Disabling Automatic Linking of New Resources and Users (Sun Identity Manager Deployment Reference)

Sun Identity Manager Deployment Reference

Disabling Automatic Linking of New Resources and Users

Identity Manager provides a way to control the linking of existing accounts when new resources are assigned to a user.

When you assign a new resource to a user, and an account with the assigned ID already exists on the resource, Identity Manager by default automatically links that account to the Identity Manager user and proceeds with provisioning. Alternatively, you can disable this automatic linking and enter an alternative account ID when creating a new account for the user.

There are two ways to control how new accounts are linked to user:

Enabling manual linking of this information in the user form
Preventing automatic linking during provisioning

Enabling Manual Linking in the User Form

To enable manual linking, you must

Include a property definition in each user form similar to the following

<Form>
   <Properties>
      <Property name=’InteractiveLinking’ value=’true’/>
   </Properties>
   ...
</Form>

Add a field reference anywhere in the form. For example,
```
<FieldRef name=’DiscoveredAccountFields’/>
```
To reference this field, you must have the following Include statement in your user form. Typically, this Include is present in all user forms.
```
<Include>
   <ObjectRef type=’UserForm’ name=’User Library’/>
</Include>
```

With these form changes in place, Identity Manager checks for existing accounts each time the form is refreshed, and before it is saved. If Identity Manager discovers an existing account, it displays warning messages at the top of the form, and inserts new fields for each discovered account. These new fields include a checkbox that can be used to manually indicate that the account should be linked.

In addition, Identity Manager generates a field for each attribute in the resource’s Identity template. With this field, you can specify a different identity for the account. Identity Manager fetches the attribute for the existing accounts and includes it in the view.

You can display these attributes using the MissingFields reference or with your own custom fields. You must either supply an alternative identity for an account that does not exist, or check the option to allow the existing account to be linked before the form can be saved.

Preventing Automatic Linking during Provisioning

When performing non-interactive provisioning from a workflow, you can also control whether Identity Manager performs automatic account linking. Passing the NoLinking view option to the checkinView call prevents automatic linking. You can specify this option in several ways:

Pass it as an argument to the WorkflowServices method as follows:

<Action application=’com.waveset.provision.WorkflowServices’>
   <Argument name=’op’ value=’checkinView’/>
   <Argument name=’view’ value=’$(user)’/>
   <Argument name=’NoLinking’ value=’true’/>
</Action>

Setting the option as attributes in the view. In this case, name the view attribute viewOptions.NoLinking. You can then set it in a workflow with XPRESS logic like this:
```
<set name=’user.viewOptions.NoLinking’>
  <s>true</s>
</set>
```