Modules - Technical Accounts
The Technical Accounts module is used to create, manage, and automate technical accounts within the system. It allows you to create technical accounts, set permanent passwords, and automatically populate key attributes based on predefined rules.
A technical account is a special type of account not used by regular users. Instead, it's designed to enable one system or machine to communicate with another - for example, to transfer data between systems. A typical use case is an integration scenario where Application A retrieves data from System B using a technical account.
Importantly, a technical account does not have its own identity in the IdM system. Instead, it is always assigned a guarantor - a person or a role responsible for the account. If the guarantor leaves the organization or no longer wishes to manage the account, the technical account must be reassigned to a new guarantor to ensure continued management.
This module helps ensure the secure and transparent management of technical accounts within the organization, including their lifecycle, ownership, and transferability.
In Identity Management (IdM) terminology, the technical account refers to an account on the end system that is not directly linked to a specific identity (user) in IdM. It is not automatically associated with a regular user – in the system, the user may only act as the guarantor of this account (see below).
A technical account may be, for example:
- a service account used by a system or application (e.g., an account for a projector or printer to access the network),
- an administrative account of a regular user, which is separated from their standard user account for security reasons.
Documentation Structure
- Supported operations on Technical Accounts in IdM - This section provides an overview of all operations that can be performed with technical accounts within IdM
- Installation – Describes the installation process and basic configuration of the Technical Accounts module.
- Getting Started – Includes the initial steps required for the user to start working with the module.
- Types of Users - Provides a brief overview of the different user roles involved in working with the Technical Accounts module. It outlines each role’s responsibilities, permissions, and how they interact with technical accounts within the system.
- Tasks – Includes specific workflows (tutorials) on how to perform various actions in the module – for example, how to identify an account’s guarantor, how to assign or remove a role from a technical account, or how to gain access to a subordinate’s account.
- Troubleshooting – Helps address the most common issues users may encounter when working with the module.
- Glossary – A glossary of terms used in the documentation and within the module itself.
Supported operations on Technical Accounts in IdM
Operations that can be performed with technical accounts within IdM:
- CREATE of a technical account in the target system via a wizard in IdM.
- UPDATE of managed attributes (e.g., description, extended attributes, etc.) and their propagation to the end system.
- MEMBERSHIP on the target system for the given technical account, controlled through IdM.
- Approving of role request in IdM for the technical account – the process may be subject to approval, for example by the role guarantor, etc.
- CHANGE PASSWORD of the technical account.
- Assign guarantor in the IdM to the technical account – the guarantor then gains the authorization to perform the listed operations.
- Report of all managed technical accounts in IdM in .xls (Excel) format.
Installation
This section describes the installation process of the Technical Accounts module, including its activation, required prerequisites, access rights configuration, and integration with target systems. It serves as a starting point for administrators when introducing the module into the IdM environment.
Is there any configuration here??
Getting Started
In your connected system, chances are that you already have some technical accounts and want to start using the IdM to manage them. Follow this tutorial to synchronize these technical accounts in IdM.
Your first Steps
System configuration
Start with a standard system that supports provisioning. Any system can be used (MS AD, database…). The only things that need to be configured are the mapping and the roles.
Create a provisioning mapping
Open the detail of the system and select Mapping. Click Add new.
Create the mapping and select the entity type "Technical account". The account type selected must be "Technical".
After that, finish the mapping configuration as needed (and as usual). Since technical accounts are created via a wizard, you don't need to use scripts covering every potential scenario. During the creation process, users can manually set the values for the account.
Roles
If you want to use roles representing permissions in the target system (e.g., MS AD groups), you will have to create a separate set of roles. You can use standard synchronization for this. As of version 13.0, however, these roles will not be assigned to the accounts during synchronization.
Proceed with synchronization
In this step, you will create the technical account objects in the IdM using a standard synchronization. This is a relatively standard synchronization but you will have to make sure that identifiers are unique (which they should be in the target system anyway). Technical accounts themselves don't get many attributes which makes synchronization mapping easier. At the synchronization mapping detail, select your provisioning mapping as Connected mapping. The mapping should be created like this:
In the mapping configuration, you only need to fill in the identifier of the technical account (typically the __NAME__ attribute).
Then, create a new synchronization and run it. New technical accounts will be created.
You can finish their configuration after they are synchronized. We recommend you at least set the guarantors for the accounts (since this information is unlikely to be available in the system, you probably cannot synchronize it).
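The synchronization step above depends on two things that IdM cannot fix for you: the identifier used as the UID must be unique in the target system, and the guarantor usually has to be set by hand afterwards. The following script is an added example, not code from the Technical Accounts module; it checks a target-system export for both before the synchronization is run. The export format, the column names (including guarantor) and the assumption that __NAME__ is the mapped identifier are all constructed for the example.

```python
"""Pre-synchronization sanity check for a technical account export.

Added example (not part of the CzechIdM Technical Accounts module): before
running the synchronization, verify that the identifier the mapping uses as
the UID (assumed here to be __NAME__) is unique in the target-system export,
and list the accounts that will still need a guarantor set in IdM afterwards.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; in practice this comes from the target system
# (e.g. a CSV dump of service accounts). The column names are assumptions.
SAMPLE_EXPORT = """__NAME__,description,guarantor
svc_backup,Nightly backup job,
svc_printer01,Print server account,jdoe
SVC_BACKUP,Duplicate of backup account (case differs),
svc_monitor,Monitoring agent,asmith
svc_monitor,Second entry with same name,
"""


def load_export(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize_identifier(value):
    # Many directories (MS AD sAMAccountName among them) compare logins
    # case-insensitively, so identifiers that differ only in case would
    # still collide on the target system. Whitespace is trimmed as well.
    return value.strip().lower()


def find_duplicate_identifiers(rows, uid_attr="__NAME__"):
    """Return {normalized_uid: [raw values...]} for identifiers seen more than once."""
    seen = defaultdict(list)
    for row in rows:
        seen[normalize_identifier(row[uid_attr])].append(row[uid_attr])
    return {uid: raws for uid, raws in seen.items() if len(raws) > 1}


def accounts_missing_guarantor(rows, uid_attr="__NAME__", guarantor_attr="guarantor"):
    """Identifiers whose guarantor column is empty; these must be set manually in IdM."""
    return sorted({row[uid_attr] for row in rows if not row.get(guarantor_attr, "").strip()})


def check_export(text):
    """Run both checks over an export and return their findings."""
    rows = load_export(text)
    return {
        "duplicates": find_duplicate_identifiers(rows),
        "missing_guarantor": accounts_missing_guarantor(rows),
    }


if __name__ == "__main__":
    result = check_export(SAMPLE_EXPORT)
    for uid, raws in result["duplicates"].items():
        print(f"duplicate identifier {uid!r}: {raws}")
    for uid in result["missing_guarantor"]:
        print(f"no guarantor for {uid}")
```

Run it against the real export before creating the synchronization; every identifier reported under duplicates would otherwise produce an ambiguous account in IdM, and every account reported without a guarantor is one you will have to assign a guarantor to once the objects exist.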
Create a new technical account with a wizard
Technical accounts can only be created with a wizard. This allows you to configure the details of the technical accounts.
Navigate to System > Accounts and click the Add button. Select "Technical account" in the window that opens.
TODO: images are missing here; I don't know which ones were there, they need to be found, they are not on Dokuwiki.
Select your system, user type (needs to be a provisioning mapping), and the guarantor.
Click Next. Now you can edit the attribute values for the accounts. If you have mapping configured, you will see the default values. Make sure that the UID (typically __NAME__) is unique. Any value you change will be managed manually and will not be changed based on the mapping.
Click Next. You can now review the attribute values for the account.
If you are happy with them, click Next again. The account will be created. You can exit the wizard now.
Types of Users
Using the Technical Accounts module, you can perform various tasks related to managing technical accounts. These tasks cover different aspects of technical account management and are typically divided among specific types of users.
Each user type is responsible for a defined set of tasks. Tasks are assigned based on user responsibilities and assigned permissions (see permissions/evaluators section).
By selecting a specific user type, you can learn more about:
* the role’s function within the Technical Accounts module
* the tasks assigned to that role
* how those tasks are carried out in practice
This role-based task structure ensures clear accountability, process transparency, and simplifies the management of technical accounts within the organization.
Permissions (Evaluators)
The following section describes how to configure permissions for the Technical Accounts module. All listed evaluators are available only after the module (idm-tech) is deployed. We recommend configuring them either in the main userRole or in specific roles related to the Technical Accounts module.
- TechnicalAccountByGuaranteedRoleEvaluator
An evaluator that defines the relationship between a role guarantor and a technical account. Its use allows the role guarantor to view technical accounts that have been assigned the role they are responsible for.
- RoleRequestByTechnicalAccountGuarantorEvaluator
An evaluator that defines the relationship between a technical account guarantor and role requests for the technical account they guarantee. Its use allows the technical account guarantor to view role requests for the technical account they are responsible for.
- RoleRequestByTechnicalAccountGuarantorEvaluator
An evaluator that defines the relationship between a user I have access to (such as my subordinate), who is also a guarantor of technical accounts, and the role requests for those technical accounts. Its use allows, for example, a manager to view role requests for technical accounts that are guaranteed by their subordinate.
- TechnicalAccountByGuarantorTransitiveEvaluator
A transitive evaluator that defines the relationship between a technical account and its guarantor. Its use allows, for example, a manager to view technical accounts that are guaranteed by their subordinate.
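To see what the four evaluators actually grant, it helps to model the relationships they describe on a small data set. The script below is an added example, not code from the idm-tech module: it reproduces each evaluator's relationship (role guarantor to account, account guarantor to role request, and the two transitive variants from manager via subordinate) over constructed identities, roles, accounts and role requests, so a practitioner can check who would see which accounts and requests before configuring the evaluators in userRole. All names are invented, and the rule that a manager "has access to" their direct reports is an assumption standing in for whatever identity permissions the user really holds.

```python
"""Model of the evaluator relationships for the Technical Accounts module.

Added example, not code from the idm-tech module. It computes, on constructed
data, what each of the four evaluators listed above would let a user see.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Identity:
    username: str
    manager: Optional[str] = None   # username of the direct manager, if any


@dataclass(frozen=True)
class Role:
    name: str
    guarantor: str                  # role guarantor (username)


@dataclass
class TechnicalAccount:
    uid: str
    guarantor: str                  # technical account guarantor (username)
    roles: set = field(default_factory=set)


@dataclass(frozen=True)
class RoleRequest:
    request_id: str
    account_uid: str
    role: str


# Constructed sample data (all names invented).
IDENTITIES = {i.username: i for i in [
    Identity("manager1"),
    Identity("alice", manager="manager1"),   # alice guarantees svc_backup
    Identity("bob", manager="manager1"),     # bob guarantees an AD-group role
    Identity("carol"),                       # not in manager1's team
]}
ROLES = {r.name: r for r in [
    Role("AD-Backup-Operators", guarantor="bob"),
    Role("AD-Print-Admins", guarantor="carol"),
]}
ACCOUNTS = {a.uid: a for a in [
    TechnicalAccount("svc_backup", guarantor="alice", roles={"AD-Backup-Operators"}),
    TechnicalAccount("svc_printer01", guarantor="carol", roles={"AD-Print-Admins"}),
]}
REQUESTS = [
    RoleRequest("rr-1", "svc_backup", "AD-Print-Admins"),
    RoleRequest("rr-2", "svc_printer01", "AD-Backup-Operators"),
]


def accessible_identities(username):
    """Identities the user 'has access to'. Assumption: a manager's direct reports."""
    return {i.username for i in IDENTITIES.values() if i.manager == username}


# TechnicalAccountByGuaranteedRoleEvaluator: role guarantor -> accounts holding that role
def accounts_by_guaranteed_role(username):
    mine = {r.name for r in ROLES.values() if r.guarantor == username}
    return sorted(a.uid for a in ACCOUNTS.values() if a.roles & mine)


# RoleRequestByTechnicalAccountGuarantorEvaluator: account guarantor -> its role requests
def requests_by_account_guarantor(username):
    guaranteed = {a.uid for a in ACCOUNTS.values() if a.guarantor == username}
    return sorted(r.request_id for r in REQUESTS if r.account_uid in guaranteed)


# TechnicalAccountByGuarantorTransitiveEvaluator: manager -> subordinate -> guaranteed accounts
def accounts_by_guarantor_transitive(username):
    people = accessible_identities(username)
    return sorted(a.uid for a in ACCOUNTS.values() if a.guarantor in people)


# Transitive role-request evaluator: manager -> subordinate -> accounts -> role requests
def requests_by_guarantor_transitive(username):
    guaranteed = set(accounts_by_guarantor_transitive(username))
    return sorted(r.request_id for r in REQUESTS if r.account_uid in guaranteed)


if __name__ == "__main__":
    print("bob sees accounts with his role:", accounts_by_guaranteed_role("bob"))
    print("alice sees requests for her account:", requests_by_account_guarantor("alice"))
    print("manager1 sees subordinates' accounts:", accounts_by_guarantor_transitive("manager1"))
    print("manager1 sees their role requests:", requests_by_guarantor_transitive("manager1"))
```

Note that the transitive evaluators widen visibility only along the identity relationship: manager1 sees svc_backup because alice reports to them, but not svc_printer01, whose guarantor carol is outside their team. When configuring the evaluators in a role, that chain (which identities the role holder may read) is what determines how far the transitive evaluators reach.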
Tutorials
Troubleshooting
The Troubleshooting section provides solutions to common issues that may arise when working with the Technical Accounts module. It helps identify errors, understand their causes, and suggests steps to resolve them.
Glossary
The Glossary section provides explanations of key terms used within the Technical Accounts module. It serves as a reference to help users understand the terminology, as well as the functions and roles associated with the module.