Managing users


Applies To: Forefront Identity Manager

In most BHOLD deployments, users are principally managed in the context of other authoritative identity data sources, such as Forefront Identity Manager (FIM), Active Directory Domain Services (AD DS), third-party human relations (HR) applications, and so on. By synchronizing through FIM with these data sources, BHOLD user attributes are kept consistent with other identity data stores. For this reason, it’s rarely necessary to use the BHOLD Core portal to manage user attributes directly, except when the attributes are specific to BHOLD itself.

The following are basic tasks for managing users in BHOLD:

  • Creating a user

  • Limiting permissions and roles

  • Managing role inheritance

  • Managing role assignment

  • Managing user accounts

  • Removing a user

Creating a user

As noted earlier in this topic, it is rarely necessary in production BHOLD deployments to create users by using the BHOLD Core portal. Instead, in production deployments, users are usually added to BHOLD by synchronizing with Forefront Identity Manager, by using the BHOLD Model Generator, or a combination of the two.

All users in BHOLD must belong to at least one organizational unit (orgunit). For that reason, you create a user by adding the user to an existing orgunit.

To create a user by using the BHOLD Core portal

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit in which you want to add a user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Add.

  4. On the Add user page, enter the following information, and then click OK.

    Description (required)
      The user’s name, or another identifying label.

    Default alias (required)
      The unique identifier for the user. Often, this is the user’s domain and user name in Active Directory. If you enter an alias that has already been used, the BHOLD Core portal displays an error message.

    End date (optional)
      The date after which the user loses all permissions and all roles are disabled. Use this entry to ensure that temporary users do not retain permissions past their planned termination date.

    Disabled (optional)
      When selected, the user is deactivated and so does not receive permissions, aliases, or active roles. Use this setting when you want to prevent a user from receiving permissions until you explicitly enable the user.

    Maximum number of permissions (optional)
      The highest number of permissions that can be assigned to the user. Leave blank or set to 0 for unlimited permissions.

    Maximum number of roles (optional)
      The highest number of roles that can be assigned to the user. Leave blank or set to 0 for unlimited roles.

    Email (optional)
      The user’s email address.

Limiting permissions and roles

One way to ensure that a user is not assigned permissions and roles inappropriately is to limit the number of permissions or roles that can be assigned to the user. That way, errors in the implementation of features such as inheritance or attribute-based authorization (ABA) policies cannot result in a user being assigned more permissions or roles than intended. This limit on the number of permissions or roles that a user can be assigned is known as cardinality. You can also apply cardinality to roles (to limit the number of users or permissions assigned to the role) and to permissions (to limit the number of roles and users the permission can be assigned to).

To limit permissions and roles for a user

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user for which you want to manage cardinality.

  3. On the User/<user> page, click Modify.

  4. On the Edit user attributes/<user> page, in Maximum number of permissions, type a number specifying the maximum number of permissions you want to allow to be assigned to the user, or leave blank to allow an unlimited number.

  5. In Maximum number of roles, type a number specifying the maximum number of roles you want to allow to be assigned to the user, or leave blank to allow an unlimited number.

  6. Click OK, and then click Done.

Managing role inheritance

In addition to being directly assigned a role, a user can inherit a role by, for example, being a member of an organizational unit (orgunit) that has a membership role assigned to it. In some cases, it is necessary to block inheritance of a role, such as when a user is being transferred from one orgunit to another. You can revoke an inherited role for a user and, afterwards, you can also reactivate the inherited role if needed.

To revoke or activate an inherited role

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user for which you want to manage an inherited role.

  3. On the User/<user> page, expand Inherited roles, and then click Modify.

  4. On the User–roles/<user> page, expand Inherited roles, and then do one of the following:

    • To revoke a role, next to the role, click Revoke.

    • To activate a previously revoked role, next to the role, click Activate.

  5. On the User–roles/<user> page, click Done.

Managing role assignment

In addition to inheriting roles, a user can be directly assigned (linked to) a role. In many cases, BHOLD automatically links roles to a user, as when BHOLD creates a personal role for a user when the user is added to BHOLD. You can also manually link a role to a user, and you can remove any role that has been assigned to a user. When you manually link a role to a user, you can specify the time during which the role is in effect for the user.

Important

Unlike revoking an inherited role, removing a role that has been directly assigned to a user is permanent. To restore the role to the user, you must manually link the role to the user.

To assign a role to a user

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user to which you want to assign a role.

  3. On the User/<user> page, expand Roles, and then click Modify.

  4. On the User–roles/<user> page, in the Attribute type list, click the attribute you want to use to search for the role you want to assign, in Search string (Roles), type the value of the search attribute, and then click the Search button.

    Tip

    To list all roles, leave Search string (Roles) empty.

  5. Next to the role you want to assign to the user, click Add.

  6. To limit the time period during which the role is in effect for the user, do one of the following:

    • To specify the number of hours the role is to be in effect for the user, in Duration type, click hours, and then, in Duration length, type the number of hours you want the role to be effective for the user.

    • To specify the number of days the role is to be in effect for the user, in Duration type, click days, and then, in Duration length, type the number of days you want the role to be effective for the user.

    • To place a precise limit on the time period, in Duration type, click free; then, in Start date-time, type the date, time, or date and time at which you want the role to begin to be effective for the user, and, in End date-time, type the date, time (in 24-hour format), or date and time at which you want the role to cease to be effective for the user.

      Important

      You must specify the date in the correct format for your Windows locale settings. However, when the role is created, the date is displayed in the format dd-mm-yyyy.

  7. In Reason for linking, type a brief explanation for why the role is being assigned to the user.

    Note

    Although Reason for linking is not required, if you leave it blank, BHOLD displays a warning after linking the role to the user. This does not affect the way in which the role is linked to the user, however.

  8. Click Add.

To remove a role assigned to a user

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user from which you want to remove a role.

  3. On the User/<user> page, expand Roles, and then click Modify.

  4. On the User–roles/<user> page, expand Roles, and then, next to the role you want to remove, click Remove.

  5. Click Done.
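The following is an added illustrative model, not BHOLD code, of the user semantics described in the sections above: cardinality limits on roles and permissions, the End date and Disabled attributes, reversible revocation of inherited roles versus removal of directly linked roles, and timed links with an hours, days, or free duration. The role names and the role-to-permission map are constructed for the example, and the function and class names are assumptions.

```python
# Added illustrative model (not BHOLD code) of the user semantics this page describes.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: the permissions each role grants.
ROLE_PERMISSIONS = {
    "Finance": {"ERP-Read", "ERP-Post"},
    "Auditor": {"ERP-Read", "Audit-Log"},
    "Payroll": {"HR-Read", "HR-Pay"},
}
class CardinalityError(Exception):
    pass  # a link would exceed the user's maximum number of roles or permissions

@dataclass
class RoleLink:
    role: str
    start: datetime | None = None  # None: effective immediately
    end: datetime | None = None    # None: no expiry
    def active_at(self, now):
        return (self.start is None or self.start <= now) and (self.end is None or now <= self.end)
@dataclass
class User:
    alias: str
    end_date: datetime | None = None
    disabled: bool = False
    max_roles: int = 0                           # 0 = unlimited, as on the Add user page
    max_permissions: int = 0
    direct: list = field(default_factory=list)   # manually or automatically linked roles
    inherited: set = field(default_factory=set)  # e.g. membership roles of the user's orgunits
    revoked: set = field(default_factory=set)    # inherited roles blocked for this user (reversible)
def permissions_of(roles):
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
def effective_roles(user, now):
    # A disabled user, or one past the end date, holds no active roles at all.
    if user.disabled or (user.end_date and now > user.end_date):
        return set()
    return {l.role for l in user.direct if l.active_at(now)} | (user.inherited - user.revoked)
def link_role(user, role, now, hours=None, days=None, start=None, end=None):
    # Duration type hours/days derives the end from now; "free" takes start/end as given.
    if hours is not None or days is not None:
        end = now + timedelta(hours=hours or 0, days=days or 0)
    # Cardinality: refuse the link if it would push the user over either limit.
    roles = effective_roles(user, now) | {role}
    if user.max_roles and len(roles) > user.max_roles:
        raise CardinalityError(f"{user.alias}: maximum number of roles ({user.max_roles}) exceeded")
    if user.max_permissions and len(permissions_of(roles)) > user.max_permissions:
        raise CardinalityError(f"{user.alias}: maximum number of permissions exceeded")
    user.direct.append(RoleLink(role, start, end))
```

Removing an entry from `direct` models the permanent Remove action, while adding the role to `revoked` models Revoke, which Activate reverses by removing it again.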

Managing user accounts

A user account (also known as an alias) is the link between a BHOLD user and an application. In other words, the user account identifies the BHOLD user to the application. In the case of the Active Directory Domain Services (AD DS) application, for example, a BHOLD user’s AD DS alias is typically the user’s pre-Windows 2000 logon name, in the form <domain>\<user_name>.

You can add and modify BHOLD user accounts. A user account is deleted only when the corresponding user is removed from BHOLD.

To add a user account

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user you want to create an account for.

  3. On the User/<user> page, expand Aliases, and then click Add.

  4. On the User–add aliases/<user> page, in the Application list, click the application that the alias applies to, in Alias, type the user’s identifier for the application, and then click OK.

To modify a user account

  1. In the BHOLD Core portal, in the left pane, click Accounts.

  2. On the Accounts page, click the account (alias) you want to modify.

  3. On the Account/<alias> page, click Modify.

  4. On the Edit account attributes/<alias> page, in Account, type a new alias, and then click OK.

Removing a user

As with creating a user, in most BHOLD production deployments, removing a user is usually performed as part of the process of synchronizing user identities with Forefront Identity Manager (FIM). That is, when the user is removed from an authoritative identity source, a well-designed FIM deployment deprovisions the corresponding user with all other external systems that it synchronizes, including BHOLD. When FIM synchronization cannot be relied on to remove a user (in a demonstration lab, for example), you can manually remove a user from BHOLD.

A user can belong to more than one organizational unit (orgunit). If a user belongs to more than one orgunit, you must remove the user from all but one orgunit before you can remove the user from BHOLD.

To remove a user

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user that you want to remove.

  3. On the User/<user> page, expand Organizational units, and, if more than one orgunit is listed, do the following:

    1. Click Modify.

    2. On the User–organizational units/<user> page, next to each orgunit, click Remove until only one orgunit remains, and then click Done.

  4. On the User/<user> page, click Remove, and then, on the Remove user/<user> page, click OK.
