Sun Java[TM] System Identity Manager 7.0 Deployment Overview 

Appendix C
Assigning Multiple Accounts per User to a Resource

Identity Manager provides the ability to assign and manage multiple accounts assigned to a single user on a resource. It does this by allowing a purpose or function to be assigned to an account. This is referred to as the type of account within Identity Manager.

To use account types, you must first configure the account types for the resource before assigning them to users.

Why Assign Multiple Accounts Per User per Resource?

In some situations, an Identity Manager user may require more than one account on a resource. A user can have several different job functions related to the resource - for instance, he can be both a user and administrator of the resource. Best practice suggests using separate accounts for each function. That way, if one account is compromised, the access granted by the other accounts is still secure.

Configuring Types of Accounts

For a resource to support multiple accounts per user on a resource, the resource must define the possible types of accounts. To define a type of account, you must know the following information:

For information on configuring and managing account types, see the online help associated with the Resources page.


Note

You must create at least one Identity rule in Identity Manager to enable management of types of accounts.


Assigning Types of Accounts

Once you have defined account types, you can assign them to a resource. Identity Manager treats each assignment of an account type as a separate account. As a result, each distinct assignment in a role can have different attributes set.

Similar to the single account per resource case, all assignments of a specific type create only one account, regardless of the number of assignments.

Although you can assign users to any number of different types of accounts on a resource, each user can be assigned only one account of a given type on a resource. The exception to this rule is the built-in "default" type: users can have any number of accounts of the default type on a resource. This is not recommended, however, as it leads to ambiguity when referencing accounts in forms and views.

Removing Account Types

You cannot remove an account type until it is no longer referenced by other objects within Identity Manager. You cannot rename an account type.

Multiple Accounts per User and Reconciliation

Correlation logic can indicate a resource account’s type. During reconciliation, the automatic link must know about account type because no form is used to perform this action.

When reconciliation performs a LINK response for a resource account, it typically assigns the account to the user as the default account type. However, on a resource that is configured for multiple accounts per user, this may not always be appropriate. Specifically, discovered accounts can belong to a specific account type and should be linked to the user as such. To assign the appropriate account type, reconciliation must be informed of the account type to use. Identity Manager accomplishes this by returning the account type as part of the result of the correlation rule.

A CorrelationPlan extends the result of a correlation rule to allow the account type to be identified. Therefore, a correlation rule must return a CorrelationPlan object if the account is of a specific account type. A CorrelationPlan can also be used for standard resources. Unless specifically set, a CorrelationPlan indicates the default account type.

Refer to sample/reconRules.xml and the Javadoc for examples and details on using a CorrelationPlan as the result of a correlation rule.
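The reconciliation behaviour described above, as an added Python model that is not part of this document or of Identity Manager itself: it assumes a constructed account-naming convention in place of a real correlation rule, and it also enforces the one-account-per-named-type rule from the Assigning Types of Accounts section so that a LINK of a second account of the same named type is rejected.

```python
# Standalone model of the account-type rules this appendix describes:
# a correlation result may name an account type (default when unset);
# a user may hold only one account of each named type per resource, but
# any number of "default" accounts. Illustrative model written for this
# page, not Identity Manager's CorrelationPlan or reconciliation code.
from dataclasses import dataclass, field

DEFAULT_TYPE = "default"

@dataclass
class CorrelationResult:
    """Model of a correlation rule's result: the user the discovered
    resource account belongs to and, optionally, its account type."""
    user: str
    account_type: str = DEFAULT_TYPE  # unset means the default type

@dataclass
class User:
    name: str
    # resource name -> list of (account_type, accountId) held by the user
    accounts: dict = field(default_factory=dict)

def link_account(user: User, resource: str, account_id: str,
                 result: CorrelationResult) -> bool:
    """Model a LINK response. Returns False if the user already holds an
    account of the same named (non-default) type on this resource."""
    held = user.accounts.setdefault(resource, [])
    if result.account_type != DEFAULT_TYPE and any(
            t == result.account_type for t, _ in held):
        return False
    held.append((result.account_type, account_id))
    return True

def correlate(account_id: str) -> CorrelationResult:
    """Constructed stand-in for a correlation rule: 'jdoe-admin' is taken
    to be jdoe's 'admin' account; an id with no suffix is a default account.
    Real rules return a CorrelationPlan (see sample/reconRules.xml)."""
    parts = account_id.split("-")
    if len(parts) > 1:
        return CorrelationResult(user=parts[0], account_type=parts[1])
    return CorrelationResult(user=parts[0])

def reconcile(users: dict, resource: str, discovered: list) -> dict:
    """Run discovered account ids through correlation and LINK. Returns
    account id -> 'linked', 'unmatched' (no user) or 'rejected'."""
    outcome = {}
    for acct in discovered:
        result = correlate(acct)
        user = users.get(result.user)
        if user is None:
            outcome[acct] = "unmatched"
        elif link_account(user, resource, acct, result):
            outcome[acct] = "linked"
        else:
            outcome[acct] = "rejected"
    return outcome
```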

Account Types and User-Oriented Views

When you assign an account type to a user, Identity Manager makes available the account type as well as the accountId. When working with the user-oriented views, including the User, Enable, Disable, and Deprovision views, follow these addressing guidelines:





Part No: 819-6126-10.   Copyright 2006 Sun Microsystems, Inc. All rights reserved.