Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
devel:documentation:accounts:dev:account-management [2018/07/26 10:11] svandav [Basic account management] |
devel:documentation:accounts:dev:account-management [2019/03/26 12:33] svandav |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Account management (ACM) ====== | ||
+ | {{tag> account management uid identity ACM}} | ||
+ | |||
+ | |||
+ | The aim of the account management is to create accounts in the IdM internal warehouse (AccAccount entity) in such a form in which they should be created (according to the IdM settings) on end systems. | ||
+ | The account management therefore does not do the provisioning itself but it is its indicator in most cases. | ||
+ | |||
+ | <note tip>The account management defines how the account should look like (according to IdM) on end systems</ | ||
+ | ===== Basic account management ===== | ||
+ | The **basic** account management is using for all entities supports the **provisioning**. Identity have more complex account management using the **roles** assignments. | ||
+ | |||
+ | If the entity supports basic account management, then is executed method **ProvisioningService.accountManagement** after it is created/ | ||
+ | |||
+ | Method **ProvisioningService.accountManagement** ensure: | ||
+ | - Finds all systems with the provisioning mapping for this entity type. | ||
+ | - Generats account identifier `uid` for this entity. | ||
+ | - For all found systems check if account with same `uid` already exists. If yes, then this method ends. | ||
+ | - For all found systems check if his mapping has the script '**Can be account created? | ||
+ | - Account on the system is created (AccAccount). | ||
+ | - Relation between created account and entity are created too. | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | ==== Script - Can be account created? ==== | ||
+ | * This script can be defined on the system provisioning mapping. | ||
+ | * Is executed before any IdM account (AccAccount) is created (for identity type are executed too). | ||
+ | * Ensure if will be some IdM account on the system created. | ||
+ | * This script returns `Boolean.TRUE` (for create the account) or `Boolean.FALSE` (for not create the account). | ||
+ | |||
+ | === Script example - role catalogue=== | ||
+ | We will now show how we can use the script. | ||
+ | Situation: | ||
+ | * We have system configured for provisioning IdM role (IdmRole) to the target system. | ||
+ | * Now we want to allow create accounts only for role wich are in the specific role catalogue. | ||
+ | |||
+ | Solution: | ||
+ | - We need to know how check if is role in the specific catalogue. For this we can use script **Is role in the catalogue? | ||
+ | - Fill out the script in the system mapping. You can use insert script button. Result scirpt should looks something like this: | ||
+ | |||
+ | return scriptEvaluator.evaluate( | ||
+ | scriptEvaluator.newBuilder() | ||
+ | .setScriptCode(' | ||
+ | .addParameter(' | ||
+ | .addParameter(' | ||
+ | .addParameter(' | ||
+ | |||
+ | | ||
+ | Where: | ||
+ | * ' | ||
+ | * ' | ||
+ | |||
+ | <note tip>Only for role which will be in the catalogue with code ' | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | ===== Identity account management ===== | ||
+ | The account management is run depending on the event that can have an impact on the change of the account on the end system: | ||
+ | * The event of the creation/ | ||
+ | * The event for creating/ | ||
+ | * The event for creating/ | ||
+ | |||
+ | The identity account management is ensured by the service [[https:// | ||
+ | * boolean **resolveIdentityAccounts**(IdmIdentityDto identity) - will evaluate the account for this identity depending on the roles that are currently assigned to it. Returns true if it is requested to do provisioning. | ||
+ | * **deleteIdentityAccount**(IdmIdentityRoleDto identityRole) - will delete the accounts created within the assignment of this role. | ||
+ | * String **generateUID**(AbstractDto dto, SysRoleSystem roleSystem) - will generate a UID for the identity and the system. If there are overloaded attributes for UID, they are used, if not, the default attribute for UID is used. | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | ==== Forward identity account management ==== | ||
+ | |||
+ | **By default**, if we have a contract that is valid in the future, and I assign a role to this contract (assigning a system), this assigned role will be discarded (not currently valid) during account management. That is, no accounts will be created on the end systems. This behavior is the default and the correct one. | ||
+ | |||
+ | In some cases, however, we need to create an account on the end system before the given contract is valid (for example when a new employee enters). As a solution to this requirement **forward identity account management** was created. | ||
+ | |||
+ | < | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | ===== Example of account life cycle ===== | ||
+ | |||
+ | We have a provisioning mapping system and a primary attribute (marks as **Is identifier**). In this attribute, we will have a transformation into the system, the output of which will be the **username** with the postfix **@idm.eu**. | ||
+ | |||
+ | - Assign a role to this system to, for example, user **john-doe**. | ||
+ | - An internal account (AccAccount) will be created in IDM, where the value of this account (UID) will be **john-doe@idm.eu**. | ||
+ | - After an internal account is created, provisioning will be made on the end system. This creates a new account **john-doe@idm.eu** on the end system. | ||
+ | - If there is a change in the way the IDM of the account ID is being created. For example, the script will change so that postfix will be new **@czechidm.eu**, | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | |||
+ | <note tip> If the output from primary attribute is **null**, then the ** SysSystemEntity.uid ** as account ID (UID) is automatically used. </ | ||
+ | |||
+ | =====Name of account in IDM===== | ||
+ | Name of account is in IDM stored in the entity **AccAccount** (field **UID**). | ||
+ | This name is an internal account name and is particularly important when account management is executed but provisioning has not yet. At this point, the account name is the only account identifier. | ||
+ | After a end system is called (provisioning), | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | During synchronization from the end system to IDM, an internal IDM account (AccAccount) is also created. In this case, an attribute identified as an identifier is used to generate the account name. A transformation from the system is called for this. | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | =====Incremental account management and provisioning===== | ||
+ | {{tag> | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | For optimization reasons, **incremental account management** has been implemented. This allows assign or modify roles to the identity so that the necessary calculations are performed **only for the assigned/ | ||
+ | |||
+ | **Incremental provisioning** is closely related to incremental account management. This ensures that **provisioning is made only for the accounts touched**. This means that if a user has multiple different accounts (**A**, **B**) and an additional role is assigned (that assigns the same **A** account), then account management and provisioning is performed only for **A** (not **B**). | ||
+ | |||
+ | < | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | |||
+ | |||