Differences
This shows you the differences between two versions of the page.
tutorial:adm:accounts [2020/02/17 11:04] michalp |
tutorial:adm:accounts [2021/01/05 18:02] apeterova Unlink account |
Line 47: | Line 47: | ||
{{ : | {{ : | ||
+ | |||
+ | |||
+ | FIXME To link the account to the entity in IdM (typically an identity), an additional step is needed - add a link to the account (for source systems), or assign some role to the identity (for managed systems). | ||
===== Manually delete accounts on system with account protection | ===== Manually delete accounts on system with account protection | ||
- | if you need to immediately remove account on connected system, where account protection is on, or if you want to force delete user with all accounts: | + | If you need to immediately remove account on connected system, where account protection is on, or if you want to force delete user with all accounts: |
**1) Go to user contracts a set it's validity to past.** | **1) Go to user contracts a set it's validity to past.** | ||
- | {{ : | + | {{ : |
- | **2) Go to user accounts, and there you will see account in protection, so edit account and set procection | + | This will remove **all accounts** of the user. If you want to remove only one selected account of the user from some system (e.g. AD), then remove all roles that are assigned to the user for this system (e.g. all AD groups and the main AD role) instead of inactivating the whole contract of the user. |
- | {{ : | + | |
+ | **2) Go to user profile -> Accounts, and there you will see account in protection, so edit account and set protection | ||
+ | {{ : | ||
**3) Go to Settings -> Task scheduler -> Scheduled task and run AccountProtectionExpirationTaskExecutor** | **3) Go to Settings -> Task scheduler -> Scheduled task and run AccountProtectionExpirationTaskExecutor** | ||
* The account on system will be deleted when the task is over. | * The account on system will be deleted when the task is over. | ||
+ | |||
+ | ===== Manually unlink account from the identity and IdM without deleting it ===== | ||
+ | |||
+ | You can use this tutorial e.g. in the following situations: | ||
+ | * an account is linked to a wrong identity, so you want to unlink it (so it can be managed by IdM without any specific identity owner, or linked to some different identity) | ||
+ | * an account is linked to an identity, but you don't want to manage this account by IdM at all. At the same time, you don't want to delete it from the connected system (e.g. some technical account on MS AD) | ||
+ | |||
+ | **1) Go to user profile -> Accounts -> Links to accounts. Select the account that you want to unlink and click on the magnifying glass.** | ||
+ | {{ : | ||
+ | |||
+ | **2) Uncheck the checkbox "Owns account" | ||
+ | {{ : | ||
+ | |||
+ | **3) Remove the link to the account from the identity.** | ||
+ | |||
+ | Before that, make sure that the checkbox "Owns account" | ||
+ | {{ : | ||
+ | |||
+ | **STOP here**, if you still want to manage this account by IdM. This depends on the type of the account. Usually, it's recommended to manage accounts of all common users by IdM. Depending on your IdM implementation strategy, technical, privileged or testing accounts may not be in the scope of IdM. If you don't want to manage the account by IdM, continue with the next step. | ||
+ | |||
+ | **4) List accounts managed in IdM on the connected system (Systems -> e.g. MS AD -> Accounts) and filter the account by its identifier.** | ||
+ | {{ : | ||
+ | |||
+ | **5) Remove the link to the system account - open the account and clear the value in the select box for Entity (system)** | ||
+ | {{ : | ||
+ | |||
+ | **6) Remove the account object from IdM**. | ||
+ | |||
+ | Before that, make sure that the value in " | ||
+ | {{ : | ||
+ | |||
+ | Finally, you can make sure that the object still exists on the connected system. You can find it on the tab **Entities** of the connected system and open its detail. You could delete this entity (" |
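Review bot: the new paragraph at the top of the hunk is published with its FIXME marker still in place ("FIXME To link the account to the entity in IdM (typically an identity), an additional step is needed ..."), so it reads as an unfinished draft; either finish it (which step performs the linking for source systems versus managed systems) or remove the marker before this revision goes live. On the new "Manually unlink account from the identity and IdM without deleting it" section: after steps 5 and 6 the account on the connected system is no longer tied to any identity or account object in IdM, which means it will not be disabled or deleted when the former owner's contract ends, and the section does not say so. Since the "STOP here" paragraph already notes that technical, privileged or testing accounts may be out of IdM's scope, a sentence right after it stating that such unlinked accounts need an owner recorded elsewhere and a periodic review on the connected system would make the risk explicit to the reader. Minor, in the unchanged context of the delete section: step 1 still reads "Go to user contracts a set it's validity to past"; suggest "Go to user contracts and set their validity to the past".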