The Technical Accounts module in Identity Management (IdM) is designed to help manage accounts that are not tied to a specific user identity, but instead serve a technical or system purpose.
These accounts – often referred to as technical accounts – are used by systems, applications, or devices to communicate with other systems, access services, or perform automated tasks. For example, a projector or printer account accessing the network, or an integration scenario where Application A retrieves data from System B using a technical account.
Unlike regular user accounts, technical accounts:
The module allows administrators and guarantors to:
| Version | Compatible with product | Notes |
|---|---|---|
| 1.0.0 | 13.0.0 | First module implementation |
| 1.0.1 | 13.0.4 | — |
| 1.1.0 | 13.0.6 | — |
| 1.1.1 | 13.0.6 | — |
| 1.1.2 | 13.0.11 | — |
| 2.0.0 | 14.0.0 | Upgrade Java to 21 |
| 2.0.1 | 14.7.0 | Fixes with compatibility |
| 2.1.0 | 14.11.0 | New evaluators |
"Compatible with product" means that this is the recommended product version for the given module version.
Operations that can be performed with technical accounts within IdM:

- CREATE of a technical account in the target system via a wizard in IdM.
- UPDATE of managed attributes (e.g., description, extended attributes, etc.) and their propagation to the end system.
- MEMBERSHIP on the target system for the given technical account, controlled through IdM.
- Approving of role requests in IdM for the technical account – the process may be subject to approval, for example by the role guarantor, etc.
- CHANGE PASSWORD of the technical account.
- Assign guarantor in IdM to the technical account – the guarantor then gains the authorization to perform the listed operations.
- Report of all managed technical accounts in IdM in .xls (Excel) format.

The technical account serves as the owner of the account in the target system. This allows you to manage it without having an identity which owns it.
A technical account can also have guarantors, either directly (an identity) or by role. A guarantor is a user who is responsible for managing the account and for making sure that the correct attributes and roles are set for it. This also allows you to apply permissions so that guarantors can access only the technical accounts for which they are guarantors.
A technical account can either be created by synchronization from a target system (if the account already exists), or a new account can be created via the wizard. Technical accounts can be managed via standard provisioning mapping but some attributes will require manual management.
Two scheduled processes maintain the validity state of technical accounts:

- EndTechnicalAccountProcess invalidates technical accounts whose validTill has already passed.
- StartTechnicalAccountProcess validates them if the current date is between validFrom and validTill.

This section describes the installation process of the Technical Accounts module, including its activation, required prerequisites, access rights configuration, and integration with target systems. It serves as a starting point for administrators when introducing the module into the IdM environment.
```properties
# list of attributes from account connector object added to technical account entity report
idm.sec.tech.account.report.connector.object.attributes=
idm.sec.tech.role.guarantor=techAccountGuarantorRole
idm.sec.tech.role.systemowner=techAccountSystemOwnerRole
```
In your connected system, chances are that you already have some technical accounts and want to start using the IdM to manage them. Follow this tutorial to synchronize these technical accounts in IdM.
Have a standard system supporting provisioning. Any system can be used (MS AD, database…). The only things that need to be configured are mapping and roles.
Open the detail of the system and select Mapping. Click add new.
Create the mapping and select the entity type "Technical account". The account type selected must be "Technical".
After that, finish the mapping configuration as needed (and as usual). Since technical accounts are created via a wizard, you don't need to use scripts covering every potential scenario. During the creation process, users can manually set the values for the account.
If you want to use roles representing permissions in the target system (e.g., MS AD groups), you will have to create a separate set of roles. You can use standard synchronization for this. As of 13.0, however, these roles will not be assigned to the accounts during synchronization.
In this step, you will create the technical account objects in the IdM using a standard synchronization. This is a relatively standard synchronization but you will have to make sure that identifiers are unique (which they should be in the target system anyway). Technical accounts themselves don't get many attributes which makes synchronization mapping easier. At the synchronization mapping detail, select your provisioning mapping as Connected mapping. The mapping should be created like this:
In the mapping configuration, you only need to fill in the identifier of the technical account (typically the __NAME__ attribute).
Then, create a new synchronization and run it. New technical accounts will be created.
You can finish their configuration after they are synchronized. We recommend you at least set the guarantors for the accounts (since this information is unlikely to be available in the system, you probably cannot synchronize it).
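The two points the tutorial asks you to verify around synchronization (unique identifiers, and guarantors set afterwards), together with the validFrom/validTill window that EndTechnicalAccountProcess and StartTechnicalAccountProcess evaluate, can be dry-run against exported connector data before the synchronization is started. The script below is an added example and is not part of the module or of CzechIdM; the TechnicalAccount field names, the inclusive window boundaries and the sample accounts are constructed assumptions.

```python
"""Pre-synchronization sanity check for technical accounts (added example).

Not CzechIdM code. It models the checks the tutorial asks for around
synchronizing technical accounts into IdM:
  1. the account identifier (typically __NAME__) must be unique per system,
  2. every technical account should end up with a guarantor,
plus the validity rule the EndTechnicalAccountProcess /
StartTechnicalAccountProcess pair applies (validFrom <= today <= validTill).
Field names, the inclusive boundaries and the sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class TechnicalAccount:
    uid: str                       # value of the __NAME__ attribute (assumed)
    system: str                    # connected system the account lives in
    guarantors: list = field(default_factory=list)
    valid_from: Optional[date] = None
    valid_till: Optional[date] = None


def duplicate_uids(accounts):
    """Return the (system, uid) pairs that occur more than once."""
    counts = Counter((a.system, a.uid) for a in accounts)
    return {key for key, n in counts.items() if n > 1}


def accounts_without_guarantor(accounts):
    """Return uids of accounts nobody is responsible for."""
    return [a.uid for a in accounts if not a.guarantors]


def is_valid_on(account, today):
    """Validity window as both scheduled processes evaluate it.

    A missing validFrom means 'already started'; a missing validTill means
    'never expires'. Boundaries are treated as inclusive (assumption).
    """
    if account.valid_from is not None and today < account.valid_from:
        return False
    if account.valid_till is not None and today > account.valid_till:
        return False
    return True


def validity_transitions(accounts, today):
    """Split accounts the way End/StartTechnicalAccountProcess would:
    'invalidate' = validTill already passed; 'validate' = inside the window;
    'pending' = validFrom still in the future."""
    result = {"invalidate": [], "validate": [], "pending": []}
    for a in accounts:
        if a.valid_till is not None and today > a.valid_till:
            result["invalidate"].append(a.uid)
        elif is_valid_on(a, today):
            result["validate"].append(a.uid)
        else:
            result["pending"].append(a.uid)
    return result


# Constructed sample: what a connector might return from an AD-like system.
SAMPLE = [
    TechnicalAccount("svc-printer", "AD", ["alice"], date(2024, 1, 1), None),
    TechnicalAccount("svc-backup", "AD", [], None, date(2023, 12, 31)),
    TechnicalAccount("svc-printer", "AD", ["bob"]),           # duplicate uid
    TechnicalAccount("svc-etl", "DB", ["carol"], date(2030, 1, 1), None),
]
TODAY = date(2025, 6, 1)   # fixed reference date so the run is reproducible


def run_checks(accounts=SAMPLE, today=TODAY):
    """Collect all findings; an empty 'duplicates' set and an empty
    'no_guarantor' list mean the export is safe to synchronize."""
    return {
        "duplicates": duplicate_uids(accounts),
        "no_guarantor": accounts_without_guarantor(accounts),
        "validity": validity_transitions(accounts, today),
    }


if __name__ == "__main__":
    for section, value in run_checks().items():
        print(f"{section}: {value}")
```

Run it against your own export by replacing SAMPLE; a non-empty duplicates set is the case the tutorial warns about, because the synchronization cannot correlate two connector objects that share one identifier, and the no_guarantor list is the set of accounts you should assign a guarantor to after the synchronization finishes.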
A technical account can either be created by synchronization from a target system (if the account already exists), or a new account can be created via the wizard. This allows you to configure the details of the technical accounts.
Navigate to System > Accounts and click the Add button. Select "Technical account" in the dialog window.
Select your system, user type (needs to be a provisioning mapping), and the guarantor.
Click Next. Now you can edit the attribute values for the accounts. If you have mapping configured, you will see the default values. Make sure that the UID (typically __NAME__) is unique. Any value you change will be managed manually and will not be changed based on the mapping.
Click Next. You can now review the attribute values for the account.
If you are happy with them, click Next again. The account will be created. You can exit the wizard now.
Using the Technical Accounts module, you can perform various tasks related to managing technical accounts. These tasks cover different aspects of technical account management and are typically divided among specific types of users.
Each user type is responsible for a defined set of tasks. Tasks are assigned based on user responsibilities and assigned permissions (see permissions/evaluators section).
By selecting a specific user type, you can learn more about:
This task structure, based on user types, ensures clear accountability, transparent processes, and simplifies the management of technical accounts within the organization.
The Admin user type refers to a user who usually has the superAdminRole with the APP_ADMIN permission. This user can perform all operations and is not restricted by any permissions in IdM. Typically, this identity does not have an account in any connected system and is used only for technical access to IdM.
The Admin's tasks in the Technical Accounts module may include:
The Technical account guarantor user type is defined by permissions in specific roles assigned by the IdM administrator. Typically, the user has a role that includes permissions for managing technical accounts and their assigned roles. Common permissions (evaluators) include:
For a description of permissions, see the section below.
The user's tasks may include:
"Own technical account" means a technical account where the user is set as the guarantor.
The system owner is a user type who usually has permissions to configure and manage a system for which they are responsible. Their permissions typically include:
This user’s tasks may include:
A role guarantor is a user or a group of users who are responsible for a specific role or a set of roles in IdM. From a business perspective, this is usually a person responsible for managing access to certain permissions (e.g. in Active Directory) and ensuring that unauthorized users or accounts do not receive access they should not have.
In combination with the Technical Accounts module, the main responsibility of a role guarantor is to prevent technical accounts from receiving roles they should not have – for example, when a request is made by mistake. In such cases, the guarantor usually rejects the request.
The role guarantor's permissions are typically included in the default user role (userRole). This role usually allows the following actions:
In the context of the Technical Accounts module, the guarantor’s main role is to review and approve (or reject) role requests for technical accounts, and to monitor which accounts have these roles assigned.
A security user is typically responsible for reviewing and validating role assignments for both users and technical accounts. In practice, this means that no user or account should have a role (permission) that does not match their job position or intended purpose. The security user can verify this using the recertification process (this is a paid module and not included in the default IdM installation).
Typical permissions for this user type include:
The following section describes how to configure permissions for the Technical Accounts module. All listed evaluators are available only after the module (idm-tech) is deployed. We recommend configuring them either in the main userRole or in specific roles related to the Technical Accounts module.
- role guarantor and a technical account.
- technical account guarantor and role requests for the technical account they guarantee.
- user I have access to (such as my subordinate), who is also a guarantor of technical accounts, and the role requests for those technical accounts.
- technical account and its guarantor.
Add common troubleshooting here; I am currently unable to evaluate it.
The Troubleshooting section provides solutions to common issues that may arise when working with the Technical Accounts module. It helps identify errors, understand their causes, and suggests steps to resolve them.
TODO: to be added
The Glossary section provides explanations of key terms used within the Technical Accounts module. It serves as a reference to help users understand the terminology, as well as the functions and roles associated with the module.