tutorial:adm:accounts [2018/12/27 11:45]
kotisovam [Listing Accounts for Identity, Role and TreeNode]
tutorial:adm:accounts [2020/02/24 14:01]
michalp
====== Accounts - working with objects on connected systems ======

===== Types of Accounts =====
Accounts are entities in CzechIdM that link the data in CzechIdM (Role, Identity, etc.) with the data in a connected system, such as groups and user accounts. In fact, there are 2 types of accounts:
  * **AccAccount** - Stores the ID of an entity in CzechIdM that is linked to a connected system object.
  * **SysAccount** - Stores the ID of a connector object (the representation of a real connected system object).

Provided we have a MS Active Directory connected to CzechIdM, a SysAccount might store the GUID of a group, and the AccAccount can store a role name.

{{ :tutorial:sysaccount.png | SysAccount and AccAccount}}

<note important>SysAccount IDs are returned by a connector, so they depend on the connector chosen for connecting the system. Some connectors allow choosing an ID attribute, some do not. AccAccount IDs are chosen in the CzechIdM Provisioning and Synchronization configuration for the connected system.</note>
 +
===== Listing Accounts for Identity, Role and TreeNode =====

On the user detail tab panel, there is a tab called **Accounts**, as you can see in the screenshot below. When you access this page, it shows all accounts on connected systems that CzechIdM has in its evidence.
{{ :devel:adm:identity-accounts.png?800 | User accounts}}

The same principle applies to the rest of the entities that Account management supports. An identity account is specific in several ways:
  * Supports the so-called [[devel:documentation:accounts#protected_state_of_accounts| protected state of accounts]]
  * Can be assigned by a role.
  * Can be manually linked to objects in a connected system.
 +
===== Linking object to CzechIdM entity manually =====

Usually, linking objects to CzechIdM entities takes place during data Synchronization or Provisioning once CzechIdM is deployed in the production environment. But it is a common situation that some data have to be corrected in an end system as well, e.g. LDAP. The algorithm for object linking during synchronization may not work for all entities on the end system, or the people who entered data manually before CzechIdM was implemented may have made mistakes. In either case, the option to link an object to an entity manually in CzechIdM comes in handy.

To do so, open the detail of the system on which you want to link an identity to some object: **Systems -> System detail**. The first thing to do is to create a SysAccount and define its ID. In the example below, a manually created identity is being connected to its mirrored object in the HR system. Go to the **Entities** tab, where there is a list of all SysAccounts.

{{ :tutorial:entities_in_system.png | Entities list}}

In the next step, we create a new SysAccount object:
  * Connected system - Read only
  * Identifier in the system - the ID (e.g. login) of the object on the end system is typed in here.
  * Entity type - Type of entity in CzechIdM

{{ :tutorial:new_entity.png | New entity}}

Once the SysAccount is created, we proceed to create an AccAccount. Go to the **Accounts** tab and click on the Add button.
{{ :tutorial:accounts_list.png | Accounts list}}

An AccAccount has the following options:
  * **System** - Read only - name of the system for which we want to create the AccAccount
  * **Account identifier** - ID of the CzechIdM entity (e.g. login or employee number)
  * **Linked entity in system** - the linked SysAccount
  * **Account type** - usually personal (only a descriptive attribute now)

{{ :tutorial:new_accaccount.png | New Account}}
 +
===== Manually delete accounts on system with account protection =====

If you need to immediately remove an account on a connected system where account protection is on, or if you want to force-delete a user with all accounts:

**1) Go to the user's contracts and set their validity to the past.**
{{ :tutorial:adm:delete_user_with_account_1.png?800 |}}

**2) Go to user profile -> Accounts, where you will see the account in protection; edit the account and set the protection validity to the past.**
{{ :tutorial:adm:delete_user_with_account_2.png?800 |}}

**3) Go to Settings -> Task scheduler -> Scheduled task and run AccountProtectionExpirationTaskExecutor.**
  * The account on the system will be deleted when the task finishes.
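The following Python model is an added illustration, not CzechIdM's own code, of the two-level link from the manual linking section and of the protection expiry from the deletion steps above: a SysAccount has to exist before an AccAccount can reference it, and a protected account is removed only once its protection validity lies in the past. The in-memory `AccountStore`, the `run_demo` sample and the rule that one connector object is linked to at most one entity are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import date
from typing import NamedTuple, Optional

class SysAccount(NamedTuple):   # connector-side object, ID as returned by the connector
    system: str
    uid: str

@dataclass(eq=False)
class AccAccount:               # IdM-side link: CzechIdM entity -> one SysAccount
    entity_id: str              # account identifier chosen in IdM (login, employee number)
    entity_type: str            # IDENTITY, ROLE, TREE_NODE
    sys_account: SysAccount
    protection_end: Optional[date] = None   # set -> account is in the protected state

class AccountStore:             # model assumption: in-memory stand-in for the IdM tables
    def __init__(self):
        self.sys_accounts = {}  # (system, uid) -> SysAccount
        self.acc_accounts = []

    def create_sys_account(self, system, uid):
        # Step 1 of manual linking: the SysAccount carries the end-system ID.
        if (system, uid) in self.sys_accounts:
            raise ValueError(f"SysAccount {uid!r} already exists on {system!r}")
        self.sys_accounts[(system, uid)] = SysAccount(system, uid)
        return self.sys_accounts[(system, uid)]

    def link(self, system, entity_id, entity_type, uid):
        # Step 2: the AccAccount must reference an existing SysAccount on that system.
        sys_acc = self.sys_accounts.get((system, uid))
        if sys_acc is None:
            raise ValueError("create the SysAccount on the system first")
        if any(a.sys_account is sys_acc for a in self.acc_accounts):
            raise ValueError("object already linked to another entity")  # model assumption
        acc = AccAccount(entity_id, entity_type, sys_acc)
        self.acc_accounts.append(acc)
        return acc

    def expire_protection(self, today):
        # Model of the expiration task: delete accounts whose protection validity has passed.
        expired = [a for a in self.acc_accounts if a.protection_end and a.protection_end < today]
        self.acc_accounts = [a for a in self.acc_accounts if a not in expired]
        return [a.sys_account.uid for a in expired]

def run_demo():
    # Constructed sample: identity john.novak manually linked to HR login 'jnovak'.
    store = AccountStore()
    store.create_sys_account("hr", "jnovak")
    acc = store.link("hr", "john.novak", "IDENTITY", "jnovak")
    acc.protection_end = date(2020, 1, 1)   # set to the past; a run before it deletes nothing
    return store.expire_protection(date(2019, 12, 31)), store.expire_protection(date(2020, 2, 24))
```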
  • by doischert