
Managing Application Accounts

Updated on 2024-12-30 GMT+08:00

You can manage the mappings between OneAccess users and application accounts. That is, you can map a OneAccess user to accounts of different applications.

If synchronization parameters have been configured and the synchronization is normal, adding, deleting, editing, enabling, and disabling application accounts through authorization policies will trigger the synchronization to downstream applications. For details, see Synchronizing Data to Applications Through Event Callback.

Application accounts include new accounts and existing accounts.

  • New accounts

    New accounts are assigned accounts. You can grant enterprise users the permission to access applications by manually adding accounts or through authorization policies.

  • Existing accounts

    Existing accounts are bound accounts. If OneAccess users are bound to existing accounts, you can import these existing accounts to application accounts. Alternatively, you can import existing accounts to orphan accounts and then bind OneAccess users to these existing accounts. For details, see Application Accounts.

Adding Accounts

You can manually grant application permissions to users by adding accounts. If automatic authorization is required, see Configuring Authorization Policies for Application Accounts.

If automatic authorization is enabled for application organizations, you can select only automatically authorized organizations when adding an account. For details, see Configuring Authorization Policies for Application Organizations.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. On the displayed page, click an application name to access the application details page.
  4. Click the application icon to access the general information page.
  5. In the navigation pane on the left, choose Authorization > Application Accounts to access the application accounts page.
  6. Click Add Accounts. On the displayed page, select the users to whom you want to grant application permissions, and click Save.

Consolidating User Organizations

If automatic authorization is enabled and no organization mapping is set for the application account model, you can click Consolidate Organizations to show the application organization to which the application account belongs in the account list. For details about automatic authorization, see Configuring Authorization Policies for Application Organizations. For details about application account model configuration, see Application Accounts.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. On the displayed page, click an application name to access the application details page.
  4. Click the application icon to access the general information page.
  5. In the navigation pane on the left, choose Authorization > Application Accounts.
  6. Click Consolidate Organizations.

    Figure 1 Consolidating user organizations

Clearing Accounts

If you clear accounts, the authorization data of the application will be initialized. This means that the application access permissions granted to authorized users will be cancelled.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. On the displayed page, click an application name to access the application details page.
  4. Click the application icon to access the general information page.
  5. In the navigation pane on the left, choose Authorization > Application Accounts to access the application accounts page.
  6. Click Clear Accounts.

    NOTE:

    In the displayed dialog box, if you select Delete all orphan accounts and shared accounts, the orphan accounts and shared accounts will be cleared. After the shared accounts are cleared, they will not be displayed in the shared account list.

  7. Click OK.

Configuring Authorization Policies for Application Accounts

Users' permissions to access applications can be automatically granted and deleted through authorization policies. This allows you to manage user permissions in a unified manner.

After automatic user authorization is enabled, any actions performed on an authorized organization, such as adding and deleting users, adjusting user organizations, as well as adding and deleting users within an authorized user group, can be automatically synchronized to the applications.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. On the displayed page, click an application name to access the application details page.
  4. Click the application icon to access the general information page.
  5. In the navigation pane on the left, choose Authorization > Application Accounts to access the application accounts page.
  6. Click Authorization Policy.

  7. On the Authorization Policy page, click to enable automatic user authorization, select users, and click Save to save the current policy.

    NOTE:
    • When automatic authorization is enabled for an application organization and users in all organizations or custom users are selected, the organization scope is limited to automatically authorized organizations. In this case, users in these organizations can be granted the permission to access the application. However, the user group scope is not restricted by automatic organization authorization. For details, see Configuring Authorization Policies for Application Organizations.
    • After a disabled user is enabled again, automatic authorization will not be triggered. You need to manually authorize the user.
    • If you select all users in the organizations, all organizations are displayed, indicating that all users are granted the permission to access the application.
    • When Users is set to Custom:
      • If the condition is set to AND, you can select either or both of the organization and user group. In this case, users in the selected organizations, user groups, or both will be granted the permission to access applications.
      • If the condition is set to OR, you need to select both the organizations and user groups to grant all users in the selected organizations and user groups the permission to access applications.

  8. Click Add to complete user authorization. Click to make the selected user displayed in the application account list.
  9. If you want to cancel organization-based and user group-based authorization in batches, deselect the organizations and user groups to be deleted on the authorization policy page and click Save. The current policy is saved but user authorization will not be canceled immediately. Click Delete to cancel the authorization. After the deletion, click . The user whose authorization has been canceled is not displayed in the application account list.
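
An access-review check for the behaviour described in the notes and in step 9 above, as an added example (not Huawei's code and not a OneAccess API): it compares the policy scope with the application account list to find accounts that remain after a scope was narrowed without clicking Delete, and in-scope users with no account, such as users who were disabled and enabled again. The record fields and sample data are constructed, and reading AND as "match every selected dimension" and OR as "match at least one" is an assumption about the note's wording.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:                      # hypothetical record, not a OneAccess export schema
    name: str
    org: str
    groups: frozenset = frozenset()
    enabled: bool = True

@dataclass(frozen=True)
class Policy:                    # hypothetical model of the "Custom" user selection
    orgs: frozenset = frozenset()
    groups: frozenset = frozenset()
    condition: str = "OR"        # "AND" or "OR"

def in_scope(user, policy):
    # Assumed reading of the note: only dimensions with a selection are tested;
    # AND requires all of them to match, OR requires at least one.
    checks = []
    if policy.orgs:
        checks.append(user.org in policy.orgs)
    if policy.groups:
        checks.append(bool(user.groups & policy.groups))
    if not checks:
        return False
    return all(checks) if policy.condition == "AND" else any(checks)

def reconcile(users, policy, accounts):
    """Return (stale, missing) account names for one application."""
    scoped = {u.name for u in users if in_scope(u, policy)}
    enabled_scoped = {u.name for u in users if u.enabled and in_scope(u, policy)}
    stale = sorted(set(accounts) - scoped)            # outside scope: manual grant or pending Delete
    missing = sorted(enabled_scoped - set(accounts))  # in scope, no account: e.g. re-enabled user
    return stale, missing

# Constructed sample data
USERS = [
    User("alice", "Finance", frozenset({"erp-users"})),
    User("bob", "Finance"),
    User("carol", "Sales", frozenset({"erp-users"})),
    User("dave", "Finance", frozenset({"erp-users"})),   # re-enabled, never re-authorized
    User("erin", "Sales"),
]
ACCOUNTS = {"alice", "bob", "carol", "erin"}              # current application account list

if __name__ == "__main__":
    for cond in ("AND", "OR"):
        policy = Policy(frozenset({"Finance"}), frozenset({"erp-users"}), cond)
        print(cond, reconcile(USERS, policy, ACCOUNTS))
```

Accounts reported as stale also include ones added manually under Adding Accounts, so each needs review rather than automatic deletion.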

Modifying an Account

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. On the displayed page, click an application name to access the application details page.
  4. Click the application icon to access the general information page.
  5. In the navigation pane on the left, choose Authorization > Application Accounts to access the application accounts page.
  6. Click Modify in the Operation column of the application account to modify user authorization information. The account attributes displayed on this page can be configured based on the attribute definition of the application account. For details, see Application Accounts.
  7. Click Save.

Application Roles and Permissions

The prerequisite for granting application roles/permissions is to configure application permissions. For details, see Application Permission Management.

On the application account page, choose More > Application Roles/Permissions in the Operation column.

  • If you choose to authorize application permissions by role, you can grant permissions only by application role. Select the account to which the role is to be granted and click OK. For details, see Managing Permissions by Roles.
    Figure 2 Granting permissions by role
  • If you choose to manage application authorization based on roles, permissions, and resources, you can authorize permissions by application role or by application permission. Only one authorization mode can be selected for each account.
    • Click Authorize by permission and click Add Permission. On the displayed page, select a permission type, select all resources or specify desired resources, and click OK. Resource items and their subitems have separate permissions that need to be granted individually.
      Figure 3 Granting permissions by role

      After you grant permissions by application permission, you can choose Application Permissions > Permissions to view the permissions in the authorized account.

    • For details about authorizing permissions by role, see Granting Permissions by Role.

Transferring to an Orphan Account

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. On the displayed page, click an application name to access the application details page.
  4. Click the application icon to access the general information page.
  5. In the navigation pane on the left, choose Authorization > Application Accounts to access the application accounts page.
  6. In the Operation column of the target application account, choose More > Transfer to orphan account.
  7. Click OK. The transferred account is displayed on the Authorization > Orphan Accounts page.

Deleting an Account

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. On the displayed page, click an application name to access the application details page.
  4. Click the application icon to access the general information page.
  5. In the navigation pane on the left, choose Authorization > Application Accounts to access the application accounts page.
  6. In the Operation column of the target application account, choose More > Delete.
  7. In the displayed dialog box, click OK. After an authorized account is deleted, the account no longer has the permissions to access the application. For details about batch deletion, see Configuring Authorization Policies for Application Accounts.

Enabling or Disabling an Account

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. On the displayed page, click an application name to access the application details page.
  4. Click the application icon to access the general information page.
  5. In the navigation pane on the left, choose Authorization > Application Accounts to access the application accounts page.
  6. On the application account page, click in the Status column to disable an account. After the account is disabled, the application is not displayed on the user portal of the user.
  7. Click in the Status column to enable the account. After the account is enabled, the application is displayed on the user portal, allowing users to access it. For details about how to access an application, see Logging In to the User Portal and Accessing Applications.
