
Identity Manager 8.1.5 - Target System Base Module Administration Guide

Examples for implementing several account definitions within a target system type

If several target systems are managed using account definitions in a target system type, a separate account definition must be set up for each target system. When the employee is assigned both account definitions, subsequent script and process handling ensure that the employee obtains the user accounts in both target systems.

Example 1

There are two domains in an Active Directory environment. The employees can only have a user account in one of the domains. The department operational data is used to determine whether the user account is created in domain A or domain B.

Create an account definition A for domain A and an account definition B for domain B and assign them the Full managed manage level. This manage level uses the One Identity Manager default templates to determine the IT operating data. In the IT operating data formatting rule, specify the "department" property for both account definitions for finding the valid IT operating data.

If the employee belongs to department A, they receive (for example by dynamic assignment) the account definition A and as a result, a user account in domain A. If the employee belongs to department B, they are assigned the account definition B and they receive a user account in domain B.

Figure 3: Creating user accounts based on account definitions

Example 2

There are two domains in an Active Directory environment. The employees can have a user account in both of the domains. The user account in domain A is allocated IT operating data through the employee’s department. The user account in domain B is allocated IT operating data through the employee’s primary business role.

Create an account definition A for domain A and an account definition B for domain B and assign them the Full managed manage level. The Full managed manage level uses One Identity Manager default templates to determine the IT operating data. Specify the property "department" for account definition A in the IT operating data formatting rule for finding the valid IT operating data. Specify the property "business role" for account definition B in the IT operating data formatting rule for finding the valid IT operating data.

Figure 4: Creating user accounts based on account definitions

Automatic assignment of employees to user accounts

Automatic employee assignment is used to:

  • Assign existing employees to user accounts

  • Create employee master data based on existing user accounts

Through synchronization, user accounts are initially loaded from the target system into One Identity Manager. Automatic assignment of user accounts to existing employees can then take place by subsequently modifying scripts and processes. If necessary, new employees can be created based on existing user accounts, to which they are then assigned. However, this is not the One Identity Manager default method. You can also use this procedure to create employee data from existing target system user accounts during synchronization.

If you run this procedure during working hours, automatic assignment of employees to user accounts takes place from that moment onwards. If you disable the procedure again later, the change only affects user accounts added or updated after this point in time. Existing employee assignments to user accounts remain intact.

The criterion for automatically assigning employees to user accounts can be customized to meet the company’s needs. Employees can be directly assigned to existing user accounts as required, based on a suggestion list.

Run the following tasks to assign employees automatically.

  • In the Designer, set the configuration parameter for automatic assignment of employees to user accounts and select the required mode.

  • Define search criteria for the employee assignment.

  • If managed user accounts should arise through automatic employee assignment (Linked configured state), assign an account definition to the target system. Ensure that the manage level to be used is entered as the default manage level.

    If no account definition is provided in the target system, the user accounts are only linked to the employee (Linked state). This is the case on initial synchronization, for example.

Configuring automatic employee assignment

In the One Identity Manager default installation, the automatic assignment of employees to user accounts is controlled by configuration parameters and therefore globally effective for a target system type. A distinction is made here between the synchronization and the default methods.

NOTE:

The following applies for synchronization:

  • Automatic employee assignment takes effect if user accounts are added or updated.

The following applies outside synchronization:

  • Automatic employee assignment takes effect if user accounts are added.

NOTE: The configuration parameters are included in the One Identity Manager modules and are available once the modules are installed.

Configuration parameters for automatic employee assignment:

  • TargetSystem | <Target system type> | PersonAutoDefault

  • TargetSystem | <Target system type> | PersonAutoFullSync

Each configuration parameter has one of the permitted modes:

  • NO: There is no automatic assignment of a person to the user account. This is the default value that is also displayed when the configuration parameter is not active.

  • SEARCH: If no employee is assigned to the user account, the system searches for the appropriate employee based on defined criteria and assigns the employees found to the user account. If an employee is not found, no new employee is added.

  • CREATE: If no employee is assigned to the user account, a new employee is always created, some properties are initialized, and the employee is assigned to the user account.

    NOTE: This mode is not available for all target system types.

  • SEARCH AND CREATE: If no employee is assigned to the user account, the system searches for the appropriate employee based on defined criteria and assigns the employees found to the user account. If no employee is found, a new one is added, some of the properties are initialized, and the employee is assigned to the user account.

    NOTE: This mode is not available for all target system types.

If a user account is linked to an employee through the current mode, the user account is given, through an internal process, the default manage level of the account definition entered in the user account's target system. You can change this manage level later.
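The following is an added model of the mode semantics described above, written for this page and not code from One Identity Manager. It assumes search criteria can be represented as (account property, employee property) pairs that must all match, that only an unambiguous single hit is assigned, and that the Linked versus Linked configured state depends on whether the target system has an account definition with a default manage level.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MODES = ("NO", "SEARCH", "CREATE", "SEARCH AND CREATE")

@dataclass
class Employee:
    uid: str
    props: Dict[str, str]

@dataclass
class UserAccount:
    name: str
    props: Dict[str, str]
    employee: Optional[str] = None      # uid of the assigned employee, if any
    state: str = "Not linked"
    manage_level: Optional[str] = None

# Constructed sample data for the model (not taken from the guide)
EMPLOYEES = [Employee("p-0001", {"CentralAccount": "jdoe"}),
             Employee("p-0002", {"CentralAccount": "asmith"})]
CRITERIA = [("SAMAccountName", "CentralAccount")]   # assumed criteria representation

def find_employee(acct: UserAccount, employees: List[Employee],
                  criteria: List[Tuple[str, str]]) -> Optional[Employee]:
    """All criteria pairs must match; assumption: only a single unambiguous hit is used."""
    hits = [e for e in employees
            if all(acct.props.get(a) == e.props.get(p) for a, p in criteria)]
    return hits[0] if len(hits) == 1 else None

def assign_employee(acct: UserAccount, employees: List[Employee],
                    criteria: List[Tuple[str, str]], mode: str,
                    default_manage_level: Optional[str] = None) -> UserAccount:
    """Apply one configuration-parameter mode to an account and return it.
    default_manage_level: default manage level of the account definition entered in
    the target system, or None when no account definition is entered (Linked only)."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "NO" or acct.employee is not None:
        return acct                       # nothing to do: NO mode or already assigned
    emp = None
    if mode in ("SEARCH", "SEARCH AND CREATE"):
        emp = find_employee(acct, employees, criteria)
    if emp is None and mode in ("CREATE", "SEARCH AND CREATE"):
        # create a new employee and initialise a few properties from the account
        emp = Employee(f"new:{acct.name}", {p: acct.props.get(a, "") for a, p in criteria})
        employees.append(emp)
    if emp is None:
        return acct                       # SEARCH found nobody: account stays unassigned
    acct.employee = emp.uid
    if default_manage_level is None:
        acct.state = "Linked"             # no account definition in the target system
    else:
        acct.state, acct.manage_level = "Linked configured", default_manage_level
    return acct
```

Running the model with CREATE or SEARCH AND CREATE shows why those modes deserve review: every unmatched account, including service or administrative accounts, produces a new employee record.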

NOTE:

Following a synchronization, employees are automatically created for the user accounts in the default installation. If an account definition for the target system is not yet known at the time of synchronization, user accounts are linked with employees. However, account definitions are not assigned. The user accounts are therefore in a Linked state.

To manage the user accounts using account definitions, assign an account definition and a manage level to these user accounts.

To select user accounts through account definitions

  1. Create an account definition.

  2. Assign an account definition to the target system.

  3. Assign a user account in the Linked state to the account definition. The account definition's default manage level is applied to the user account.

    1. In the Manager, select the Custom target systems | <target system> | User accounts | Linked but not configured | <target system> category.

    2. Select the Assign account definition to linked accounts task.

    3. In the Account definition menu, select the account definition.

    4. Select the user accounts that contain the account definition.

    5. Save the changes.

In the target-system-dependent Insert/Update processes of the One Identity Manager default installation, the configuration parameters are evaluated and the execution mode is determined. The names of the corresponding process steps are Search and Create Person for Account and Search and Create Person for Account (Fullsync). These process steps can be used as templates to put automatic employee assignment into effect in different areas of a target system, such as the separate domains of an Active Directory environment.

Editing search criteria for automatic employee assignment

The criteria for employee assignments are defined for the target system. In this case, you specify which user account properties must match the employee’s properties such that the employee can be assigned to the user account. You can limit search criteria further by using format definitions. The search criterion is written in XML notation to the Search criteria for automatic employee assignment column (AccountToPersonMatchingRule) in the target system table.

Search criteria are evaluated when employees are automatically assigned to user accounts. Furthermore, you can create a suggestion list for assignments of employees to user accounts based on the search criteria and make the assignment directly.

NOTE: When the employees are assigned to user accounts on the basis of search criteria, user accounts are given the default manage level of the account definition entered in the user account's target system. You can customize user account properties depending on how the behavior of the manage level is defined.

It is not recommended to make assignments to administrative user accounts based on search criteria. Instead, use the Change master data task of the respective user account to assign employees to administrative user accounts.
