIX. Assignment of a privileged account means:
1) You can read the password of this account in clear text to log in to the corresponding target system.
2) Your certificates are copied to the account in the connected system, which allows you to log in with the corresponding card.

You cannot make direct assignment of accounts in this tab. To examine the details of a particular account, click to the right of the respective table row.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Orders
Functional User - SoD Exceptions

Use this tab to display the currently pending changes for a functional user. This information is kept in order objects (which are mostly part of running request workflows).

The upper part of this tab shows pending attribute modification requests, while the lower part shows pending privilege assignments or privilege assignment attribute changes.

The Attribute Modifications pane shows a line for each relevant attribute. The columns are:

Due Date - the date on which this change will be valid. If no value is supplied, the change depends on a pending attribute approval step of a running request workflow.

Attribute - the name of the attribute.

Old values - the old value(s) of the attribute.

New values - the new value(s) of the attribute.

- opens a detail page for this line.

The Assignments to add (+), modify (*) or delete (-) pane shows a line for each assignment or change. The columns are:

Op(eration) - the type of line. Possible values are:

(+) - the privilege is to be assigned (to be added).

(*) - the assignment is subject to a change. An attribute - for example, the start or end date or a role parameter - has changed.

(-) - the privilege is to be removed (to be deleted).

Due date - the date on which this assignment or assignment change will be valid. If no value is supplied, the change depends on a pending attribute approval step of a running request workflow.

Type - shows the privilege type (role, permission or group).

Name - displays the privilege name.

Attribute - the name of the attribute to be changed.

Old values - the old value(s) of the attribute.

New values - the new value(s) of the attribute.

Assigned by - type of the assignment (manual or by rule).

- opens a detail page for this line, which shows the corresponding request workflow instance.

Note that the assignment information is also visible in the Assigned Roles, Assigned Permissions and Assigned Group tabs in a slightly different format.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - SoD Exceptions

Use this tab to display all segregation of duty (SoD) exceptions for this functional user. SoD exceptions are SoD conflicts that have been approved successfully via an assignment approval workflow.

The upper part of this tab shows approved SoD violations, the lower part shows pending SoD violations.

For each SoD exception line in the Approved SoD violations table, the following columns are shown:

Policy - the SoD policy that caused this exception.

Privilege - the privilege that was assigned to the functional user.

Activity - the approval activity of the corresponding request workflow.

Reason - the reason why the approver accepted this SoD conflict.

Who - the approver.

When - the date of approval.

For each SoD exception line in the Pending SoD violations table, the following columns are shown:

Policy - the SoD policy that caused this exception.

Privilege - the privilege that was assigned to the functional user.

Click to open a detail page for this line.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders

Use this tab to display the risk assessment properties for the functional user.

The Overall Risk section displays the computed overall risk level and the compound score. It includes the following properties:

Risk Level - the overall risk level for the functional user. Possible values are Low, Medium or High.

Compound Score - the calculated compound score for the functional user. All of the functional user’s standard scores are used to compute the compound score.

The Risk Factors section provides the values for every risk factor defined in the domain’s risk policy. Each risk factor is listed by name; for example, GroupMemberships, ImportedAccounts, PrivilegedAccounts. Risk factors shown as RiskFactor*number - for example, *RiskFactor6 - represent risk factors that have not been configured and have so not been processed by the Risk Calculation workflow. For every risk factor, the following properties are shown:

Raw Value - the raw value for the risk factor. This value is the computed score of the factor at the functional user.

Standard Score - the standard score for the risk factor. This value is a normalized score for the factor at the functional user.

See the section "Managing Risk" in the chapter "Managing Compliance" for details on risk calculation.

Related Topics

Functional User - General Properties
Functional User - Relationships
Functional User - Operational Properties
Functional User - Communication
Functional User - Authentication
Functional User - Organization
Functional User - Location
Functional User - Context
Functional User - Assigned Roles
Functional User - Assigned Permissions
Functional User - Assigned Groups
Functional User - Accounts
Functional User - Orders

Risk Policy - General

The role object represents a role, a set of permissions needed to perform a particular task in an appropriate personal function of an enterprise, completely managed by the DirX Identity Provisioning system.

Use this tab to display all general properties of the role object. General properties include:

Identification Properties

Name - (mandatory) the name of the role as it is used for display and identification purposes throughout the DirX Identity Provisioning system. Once set during adding a new role entry, it can no longer be changed by simply editing this field after the initial save operation. Use the Rename command of the user entry’s context menu instead.

Description - (optional) a description for the role. This is often useful when role entries are listed in tables just with their names but also with a description column to better identify them.

Role ID - (optional) a customer-specific identifier for the role.

User assignment possible - whether (checked) or not (unchecked) the role can be assigned to a user entry.

Once-only assignment - whether (checked) or not (unchecked) a user can assign the role just once even if it has role parameters.

Owner - the owners of this privilege. These entities are usually the persons that must approve if this privilege is assigned to a user.

Task fields

To do - a list of manual working items for the administrator. DirX Identity Provisioning stores the results of consistency checks it cannot repair automatically. The items are overwritten upon the next consistency check.

Error - a list of error messages that show the detailed reason for inconsistent states or To do entries. They are cleared automatically when a privilege resolution succeeds.

To be analyzed - a flag for the consistency workflow. When checked, the role has been changed and a privilege resolution must be performed .This flag is read-only for the administrator and is set and reset automatically by DirX Identity Provisioning workflows.

Related Topics

Approval
Certification
Details
Role Parameters
Junior Roles
Assigned Permissions
Senior Roles
Users

Use this tab to view and manage the properties of the role object that define the approval process to be used when the role is assigned to another object (for more information about this feature, see the section Managing Request Workflows). These properties include:

For Assignment to Users - fields that apply to the assignment of a role to a user object. These fields include:

Requires approval - whether (checked) or not (unchecked) assigning this role to a user requires approval via request workflows.

Potential SoD conflict (read-only) - whether (checked) or not (unchecked) the role is part of one or more SoD policies, which means that a conflicting privilege exists.

Approval Workflows for

Assignment - the request workflow to be used for approval if this privilege is assigned to a user. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Modification - the request workflow to be used for approval if this privilege assignment is changed. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Removal - the request workflow to be used for approval if this privilege assignment is removed. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

SoD - the request workflow to be used for approval if, during assignment of this privilege, an SoD violation is detected. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

For Assignment to Senior Roles - fields that apply to the assignment of a role as a junior role to another role object (the senior role). These fields include:

Requires approval - whether (checked) or not (unchecked) assigning this role as a junior role to another role requires approval via request workflows.

Approval Workflows for

Assignment - the request workflow to be used for approval if this privilege is assigned as a junior role to another role. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Removal - the request workflow to be used for approval if this role is removed from another role. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Related Topics

Assignment Editor
General Properties
Certification
Details
Role Parameters
Assigned Permissions
Senior Roles
Users

Use this tab to view and manage the properties of the role object that define re-approval scenarios. These properties include:

Requires re-approval - whether (checked) or not (unchecked) all assignments of the role should be regularly re-approved. The DirX Identity re-approval process starts a re-approval workflow at the intervals specified in the other fields in this area.

Re-approval date - the next date for re-approval. Alternatively you can define a re-approval period.

Re-approval period - the frequency with which the re-approval workflows should be started. This value is only used when Re-approval date is not set.

Note: If neither Re-approval date nor Re-approval period are set, the default values from the domain object are used.

Workflow - the request workflow to be used for re-approval. If this field is left blank, the request workflow engine searches for a suitable workflow template. (See the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details.)
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Related Topics

Assignment Editor
General Properties
Approval
Details
Role Parameters
Assigned Permissions
Senior Roles
Users

Use this tab to view and manage the general properties of the role object. These properties include:

Sub Tasks - the list of activities to reach the global goal of a role. These are activities that users must perform when they are assigned to the role. The activities should be relevant for access management.

Responsibilities - the duties and responsibilities for a user assigned to this role (for example, controlling of budget, or signing of contracts).

Role Engineer - the Role Engineer (user or team) who is currently responsible for the specification of this role.

Role Admin - the Role Administrator (user or team) who is currently responsible for implementing the results of the life-cycle management processes for this role.

Role class (optional) - the type of the role. Possible values include:

Version - the role definition’s version.

Custom State - the part of the life-cycle in which the role currently resides.

Language (optional) - the language for the role. Possible values are:

Reference (optional) - an attribute to be used in customer-specific environments.

Related Topics

General Properties
Approval
Certification
Role Parameters
Junior Roles
Assigned Permissions
Senior Roles
Users

Use this tab to view and manage match rules for role parameters to be used when this role is assigned to a user. You can define a set of match rules. Note that these match rules are added to the permission match rules when this role is assigned to a user.

When in Edit mode, add new lines to the list, edit existing ones or delete lines in the list.

For each line, the following properties are shown:

Name - the name of the role parameter. This is a link that points to a role parameter object in the Domain Configuration view.

Operator - the operator expression used for matching. Click the arrow button when the respective table cell is selected for input to view the list of available operators and then select one.

Object - the object of the match expression. Click the arrow button when the respective table cell is selected for input to select one of the following items:

Value - the attribute or value to be matched with the role parameter attribute given in User attribute. Enter a group attribute or a constant value here, depending on what you selected in Object.

Proposals (optional) - add a proposal list to define the set of available values. This proposal list overwrites the role parameter list definition. Use this feature if you want to use the same role parameter definition for several roles but with a different list of values that is presented during role assignment.

Some notes apply to this feature:

Related Topics

Permission
Assignment Editor
Role Parameter
General Properties
Approval
Certification
Details
Junior Roles
Assigned Permissions
Senior Roles
Users

Use this tab to view and manage the junior roles assigned to the role. The tab displays the list of junior roles currently assigned to the role.

For each junior role, the following properties are shown:

Role - the name of the junior role.

Description - the description for the role.

To add or remove roles, use the assignment editor, which is visible when you click Edit. DirX Identity Provisioning checks automatically for role cycles when assigning junior roles (roles that lead to a role cycle are marked with a role icon in the Available Roles list).

to examine the details of a particular junior role, click to the right of its row.

Related Topics

Assignment Editor
General Properties
Approval
Certification
Details
Role Parameters
Assigned Permissions
Senior Roles
Users

Use this tab to view and manage the permissions assigned to the role. The tab shows the list of permissions currently assigned to this role.

For each permission, the following properties are shown:

Permission - the name of the permission.

Description - the description for the permission.

Source - Possible values are:

To add or remove permissions, use the assignment editor, which is visible when you click Edit. To examine the details of a particular permission, click to the right of its row.

Related Topics

Permission
Assignment Editor
General Properties
Approval
Certification
Details
Role Parameters
Junior Roles
Senior Roles
Users

Use this tab to display the list of senior roles that are using this role as a junior role.

For each senior role the following properties are shown:

Role - the name of the senior role.

Description - the description for the role.

The senior roles are the backward references to all roles which have this role assigned as a junior role. You cannot use this tab to make a direct assignment. To display the details of a particular senior role, click to the right of its row.

Related Topics

General Properties
Approval
Certification
Details
Role Parameters
Junior Roles
Assigned Permissions
Users

Use this tab to display the list of users who are assigned this role.

For each user, the following properties are shown:

User - the name of the user.

Description - the description of the user.

To examine the details of a particular user, click to the right of its row.

Related Topics

Assignment Editor
General Properties
Approval
Certification
Details
Role Parameters
Assigned Permissions
Senior Roles

The permission object represents a right of accessing any resource or service of a particular system environment. As with the other objects, the permission object is managed by the DirX Identity Provisioning system.

Use this tab to display all general properties of a permission object. General properties include:

Identification Properties

Name (mandatory) - the name of the permission as it is used for display and identification purposes throughout the DirX Identity Provisioning system. Once set during adding a new permission entry, it can no longer be changed by simply editing this field after the initial save operation. Use the Rename command of the user entry’s context menu instead.

Description (optional) - a description for the permission. This field is often useful when permission entries are listed in tables with just their names but also with a description column to better identify them.

User assignment possible - whether (checked) or not (unchecked) the permission can be assigned to a user entry.

Owner - the owners of this privilege. These entities are usually the persons that must approve if this privilege is assigned to a user.

Approval Properties - for more information about this feature, see the section "Managing Request Workflows".

Requires approval - whether (checked) or not (unchecked) assigning this permission to a user requires approval via request workflows.

Potential SoD conflict (read-only) - the permission is part of one or more SoD policies, which means that a conflicting privilege exists.

Approval workflow - the request workflow to be used for approval of this privilege. If you do not enter a value into this field, the request workflow engine searches for a suitable workflow template (it uses the first workflow template that matches based on the WhenApplicable section of the workflow definition object).

Requires reapproval - whether (checked) or not (unchecked) all assignments of this role require regular re-approval: a re-approval workflow is started at defined intervals.

Reapproval date - the next date for re-approval.

Reapproval period - the frequency of the re-approval workflows. This value is only used when Reapproval date is not specified.

Note: If neither the Reapproval date nor the Reapproval period is set, the default values from the domain object are used. A Reapproval period of less than 1 day it is treated as not set and the re-approval period from the domain is used. (You cannot set a Reapproval period of 0 days).

Task Properties

To do - a list of manual working items for the administrator. DirX Identity Provisioning stores the results of consistency checks it cannot repair automatically. The items are overwritten upon the next consistency check.

Error - a list of error messages that show the detailed reason for inconsistent states or To do entries. They are cleared automatically when a privilege resolution succeeds.

To be analyzed - a flag for the consistency workflow. When checked, the permission has been changed and a privilege resolution must be performed. This flag is read-only for the administrator and is set and reset automatically by DirX Identity Provisioning workflows.

Related Topics

Approval
Certification
Match Rules
Assigned Groups
Roles

Use this tab to view and manage the properties of the permission object that define the approval process to be used when the permission is assigned to another object (for more information about this feature, see the section "Managing Request Workflows"). These properties include:

User Assignment - fields that apply to the assignment of a permission to a user object. These fields include:

Requires approval - whether (checked) or not (unchecked) assigning this permission to a user requires approval via request workflows.

Potential SoD conflict (read-only) - whether (checked) or not (unchecked) the permission is part of one or more SoD policies, which means that a conflicting privilege exists.

Approval Workflows for

Assignment - the request workflow to be used for approval if this privilege is assigned to a user. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Modification - the request workflow to be used for approval if this privilege assignment is changed. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Removal - the request workflow to be used for approval if this privilege assignment is removed. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

SoD - the request workflow to be used for approval if an SoD violation was detected during assignment of this privilege. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Permission Assignment - fields that apply to the assignment of a permission to a role object. These fields include:

Requires approval - whether (checked) or not (unchecked) assigning this permission to a role requires approval via request workflows.

Approval Workflows for

Assignment (Default) - the request workflow to be used for approval if this privilege is assigned to a role. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Removal - the request workflow to be used for approval if this permission is removed from a role. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Related Topics

General Properties
Certification
Match Rules
Assigned Groups
Roles

Use this tab to view and manage the properties of the permission object that define re-approval scenarios. These properties include:

Requires re-approval - whether (checked) or not (unchecked) all assignments of this permission should be regularly re-approved. The DirX Identity re-approval process starts a re-approval workflow at the intervals specified in the other fields in this area.

Re-approval date - the next date for re-approval. Alternatively, you can define a re-approval period.

Re-approval period - the frequency with which the re-approval workflows should be started. This value is only used when Re-approval date is not set.

Note: If neither Re-approval date nor Re-approval period is set, the default values from the domain object are used.

Workflow - the request workflow to be used for re-approval. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Related Topics

General Properties
Approval
Match Rules
Assigned Groups
Roles

Use this tab to view and manage the match rules defined for the permission.

For each match rule, the following properties are displayed:

And/Or - the combination operator, which can be AND or OR. Note that the first item always displays THIS. Changing the operator for one item changes it for the other items, too, except for the first item.

User attribute - the user attribute to be used for checking on a match. This value is one of the permission parameter attributes in the user entry’s general property page. Click the arrow button when the respective table cell is selected for input to display the list of available attributes and then select one.

Operator - the operator expression to be used for matching. Click the arrow button when the respective table cell is selected for input to display the list of available operators and then select one.

Object - the object of the match expression. Click the arrow button when the respective table cell is selected for input and then select one of the following items:

Attribute/Value - the attribute or value to be matched with the user attribute value entered in User attribute. Enter a group attribute or a constant value depending on what you selected for Object.

Related Topics

General Properties
Approval
Certification
Assigned Groups
Roles

Use this tab to view and manage the groups currently assigned to this permission.

For each group, the following properties are shown:

Group - the name of the group.

Target System - the target system in which this group is defined.

Description - the description for the group.

To add or remove groups, use the assignment editor, which is visible when you click Edit. To examine the details of a particular group, click to the right of its row.

Related Topics

Assignment Editor
General Properties
Approval
Certification
Match Rules
Roles

Use this tab to view the list of roles that are currently assigned to the permission.

For each role, the following properties are shown:

Role - the role’s name as it is displayed throughout the DirX Identity Provisioning system.

Description - the description for the role.

You cannot use this tab to make direct assignment of roles to the permission. To examine the details of a particular role, click to the right of its row.

Related Topics

Role
General Properties
Approval
Certification
Match Rules
Assigned Groups

The group object represents a user group in the target system. Groups are used to grant access to system resources by giving the group the right to access the resource and adding the user who should also have this access.

Use this tab to view and manage the general properties of a group. The following standard properties are always shown:

Identification Properties

Name (mandatory) - the name of the group as it is displayed throughout the DirX Identity Provisioning system. Once set during the addition of a new group entry, it cannot be changed after the initial save operation.

Description (optional) - a description for the group. This is often useful when group entries are listed in tables with just their names but with a description column to better identify them.

User assignment possible - whether (checked) or not (unchecked) the group can be assigned to a user entry.

Group for Priv. Accounts - whether the group handles privileged accounts (checked) or personal accounts (unchecked). In this case, the dxrUsedBy link is set to the user entry.
Note: a group can only handle privileged or personal accounts.

Owners - the owners of this privilege. These entities are usually the persons that must approve if this privilege is assigned to a user.

Related Topics

Multi-Value Editor
Approval
Certification
Target System Specific
Operational
Permission Parameters
Permissions
Privileged Members
Members
Remote Members
Member of Group
Obligations

Use this tab to view and manage the properties of a group that define the approval process to be used when the group is assigned to another object (for more information about this feature, see the section "Managing Request Workflows"). These properties include:

User Assignment - properties that apply to the assignment of a group to a user object. These properties include:

Requires approval - whether (checked) or not (unchecked) assigning the group to a user requires approval via request workflows.

Potential SoD conflict (read-only) - whether (checked) or not (unchecked) the permission is part of one or more SoD policies, which means that a conflicting privilege exists.

Approval Workflows for

Assignment - the request workflow to be used for approval if this privilege is assigned to a user. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Modification - the request workflow to be used for approval if this privilege assignment is changed. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Removal - the request workflow to be used for approval if this privilege assignment is removed. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

SoD - the request workflow to be used for approval if, during assignment of this privilege, an SoD violation is detected. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Permission Assignment - properties that apply to the assignment of a group to a permission object. These properties include:

Requires approval - whether (checked) or not (unchecked) assigning the group to a permission requires approval via request workflows.

Approval Workflows for

Assignment (Default) - the request workflow to be used for approval if this privilege is assigned to a permission. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Removal - the request workflow to be used for approval if this group is removed from a role. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Related Topics

General Properties
Certification
Target System Specific
Operational
Permission Parameters
Permissions
Privileged Members
Members
Remote Members
Member of Group
Obligations

Use this tab to view and manage the properties of the group that define re-approval scenarios. These properties include:

Requires re-approval - whether (checked) or not (unchecked) all assignments of this group must be regularly re-approved. The DirX Identity re-approval process starts a re-approval workflow at the intervals defined in the other fields in this area.

Re-approval date - the next date for re-approval. Alternatively, you can define a re-approval period.

Re-approval period - the frequency with which re-approval workflows should be started. This value is only used when the Re-approval date is not set.

Note: If neither Re-approval date nor Re-approval period are set, the default values from the domain object are used.

Workflow - the request workflow to be used for re-approval. If this field is left blank, the request workflow engine searches for a suitable workflow template (see the subsection "Selecting Request Workflows" in the section "Request Workflow Architecture" in the chapter "Understanding the Default Application Workflow Technology" in the DirX Identity Application Development Guide for details).
Note: you can define any workflow here regardless of the When applicable settings in the workflow definition.

Related Topics

General Properties
Target System Specific
Operational
Permission Parameters
Permissions
Privileged Members
Members
Remote Members
Member of Group
Obligations

Use this tab to display and manage target-specific properties. These properties include:

Default target system-specific group properties

Dashboard

The Dashboard target system has no specific properties.

JDBC

The JDBC target system has the following specific properties:

JDBC Key - the value of the primary key in the JDBC target system.

LDAP

The LDAP target system has the following specific properties:

Primary Key (DN in TS) - the DN in the LDAP target system.

Mailing List

This target system has the following target system-specific properties:

EMail - the recipients' e-mail addresses.

Notes

This target system has the following specific properties:

List Name - the unique name of the group in the Notes target system.

Type - the type of the group. Valid values are:

Administrators - the list of administrators in the Notes target system.

ODBC

This target system has the following specific properties:

ODBC Key - the value of the primary key in the ODBC target system.

Office 365

This target system has the following specific properties:

Primary Key (ID in TS) - the identifier of the role (security group or service plan) generated by Office 365.

Display Name - the display name attribute of the role (security group or service plan).

Mail Nickname - the mail nickname attribute for the security group.

Sku ID - the license identifier related to the selected service plan.

Group Type - the type of group (Security, Microsoft 365 – Public, Microsoft 365 – Private, Microsoft 365 – Hiddenmembership).
The value is stored in dxrType - SecurityGroup, MS365GroupPublic, MS365GroupPrivate, MS365GroupHiddenMembership.

RACF

This target system has no specific properties.

SAP NetWeaver UM

This target system has the following specific properties:

dxrName - the name of the SAP NetWeaver UM target system in Provisioning.

Primary Key (DN in TS) - the DN in the SAP NetWeaver UM target system.

SAP ECC UM

This target system has no specific properties.

Sipass

This target system has no specific properties.

UNIX-OpenICF

This target system has the following specific properties:

Group Name - the unique group name in a UNIX system.

GID Number - the unique GID in a UNIX system.

Windows 2008/2012

This target system has the following specific properties:

Type - the type of the group. A group can be a local, global or universal security group or distribution list. Possible values are:

Internal Type - for internal use only. Usually, the groups have an empty value. DirX Identity Provisioning provides one special, pre-installed group named "dxr Mailbox Users", which can be used for granting an Exchange20xx mailbox to its members. This group is identified by its internal type MAILBOX. In its On Assignment and On Revocation tabs, it specifies naming rules that are applied to each member account added to or deleted from this group. These naming rules set / reset the mailbox-relevant attributes of the account.

Windows NT

This target system has the following specific properties:

Type - (optional) the type of the group. A group can be a local or global security group. Possible values are:

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Operational
Permission Parameters
Permissions
Privileged Members
Members
Remote Members
Member of Group
Obligations

Use this tab to view and manage the attributes for the group that are related to standard DirX Identity operation.

Operational Attributes

State - the status of the group entry. Possible values are (for more information, see the section "Managing States" in the chapter "Managing Provisioning"):

End date - the date on which the group is to be deleted. When this date occurs, the group entry is deleted in DirX Identity Provisioning independent of its state in the target system.

State in target system - the status of the group in the respective target system. This value can be different from the status of the group entry as long as this information is not synchronized. Possible values are (for more information, see the section "Managing States" in the chapter "Managing Provisioning"):

Timing Properties

Create time stamp - the date and time at which the object was created in the directory.

Modify time stamp - the date and time of the last modification of this object.

Task Properties

To do - a list of manual working items for the administrator. DirX Identity Provisioning stores the results of consistency checks that it cannot automatically repair in this field. The items here are overwritten on the next consistency check.

Error - a list of error messages that show the detailed reason for inconsistent states or To do entries. These messages are cleared automatically when a privilege resolution succeeds.

To be analyzed (read-only) - when checked, indicates to the consistency workflow that the group has been changed and that a privilege resolution must be performed for all affected users. This flag is read-only for the administrator and is set and reset automatically by DirX Identity Provisioning workflows.

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Target System Specific
Permission Parameters
Permissions
Privileged Members
Members
Remote Members
Member of Group
Obligations

Use this tab to display the permission parameters for assigning the group. The privilege resolution process evaluates these attribute values for a user when the match rule of an assigned role or permission is applied. The user is granted the group when the attribute value of the group and the user (or user-to-role assignment) match.

For details, see the section "Managing Critical Parameters" in the "Managing Domain" chapter.

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Target System Specific
Operational
Permissions
Privileged Members
Members
Remote Members
Member of Group
Obligations

Use this tab to display the list of permissions currently assigned to this group.

For each permission, the following properties are shown:

Permission - the name of the permission.

Description - the description of the permission.

You cannot use this tab to make direct assignment of permissions. The list shows the backward references to all permissions which have this group assigned. To view the details of a permission, click to the right of its row.

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Target System Specific
Operational
Permission Parameters
Privileged Members
Members
Remote Members
Member of Group
Obligations

Use this tab to display the list of privileged accounts currently assigned to the group.

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Target System Specific
Operational
Permission Parameters
Permissions
Members
Remote Members
Member of Group
Obligations

Use this tab to display the list of members currently assigned to this group.

For each member, the following properties are shown:

Account or group - the name of the account or group.

State of Assignment - the status of the member’s assignment to the group. It can take one of the following values:

You cannot use this tab to make direct assignment of members. The access rights of groups can only be granted by the assigned privileges. To view the details of a member, click to the right of its row.

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Target System Specific
Operational
Permission Parameters
Permissions
Privileged Members
Remote Members
Member of Group
Obligations

Some target systems are structured into different domains. In this case, groups from one domain can contain accounts or groups from a foreign domain. Use this tab to display the list of members from foreign domains currently assigned to this group.

For each member, the following properties are shown:

Account or group - the name of the account or group.

You cannot use this tab to make direct assignment of members. To examine the details of a member, click to the right of its row.

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Target System Specific
Operational
Permission Parameters
Permissions
Privileged Members
Members
Member of Group
Obligations

Use this tab to display the groups of which this group is a member. The tab allows you to view the next higher level of groups in a hierarchical target system.

For each member, the following properties are shown:

Group - the name of the group to which this group belongs.

Description - the description of the group object.

State of Assignment - the status of the member’s assignment to the group. Possible values are:

You cannot use this tab to make direct assignments of members. The access rights of groups can only be granted by the assigned privileges. To examine the details of a particular member, click to the right of its row.

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Target System Specific
Operational
Permission Parameters
Permissions
Privileged Members
Members
Remote Members
Obligations

Obligations are a method for setting or resetting account attributes when an account becomes a member of a group or is removed from the group. Obligations can be local to a group or common to several groups.

The local obligations page contains these properties:

Obligation link - the link to a common obligation object of this target system (see the Target Systems View and in this view, the folder Configuration -> Obligations).

For the rest of the properties on this page, see the description of the common obligation object.

Related Topics

Multi-Value Editor
General Properties
Approval
Certification
Target System Specific
Operational
Permission Parameters
Permissions
Privileged Members
Members
Remote Members
Member of Group

Use this tab to display the properties for an access policies folder. It can contain other access policy folders or access policies objects.

The property items shown here are the following:

Name - the displayed name of the access policy folder.

Description - the description for the access policy folder.

Related Topics

Access Policy

Attribute policies define when approval of object attribute changes is needed.

You can structure attribute policies in folders and define attribute policy objects.

Related Topics

Attribute Policies Folder
Attribute Policy

Delete policies define whether a request workflow should be started if an object is to be deleted.

You usually only need to define one delete policy for your domain, so using folders to structure this area is not necessary.

Related Topics

Delete Policy - General
Delete Policy - Configuration

+ Managing Delete Policies

Event policies define event-based handling of object attributes.

You usually need to define only one event policy for your domain, so folders for structuring this area are not necessary.

Related Topics

Event Policy - General
Event Policy - Configuration

+ Managing Event Policies

Risk policies define the risk factors that are to be used for risk calculation and their weights and specify upper and lower risk limits for risk classification. They also store the compound score deviation and the date of the last run of the Risk Calculation workflow. Only one risk policy can be active for a domain at a time.

Related Topics

Risk Policy - General

+ Managing Risk

Use this tab to display the properties for a rule folder. The rule folder contains either rule entries (consistency, provisioning or validation rules) or other rule folders for improving the ordering and grouping of rules.

The property items shown here include:

Name - the displayed name of the rules folder.

Description - the description for the rules folder.

Related Topics

Managing Rules
Operations
Consistency Rule - General Properties
Provisioning Rule - General Properties
Validation Rule - General Properties

Use this tab to display the properties for an operations folder. The operations folder contains either operation entries (Executable Operation, Java Class, JavaScript Operation) or other operations folders for improving the ordering and grouping of operations.

The property items shown here include:

Name - the displayed name of the operations folder.

Description - the description for the operations folder.

Related Topics

Managing Operations
Executables
Java Class
JavaScript Action

DirX Identity provides a set of password policies that restrict password changes. The password policies are handled in the DirX Identity Services layer and not in the LDAP directory itself.

The properties shown here are:

Name - the name of the password policy.

Description - the description for the password policy.

Customization class - the names of classes that implement customized password checks or password generations for this policy; see the chapter "Customizing Password Management" in the DirX Identity Customization Guide for details.

Active - whether (checked) or not (unchecked) the password policy is active.

Default policy - whether (checked) or not (unchecked) the password policy is to be used for all users that do not have an explicit password policy assigned.

The properties related to Windows compatibility checks are:

Must meet Windows password complexity requirements - whether (checked) or not (unchecked) the password policy requires passwords to comply with the Microsoft Windows (Active Directory) password complexity requirements. You can set additional password policies if required. The Windows password complexity requirements are:

Attributes for Windows account name checks - the user or account attributes in the DirX Identity database that contain the Windows account name; the default value is account:dxrName.

Attributes for Windows display name checks - the user or account attributes in the DirX Identity database that contain the Windows display name or parts thereof; default is account:cn.

When a user sets his password or an administrator resets the password of another user, the name checks are performed against all of the user’s Windows accounts. This doesn’t capture accounts that are assigned only later on after the password change. To make sure that the password complies with future accounts, you can define that the checks should also be performed against some user attributes that hold the Windows account or display names of the future accounts. For example, if the accounts' display names are comprised of the user’s first name and last name, enter account:cn; user:givenName; user:sn for the display name checks.

You can also perform the checks against one or more portions of an attribute value instead of the entire value. Just add a regular expression (java.util.regex syntax) to the attribute name that captures the desired parts. For example, user:cn:([a-z]+).* extracts the beginning of the common name up to the first non-ASCII letter.

History check-related properties are:

Number of passwords in history - the number of passwords that are stored in the history record. The user must define a password that is not in the history.

Don’t store current password if check disabled - disable storage of the current password. Whenever a user changes his password or his password is reset by an administrator, the new password is usually stored in the user’s password history even if the password history is disabled (that is, if Number of passwords in history is 0). This operation is performed to avoid issues in systems with one or more Windows Password Listeners. You can disable storing the password here, but do it only if you have not deployed any Windows Password Listeners. The flag is ignored if the history is enabled.

Aging check-related properties are:

Maximum age - the age after which the user’s password expires. The user must change the password after this period.

Expiration warning time - the amount of time before Maximum age is reached at which the user should be notified of the impending expiration. The password expiration notification workflow uses this value to calculate when the user needs to be warned about a password that is about to expire.

Character check-related properties are:

Minimum number of characters - the minimum length of the password.
Note: if the Windows compatibility flag is set, a number smaller than 6 is ignored.

Maximum number of characters - the maximum length of the password.

Minimum number of non-alphanumeric characters - the number of non-alphanumeric characters required for the password. Non-alphanumeric characters comprise all characters that are not letters and numbers.

Minimum number of numeric characters - the number of numeric characters required for the password.

Minimum number of special characters - the number of special characters required for the password. Special characters comprise all characters besides letters.

Minimum number of upper case characters - the number of uppercase characters required for the password.

Minimum number of lower case characters - the number of lowercase characters required for the password.

Not allowed characters - the list of characters that are not allowed in passwords.

Not allowed substrings - the list of substrings that are not allowed in passwords. You can define one or more substrings per line; separate substrings with space characters.

SoD policies specify user-privilege assignments that constitute conflicts of interest. The SoD checking algorithm checks the user-privilege assignments for compliance with one or more SoD policies and reports any discovered violations.

You can structure SoD policies in folders, define SoD policies and view the resulting SoD exceptions.

Related Topics

SoD Exception
SoD Policies
SoD Policy

In DirX Identity Provisioning, a delegation represents an object that collects the access rights inherited from a user.

The available attributes are:

Name - the name of the delegation object.

Description - a description for the delegation object. The description should denote the main reason for this delegation.

Delegator - the person that delegates access rights to the substitute.

Substitute - the person that gets access rights from the delegator.

Start Date - the start date if the delegation is time restricted.

End Date - the end date, if the delegation is time restricted.

Delete Date - the date on which this delegation object will be deleted from the Identity Store (Provisioning Configuration).

Access Right Link - links to all access rights that belong to this delegation object.

Prevent delegation - whether (checked) or not (unchecked) further delegation is not allowed.

Originated from - the object from which this object was derived. It is either a copy or a subset of it.

Related Topics

Delegations Folder
Access Rights

In DirX Identity Provisioning, an access right represents an object that defines the operations that can be performed on the list of resources.

The available attributes are:

Name - the name of the access right object.

Description - a description for the access right object. The description should denote the main reason for this access right.

Originator - the access right from which this object was derived. It is either a copy or a subset of it.

Operation - the operations that can be performed on the resources. Possible operations are:

Resource link - the list of resources (users, roles, permissions or groups).

Related Topics

Delegations Folder
Delegations

A campaign folder represents a campaign.It provides the following containers: