Accounts are entities in CzechIdM that link the data in CzechIdM (Role, Identity, etc.) with the data in a connected system such as Group and User Accounts. In fact, there are 2 types of accounts:
Provided we have an MS Active Directory connected to CzechIdM, a SysAccount might store the GUID of a GROUP, while an AccAccount can store a role name.
On the user detail panel, there is a tab called Accounts, as you can see in the screenshot below. When you open this tab, it shows all accounts on a connected system that CzechIdM has on record.
The same principle applies to the rest of the entities that the Account management supports. An identity account is specific in several ways:
Usually, linking objects to CzechIdM entities takes place during a data Synchronization or Provisioning when the CzechIdM system is deployed in the production environment. But it is a common situation that some data have to be corrected in an end system as well, e.g. LDAP. It may well be that the algorithm for object linking during synchronization does not work for all entities on the end system, or the individuals who entered some data manually before CzechIdM had been implemented may have made some mistakes. In either one of those cases, having the option in CzechIdM to link an object to an entity manually comes in handy.
To do so, open the detail of the system on which you want to link an identity to some object: Systems → System detail. The first thing to do is to create a SysAccount and define its ID. In the example below, a manually created identity is being connected to its mirrored object in the HR system. Go to the Entities tab, which lists all SysAccounts.
In the next step, we create a new SysAccount object:
Once a SysAccount is created, we proceed to create an AccAccount. Go to the tab Accounts and click on the Add button.
An AccAccount has the following options:
If you need to immediately remove an account on a connected system where account protection is on, or if you want to force-delete a user with all their accounts:
1) Go to the user's contracts and set their validity to the past.
2) Go to user profile → Accounts, where you will see the account in protection. Edit the account and set its protection validity to the past.
3) Go to Settings → Task scheduler → Scheduled task and run AccountProtectionExpirationTaskExecutor