A user may have more than one account in OpenIAM or in target systems. This is especially common when a user has both a normal user account and an administrator account with greater privileges. Another example is a grade school that wishes to link the accounts of students who are siblings to display a familial relationship. OpenIAM provides a UI where multiple user profiles can be linked together, which makes it possible to navigate between these accounts. In this relationship, one profile should be viewed as the primary record; usually this is the normal user/employee account.
By default, life cycle events such as terminations will apply to the related account as well. If the related account is to be reassigned instead, rules for that can be developed.
Defining relationship types
A user can be either a primary record that contains employee information or a related account. Relationships between primary and related accounts must be defined as one of the metadata types, as shown below:
For example, user William Twist has his own AD account, but he can have other accounts on the domain controller as well. None of these secondary accounts match HR data, and they always reference the main account. OpenIAM can represent these relationships in the following UI:
Conversely, user Twist_Admin will have a link to its primary account:
Handling of related accounts
Access certification of related accounts
In pivot view, reviewers can see the link to related accounts underneath the name of the user. When the link to related accounts is clicked, the reviewer gets details about the primary account. This can aid decision making, because secondary accounts often have unrelated names, which makes it difficult to match them with employee data. The significance of this view is that the supervisors assigned to related accounts are often based on the supervisors assigned to primary accounts.
If the primary user changes position within the company (transfer process), OpenIAM can initiate a position change workflow. If the target user has a set of related accounts, they must be reviewed as well. When a manager reviews the position change request, the manager receives one request for the primary account and then one request per related account.