Modules - Technical Accounts

The Technical Accounts module is used to create, manage, and automate technical accounts within the system. It allows you to create technical accounts, set permanent passwords, and automatically populate key attributes based on predefined rules.

A technical account is a special type of account not used by regular users. Instead, it's designed to enable one system or machine to communicate with another - for example, to transfer data between systems. A typical use case is an integration scenario where Application A retrieves data from System B using a technical account.

Importantly, a technical account does not have its own identity in the IdM system. Instead, it is always assigned a guarantor - a person or a role responsible for the account. If the guarantor leaves the organization or no longer wishes to manage the account, the technical account must be reassigned to a new guarantor to ensure continued management.

This module helps ensure the secure and transparent management of technical accounts within the organization, including their lifecycle, ownership, and transferability.

This is a paid module. If you're interested, please contact your consultant.

Installation – Describes the installation process and basic configuration of the Technical Accounts module.

Getting Started – Includes the initial steps required for the user to start working with the module.

Maintenance – Describes the maintenance of technical accounts, including their removal, modifications, and the transfer of guarantor responsibility.

Types of Users – Provides a brief overview of the different user roles involved in working with the Technical Accounts module. It outlines each role’s responsibilities, permissions, and how they interact with technical accounts within the system.

Tasks – Includes specific workflows (tutorials) on how to perform various actions in the module – for example, how to identify an account’s guarantor, how to assign or remove a role from a technical account, or how to gain access to a subordinate’s account.

Troubleshooting – Helps address the most common issues users may encounter when working with the module.

Glossary – A glossary of terms used in the documentation and within the module itself.

This section describes the installation process of the Technical Accounts module, including its activation, required prerequisites, access rights configuration, and integration with target systems. It serves as a starting point for administrators when introducing the module into the IdM environment.

In your connected system, chances are that you already have some technical accounts and want to start using the IdM to manage them. Follow this tutorial to synchronize these technical accounts in IdM.

Your First Steps

System configuration

Have a standard system supporting provisioning. Any system can be used (MS AD, database…). The only things that need to be configured are mapping and roles.

Create a provisioning mapping

Open the detail of the system and select Mapping. Click add new.

You can also copy an existing mapping and make the necessary change in the account type. This is especially useful if your mapping is complex but similar to the original mapping.

Create the mapping and select the entity type "Technical account". The account type selected must be "Technical".

After that, finish the mapping configuration as needed (and as usual). Since technical accounts are created via a wizard, you don't need to use scripts covering every potential scenario. During the creation process, users can manually set the values for the account.

Roles

If you want to use roles representing permissions in the target system (e.g., MS AD groups), you will have to create a separate set of roles. You can use standard synchronization for this. As of 13.0, however, these roles will not be assigned to the accounts during synchronization.

Proceed with synchronization

In this step, you will create the technical account objects in the IdM using a standard synchronization. This is a relatively standard synchronization but you will have to make sure that identifiers are unique (which they should be in the target system anyway). Technical accounts themselves don't get many attributes which makes synchronization mapping easier. At the synchronization mapping detail, select your provisioning mapping as Connected mapping. The mapping should be created like this:

In the mapping configuration, you only need to fill in the identifier of the technical account (typically the __NAME__ attribute).

Then, create a new synchronization and run it. New technical accounts will be created.

You can finish their configuration after they are synchronized. We recommend you at least set the guarantors for the accounts (since this information is unlikely to be available in the system, you probably cannot synchronize it).
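A pre- and post-synchronization audit for the two points above (unique identifiers, and a guarantor on every account), as an added example that is not part of the module or its API. It works on a constructed CSV inventory; the column names, account names, and the list of active identities are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory: columns and values are assumptions,
# not an export format produced by the IdM or the target system.
ACCOUNTS_CSV = """uid,system,guarantor
svc-backup,AD,jnovak
SVC-Backup,AD,pdvorak
svc-etl,DB,
svc-report,DB,mhorak
svc-mail,AD,jnovak
"""
# Constructed: identities that are still active in the organization.
ACTIVE_IDENTITIES = {"jnovak", "pdvorak"}


def audit_technical_accounts(accounts_csv, active_identities):
    """Return duplicate UIDs, accounts without a guarantor, and orphaned accounts."""
    by_uid = defaultdict(list)
    missing, orphaned = [], []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        uid = row["uid"].strip()
        guarantor = (row["guarantor"] or "").strip()
        # Assumption: uniqueness is checked per system and case-insensitively,
        # since directories such as MS AD compare account names that way.
        by_uid[(row["system"].strip(), uid.casefold())].append(uid)
        if not guarantor:
            missing.append(uid)  # nobody is accountable for this account
        elif guarantor not in active_identities:
            orphaned.append((uid, guarantor))  # guarantor has left: reassign
    duplicates = {key: names for key, names in by_uid.items() if len(names) > 1}
    return {"duplicates": duplicates,
            "missing_guarantor": missing,
            "orphaned": orphaned}


if __name__ == "__main__":
    report = audit_technical_accounts(ACCOUNTS_CSV, ACTIVE_IDENTITIES)
    for (system, _), names in report["duplicates"].items():
        print(f"duplicate UID on {system}: {names}")
    for uid in report["missing_guarantor"]:
        print(f"no guarantor set: {uid}")
    for uid, guarantor in report["orphaned"]:
        print(f"guarantor {guarantor} is not active, reassign: {uid}")
```
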

Create a new technical account with a wizard

Technical accounts can only be created with a wizard. This allows you to configure the details of the technical accounts.

Navigate to System > Accounts and click the Add button. Select "Technical account" from the window.

Select your system, user type (needs to be a provisioning mapping), and the guarantor.

Click Next. Now you can edit the attribute values for the accounts. If you have mapping configured, you will see the default values. Make sure that the UID (typically __NAME__) is unique. Any value you change will be managed manually and will not be changed based on the mapping.

Click Next. You can now review the attribute values for the account.

If you are happy with them, click Next again. The account will be created. You can exit the wizard now.

Getting Help with the Module

The Maintenance section describes routine tasks related to the upkeep of technical accounts. This includes updating account information, transferring the account to a different guarantor, deactivating or removing the account, and other actions necessary for managing the account throughout its lifecycle.

Using the Technical Accounts module, you can perform various tasks related to managing technical accounts. These tasks cover different aspects of working with technical accounts and are typically divided among specific roles.

Each role in the system is responsible for a defined set of tasks. Tasks are assigned to roles based on their permissions and areas of responsibility.

By clicking on a given role, you can learn more about:

* the role’s function within the Technical Accounts module

* the tasks assigned to that role

* how those tasks are carried out in practice

This role-based task structure ensures clear accountability, process transparency, and simplifies the management of technical accounts within the organization.

  • TechnicalAccountByGuaranteedRoleEvaluator

An evaluator that defines the relationship between a role guarantor and a technical account. Its use allows the role guarantor to view technical accounts that have been assigned the role they are responsible for.

  • RoleRequestByTechnicalAccountGuarantorEvaluator

An evaluator that defines the relationship between a technical account guarantor and role requests for the technical account they guarantee. Its use allows the technical account guarantor to view role requests for the technical account they are responsible for.

  • RoleRequestByTechnicalAccountGuarantorEvaluator

An evaluator that defines the relationship between a user I have access to (such as my subordinate), who is also a guarantor of technical accounts, and the role requests for those technical accounts. Its use allows, for example, a manager to view role requests for technical accounts that are guaranteed by their subordinate.

  • TechnicalAccountByGuarantorTransitiveEvaluator

A transitive evaluator that defines the relationship between a technical account and its guarantor. Its use allows, for example, a manager to view technical accounts that are guaranteed by their subordinate.

The Troubleshooting section provides solutions to common issues that may arise when working with the Technical Accounts module. It helps identify errors, understand their causes, and suggests steps to resolve them.

The Glossary section provides explanations of key terms used within the Technical Accounts module. It serves as a reference to help users understand the terminology, as well as the functions and roles associated with the module.

  • by bartkivy