7.5:dev:account-management

Account Management

We have a provisioning mapping system and a primary attribute (marks as Is identifier). In this attribute, we will have a transformation into the system, the output of which will be the username with the postfix @idm.eu.

  • Assign a role to this system to, for example, user john-doe.
  • An internal account (AccAccount) will be created in IDM, where the value of this account (UID) will be john-doe@idm.eu.
  • After an internal account is created, provisioning will be made on the end system. This creates a new account john-doe@idm.eu on the end system.
  • If there is a change in the way the IDM of the account ID is being created. For example, the script will change so that postfix will be new @czechidm.eu, then john-doe@czechidm.eu will be returned during the provisioning from the primary attribute. This new value will also be stored in your account ID (AccAccount.uid).

 

Some systems ( LDAP ) can generate own the primary account ID . If the system returns a different identifier than the one in the IDM account (AccAccoutn.uid), then this value is stored in SysSystemEntity.uid . When communicating with the system, this identifier ! is always used
If the output from primary attribute is null, then the SysSystemEntity.uid as account ID (UID) is automatically used.

Name of account is in IDM stored in the entity AccAccount (field UID). This name is an internal account name and is particularly important when account management is executed but provisioning has not yet. At this point, the account name is the only account identifier. After a end system is called (provisioning), SysSystemEntity is created (updating) and contains the account identifier returned by the system. This identifier may be different from the one stored in AccAccount.uid , and it always takes precedence over communication with the end system.

If the name of account generated by IDM is changed (during the Account management), then it will be updated.

During synchronization from the end system to IDM, an internal IDM account (AccAccount) is also created. In this case, an attribute identified as an identifier is used to generate the account name. A transformation from the system is called for this.

If the account name in AccAccount.uid differs from the generated one during synchronization, it will update it.