Modules - Technical accounts [tech]

This is a paid module. If you're interested, please contact your consultant.

The Technical Accounts module in Identity Management (IdM) is designed to help manage accounts that are not tied to a specific user identity, but instead serve a technical or system purpose.

These accounts – often referred to as technical accounts – are used by systems, applications, or devices to communicate with other systems, access services, or perform automated tasks. For example, a projector or printer account accessing the network, or an integration scenario where Application A retrieves data from System B using a technical account.

Unlike regular user accounts, technical accounts:

The module allows administrators and guarantors to:

If a guarantor leaves the organization or is no longer responsible, the account must be reassigned to a new guarantor to maintain accountability and prevent orphaned accounts.

Version

Version   Compatible with product   Notes
1.0.0     13.0.0                    First module implementation
1.0.1     13.0.4
1.1.0     13.0.6
1.1.1     13.0.6
1.1.2     13.0.11
2.0.0     14.0.0                    Upgrade Java to 21
2.0.1     14.7.0                    Compatibility fixes
2.1.0     14.11.0                   New evaluators

"Compatible with product" denotes the recommended product version for that module version.

Documentation Structure

Supported operations on Technical Accounts in IdM

Operations that can be performed with technical accounts within IdM:

The technical account serves as the owner of the account in the target system. This allows you to manage it without having an identity which owns it.

A technical account can also have guarantors, either directly (an identity) or by role. A guarantor is a user who is responsible for managing the account and for making sure that the correct attributes and roles are set for it. This also allows you to apply permissions so that guarantors can access only the technical accounts for which they are guarantors.

Lifecycle of technical account

A technical account can either be created by synchronization from a target system (if the account already exists), or a new account can be created via the wizard. Technical accounts can be managed via standard provisioning mapping but some attributes will require manual management.

Two processes ensure the state of technical account:

By default, these processes run every day at 0:30. You can change this schedule by configuring the scheduler in IdM.
The state of a technical account is also validated on every save.

Installation

This section describes the installation process of the Technical Accounts module, including its activation, required prerequisites, access rights configuration, and integration with target systems. It serves as a starting point for administrators when introducing the module into the IdM environment.

Configuration

Attributes in report

# list of attributes from account connector object added to technical account entity report
idm.sec.tech.account.report.connector.object.attributes=

If connector attributes are configured here and the target system is unavailable during report generation, the attempt to retrieve the attributes for each account waits for the internal IdM timeout before continuing.

Role - Technical account guarantor

idm.sec.tech.role.guarantor=techAccountGuarantorRole

Role - System owner technical account role

idm.sec.tech.role.systemowner=techAccountSystemOwnerRole

Getting Started

In your connected system, chances are that you already have some technical accounts and want to start using the IdM to manage them. Follow this tutorial to synchronize these technical accounts in IdM.

Your first Steps

System configuration

Have a standard system supporting provisioning. Any system can be used (MS AD, database…). The only things that need to be configured are mapping and roles.

Create a provisioning mapping

Open the detail of the system and select Mapping. Click Add new.

You can also copy an existing mapping and make the necessary change in the account type. This is especially useful if your mapping is complex but similar to the original mapping.

Create the mapping and select the entity type "Technical account". The account type selected must be "Technical".

After that, finish the mapping configuration as needed (and as usual). Since technical accounts are created via a wizard, you don't need to use scripts covering every potential scenario. During the creation process, users can manually set the values for the account.

Roles

If you want to use roles representing permissions in the target system (e.g., MS AD groups), you will have to create a separate set of roles. You can use standard synchronization for this. As of 13.0., however, these roles will not be assigned to the accounts during synchronization.

Proceed with synchronization

In this step, you will create the technical account objects in the IdM using a standard synchronization. This is a relatively standard synchronization but you will have to make sure that identifiers are unique (which they should be in the target system anyway). Technical accounts themselves don't get many attributes which makes synchronization mapping easier. At the synchronization mapping detail, select your provisioning mapping as Connected mapping. The mapping should be created like this:

In the mapping configuration, you only need to fill in the identifier of the technical account (typically the __NAME__ attribute).

Then, create a new synchronization and run it. New technical accounts will be created.

You can finish their configuration after they are synchronized. We recommend you at least set the guarantors for the accounts (since this information is unlikely to be available in the system, you probably cannot synchronize it).
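As an added example (not part of the module or its documentation), the following Python script checks an exported list of technical accounts before synchronization for the two conditions stressed above: every UID (__NAME__) must be unique, and every account should resolve to at least one active guarantor, set either directly or through a guarantor role. The record fields and sample data are assumptions constructed for this example; the role name is the default from the configuration section.

```python
"""Pre-synchronization check for technical accounts (added example)."""
from collections import Counter

# Constructed sample data. Field names are assumptions for this example,
# not the IdM module's data model.
IDENTITIES = {
    "alice": {"disabled": False, "roles": {"techAccountGuarantorRole"}},
    "bob":   {"disabled": True,  "roles": set()},   # left the organisation
    "carol": {"disabled": False, "roles": set()},
}

TECH_ACCOUNTS = [
    {"uid": "svc-printer-01", "guarantors": ["carol"], "guarantor_roles": []},
    {"uid": "svc-backup",     "guarantors": ["bob"],   "guarantor_roles": []},
    {"uid": "svc-etl",        "guarantors": [],        "guarantor_roles": ["techAccountGuarantorRole"]},
    {"uid": "svc-printer-01", "guarantors": [],        "guarantor_roles": ["nonexistentRole"]},
]


def active_guarantors(account, identities):
    """Resolve direct and role-based guarantors to enabled identities."""
    direct = {g for g in account["guarantors"]
              if g in identities and not identities[g]["disabled"]}
    by_role = {name for name, ident in identities.items()
               if not ident["disabled"]
               and ident["roles"] & set(account["guarantor_roles"])}
    return direct | by_role


def check_accounts(accounts, identities):
    """Return a list of (uid, problem) findings; an empty list means all good."""
    findings = []
    counts = Counter(a["uid"] for a in accounts)
    for a in accounts:
        if counts[a["uid"]] > 1:
            findings.append((a["uid"], "duplicate UID"))
        if not active_guarantors(a, identities):
            findings.append((a["uid"], "no active guarantor"))
    return findings


if __name__ == "__main__":
    for uid, problem in check_accounts(TECH_ACCOUNTS, IDENTITIES):
        print(f"{uid}: {problem}")
```

Accounts reported with "no active guarantor" are the orphan candidates that need a new guarantor assigned after synchronization.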

Create a new technical account with a wizard

A technical account can either be created by synchronization from a target system (if the account already exists), or a new account can be created via the wizard. This allows you to configure the details of the technical accounts.

Navigate to System > Accounts and click the Add button. Select "Technical account" in the window that opens.

Select your system, user type (needs to be a provisioning mapping), and the guarantor.

Click Next. Now you can edit the attribute values for the account. If you have a mapping configured, you will see the default values. Make sure that the UID (typically __NAME__) is unique. Any value you change will be managed manually and will not be changed based on the mapping.

Click Next. You can now review the attribute values for the account.

If you are happy with them, click Next again. The account will be created. You can exit the wizard now.

Types of Users

Using the Technical Accounts module, you can perform various tasks related to managing technical accounts. These tasks cover different aspects of technical account management and are typically divided among specific types of users.

Each user type is responsible for a defined set of tasks. Tasks are assigned based on user responsibilities and assigned permissions (see permissions/evaluators section).

By selecting a specific user type, you can learn more about:

This task structure, based on user types, ensures clear accountability, transparent processes, and simplifies the management of technical accounts within the organization.

Admin

Admin user type refers to a user who usually has the superAdminRole with the APP_ADMIN permission. This user can perform all operations and is not restricted by any permissions in IdM. Typically, this identity does not have an account in any connected system and is used only for technical access to IdM.

The Admin's tasks in the Technical Accounts module may include:

Technical Account Guarantor

Technical account guarantor user type is defined by permissions in specific roles assigned by the IdM administrator. Typically, the user has a role that includes permissions for managing technical accounts and their assigned roles. Common permissions (evaluators) include:

For a description of permissions, see the section below.

The user's tasks may include:

"Own technical account" means a technical account where the user is set as the guarantor.

System Owner

The system owner is a user type who usually has permissions to configure and manage a system for which they are responsible. Their permissions typically include:

This user’s tasks may include:

Role Guarantor

A role guarantor is a user or a group of users who are responsible for a specific role or a set of roles in IdM. From a business perspective, this is usually a person responsible for managing access to certain permissions (e.g. in Active Directory) and ensuring that unauthorized users or accounts do not receive access they should not have.

In combination with the Technical Accounts module, the main responsibility of a role guarantor is to prevent technical accounts from receiving roles they should not have – for example, when a request is made by mistake. In such cases, the guarantor usually rejects the request.

The role guarantor's permissions are typically included in the default user role (userRole). This role usually allows the following actions:

In the context of the Technical Accounts module, the guarantor’s main role is to review and approve (or reject) role requests for technical accounts, and to monitor which accounts have these roles assigned.

Security

A security user is typically responsible for reviewing and validating role assignments for both users and technical accounts. In practice, this means that no user or account should have a role (permission) that does not match their job position or intended purpose. The security user can verify this using the recertification process (this is a paid module and not included in the default IdM installation).

⚠️ The recertification feature for roles is currently not available for technical accounts. This process is only supported for standard users in IdM.

Typical permissions for this user type include:

Permissions (Evaluators)

More about permissions in IdM and working with evaluators can be found in this section.

The following section describes how to configure permissions for the Technical Accounts module. All listed evaluators are available only after the module (idm-tech) is deployed. We recommend configuring them either in the main userRole or in specific roles related to the Technical Accounts module.

TechnicalAccountByGuaranteedRoleEvaluator

RoleRequestByTechnicalAccountGuarantorEvaluator

TechnicalAccountByGuarantorTransitiveEvaluator

Tutorials

Troubleshooting

FIXME add common troubleshooting here; currently I cannot assess it.

The Troubleshooting section provides solutions to common issues that may arise when working with the Technical Accounts module. It helps identify errors, understand their causes, and suggests steps to resolve them.

Glossary

FIXME TODO to be added

The Glossary section provides explanations of key terms used within the Technical Accounts module. It serves as a reference to help users understand the terminology, as well as the functions and roles associated with the module.