Managing organizational units

Applies To: Forefront Identity Manager

BHOLD Core provides organizational units (orgunits) for two purposes: to represent the structure of your organization, and to group individual users together to make it easier to associate those users with roles.

Most larger organizations maintain their employee rolls in a system such as a human relations database. The data in such a database can be synchronized through Forefront Identity Manager into BHOLD Core by using the Access Management Connector to create structural orgunits that show the organizational hierarchy and to populate those orgunits with a user object for each employee. Roles can then be linked to those orgunits to provide users with permissions that are appropriate to their function within the organization. For information about using the Access Management Connector, see Test Lab Guide: BHOLD Access Management Connector.

In addition to modeling the hierarchical structure of an organization, orgunits can also be used to arrange and group users for other purposes, such as to manage the access to IT resources by a project team that includes members from various parts of the larger organization. Another use of orgunits is to manage access by system users who are not part of your organization (such as contract employees or external auditors) who require the ability to access some of your IT resources.

All activities in this topic require the BHOLD Core portal. For information about using the BHOLD Core portal to administer BHOLD Core, see Using the BHOLD Core portal in this guide.

The following are basic tasks for managing orgunits:

  • Categorizing organizational units

  • Creating an organizational unit

  • Moving an organizational unit

  • Changing the attributes of an organizational unit

  • Managing users in an organizational unit

  • Assigning a role to an organizational unit

  • Managing supervisor roles for an organizational unit

  • Removing an organizational unit

Categorizing organizational units

To help you locate and manage organizational units (orgunits), you can create categories (types) for orgunits. You apply those types when you create an orgunit, or you can change the type of an orgunit at any time. You can also change the name of an orgunit type.

To create an organizational unit type

  1. In the BHOLD Core portal, in the left pane, click Organizational unit types.

  2. On the Organizational unit types page, click Add.

  3. On the Add organizational unit type page, in Organizational unit type, type the name of the category, and then click OK.

To rename an organizational unit type

  1. In the BHOLD Core portal, in the left pane, click Organizational unit types.

  2. On the Organizational unit types page, click the orgunit type you want to rename.

  3. On the Organizational unit type/<type> page, click Modify.

  4. On the Modify organizational unit type/<type> page, in Organizational unit type, type the new name for the orgunit type, and then click OK.

Creating an organizational unit

Except for the root organizational unit (orgunit) that was created when you installed BHOLD Core, every orgunit in BHOLD Core must be created as a member of another orgunit. This requirement results in a hierarchical arrangement of orgunits that can mirror the hierarchical arrangement of your company, projects, or other organizational structures. This hierarchical arrangement simplifies the management of orgunits by allowing inheritance of roles down the organizational structure, reducing the number of roles that must be directly assigned to an orgunit.

To create an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit in which you want to create a new orgunit.

    Tip

    If the desired parent orgunit is not listed, in the Attribute type list, click Description, in Search string, type the parent orgunit name, and then click the Search button.

  3. On the Organizational unit/<orgunit> page, next to Organizational unit structure, click Add.

  4. On the Add organizational unit page, in Description, type the name of the new orgunit, and then in the Organizational unit type list, click the type of the new orgunit.

  5. If you do not want the new orgunit to inherit roles from its parent, clear the Roles from parent check box. Otherwise, leave the check box selected.

  6. Click OK.

Moving an organizational unit

You can move an organizational unit (orgunit) from one parent orgunit to another parent orgunit.

Important

Moving an orgunit is performed as an asynchronous background process. For this reason, you might see a warning message when you successfully move an orgunit, and it may take up to a minute for the change to be reflected in the BHOLD Core portal.

To move an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit that you want to move.

    Tip

    If the desired orgunit is not listed, in the Attribute type list, click Description, in Search string, type the orgunit name, and then click the Search button.

  3. On the Organizational unit/<orgunit> page, next to Organizational unit structure, click Move.

  4. On the Move organizational unit/<orgunit> page, in Organizational unit, click the orgunit that will be the new parent of the orgunit that you are moving, and then click OK.

    Note

    A Session ID Missing warning might appear. This is normal and does not indicate that there was a problem with the move operation.

Changing the attributes of an organizational unit

You can change the description (name) or type of an organizational unit (orgunit), and you can change whether the orgunit inherits roles from its parent.

To change the attributes of an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit that you want to modify.

    Tip

    If the desired orgunit is not listed, in the Attribute type list, click Description, in Search string, type the orgunit name, and then click the Search button.

  3. On the Organizational unit/<orgunit> page, click Modify.

  4. On the Modify organizational unit attributes/<orgunit> page, do one or more of the following, and then click OK:

    • In Description, type a new name for the orgunit.

    • In Organizational unit type, click a new orgunit type.

    • Select the Roles from parent check box to allow the orgunit to inherit roles from its parent orgunit, or clear the check box to prevent the orgunit from inheriting roles.

Managing users in an organizational unit

Most often, the users in an orgunit are added and removed automatically when FIM synchronizes the BHOLD Core database with an external, authoritative identity data source, such as Active Directory Domain Services or a human relations database. If your BHOLD deployment is not configured to synchronize with another identity data source, you can use the BHOLD Core portal to add a user to an orgunit and to move a user to another orgunit.

The following are the typical tasks for managing users in an organizational unit:

  • Add a user to an organizational unit

  • Move a user to a different organizational unit

  • Remove a user from an organizational unit

Add a user to an organizational unit

When orgunit membership is managed manually, there are two ways to add a user to an orgunit:

  • You can create a new user in the orgunit.

  • You can add an existing user to the orgunit.

Every user in the BHOLD Core database must belong to at least one orgunit. For this reason, all new users must be created in an orgunit.

To create a new user in an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit in which you want to add a user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Add.

  4. On the Add user page, enter the following information, and then click OK.

    • Description (required): The user’s name, or another identifying label.

    • Default alias (required): The unique identifier for the user. Often, this is the user’s domain and user name in Active Directory. If you enter an alias that has already been used, the BHOLD Core portal displays an error message.

    • End date (optional): The date after which the user loses all permissions and all roles are disabled. Use this entry to ensure that temporary users do not retain permissions past their planned termination date.

    • Disabled (optional): When selected, the user is deactivated and so does not receive permissions, aliases, or active roles. Use this setting when you want to prevent a user from receiving permissions until you explicitly enable the user.

    • Maximum number of permissions (optional): The highest number of permissions that can be assigned to the user. Leave blank or set to 0 for unlimited permissions.

    • Maximum number of roles (optional): The highest number of roles that can be assigned to the user. Leave blank or set to 0 for unlimited roles.

    • Email (optional): The user’s email address.

  5. To add more users to the orgunit, in the left pane under History, click the orgunit, and then repeat steps 3 and 4.

You can add an existing user to another orgunit.

To add an existing user to an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit in which you want to add a user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  4. On the Organizational unit – Users/<orgunit> page, in the Attribute type list, click the attribute you want to use to locate the user you want to add to the orgunit, in Search string (Users), type the user’s description (name) or default alias, and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  5. Under UnLinked Users, next to the user you want to add to the orgunit, click Add.

  6. When you have finished adding users to the orgunit, click Done.

Move a user to a different organizational unit

Every user must be a member of at least one orgunit. If a user belongs to only one orgunit, removing the user from that orgunit deletes the user from the BHOLD Core database. For this reason, moving a user from one orgunit to another orgunit is a two-step process: You add the user to the new orgunit, and then you remove the user from the old orgunit.

To move a user to a different organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit to which you want to move a user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  4. On the Organizational unit – Users/<orgunit> page, in the Attribute type list, click the attribute you want to use to locate the user you want to add to the orgunit, in Search string (Users), type the user’s description (name) or default alias, and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  5. Under UnLinked Users, next to the user you want to move to the orgunit, click Add, and then click Done.

  6. In the left pane, click Organizational units.

  7. In the Organizational units list, click the orgunit from which you want to move the user.

  8. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  9. Under Linked Users, click Remove next to the user being moved, and then click Done.

Remove a user from an organizational unit

You can remove a user from an organizational unit (orgunit) if the user belongs to another orgunit. Because every user must belong to at least one orgunit, you cannot remove a user from the only orgunit of which it is a member.

To remove a user from an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit from which you want to remove the user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  4. Under Linked Users, click Remove next to the user you want to remove, and then click Done.

Assigning a role to an organizational unit

When an organizational unit (orgunit) is created, BHOLD Core automatically creates a role that it links to the orgunit. The name of the role is the name of the orgunit with the prefix MR- added to indicate that the role is a default membership role. In addition to the default membership role, you can link additional roles to an orgunit. For information about creating and managing roles, see Managing roles in this guide.

To assign a role to an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit that you want to link to a role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, in Search string (Roles), type the role’s description (name), and then click the Search button.

    Tip

    To display all roles, leave Search string (Roles) empty when you click the Search button.

  5. In the UnLinked Roles list, next to the role you want to assign to the orgunit, click Add.

  6. Under Link role, in the Relation type list, click Effective to assign the role immediately to the orgunit, or click Proposed to require approval of the role assignment to the orgunit.

  7. To allow the role to be inherited by member orgunits, select the Children inherit this role check box.

  8. To limit the amount of time that the role is linked to an orgunit, do the following:

    1. In the Relation type list, click Proposed.

    2. In the Duration type list, click Hours or Days to specify the units you will use to specify the duration.

    3. Select the Duration fixed check box.

    4. In Duration length, type the number of hours or days you want the role to be effective for the orgunit.

  9. Click Add, and then click Done.
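The following Python model is an added example for this page; it is not BHOLD Core code and uses no BHOLD API. It shows how the settings from the procedures above combine: an orgunit's "Roles from parent" check box, a role link's "Children inherit this role" check box and its Effective/Proposed relation type, and, for a user, the Disabled and End date fields from the Add user table. The OrgUnit, RoleLink and User classes, the function names, and the Contoso hierarchy are all assumptions constructed for the example.

```python
"""Simplified model of role inheritance down a BHOLD Core orgunit tree.
Added example only: class names, function names and the sample hierarchy
are assumptions, not BHOLD Core code or API."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class RoleLink:
    """One role linked to an orgunit (the 'Link role' settings in the portal)."""
    role: str
    relation: str = "Effective"      # "Effective" grants now; "Proposed" awaits approval
    children_inherit: bool = False   # the "Children inherit this role" check box


@dataclass
class OrgUnit:
    name: str
    parent: Optional["OrgUnit"] = None
    roles_from_parent: bool = True   # the "Roles from parent" check box
    links: List[RoleLink] = field(default_factory=list)

    def __post_init__(self) -> None:
        # BHOLD links a default membership role "MR-<orgunit>" to every new orgunit.
        self.links.insert(0, RoleLink("MR-" + self.name))


@dataclass
class User:
    alias: str
    orgunits: List[OrgUnit]
    disabled: bool = False
    end_date: Optional[date] = None


def inheritable_roles(ou: OrgUnit) -> Set[str]:
    """Roles an orgunit passes down: its own Effective links marked 'Children
    inherit this role', plus what it inherits itself if it accepts roles from
    its parent."""
    roles = {l.role for l in ou.links if l.relation == "Effective" and l.children_inherit}
    if ou.parent is not None and ou.roles_from_parent:
        roles |= inheritable_roles(ou.parent)
    return roles


def effective_roles(ou: OrgUnit) -> Set[str]:
    """Roles in force on an orgunit: directly linked Effective roles plus those
    inherited from above. Proposed links grant nothing until approved."""
    roles = {l.role for l in ou.links if l.relation == "Effective"}
    if ou.parent is not None and ou.roles_from_parent:
        roles |= inheritable_roles(ou.parent)
    return roles


def user_roles(user: User, today: date) -> Set[str]:
    """Roles a user holds: none if disabled or past the end date, otherwise the
    union of the effective roles of every orgunit the user belongs to."""
    if user.disabled or (user.end_date is not None and today > user.end_date):
        return set()
    roles: Set[str] = set()
    for ou in user.orgunits:
        roles |= effective_roles(ou)
    return roles


def build_sample() -> Dict[str, OrgUnit]:
    """Constructed sample hierarchy; orgunit and role names are made up."""
    root = OrgUnit("Contoso")
    root.links.append(RoleLink("Intranet-Access", children_inherit=True))
    finance = OrgUnit("Finance", parent=root)
    finance.links.append(RoleLink("Ledger-Read", children_inherit=True))
    finance.links.append(RoleLink("Ledger-Approve"))                       # not inheritable
    finance.links.append(RoleLink("Treasury-Admin", relation="Proposed"))  # awaiting approval
    audit = OrgUnit("Finance-Audit", parent=finance)
    contractors = OrgUnit("Contractors", parent=root, roles_from_parent=False)
    return {"root": root, "finance": finance, "audit": audit, "contractors": contractors}


def sample_user_roles(day: str) -> Set[str]:
    """Roles held on the given ISO date by a constructed auditor who belongs to
    Finance-Audit and whose End date is 2024-06-30."""
    ous = build_sample()
    auditor = User("CONTOSO\\auditor1", [ous["audit"]], end_date=date(2024, 6, 30))
    return user_roles(auditor, date.fromisoformat(day))


if __name__ == "__main__":
    for ou in build_sample().values():
        print(f"{ou.name:15} {sorted(effective_roles(ou))}")
    print(sorted(sample_user_roles("2024-06-01")))  # roles in force
    print(sorted(sample_user_roles("2024-07-01")))  # past End date: nothing
```

Running it shows that Finance-Audit receives Ledger-Read and Intranet-Access but not Ledger-Approve (not marked inheritable) and not MR-Finance (default membership roles are not inheritable unless you set them so), that Contractors receives nothing from Contoso because Roles from parent is cleared, and that the Proposed Treasury-Admin link grants nothing until it is approved. The same walk is a useful review check: for any orgunit near the top of the tree, list its inheritable links and ask whether every descendant really should hold them.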

Managing supervisor roles for an organizational unit

Users who are assigned to a supervisor role for an organizational unit (orgunit) are able to add and remove members (users and other orgunits) to the orgunit, to link roles to the orgunit, and to modify the attributes of the orgunit. Every orgunit must have at least one supervisor role. When an orgunit is created, it automatically inherits the supervisor roles of its parent orgunit. You can assign additional supervisor roles to an orgunit to give other users the ability to manage the orgunit. You can also revoke an assigned or inherited supervisor role.

For more information about creating and managing roles, see Managing roles in this guide.

To assign a supervisor role to an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit to which you want to assign a supervisor role.

  3. On the Organizational unit/<orgunit> page, expand Supervisor roles, and then click Modify.

  4. On the Organizational unit–supervisors/<orgunit> page, in the Role list, click the role you want to assign to the orgunit, click Add, and then click Done.

To revoke a supervisor role for an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit for which you want to revoke a supervisor role.

  3. On the Organizational unit/<orgunit> page, expand Supervisor roles, and then click Modify.

  4. Do one of the following:

    • To revoke an inherited supervisor role, expand Inherited supervisor roles.

    • To revoke an assigned supervisor role, expand Supervisors.

  5. Next to the supervisor role you want to revoke, click Remove, and then click Done.

Note

If you revoke an inherited supervisor role, the revoked role will continue to be listed as an inherited supervisor role, but it will be marked as disabled. This allows you to activate the inherited supervisor role at a later time.

Removing an organizational unit

You can remove an organizational unit (orgunit) if it does not contain users or other orgunits. For information about removing users from an orgunit, see Remove a user from an organizational unit in this topic.

Important

Removing an orgunit does not remove the membership role that was automatically created and linked to the orgunit when it was created. After removing an orgunit, you should manually remove its membership role.

To remove an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit that you want to remove.

  3. On the Organizational unit/<orgunit> page, click Remove, and then on the Remove organizational unit/<orgunit> page, click OK.
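The membership rules stated in this topic (every user belongs to at least one orgunit, so a move is add-then-remove; an orgunit can be removed only when it holds no users or child orgunits; and the MR- membership role survives the orgunit's removal) are easy to get wrong when scripted or when several administrators work the portal at once. The following Python model is an added example, not BHOLD Core code: the Directory class, its methods and the Finance-Audit scenario are assumptions constructed here, and the orphaned_membership_roles check is the clean-up list the Important note above asks you to work through by hand.

```python
"""In-memory model of orgunit membership invariants. Added example only:
the Directory class, its methods and the sample data are assumptions,
not BHOLD Core code or API."""
from typing import Dict, List, Optional, Set


class Directory:
    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}  # orgunit -> parent orgunit (None for the root)
        self.members: Dict[str, Set[str]] = {}      # orgunit -> aliases of its users
        self.roles: Set[str] = set()                # every role, including MR- membership roles

    def add_orgunit(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.parent:
            raise KeyError(f"parent orgunit {parent!r} does not exist")
        if name in self.parent:
            raise ValueError(f"orgunit {name!r} already exists")
        self.parent[name] = parent
        self.members[name] = set()
        self.roles.add("MR-" + name)  # default membership role, created with the orgunit

    def orgunits_of(self, alias: str) -> Set[str]:
        return {ou for ou, users in self.members.items() if alias in users}

    def add_user(self, alias: str, orgunit: str) -> None:
        """Create a new user in an orgunit, or link an existing user to one more."""
        self.members[orgunit].add(alias)

    def remove_user(self, alias: str, orgunit: str) -> None:
        """Unlink a user from an orgunit, refusing when it is the user's only orgunit."""
        if alias not in self.members[orgunit]:
            raise KeyError(f"{alias!r} is not a member of {orgunit!r}")
        if self.orgunits_of(alias) == {orgunit}:
            raise ValueError(f"{alias!r} belongs only to {orgunit!r}; removing it would delete the user")
        self.members[orgunit].discard(alias)

    def move_user(self, alias: str, old: str, new: str) -> None:
        """Add to the new orgunit first, then remove from the old one, so the
        user is never in zero orgunits part-way through."""
        self.add_user(alias, new)
        self.remove_user(alias, old)

    def remove_orgunit(self, name: str) -> None:
        if self.members[name]:
            raise ValueError(f"{name!r} still contains users")
        if any(p == name for p in self.parent.values()):
            raise ValueError(f"{name!r} still contains child orgunits")
        del self.parent[name]
        del self.members[name]
        # The MR- role is deliberately left in self.roles, as the portal leaves it.

    def orphaned_membership_roles(self) -> List[str]:
        """Membership roles whose orgunit no longer exists: candidates for manual removal."""
        return sorted(r for r in self.roles if r.startswith("MR-") and r[3:] not in self.parent)


def walkthrough() -> Dict[str, object]:
    """Constructed scenario: retire the Finance-Audit orgunit by moving its user out."""
    d = Directory()
    d.add_orgunit("Contoso")
    d.add_orgunit("Finance", parent="Contoso")
    d.add_orgunit("Finance-Audit", parent="Finance")
    d.add_user("CONTOSO\\auditor1", "Finance-Audit")
    out: Dict[str, object] = {}

    # Removing first would leave the user in no orgunit, so the model refuses.
    try:
        d.remove_user("CONTOSO\\auditor1", "Finance-Audit")
        out["remove_only_refused"] = False
    except ValueError:
        out["remove_only_refused"] = True

    # The orgunit cannot be removed while it still holds a user.
    try:
        d.remove_orgunit("Finance-Audit")
        out["remove_populated_refused"] = False
    except ValueError:
        out["remove_populated_refused"] = True

    d.move_user("CONTOSO\\auditor1", "Finance-Audit", "Finance")
    out["user_orgunits"] = d.orgunits_of("CONTOSO\\auditor1")
    d.remove_orgunit("Finance-Audit")
    out["orphaned"] = d.orphaned_membership_roles()  # ["MR-Finance-Audit"] awaits manual removal
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The orphaned-role list is the part worth keeping around: a membership role that outlives its orgunit can still be linked to users or other orgunits, so after each orgunit removal it belongs on the same checklist as the removal itself.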

See also