Accounts - create multiple personal accounts

This feature was introduced in IdM 13.0.

In some cases, a single user may have multiple accounts on a system. These accounts may be used for different purposes or to provide access to different features or resources. However, it is important to note that only one of these accounts can be designated as the main account. All other accounts should be classified as "personal other accounts".

To use multiple accounts, a special configuration of the connected system is necessary. This configuration allows managing different types of accounts individually.

It is important to carefully manage multiple accounts to avoid confusion and ensure that the correct account is used for each task. Proper configuration and usage of multiple accounts can provide greater flexibility and access to a wider range of resources and features.

Start with a standard system configured for provisioning. Any system can be used (MS AD, a database, a virtual system…). In this example, I'm using a simple virtual system created by the wizard. The only things that need to be configured are the mapping and the roles.

Open the detail of the system and select Mapping. Click add new.

You can also copy an existing mapping and make the necessary change in the account type. This is especially useful if your mapping is complex but similar to the original mapping.

Create the mapping and select your entity type as needed. The account type selected must be "Personal other account".

After that, finish the mapping configuration as needed (and as usual). Since personal other accounts are created via a wizard, you don't need to use scripts covering every potential scenario. During the creation process, users can manually set the values for the account.

Then, create a new login role for this mapping. Go to Roles, click Add and write a suitable name and code for the role. Then, go to Systems, click Add, and select your system and the mapping you've just created. Leave the default option Automatically create accounts set to true.

If you want to use roles representing permissions in the target system (e.g., MS AD groups), you will have to create a separate set of roles. You can use standard synchronization for this. As of 13.0, however, these roles will not be assigned to the accounts during synchronization.

If users already have multiple accounts in the target system, you can create them in the IdM using a standard pairing synchronization. This is a relatively standard synchronization, but you will have to make sure that the identifiers are unique (which they should be in the target system anyway) and that you can somehow obtain the usernames of the account owners. In the synchronization mapping detail, select your provisioning mapping as Connected mapping. Then, use the username as the correlation attribute in the synchronization detail and select assigning your role in the Specific settings tab.
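The two preconditions above (unique account identifiers, and an owner username that can be correlated with an IdM identity) are worth verifying before the pairing synchronization is run, because an account that fails either one will not pair cleanly, and the "only one main account per user" rule should hold as well. The following is an added Python example, not CzechIdM code: it runs the checks over a constructed extract of target-system accounts and builds the pairing plan only for accounts that pass. The row layout, the attribute name `owner` and the `type` values are assumptions about how such an extract might look.

```python
"""Pre-check for a pairing synchronization of personal other accounts.

Added example, not CzechIdM code. The account rows, the 'owner' attribute
and the 'type' values are constructed assumptions about a target-system
extract; only __NAME__ follows the UID convention mentioned in the text.
"""
from collections import Counter, defaultdict

# Constructed sample: one row per account in the target system.
TARGET_ACCOUNTS = [
    {"__NAME__": "jdoe", "owner": "jdoe", "type": "main"},
    {"__NAME__": "jdoe-admin", "owner": "jdoe", "type": "personal_other"},
    {"__NAME__": "jdoe-svc", "owner": "jdoe", "type": "personal_other"},
    {"__NAME__": "asmith", "owner": "asmith", "type": "main"},
    {"__NAME__": "asmith", "owner": "asmith", "type": "personal_other"},  # duplicate UID
    {"__NAME__": "orphan-acc", "owner": "nobody", "type": "personal_other"},  # unknown owner
    {"__NAME__": "bjones-a", "owner": "bjones", "type": "main"},
    {"__NAME__": "bjones-b", "owner": "bjones", "type": "main"},  # second main account
]

# Constructed set of IdM usernames, i.e. the values the correlation attribute must match.
IDM_USERNAMES = {"jdoe", "asmith", "bjones"}


def check_pairing(accounts, idm_usernames):
    """Return the problems that would make a pairing sync unsafe for these rows.

    duplicate_ids:  UIDs that occur more than once (identifiers must be unique)
    unknown_owners: owner values with no matching IdM username (cannot correlate)
    multiple_main:  owners with more than one account marked as main
    """
    ids = Counter(a["__NAME__"] for a in accounts)
    duplicate_ids = sorted(uid for uid, n in ids.items() if n > 1)

    unknown_owners = sorted(
        {a["owner"] for a in accounts if a["owner"] not in idm_usernames}
    )

    mains = defaultdict(list)
    for a in accounts:
        if a["type"] == "main":
            mains[a["owner"]].append(a["__NAME__"])
    multiple_main = {o: sorted(v) for o, v in mains.items() if len(v) > 1}

    return {
        "duplicate_ids": duplicate_ids,
        "unknown_owners": unknown_owners,
        "multiple_main": multiple_main,
    }


def plan_pairing(accounts, idm_usernames):
    """Build the pairing plan for clean rows only.

    Result: {username: {"main": uid_or_None, "personal_other": [uid, ...]}}
    Rows with a duplicated UID, an unknown owner, or an owner that has several
    main accounts are left out so they can be fixed in the source system first.
    """
    problems = check_pairing(accounts, idm_usernames)
    skip_ids = set(problems["duplicate_ids"])
    skip_owners = set(problems["unknown_owners"]) | set(problems["multiple_main"])

    plan = {}
    for a in accounts:
        if a["__NAME__"] in skip_ids or a["owner"] in skip_owners:
            continue
        entry = plan.setdefault(a["owner"], {"main": None, "personal_other": []})
        if a["type"] == "main":
            entry["main"] = a["__NAME__"]
        else:
            entry["personal_other"].append(a["__NAME__"])
    for entry in plan.values():
        entry["personal_other"].sort()
    return plan


if __name__ == "__main__":
    for key, value in check_pairing(TARGET_ACCOUNTS, IDM_USERNAMES).items():
        print(f"{key}: {value}")
    print("pairing plan:", plan_pairing(TARGET_ACCOUNTS, IDM_USERNAMES))
```

Running the script on the constructed data pairs only jdoe's three accounts (one main, two personal other); asmith's rows are held back because the UID is duplicated, the orphaned account because its owner is not an IdM identity, and bjones because two accounts claim to be the main one. The same uniqueness check is the one the wizard asks you to do by hand when setting the UID of a new account.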

While personal other accounts can be created by assigning a login role, this is usually quite problematic because, short of writing a script, you cannot influence the UID with which the account will be created. This is often not sufficient.

A better alternative is using a wizard which will allow you to set details of the account.

Navigate to System > Accounts and click the Add button. Select "Other personal account" in the window that opens.

Select your system, user type (mapping), and the account owner.

Click Next. Now you can edit the attribute values for the account. If you have a mapping configured, you will see the default values. Make sure that the UID (typically __NAME__) is unique. Any value you change will be managed manually and will not be changed based on the mapping.

Click Next. You can now review the attribute values for the account.

If you are happy with them, click Next again. The account will be created. You can exit the wizard now.

  • by doischert