
Configuration Data for System User Dynamic Authentication

The Configuration Guide gives the following sample of configuration data for dynamic authentication modules:

<DialogUserDetect>
   <Usermappings>
      <Usermapping
         DialogUser = "dlg_kst"
         Selection = "select 1 where %uid% in (select uid_personhead from profitcenter)"/>
      <Usermapping
         DialogUser = "dlg_all"/>
   </Usermappings>
</DialogUserDetect>

Is there a comprehensive list of variables (like %uid% in the sample above) which may be used within this kind of XML config?

I would be mainly interested in performing a check against the Windows logon-id that is requesting authentication.

Thanks!


  • Hi Thilo,

    It may be easier for the community if you would share your use-case for having the Windows logon-id used for a person based authentifier. There might be other authentifiers available that are better suited for your use-case.

    And by the way, you are using which version?
  • Hi Markus, I'm using version 8.0

    Use case looks something like this: there are standard Windows accounts, e.g. DOMAIN\johndoe, and admin Windows accounts identified by an "-a" suffix, e.g. DOMAIN\johndoe-a

    Standard Windows accounts should have restricted (read-only) access in One Identity, whereas Windows admin accounts should have administrative access in One Identity.

    Any suggestions?
  • Next question. Both accounts are assigned to the same person/identity or are you using sub-identities?
  • Sub-identities are being used, however the ADS accounts are not linked to the person via UID_Person but there is a CCC_LoginNames column on Person table storing information like DOMAIN\user-id (might be a list of values)
  • So, why aren't you using one of the User Account authentication modules (Role Based or static permission group)?

    Both authentication modules require that the permitted logins are entered in the employee's master data, property Person.AuthentifierLogins. The logins are expected in the form: domain\user.

    https://support.oneidentity.com/technical-documents/identity-manager/8.0/identity-management-base-module-administration-guide/48#TOPIC-861304

  • Thanks Markus, that might work. But is there a way to configure a default dialog user with these authentication modules? Or do I have to set Person.UID_DialogUser (pointing to the read-only dialog user) for each and every Person object that does not have an "-a" account specified in AuthentifierLogins?
  • It depends. If you are using Role Based authentication, you do not have to set the Dialog User for each person.
  • Markus, please allow me a follow-up question because I still have not solved my root issue. There are three standard DYNAMIC authentication modules: Employee, Active Directory user account, and LDAP user account. However, there is only one example for dynamic authenticator configuration in the manual, specifying "select 1 where %uid% in (select uid_personhead from profitcenter)". Obviously %uid% refers to UID_Person, presumably to be used for authentication module "Employee (dynamic)". Question: when specifying %uid% for a dynamic user account authentication module (AD or LDAP), does %uid% also refer to UID_Person, or does it refer to UID_ADSAccount or UID_LDAPAccount, respectively?
  • %uid% is always the UID_Person that has been identified by the authenticator to be the identity to base the authorizations on.
  • After giving it some more thought, I finally understood that what I would really need is an authentication module "User account (dynamic)" which unfortunately does not exist. This would be a combination of modules "User account" and "Active Directory user account (dynamic)". I want to dynamically select the system user to be used, however based on a set of different Windows logins defined in Person.AuthentifierLogins (rather than just a single login defined via ADSAccount.UID_Person).
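As an added illustration of how the DialogUserDetect sample from the original post can be read, together with the answer above that %uid% is the UID_Person identified by the authenticator: the Python below is example code written for this thread, not One Identity's implementation. It parses the sample Usermappings, substitutes %uid% with a UID_Person, and runs each Selection against a constructed in-memory profitcenter table. Two things are assumptions, not documented behaviour: that mappings are tried top to bottom, and that a Usermapping without a Selection matches unconditionally (so "dlg_all" acts as the fallback). Binding the UID as a SQL parameter instead of splicing it into the statement text is also the example's own choice.

```python
import sqlite3
import xml.etree.ElementTree as ET

# The DialogUserDetect sample quoted in the original post, verbatim.
CONFIG_XML = """
<DialogUserDetect>
   <Usermappings>
      <Usermapping
         DialogUser = "dlg_kst"
         Selection = "select 1 where %uid% in (select uid_personhead from profitcenter)"/>
      <Usermapping
         DialogUser = "dlg_all"/>
   </Usermappings>
</DialogUserDetect>
"""


def load_usermappings(xml_text):
    """Return [(DialogUser, Selection-or-None), ...] in document order."""
    root = ET.fromstring(xml_text)
    return [(m.get("DialogUser"), m.get("Selection")) for m in root.iter("Usermapping")]


def build_sample_db():
    """Constructed stand-in for the profitcenter table; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table profitcenter (uid_profitcenter text, uid_personhead text)")
    conn.executemany(
        "insert into profitcenter values (?, ?)",
        [("PC-SALES", "PERSON-HEAD-1"), ("PC-IT", "PERSON-HEAD-2")],
    )
    return conn


def resolve_dialog_user(conn, mappings, uid_person):
    """Pick the system user (DialogUser) for one UID_Person.

    Assumption (not stated in the guide): mappings are evaluated top to bottom,
    and a mapping without a Selection matches unconditionally, so the last
    entry is the fallback. %uid% is bound as a named SQL parameter here rather
    than pasted into the statement text.
    """
    for dialog_user, selection in mappings:
        if selection is None:
            return dialog_user
        sql = selection.replace("%uid%", ":uid")
        if conn.execute(sql, {"uid": uid_person}).fetchone() is not None:
            return dialog_user
    return None  # nothing matched and no unconditional fallback is configured


if __name__ == "__main__":
    db = build_sample_db()
    mappings = load_usermappings(CONFIG_XML)
    for uid in ("PERSON-HEAD-1", "PERSON-OTHER"):
        print(uid, "->", resolve_dialog_user(db, mappings, uid))
```

With the constructed table, a person who heads a profit center resolves to dlg_kst and anyone else falls through to dlg_all; removing the unconditional last mapping makes an unmatched person resolve to nothing, which is the case an operator would want to notice rather than silently default.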