Accounts - working with objects on connected systems

Accounts are entities in CzechIdM that link the data in CzechIdM (Role, Identity, etc.) with the data in a connected system such as Group and User Accounts. In fact, there are 2 types of accounts:

  • AccAccount - Stores the ID of an entity in CzechIdM that is linked to a connected system object.
  • SysAccount - Stores the ID of a connector object (the representation of a real object on the connected system).

Provided we have an MS Active Directory connected to CzechIdM, a SysAccount might store the GUID of a group, while the AccAccount can store a role name.

 SysAccount and AccAccount

SysAccount IDs are returned by a connector, so they depend on the connector chosen for connecting the system. Some connectors allow choosing an ID attribute, some do not. AccAccount IDs are chosen in the CzechIdM Provisioning and Synchronization configuration for the connected system.

On a user detail, there is a tab called Accounts, as you can see in the screenshot below. This page shows all accounts on a connected system that CzechIdM has on record.

 User accounts

The same principle applies to the rest of the entities that the Account management supports. An identity account is specific in several ways:

Usually, linking objects to CzechIdM entities takes place during a data Synchronization or Provisioning when the CzechIdM system is deployed in the production environment. But it is a common situation that some data have to be corrected in an end system as well, e.g. LDAP. It may well be that the algorithm for object linking during synchronization does not work for all entities on the end system, or the individuals who entered some data manually before CzechIdM had been implemented may have made some mistakes. In either one of those cases, having the option in CzechIdM to link an object to an entity manually comes in handy.

To do so, open the detail of the system on which you want to link an identity to some object: Systems → System detail. The first thing to do is to create a SysAccount and define its ID. In the example below, a manually created identity is being connected to its mirrored object in the HR system. Go to the Entities tab, which lists all SysAccounts.

 Entities list

In the next step, we create a new SysAccount object:

  • Connected system - Read only
  • Identifier in the system - type in the ID (e.g. login) of the object on the end system.
  • Entity type - Type of entity in CzechIdM

 New entity

Once a SysAccount is created, we proceed to create an AccAccount. Go to the tab Accounts and click on the Add button.

 Accounts list

An AccAccount has the following options:

  • System - Read only - name of the system for which we want to create an AccAccount
  • Account identifier - ID of the CzechIdM entity (e.g. login or employee number)
  • Linked entity in system - the linked SysAccount
  • Account type - usually personal (only a descriptive attribute now)

 New Account