Privileged user accounts
Privileged user accounts are used to provide employees with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are labeled with the Privileged user account property (IsPrivilegedAccount column).
NOTE: The criteria according to which user accounts are automatically identified as privileged are defined as extensions to the view definition (ViewAddOn) in the TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is done in the TSB_SetIsPrivilegedAccount script.
To create privileged users through account definitions
- Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.
- If you want to prevent the properties for privileged user accounts from being overwritten, set the IT operating data overwrites property for the manage level to Only initially. In this case, the properties are populated just once, when the user accounts are created.
- For each manage level, specify how temporarily or permanently disabling or deleting an employee, or the employee's security risk, affects that employee's user accounts and group memberships.
- Create a mapping rule for the IT operating data.
  You use the mapping rule to define which rules are used to map IT operating data to user accounts and which default values are used if no IT operating data can be determined through a person's primary roles.
  The type of IT operating data required depends on the target system. The following settings are recommended for privileged user accounts:
  - In the mapping rule for the IsPrivilegedAccount column, use the default value 1 and set the Always use default value option.
  - You can also specify a mapping rule for the IdentityType column. This column has several permitted values that describe the type of user account.
  - To prevent privileged user accounts from inheriting the entitlements of the default user, define a mapping rule for the IsGroupAccount column with a default value of 0 and set the Always use default value option.
- Enter the effective IT operating data for the target system.
  Specify in the departments, cost centers, locations, or business roles which IT operating data should apply when you set up a user account.
- Assign the account definition directly to employees who work with privileged user accounts.
  When the account definition is assigned to an employee, a new user account is created through the inheritance mechanism and subsequent processing.
TIP: If customization requires that the login names of privileged user accounts follow a defined naming convention, specify how the login names are formatted in the template.
Specifying deferred deletion for Notes user accounts
You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or blocked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.
You have the following options for configuring deferred deletion.
- Global deferred deletion: Deferred deletion applies to user accounts in all target systems. The default value is 30 days.
  In the Designer, enter a different value for deferred deletion in the Deferred deletion [days] property of the NDOUser table.
- Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.
  To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the NDOUser table.
  Example:
  Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.

  ' Privileged user accounts are kept for 10 days after deletion is triggered.
  ' All other accounts keep the global deferred deletion value.
  If $IsPrivilegedAccount:Bool$ Then
      Value = 10
  End If
For detailed information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.
Managing memberships in Notes groups
In Notes, user accounts can be grouped into Notes groups. Notes groups regulate access to resources in Domino.
In One Identity Manager, you can assign Notes groups directly to user accounts or they can be inherited through departments, cost centers, locations, or business roles. Users can also request Notes groups through the Web Portal. To do this, Notes groups are provided in the IT Shop.
Assigning Notes groups to Notes user accounts
In One Identity Manager, Notes groups can be assigned directly or indirectly to Notes user accounts.
In the case of indirect assignment, employees and Notes groups are arranged in hierarchical roles. The number of groups assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance. If you add an employee to roles and that employee owns a Notes user account, the user account is added to the Notes group.
Furthermore, Notes groups can be requested through the Web Portal. To do this, add employees to a shop as customers. All Notes groups that are assigned to this shop can be requested by the customers. Requested groups are assigned to the employees after approval is granted.
You can use system roles to group Notes groups together and assign them to employees as a package. You can create system roles that contain only Notes groups. You can also group any number of company resources into a system role.
To react quickly to special requests, you can assign Notes groups directly to Notes user accounts.
For detailed information, see the following guides:
- Basic principles for assigning and inheriting company resources: One Identity Manager Identity Management Base Module Administration Guide; One Identity Manager Business Roles Administration Guide
- Assigning company resources through IT Shop requests: One Identity Manager IT Shop Administration Guide
- System roles: One Identity Manager System Roles Administration Guide