
How many accounts for the same Target System may a person have?

Hi all,

I am using the ONE IDM version 8.0.1

I am not sure... but in version 6.x it was not possible to assign more than one account for each TS to a person.

I remember that for a person that has 2 AD accounts I created a dummy person for the second account... but probably because the CentralAccount was used to define the accounts on the TS... but that is not the current situation.

Now the Person CentralAccount is not used for AD or other TS synchronization. To match the Person with other TS I used the field PersonnelNumber.

Could you confirm that I can assign multiple accounts of the same TS to a Person? Is it supported?

Thank you very much and best regards

Ermes

  • The critical word in the sentence is "assign".

    In 6.x it was not possible OOTB to assign more than one account resource to a person.  That's because the OOTB templates, etc, looked at data that needed to be unique in a particular target system.  (CentralAccount to SAMAccountName, for example.)  So for accounts that are created by Identity Manager, only one.  In 7.X  and later we extended the OOTB features to support the idea of a user account and an administrative account, so two OOTB.

    Now, you always have the option of manually (or via a script, whatever) assigning as many accounts as you like to a person.  Or, in more precise technical terms, you can have more than one ADSAccount (for example) with the same value for UID_Person.

    Finally, if you want to create more than one account you can always do this, but it will involve using different manage levels and customizing your templates.

  • Hi all,

    Thank you for your help.

    Best regards

    Ermes

  • Hi all,

    Is it possible to assign the "Full Managed" manage level to the accounts automatically, from the synchronization, for the accounts linked to a person, without assigning an account definition?

    Thank you very much and best regards

    Ermes

  • No.  "Full Managed" implies that there is an account definition.

    Maybe if you could share some details on what you are trying to achieve, we could offer some suggestions.

  • Hi George,

    Here is an example:

    I have all employees loaded in IDM.

    I connected AD and did an Initial Load of the AD accounts.

    The AD accounts are linked to the person via PersonnelNumber but they are not defined as "Full Managed".

    I would like any change on Person, like street, phone number, etc., to be automatically updated in AD.

    This example is also valid for all Target systems.

    Thank you and best regards

    Ermes

  • Again, the documentation is helpful in your case. Same link as before:

    Assigning Employees Automatically to Existing User Accounts
    • Case 11: One Identity Manager can automatically assign employees to user accounts in the "Unlinked" state. If the target system is assigned an account definition, this account definition is automatically assigned to the employees. The state "Linked configured: Unmanaged" or "Linked configured: Full managed" is attained depending on the manage level in use. Automatic employee assignment can follow on from adding or updating user accounts through synchronization or through manually adding a user account. For more information, see Automatic Assignment of Employees to User Accounts.

    The automatic assignment of employees to user accounts is described here https://support.oneidentity.com/technical-documents/identity-manager/8.0.1/target-system-base-module-administration-guide/4#TOPIC-917162

    It also explains how to assign an account definition to already linked accounts. You just need to replace Custom target systems | <target system> | User accounts with Active Directory | User accounts when you try to follow the instructions.


    NOTE: Following synchronization, employees are automatically created for user accounts in the default installation. If there are no account definitions for the target system at the time of synchronization, user accounts are linked to employees. However, account definitions are not assigned. The user accounts are, therefore, in a "Linked" state.

    To select user accounts through account definitions

    1. Create an account definition.
    2. Assign an account definition to the target system.
    3. Assign the account definition and manage level to the user accounts in a "linked" state.
      1. Select the category Custom target systems | <target system> | User accounts | Linked but not configured | <target system>.
      2. Select the task Assign account definition to linked accounts.

    The following screenshot shows this function for Active Directory.

  • Hi all,

    I am trying to assign 2 UNSAccountB of the same Target System to the same person.

    I need to assign the same account definition to have the same information for both accounts (only accountname is different), but I receive the error message:

    Object (DynamicCRM/JAN FLORIAN_1 (Dynamic CRM)) could not be saved!
    Error during execution of 'OnSaving' in logic module 'TSB.Customizer.TSBAccountDefLogic'.
    This employee already has user account 'DynamicCRM/JAN FLORIAN (Dynamic CRM)' with this account definition.

    I can create another Account Definition for the second account, but there is no limit on the number of accounts for the same person in this Target System, and I should have a lot of account definitions. In any case the user must choose one not yet used.

    Is there a way to disable the logic module 'TSB.Customizer.TSBAccountDefLogic' for this Custom Target System?

    Thank you very much and best regards

    Ermes

    Is there a way to disable the logic module 'TSB.Customizer.TSBAccountDefLogic' for this Custom Target System?

    They didn't put it in there to be difficult, Ermes. It's there to prevent misconfiguration.

    If you have two accounts with the same manage level, and they are both fully managed, using the same account definition, and something gets updated, say the account name...what should happen?  How does the system know which one to update?

    Hi George,

    I understand .... In my case I need to update some fields and not the AccountName.

    If the account is linked to the person and not defined with the account definition, can I update the UNSAccountB data in any case?

    I do some checks,

    Thank you very much

    Ermes

  • The account definitions tell the system what to do with linked and configured accounts in case the linked person is deactivated or deleted and so on.

    If you just want to control some properties, also for linked accounts (not configured) you just need to customize the value templates for the properties where the data flow should happen regardless if the account is linked only.