Creating a new department or division

Every organization in OpenIAM has its own organizational hierarchy, for example Organization > Division > Department, University > Campus > Faculty, or any other structure the business needs. The default organizational hierarchy in OpenIAM is a three-tier structure. However, you can build your own hierarchy from the pre-created organization types, with more than three tiers, and manage and customize it from the Organization tab in the Administration menu.

Before the organizational hierarchy can be managed, it has to be created. Use the steps below.

Creating a new organization

  1. Create the new organization first. Log in to the webconsole and go to Access Management > Organization.
  2. Click Create New Organization. The window below opens.

Organization window

  3. Fill in the form with the required information and click Save.
  4. Next, create the new department. Again go to Access Management > Organization and create a new organization by filling in the form with the required information and clicking Save, as in steps 2 and 3.
  5. Define the mapping used for validation. Go to Access Control > Resource.
  6. Filter by Type - Mapping for GPDD and edit the Mapping for GP Users.

Mapping for GP users

  7. Define the mapping using the Department.Division combination and click Save.

Defining mapping

  8. Add the birthright access for the division or department by going to Access Control > Role. Create a new role for the newly created department or division, with Role type set to Provision Role.

New role

The role name should follow the Department_Division convention. Enter the required fields as shown below and click Save.

Role information

  9. Click Role Entitlements, right-click Groups, and add the birthright access/groups by defining the groups for DA-AD and legacy AD.

Birthright1 Birthright2

Adding a new vendor

  1. Navigate to Administration > Custom Fields. Search for Vendor-DA and click on Edit.

Vendor DA

Click the + icon and add the new vendor in the Name and English fields. Click Save.

New vendor

Click Save again.

  2. Define the birthright access for the new vendor. Navigate to Access Control > Organization, click Create New Organization, and fill in the required fields, setting Organization type to Vendor_Company.

Vendor organization

  3. Next, navigate to Access Control > Role. Create a new role named in the Vendor_Vendorcompanyname format and enter the required fields as shown below.

New role

Click Save.

  4. Click Role Entitlements, right-click Groups, and add the birthright access/groups by defining the groups for DA-AD and legacy AD.

Adding a new non-managed application

  1. Navigate to Provisioning > Managed System. Click Create Managed System, set the Connector to “Remote_Connector_500”, and enter a name for the managed system.

Connector

  2. Select Business Apps as the Category and click Save.
  3. Define entitlements for the newly created managed system by navigating to Access Control > Groups and clicking Create New Group. Select General Group as the Group Type. Define the password policy and the group name. Select the managed system from the dropdown and click Save.

New group

  4. Next, click Approver Association and define the approver association by adding an approver step.

Approver association

Note: Whoever creates the entitlement is automatically assigned as its default approver. Remove this default approver association before assigning a new approver, so that the creator of the entitlement does not remain an approver for it.

Adding or changing an approver for a non-managed system

  1. Go to Access Control > Group. Filter by Managed System.
  2. Edit the group and click Approver Association. Click New Approver Step to add a new approver, or edit an existing approver.

New approver

For more details on Approver workflow, refer to this document.

Troubleshooting an issue

Troubleshooting is usually done in the Log Viewer, which can be accessed at Administration > Log Viewer.

Click Search to list all the logs and check for error entries. Click the Action icon next to a log entry to see the details of the error.

Log viewer

Troubleshooting an issue related to a user

First, find the user by navigating to User admin > User search. Search for the user by AD_ID, click Edit, and then click User History.

User history

Check the logs to analyze any issue.

Troubleshooting services

First, log in to the OpenIAM server over SSH. Check the status of the services with the following command.

sudo openiam-cli status

Troubleshooting services

Check the status of an individual service, or start or stop it.

Individual service status

You can also check the individual service logs in /usr/local/openiam/logs/ (cd /usr/local/openiam/logs/).

Service logs
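As an added example (not from the OpenIAM documentation or product), the following POSIX shell script automates the two checks above: it runs openiam-cli status when that CLI is on PATH, then ranks the per-service log files under the log directory by the number of error lines and shows the last errors of the noisiest service. It assumes, beyond what the page states, that the log files are named *.log and that error lines contain the token ERROR or a Java exception class name; the sample log files it writes with make_sample_logs are constructed for offline use and are not real OpenIAM output.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM documentation or product.
# Triage the per-service logs under /usr/local/openiam/logs after checking
# service status with openiam-cli, as described on this page.
# Assumptions (not from the page): log files are named *.log, and error lines
# contain the token "ERROR" or a Java exception class name ("...Exception").

ERROR_PATTERN='ERROR|Exception'

# Service status, as shown on this page. Skipped when openiam-cli is not on PATH
# (for example when running this script on a workstation against copied logs).
openiam_status() {
    if command -v openiam-cli >/dev/null 2>&1; then
        sudo openiam-cli status
    else
        echo "openiam-cli not found; skipping service status" >&2
        return 2
    fi
}

# Print "<error-count> <file>" for each *.log file in DIR that contains error
# lines, most errors first. Returns 1 when no file contains an error line.
openiam_log_errors() {
    dir="$1"
    out=""
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        # grep -c exits 1 when the count is 0; keep the "0" it prints anyway
        n=$(grep -c -E "$ERROR_PATTERN" "$f" || true)
        [ "$n" -gt 0 ] || continue
        out="${out}${n} ${f}
"
    done
    [ -n "$out" ] || return 1
    printf '%s' "$out" | sort -rn
}

# Print the last N error lines (default 5) of one service log.
openiam_last_errors() {
    grep -E "$ERROR_PATTERN" "$1" | tail -n "${2:-5}"
}

# Constructed sample logs (not real OpenIAM output) so the triage can be tried
# offline: writes three service logs into DIR.
make_sample_logs() {
    d="$1"
    mkdir -p "$d"
    printf '%s\n' \
        '2024-05-01 10:00:00 INFO  Starting webconsole' \
        '2024-05-01 10:00:05 ERROR Cannot connect to Redis' \
        '2024-05-01 10:00:06 ERROR Cannot connect to Redis' > "$d/webconsole.log"
    printf '%s\n' \
        '2024-05-01 10:00:00 INFO  Starting idm' \
        '2024-05-01 10:01:00 WARN  Slow query' \
        '2024-05-01 10:02:00 java.lang.NullPointerException: provisioning' > "$d/idm.log"
    printf '%s\n' '2024-05-01 10:00:00 INFO  Starting auth' > "$d/auth.log"
}

# Run the whole triage against a log directory, then show the last errors of
# the service log with the most error lines.
triage() {
    dir="$1"
    openiam_status || true
    if ranked=$(openiam_log_errors "$dir"); then
        echo "error lines per service log:"
        echo "$ranked"
        worst=$(echo "$ranked" | head -n 1 | cut -d' ' -f2-)
        echo "last errors in $worst:"
        openiam_last_errors "$worst"
    else
        echo "no error lines found under $dir"
    fi
}

# Usage: sh openiam-triage.sh /usr/local/openiam/logs
# Without a directory argument nothing runs, so the functions can also be
# sourced into another script.
if [ -d "${1:-}" ]; then
    triage "$1"
fi
```

Run it on the server as sh openiam-triage.sh /usr/local/openiam/logs; to try it offline, source the file and call make_sample_logs on a scratch directory, then triage on that directory.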

For more information on troubleshooting refer to this document.