Sun Identity Manager 8.1 Business Administrator's Guide

Creating Multiple Resource Accounts for a User

Identity Manager can assign multiple resource accounts to a single user. It does this by allowing multiple resource account types (types of accounts) to be defined for each resource. Create resource account types as needed to match each functional account type on the resource, for example, AIX SuperUser or AIX BusinessAdmin.

Why Assign Multiple Accounts per User per Resource?

In some situations, an Identity Manager user may require more than one account on a resource. A user can have several different job functions related to the resource. For example, the user can be both a user and administrator of the resource. Best practice suggests using separate accounts for each function. That way, if one account is compromised, the access granted by the other accounts is still secure.

Configuring Types of Accounts

For a resource to support multiple accounts for a single user, the resource account types must first be defined in Identity Manager. To define resource account types for a resource, use the Resource Wizard. For information, see Managing the Resources List.

You must enable and configure resource account types before assigning them to users.

Assigning Types of Accounts

Once you have defined account types, you can assign them to a resource. Identity Manager treats each assignment of an account type as a separate account. As a result, each distinct assignment in a role can have different attributes set.

Similar to the single account per resource case, all assignments of a specific type create only one account, regardless of the number of assignments.

Although you can assign users to any number of different types of accounts on a resource, each user can be assigned only one account of a given type on a resource. The exception to this rule is the built-in “default” type: users can have any number of accounts of the default type on a resource. This is not recommended, however, because it leads to ambiguity when referencing accounts in forms and views.