Accounts - working with objects on connected systems
Types of Accounts
Accounts are entities in CzechIdM that link CzechIdM data (Role, Identity, etc.) with data in a connected system, such as groups and user accounts. There are two types of accounts:
- AccAccount - Stores the ID of the CzechIdM entity that is linked to an object in the connected system.
- SysAccount - Stores the ID of a connector object (the representation of a real object in the connected system).
For example, with MS Active Directory connected to CzechIdM, a SysAccount might store the GUID of a group, while the AccAccount stores a role name.
Listing Accounts for Identity, Role and TreeNode
On the user detail panel there is a tab called Accounts, as shown in the screenshot below. This page lists all accounts on connected systems that CzechIdM keeps records of.
The same principle applies to the other entities that account management supports. An identity account is specific in several ways:
- It supports the so-called protected state of accounts.
- It can be assigned by a role.
- It can be manually linked to objects in a connected system.
Linking object to CzechIdM entity manually
Usually, objects are linked to CzechIdM entities during data synchronization or provisioning once CzechIdM is deployed in production. It is also common, however, that some data in an end system (e.g. LDAP) have to be corrected. The algorithm used for object linking during synchronization may not work for every entity on the end system, or the people who entered data manually before CzechIdM was implemented may have made mistakes. In either case, the option to link an object to an entity manually in CzechIdM comes in handy.
To do so, open the detail of the system on which you want to link an identity to an object: Systems → System detail. The first step is to create a SysAccount and define its identifier. In the example below, a manually created identity is linked to its mirrored object in the HR system. Go to the Entities tab, which lists all SysAccounts.
In the next step, we create a new SysAccount object:
- Connected system - Read only
- Identifier in the system - here, the ID (e.g. login) of the object on the end system is to be typed in.
- Entity type - Type of entity in CzechIdM
Once a SysAccount is created, we proceed to create an AccAccount. Go to the tab Accounts and click on the Add button.
An AccAccount has the following options:
- System - Read only - name of the system for which the AccAccount is created
- Account identifier - ID of the CzechIdM entity (e.g. login or employee number)
- Linked entity in system - the linked SysAccount
- Account type - usually personal (only a descriptive attribute now)
Manually deleting accounts on a system with account protection
If you need to remove an account on a connected system immediately while account protection is on, or if you want to force-delete a user together with all of their accounts:
1) Go to the user's contracts and set their validity to the past.
2) Go to the user profile → Accounts, where the account is shown as protected; edit the account and set the protection validity to the past.
3) Go to Settings → Task scheduler → Scheduled task and run AccountProtectionExpirationTaskExecutor.
The account on the system is deleted when the task finishes.
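The two procedures above, manual linking of a SysAccount to an AccAccount and removal of an account once its protection validity has expired, can be illustrated with a small in-memory model. The following is an added example written for this page; it is not CzechIdM code and does not use the CzechIdM API. The class names SysAccount, AccAccount and AccountRegistry, the field names, and the sample identifiers (system "hr", object "emp-1001", identities "jdoe" and "asmith") are all constructed for the illustration. The consistency checks in link() are the things an operator otherwise has to verify by hand before clicking Add, and expired_protected_accounts() performs the selection the page attributes to the expiration task.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SysAccount:
    """Connector-side record: which object on which connected system (hypothetical model)."""
    system: str        # connected system, read-only once created
    uid: str           # identifier of the object on the end system (e.g. login, GUID)
    entity_type: str   # type of CzechIdM entity this object represents


@dataclass
class AccAccount:
    """CzechIdM-side record: which entity is linked to which SysAccount (hypothetical model)."""
    system: str
    entity_id: str                          # ID of the CzechIdM entity (login, employee number)
    sys_account: SysAccount                 # the linked connector object
    account_type: str = "PERSONAL"          # descriptive attribute only
    protected_until: Optional[date] = None  # end of protection validity; None = not protected


class AccountRegistry:
    """In-memory stand-in for the two account tables; constructed for this example."""

    def __init__(self) -> None:
        self.sys_accounts: Dict[Tuple[str, str], SysAccount] = {}
        self.acc_accounts: Dict[Tuple[str, str], AccAccount] = {}

    def create_sys_account(self, system: str, uid: str, entity_type: str) -> SysAccount:
        # Step 1 of the manual procedure: register the object that exists on the end system.
        key = (system, uid)
        if key in self.sys_accounts:
            raise ValueError(f"object {uid!r} is already registered for system {system!r}")
        sys_acc = SysAccount(system, uid, entity_type)
        self.sys_accounts[key] = sys_acc
        return sys_acc

    def link(self, system: str, entity_id: str, sys_account: SysAccount,
             account_type: str = "PERSONAL") -> AccAccount:
        # Step 2 of the manual procedure: the AccAccount points at an existing SysAccount
        # of the same system, and each connector object is linked to at most one entity.
        if sys_account.system != system:
            raise ValueError("SysAccount belongs to a different system")
        if (system, sys_account.uid) not in self.sys_accounts:
            raise ValueError("create the SysAccount before linking it")
        if (system, entity_id) in self.acc_accounts:
            raise ValueError(f"entity {entity_id!r} already has an account on {system!r}")
        for existing in self.acc_accounts.values():
            if existing.sys_account == sys_account:
                raise ValueError(
                    f"object {sys_account.uid!r} is already linked to {existing.entity_id!r}")
        acc = AccAccount(system, entity_id, sys_account, account_type)
        self.acc_accounts[(system, entity_id)] = acc
        return acc

    def expired_protected_accounts(self, today: date) -> List[AccAccount]:
        """Accounts whose protection validity lies in the past.

        Mirrors the selection described for the expiration task: once the protection
        end date has passed, the account on the system is removed.
        """
        return [
            acc for acc in self.acc_accounts.values()
            if acc.protected_until is not None and acc.protected_until < today
        ]


def demo() -> Tuple[str, List[str], bool]:
    """Walk through both procedures on constructed data; returns values for checking."""
    reg = AccountRegistry()
    # Manual linking: HR object 'emp-1001' is linked to the CzechIdM identity 'jdoe'.
    hr_obj = reg.create_sys_account("hr", "emp-1001", "IDENTITY")
    acc = reg.link("hr", "jdoe", hr_obj)

    # A second identity must not be linked to the same HR object.
    try:
        reg.link("hr", "jsmith", hr_obj)
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True

    # Forced removal: protection validity set to the past for 'jdoe' only.
    acc.protected_until = date(2024, 1, 31)
    other = reg.link("hr", "asmith", reg.create_sys_account("hr", "emp-1002", "IDENTITY"))
    other.protected_until = date(2030, 12, 31)  # protection still valid

    due = [a.entity_id for a in reg.expired_protected_accounts(today=date(2024, 2, 1))]
    return acc.sys_account.uid, due, duplicate_rejected


if __name__ == "__main__":
    print(demo())
```

Running the module prints the linked object identifier, the list of identities whose accounts are due for deletion on the given day (only "jdoe", whose protection has expired), and whether the duplicate link was rejected. The registry deliberately refuses cross-system links and double links of one connector object, since those are exactly the inconsistencies a manual correction can introduce.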