It is possible to specify the manage level for an Account Definition for handling Active Directory user accounts (ADSAccounts). The user account’s manage level determines the scope of the properties that a user account inherits from an Employee. This means that an Employee can have several user accounts in an Active Directory domain, e.g.:
- A Default user account that inherits all properties from the Employee
- An Administrative user account that is associated to an Employee but should not inherit the properties from the Employee.
- A Service account that contains the home directory and the profile directory of the Employee but cannot inherit further properties.
Identity Manager supplies a configuration for manage levels:
• Unmanaged: User accounts with a manage level of “Unmanaged” are associated with an Employee but do not inherit properties further properties. When a new user account is created and assigned to an Employee, the Employee’s properties are initially transferred. If the Employee’s properties are changed at a later date, the changes are not passed on to the user account.
• Full managed: User accounts with a manage level of “Full managed” inherit specific properties from the assigned Employee.
Note: The manage levels, “Unmanaged” and “Full managed”, are taken into account in column templates. Define manage levels depending on the requirements. Then extend templates to include the methods for the additional manage levels.