Personal other accounts

Introduction

Personal other accounts are additional accounts that belong to a particular identity. Unlike a standard personal account, of which an identity has one per system, an identity can have more than one personal other account per system. Permissions for personal other accounts are always managed manually, by assigning roles directly to the account. They are typically used for testing or administration (for example an admin account that exists alongside the employee's primary account).

Zone and tier

For the purposes of assigning roles to personal other accounts, each personal other account and each role carries two attributes, Zone and Tier. A role can be assigned to a personal other account only if the Zone of the account matches the Zone of the role and the Tier of the account matches the Tier of the role; otherwise the assignment is refused.

The possible values of Zone and Tier are defined in the code lists security-zones and security-tiers respectively.
Zone and Tier are propagated into the transformation scripts of the system mapping. During account creation they can be read from the script context as context.get("wizard").get("zone") and context.get("wizard").get("tier"). For more information about transformation scripts, see here.

Role Assignment on Contract

There is a known issue in CzechIdM with role assignment on a *contract* when the roles' system mappings also cover *additional personal accounts* (personal other accounts). In the current product behavior, every role assigned on the contract affects not only the primary personal account but also all additional personal accounts of the same identity on that system. This behavior is unintended.

Example: An identity has two accounts on one system, a primary personal account and an additional personal account (e.g., an admin account). When a role is assigned on the contract and the role maps to that system, the expected behavior is that the role affects only the primary account. In the current implementation, however, the permissions granted by the role are also applied to the additional personal account, even though the role was never assigned to that account. This is incorrect behavior.

We plan to redesign the account management for additional personal accounts in future product versions to define correct and predictable behavior.

To limit the impact of this issue until the redesign is complete, a new configuration option has been introduced:

# Warning: this is a new configuration option in Beta mode. Use with extreme caution.
# This configuration option will be removed after the account management for additional personal accounts is updated.
# The behavior will be replaced by the correct product functionality.
# If enabled, provisioning for secondary accounts will only use contract roles
# that are marked as "create account by default".
# This prevents standard contract-based roles (used for primary employment accounts)
# from propagating their permissions to secondary/admin accounts, which are supposed
# to have their own dedicated role assignments.
idm.sec.acc.provisioning.personalOtherAccounts.onlyRolesCreatingAccount=false

The default value of this configuration option is false, which keeps the current behavior. If set to true, CzechIdM ignores, when provisioning additional personal accounts, every contract role whose system mapping does *not* have "Create account by default" enabled. Standard employment roles therefore no longer affect additional personal/admin accounts.

Note the scope of the filter: it only drops contract roles whose mapping does not have the "Create account" option enabled. A contract role whose mapping does create the account is still applied to the additional personal account regardless of this option.

Purpose of this configuration option

If your roles map both the primary and additional personal accounts, and they also assign permissions or modify attributes, this configuration ensures that the role affects only the account it was assigned to:

* role assigned on the contract → affects only the primary personal account,
* role assigned directly to an additional personal account → affects only that additional personal account.

This prevents unwanted propagation of contract roles to additional personal accounts.
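To make the combined effect of the Zone/Tier rule and of the onlyRolesCreatingAccount switch concrete, the following Python model replays the rules described on this page for a constructed identity with a primary account and an admin account on the same system. It is an added example written for this page, not CzechIdM code: the Role and Account types, the function names and the sample roles and code-list values are assumptions made for the illustration; the outcomes (a refused assignment on a Zone mismatch, a contract role ignored for the admin account once the switch is on, a contract role that creates the account still applied) are the ones the text above describes.

```python
# Model of how roles reach a personal other account, following the rules described on this
# page (Zone/Tier matching; the onlyRolesCreatingAccount switch). Added illustration for this
# page, not CzechIdM code: Role, Account, the function names and the sample data are assumed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    zone: str                      # value from code list security-zones (assumed values)
    tier: str                      # value from code list security-tiers (assumed values)
    creates_account: bool = False  # mapping has "Create account (by default)" enabled


@dataclass
class Account:
    name: str
    primary: bool
    zone: str
    tier: str
    direct_roles: list = field(default_factory=list)  # roles assigned directly to the account


def assign_direct_role(account, role):
    """Assign a role directly to a personal other account.

    Returns True when assigned, False when refused because Zone or Tier differ."""
    if account.primary:
        raise ValueError("roles for the primary account come from the contract, not directly")
    if (account.zone, account.tier) != (role.zone, role.tier):
        return False
    account.direct_roles.append(role)
    return True


def effective_roles(account, contract_roles, only_roles_creating_account=False):
    """Names of the roles provisioning applies to `account` on a system where both the
    primary and the additional account exist.

    `only_roles_creating_account` models
    idm.sec.acc.provisioning.personalOtherAccounts.onlyRolesCreatingAccount."""
    if account.primary:
        # Contract roles always drive the primary account.
        return {r.name for r in contract_roles}
    if only_roles_creating_account:
        # Switch on: a contract role is used for the additional account only if its
        # mapping creates the account.
        from_contract = {r.name for r in contract_roles if r.creates_account}
    else:
        # Switch off (default): every contract role propagates to additional accounts too,
        # which is the unintended behaviour the page describes.
        from_contract = {r.name for r in contract_roles}
    return from_contract | {r.name for r in account.direct_roles}


def scenario(only_roles_creating_account=False):
    """Constructed sample: one identity, one system, a primary and an admin account."""
    employee = Role("employee-basic", zone="internal", tier="2")
    vpn = Role("vpn-access", zone="internal", tier="2", creates_account=True)
    admin = Role("server-admin", zone="internal", tier="0")
    dmz = Role("dmz-ops", zone="dmz", tier="0")

    primary = Account("jdoe", primary=True, zone="internal", tier="2")
    admin_acc = Account("jdoe-adm", primary=False, zone="internal", tier="0")
    contract_roles = [employee, vpn]  # roles assigned on the contract

    assigned = {
        "server-admin": assign_direct_role(admin_acc, admin),  # Zone/Tier match -> True
        "dmz-ops": assign_direct_role(admin_acc, dmz),         # Zone differs    -> False
    }
    return {
        "assigned": assigned,
        "primary": effective_roles(primary, contract_roles, only_roles_creating_account),
        "admin": effective_roles(admin_acc, contract_roles, only_roles_creating_account),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"onlyRolesCreatingAccount={str(flag).lower()}: {scenario(flag)}")
```

Running the module prints the roles each account ends up with for both settings of the switch: with the default (false) the admin account also receives employee-basic from the contract; with true it keeps only vpn-access (whose mapping creates the account) and its directly assigned server-admin role, while the primary account is unaffected either way.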