Book Creator
 Add this page to your book
Book Creator
 Remove this page from your book  

 Manage book(0 page(s))
 Help

Account Management

, ,

The aim of account management is to create accounts in the IdM internal warehouse (AccAccount entity) in the same form in which they should be created (according to the IdM settings) on end systems. Account management therefore does not run provisioning as such but it is its indicator, in most cases.

Account management defines what an account should look like (according to IdM) on end systems

Basic account management

Basic account management is used for all entities that support provisioning. Identities utilise more complex account management, relying on roles assignments.

If an entity supports basic account management, then the method ProvisioningService.accountManagement is executed when the entity has been created/updated.

Provisioning ensures the following:

  1. Finds all systems with the provisioning mapping for this entity type.
  2. Generates the account identifier `uid` for this entity.
  3. For all found systems, checks whether or not an account with the same `uid` already exists. If so, then this method comes to an end.
  4. For all found systems, checks if the mapping includes the script 'Can an account be created?'. If this script is filled, it is executed. If the script returns `Boolean.FALSE`, then an account on this system is not created (this method comes to an end).
  5. Account on the system is created (AccAccount).
  6. A relation between the created account and the entity is created, too.
Basic account management does not provide delete of accounts for now. It only allows their creation.

Identity account management

Account management is carried out when triggered by events that impact accounts on the end system. These events may include:

  • creation/modification/deletion of an identity.
  • creating/modifying/deleting the assigned role to a given identity.
  • creating/modifying the definition of mapping the attributes for a role.
Identity account management uses the script 'Can an account be created?', too.

Forward identity account management

By default, if there is a contract that is valid in the future, and you assign a role to this contract (assigning a system), this assigned role is then discarded (not currently valid) during account management. That is, no accounts are created on end systems. This behavior constitutes the default and correct result.

In some cases, however, you need to create an account on an end system before a respective contract becomes valid (for example, when a new employee is expected to arrive). As a solution to this requirement, you can use forward identity account management.

This can be activated by ticking the checkbox 'Forward account management' on the detail of mapping system to a role. If checked, then an account on this system is created even though the assignment of this role to the user will not be valid until some time in the future.

Multiple accounts for one identity

In some cases, one user can have multiple accounts in one target system (think of testing or admin accounts). IdM can manage these as well. See this tutorial for more details.

Technical and service accounts

Some accounts are not owned by an identity but are managed as technical accounts. This class of accounts can be managed by the IdM with a separate module. See here for more details.

  • by doischert