eIAM Admin Portal

Access to the eIAM Admin Portal



Instance of the eIAM portal (links):
  • Production (PROD)
  • Reception (ABN)
  • Reference (REF)


eIAM Portal Entry Panel

eIAM Portal Entry Panel / Delegated management

Change Subordinate Department/Unit (Actions)

Select or mark the unit and then select "Action" "Change".


Change Unit
Display name, abbreviation (4 languages), comments, change notes
Custom Attributes: add SAP BP ID, street, GLN or Sub-Unit

Enter user with 'Del. Management' authorisation

Via User Management -> Delegated Management to 'Unit Selection'.

Select desired department/unit & 'Next' to 'User selection'.


Comment
If "Strict-Onboarding" is configured for the corresponding access client in the portal properties, the "Mobile number" must be entered (mandatory field). This also applies to Bulk-Onboarding of new users (see the section 'Bulk-Onboarding Functionality' below).

Tab 'Grant permissions'
In this tab, the administrator can assign individual roles or collective roles of the respective application to the user.

In addition, roles with attributes can be assigned at this point.


Explaining special case roles with attributes:


Tab 'Grant permissions for delegated administration'
In this tab, the administrator can activate various settings for the user in the role as (future) delegated administrator. From a technical point of view, this processing is comparable to the 'Add IDM role' in IDM.


  • Checkbox "Delegated Management of (Sub-)Units" ("Delegated Administration of (Sub-)Units"):
    If enabled, the IDM role DelegatedAdmin_SubUnit is assigned to the user.
  • Checkbox "Delegated Management of Users" ("Delegated Administration of Users"):
    If enabled, the IDM role DelegatedAdmin_User is assigned to the user.
  • Checkbox "Delegated Management of Permissions" ("Delegated Administration of Permissions"):
    If checked, the IDM role DelegatedAdmin_Permissions is assigned to the user. If the checkbox is activated, the roles/business roles that the Del. Administrator may assign to other users.
  • Checkbox "incl. substitution (further delegation of management rights to deputies possible)" ("incl. Substitution"):
    If checked, the user will be allowed to edit the 'Grant Delegated Management Permissions' tab.

Check before sending:

Show detailed information via function button 'Show more'

Permissions granted

Delegated management rights granted

Details of the delegated management rights


Send onboarding link or send notification email


Comment
Function button 'Send notification email / Send onboarding email' is only enabled if text is entered in the Reason for authorisation (traceability) field.

Final Notification:


Reset Onboarding

The onboarding reset for already onboarded users can be performed in the admin portal using the following option.
Image of the eIAM portal for delegated management with user selection and selection of the reset onboarding feature.
Feature: reset onboarding


Example: Onboarding email to user


Example: notification mail when permissions change


Manual path onboarding (print)

Describe in prose why this may be necessary....

Print


Option: Save onboarding links in ...


Option: Send Onboarding Mail

Already described in 'Send onboarding link'.

Bulk-Onboarding Functionality

With this extension it is now possible to assign delegAdmin roles to the user directly during onboarding. The following delegAdmin roles can be specified per user in the extended .csv file.


Supported IDM DelegAdmin roles
  • DelegatedManager_User
  • DelegatedManager_Subunit
  • DelegatedManager_Permission
  • DelegatedManager_DelegMgmt_Permission

CSV file

Name | Mandatory | Example | Explanation
firstName | Yes | Jon | First name
lastName | Yes | Smith | Last name
email | Yes | jsmith@test.com | E-mail address
language | Yes | en | Language
mobileNumber | Only for Strict-Onboarding | 0041791234567 | Phone number
addressLine1 | Only for onboarding by letter | Engehalde 22 | Street
addressLine2 | Only for onboarding by letter | Information technology Inc | Additional information
postalCode | Only for onboarding by letter | 3005 | Postcode
city | Only for onboarding by letter | Bern | City
countryCode | Only for onboarding by letter | ch | Country
additionalRoles | No | DelegatedManager_User, DelegatedManager_Subunit, DelegatedManager_Permission, DelegatedManager_DelegMgmt_Permission | One or more of the above supported IDM roles. Default: none
unitExtId | No | 1234 | ExtId of the unit to which the user is to be added. Must be either the unit selected in the AdminPortal or a child unit of that unit. Default: the unit selected at the start of Bulk-Onboarding
profileName | No | TestProfile | If the profile name is defined in the CSV file (i.e. the value in the column for a row is not empty), it takes precedence over the e-mail address, which could come from the OnboardingDataStorage function if it is enabled for the client. If the OnboardingDataStorage function is enabled and the profileName column for that row is empty, the profile name is still the e-mail address.

Conditions for a successful execution of the extended Bulk-Onboarding:

  1. Only the supported IDM roles mentioned above are present.
  2. The IDM roles are correctly formatted (correct separator).
  3. The executing administrator has the necessary rights to assign all requested IDM roles.

If any of these conditions are not met, onboarding will not start and an error message will be displayed (the error message contains the line number and a reason text, e.g. "no rights").
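The pre-flight check described above, written out as an added example (it is not eIAM's own code and does not reproduce its error texts). It validates every row of a Bulk-Onboarding CSV against the three conditions plus the Strict-Onboarding and letter-onboarding field rules from the table, and reports each failure with its line number and a reason, so an administrator can see why an import would be refused before anything is provisioned. The page does not name the CSV delimiter or the role separator, so ";" and "|" are assumptions; the sample file, the administrator's assignable role set and the allowed unit ids are constructed.

```python
import csv
import io

# Roles the Bulk-Onboarding extension accepts in the additionalRoles column (from the page).
SUPPORTED_ROLES = {
    "DelegatedManager_User",
    "DelegatedManager_Subunit",
    "DelegatedManager_Permission",
    "DelegatedManager_DelegMgmt_Permission",
}

# Assumptions: the page names neither the column delimiter nor the role separator.
CSV_DELIMITER = ";"
ROLE_SEPARATOR = "|"

ALWAYS_REQUIRED = ("firstName", "lastName", "email", "language")
LETTER_REQUIRED = ("addressLine1", "addressLine2", "postalCode", "city", "countryCode")


def validate_bulk_onboarding_csv(csv_text, admin_assignable_roles, allowed_unit_ext_ids,
                                 strict_onboarding=False, onboarding_by_letter=False):
    """Check every data row and return a list of (line_number, reason).

    An empty list means the import may start. Line 1 is the header, so the
    first data row is line 2. allowed_unit_ext_ids is the ExtId of the unit
    selected in the portal plus the ExtIds of its child units.
    """
    errors = []
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=CSV_DELIMITER)
    for line_no, row in enumerate(reader, start=2):
        def cell(name):
            # Missing cells come back as None from DictReader; treat them as empty.
            return (row.get(name) or "").strip()

        for col in ALWAYS_REQUIRED:
            if not cell(col):
                errors.append((line_no, f"mandatory column '{col}' is empty"))
        if strict_onboarding and not cell("mobileNumber"):
            errors.append((line_no, "mobileNumber is mandatory under Strict-Onboarding"))
        if onboarding_by_letter:
            for col in LETTER_REQUIRED:
                if not cell(col):
                    errors.append((line_no, f"'{col}' is required for onboarding by letter"))

        raw_roles = cell("additionalRoles")
        if raw_roles:
            tokens = [t.strip() for t in raw_roles.split(ROLE_SEPARATOR)]
            # Condition 2: an empty token or a comma means the wrong separator was used.
            if "" in tokens or "," in raw_roles:
                errors.append((line_no, "additionalRoles is not correctly formatted (wrong separator)"))
            else:
                for role in tokens:
                    if role not in SUPPORTED_ROLES:          # condition 1
                        errors.append((line_no, f"unsupported IDM role '{role}'"))
                    elif role not in admin_assignable_roles:  # condition 3
                        errors.append((line_no, f"no rights to assign '{role}'"))

        unit = cell("unitExtId")
        if unit and unit not in allowed_unit_ext_ids:
            errors.append((line_no, f"unitExtId '{unit}' is not the selected unit or one of its child units"))
    return errors


# Constructed sample file: row 2 is fine, row 3 names a role that does not exist,
# row 4 lacks a mobile number, requests a role this admin may not grant, and
# targets a unit outside the selected subtree.
SAMPLE_CSV = (
    "firstName;lastName;email;language;mobileNumber;additionalRoles;unitExtId\n"
    "Jon;Smith;jsmith@test.com;en;0041791234567;DelegatedManager_User;1234\n"
    "Ann;Muster;amuster@test.com;de;0041790000000;DelegatedManager_User|DelegatedManager_Admin;1234\n"
    "Max;Beispiel;mbeispiel@test.com;fr;;DelegatedManager_Permission;9999\n"
)
ADMIN_CAN_ASSIGN = {"DelegatedManager_User", "DelegatedManager_Subunit"}  # constructed
ALLOWED_UNITS = {"1234", "1235"}                                          # constructed


def validate_sample():
    """Run the check on the constructed sample with Strict-Onboarding switched on."""
    return validate_bulk_onboarding_csv(SAMPLE_CSV, ADMIN_CAN_ASSIGN, ALLOWED_UNITS,
                                        strict_onboarding=True)


if __name__ == "__main__":
    for line_no, reason in validate_sample():
        print(f"line {line_no}: {reason}")
```

Because the portal refuses the whole file when any row fails, the function collects every problem instead of stopping at the first one; that is what lets an administrator fix the file in a single pass.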

Change user with 'Del. Management' permission (Actions)

'Actions', 'Modify'

  • Edit user data
    Display name, abbreviation (4 languages), comments, change notes
    Custom Attributes: SAP BP ID, Street, GLN.
    Mandatory fields: First Name, Last Name and eMail
  • Delete/archive user
    User and profile will be deactivated.
    User is marked for deletion after 95 days (ArchiveDate).
    Email address will be removed and the user's ExtID will be added.
    Credentials are removed.
    Profile information remains.
  • Disable user
    No security question.
    User and profile are deactivated (and remain so).
  • Send new onboarding link

Edit profiles

Add new profile


Separation of different tasks (e.g. admin and user tasks)

Edit profiles
- Edit name
- Archive profile
- Deactivate
  Status of profile is deactivated in IDM.
  Deactivate temporarily for tasks/job changes.
  Provides the same functionalities as in IDM.

Onboarding

Describe process.

Onboarding Status

  • Open: This user is ready to be granted permissions.
  • Ready: This user has at least one role and is therefore ready for onboarding.
  • Ongoing: A successful onboarding was created for a user. Neither the profile nor the account has the status "onboarding"; this is just the status of the onboarding. An onboarding link is valid for 30 days.
  • Overdue: A user has 30 days to complete the onboarding process. After this period, the user's onboarding status is "onboarding overdue". -> Inform user
  • Expired: The onboarding code has expired (valid for 30 days). -> User administrators must send a new onboarding code.
  • Completed: A user successfully did the onboarding with the onboarding link.

This step links the data (permissions/roles) entered in the eIAM portal to the CH-LOGIN user account.

Perform Onboarding

Prerequisites:
  • CH-LOGIN registration successfully completed.
  • User has been registered in eIAM Portal and has received Onboarding eMail.

  1. Please open the received Onboarding Mail.
  2. Please highlight the onboarding code and copy it to the clipboard via Ctrl-C.
  3. Please click on the onboarding link.
  4. Please click on the option: CH-LOGIN.
  5. Log in to CH-LOGIN with an existing account or the new user account created in step 1.
  6. Please paste the onboarding code via Ctrl-V from the clipboard. Afterwards, please click on 'Send Onboarding Code'.
  7. After the successful 'Onboarding' process, you will be redirected to the self-administration area 'My-Account'. The 'My Applications' area lists all eGov Services applications for which you are authorised.


People Picker

The "People Picker" functionality is automatically available to every delegated manager with the role DelegatedManager_User. With the People Picker, existing eIAM identities can be searched in the enterprise context, onboarded directly in the access client and then authorised by the delegated manager, without the need for an invitation process. The search for eIAM accounts is only possible with a fully qualified e-mail address; no wildcards are allowed for the search. The search results screen shows the delegated manager a list of search results including the identity type. The desired identity can be selected from the list. The user will then receive a mail notification "Your account has been created" with the login method, i.e. FED-LOGIN or CH-LOGIN, which must be used to access the application.

The "People Picker" supports the following identity types:

  • Employees (internal/external) of the central and decentralised Federal Administration (CIS-BV / CIS-OTHERS) - authenticated via FED-LOGIN
  • Employees of the cantonal and communal administrations (equipped with SG-PKI Smart Card) (CIS-KTV) - authenticated via FED-LOGIN
  • External affiliates of the Federal Administration who have not been onboarded via HR processes (nHEC+) - authenticated via CH-LOGIN

Options:

No use of People Picker in Access Client (opt-out)
  • The "People Picker" is available by default in all Access Clients of eIAM that use delegated management. Persons responsible for Access Clients can request that the function is globally switched off on their client.
    • In this case, the function is not displayed to the delegated managers.
  • The "People Picker" allows searching across all e-mail domains by default. Domain managers can request that the search for identities from their domain be globally prevented (blacklisting).
    • The delegated manager will receive an appropriate error message when searching for an identity with an e-mail address in such a domain.
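The search rules above, written out as an added example (not eIAM's own code): a single check that a People Picker query has to pass before any lookup happens, covering the per-client opt-out, the requirement for a fully qualified e-mail address, the wildcard ban and domain blacklisting. The function returns a reason so the delegated manager sees why a search was refused, as the page describes. The blacklisted domain "blocked.example" and the wildcard characters are constructed assumptions; the page only says "no wildcards".

```python
import re

# Constructed sample: a domain whose manager has requested blacklisting.
BLACKLISTED_DOMAINS = {"blocked.example"}

# Assumed wildcard characters; the page only states that wildcards are not allowed.
WILDCARDS = ("*", "?", "%")

# A fully qualified address: local part, "@", and a domain with at least one dot.
_FQ_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_people_picker_query(query, people_picker_enabled=True,
                              blacklisted_domains=BLACKLISTED_DOMAINS):
    """Return (allowed, reason) for a People Picker search string.

    people_picker_enabled models the per-access-client opt-out; when it is
    False the function is simply not offered, so every query is refused.
    """
    if not people_picker_enabled:
        return False, "People Picker is switched off for this access client"
    q = query.strip()
    if any(w in q for w in WILDCARDS):
        return False, "wildcards are not allowed; enter a fully qualified e-mail address"
    if not _FQ_EMAIL.match(q):
        return False, "search requires a fully qualified e-mail address"
    domain = q.rsplit("@", 1)[1].lower()
    if domain in blacklisted_domains:
        return False, f"search for identities in domain '{domain}' is not permitted"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("jsmith@test.com", "*@test.com", "jsmith", "x@blocked.example"):
        print(sample, "->", check_people_picker_query(sample))
```

Doing the wildcard and domain checks before any directory lookup keeps a blacklisted domain from being enumerated and keeps the error message specific without revealing whether an address exists.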