Best way to manage multiple admin accounts for a person

Hi,

Just so I understand, the accounts already exist for the Person record, IE the ADSAccounts exist?  But you would like to manage each using a unique account definition?

Could you provide some more information on what the business reason/usage might be?

Do you want one ADSAccount managed, while another is not?

An account definition will not create a new account if there is one already assigned, this is by design.  But you can assign multiple accounts to one Person record.  Also, it's possible to define multiple manage levels, other than the defaults.

Trevor

So many admin accounts were setup prior to us onboarding 1ID. For these users with prior admin level ADSAccounts, we'd like them to link up properly with a unique account def for the account type. 

However, we'd also like to apply these account defs to new users / Persons so that the associated admin account would get created. 

I believe we'd want them all to be managed (my understanding is this is what allows 1ID to create the new accounts). 

So many admin accounts were setup prior to us onboarding 1ID. For these users with prior admin level ADSAccounts, we'd like them to link up properly with a unique account def for the account type. 

However, we'd also like to apply these account defs to new users / Persons so that the associated admin account would get created. 

I believe we'd want them all to be managed (my understanding is this is what allows 1ID to create the new accounts). 

Take a look at the following regarding Manage levels, this might help:

https://support.oneidentity.com/identity-manager/kb/148806/understanding-manage-levels

An account definition can be used to create accounts, and you can also use it to define IT properties, such as group membership, etc.

There is more on this here:

https://support.oneidentity.com/technical-documents/identity-manager/8.2/administration-guide-for-connecting-to-active-directory/11#TOPIC-1715112

As it says, "One Identity Manager supplies a default configuration for the Unmanaged and Full managed manage levels. You can define other manage levels depending on your requirements."

So you could define additional manage levels, depending on the type of account being used and how you'd like things to behave.

However, if you apply an account def to an Employee it will create only one ADSAccount (if we're only considering ADSAccounts).  Any additional account definitions assigned to the Employee will not create a new ADSAccount, because the logic exists to prevent this.

You can assign a different ADSAccount to an Employee, assign a specific account def and manage level, and this would work.  However, with regards to automating this, there would be some work required.  The process ADS_PersonHasTSBAccountDef_Autocreate_ADSAccount/Contact will check for an existing account, and not create another.  You could look into changing this.

Trevor

"However, if you apply an account def to an Employee it will create only one ADSAccount (if we're only considering ADSAccounts).  Any additional account definitions assigned to the Employee will not create a new ADSAccount, because the logic exists to prevent this."

Ahh so maybe this is what I'm running in to. So based on my understanding of what you described, 1ID only expects a single ADSAccount per Person? Which may be why existing persons with multiple admin ADSaccounts link up, but assigning a new account def to a new employee fails to create it as it already sees one? Ill poke around that process to see how it's working. 

Yes, exactly.  The logic is such that only one account is assigned, as we wouldn't want the system to create duplicate accounts.

Trevor

So not exactly familiar with how much help you're able to provide, but looking this over can you confirm if these would be the required changes?

I see the "Check account exists" and "Check for linked account" process steps and think that by modifying those two, I could accomplish what I want. Does that sound right or does it require more modification to that process?

That's where I would start, yes.

Hi zpe , where you able to modify everything to work with multiple ADS Accounts? Do you know what has to be changed in order to create admin accounts? And also, where you able to add only admin specific groups to such accounts?