The aim of account management is to create accounts in the IdM internal warehouse (AccAccount entity) in the same form in which they should be created (according to the IdM settings) on end systems. Account management therefore does not run provisioning as such, but in most cases it is its indicator.
Basic account management is used for all entities that support provisioning. Identities utilise more complex account management, relying on role assignments.
If an entity supports basic account management, then the method ProvisioningService.accountManagement is executed when the entity has been created or updated.
Provisioning ensures the following:
Account management is carried out when triggered by events that impact accounts on the end system. These events may include:
By default, if a contract is valid only in the future and you assign a role (one that assigns a system) to this contract, the assigned role is discarded during account management because it is not currently valid. That is, no accounts are created on end systems. This is the default and correct behavior.
In some cases, however, you need to create an account on an end system before the respective contract becomes valid (for example, when a new employee is expected to arrive). To meet this requirement, you can use forward identity account management.
In some cases, one user can have multiple accounts in one target system (think of testing or admin accounts). IdM can manage these as well. See this tutorial for more details.
Some accounts are not owned by an identity but are managed as technical accounts. This class of accounts can be managed by the IdM with a separate module. See here for more details.