Create user by admin

OpenIAM provides several ways in which new users can be created:

  • Administration interface
  • Self-service requests using workflow
  • Self-registration
  • Automated provisioning via integration with an authoritative source
  • OpenIAM API

This section focuses on creating users through the User manager in the OpenIAM Administration portal.

To create a new user follow the steps described below:

  • Login to the webconsole
  • Go to User Admin -> Create new User as shown below

Create new user menu

  • Selecting new the Create new user option will open the screen below. Select user type determines the type of user that you will be creating. OpenIAM allows you configure new types of users with custom attributes to better represent your environment. Examples of types of users can be Employees, Contractors, Vendors,etc. You can also define types for Service Accounts. The User types section describes how you can create custom types.

Select user type

  • Provide user information - The screen that follows the type selection is a form to provide user information. The default form is a Template view and can be customized to suit your needs. The Custom templates section describes how to create and manage these templates. Alternatively, you can switch to the Classic view which provides a broader set of fields to work from without having to modify the UI templates. Long term, you will want to customize the templates based on your needs.

The sections below describe how to use the Template View and Classic views.

Template view

The example below shows the default template. As mentioned above, it is unlikely that this template will serve your needs and you should customize it for your needs.

Template based create user form

If you continue with this template, follow the steps described below.

  • Provide the user's first and last names
  • Notification: Enable this checkbox to deliver the new user's credentials to their email address specified below. E-mail delivery will only work if the SMTP gateway has been configured and an email address has been provided for the logged in user. The E-mail templates section describes how you can customize e-mails to suite your needs.
  • Enter an email address by expanding the Emails sections and then click on the + sign. This will open a dialog to enter the email address as shown below.

Add email address

Complete the dialog box as described below:

  • Select the Email Type: OpenIAM allows for n email addresses to be associated with a user. Some default types include: Primary e-mail, work e-mail, home e-mail. The primary email address should be used if no other email addresses will be provided.
  • Enter the Email address : E-mail address of the user that is being created. In most deployments, email generation should be configured such that its is automatically generated during the provisioning process.
  • Enter a Description : This is an optional field which can be used to capture a descriptive value to help identify this email address
  • Is Active : This is a flag which can be used to disable the use of an email address. Unless you want to disable this address, ensure that this checkbox has been enabled.
  • Is Default : Flag which determine which address will serve as the default email address for this user. This email address will be used by the system for operations such as password resets and workflows. **At least one email address must have the Is Default flag enabled`
  • Is Published : Flag which determines if the email address should be published the OpenIAM directory.

Successfully completing the above steps will result in a user being created in OpenIAM as shown in the image below. If the template has been customized to allow for entitlements to be associated with this user, then downstream provisioning to integrated applications will also be triggered at this point.

Template user created

Attributes such as the OpenIAM identity will be generated automatically using the attribute policies.

Classic view

The classic view provides administrators with a broad set of attributes for creating users. This view was introduced into early versions of OpenIAM and hence referred to as a "Classic view". While this form provides many options, it may provide many fields which are not necessary during daily use. For this reason, it's recommended that templates be used in a production setting.

To create a user using the Classic view, follow the steps below.

Legacy create user form

The Classic view form is segregated into sections which are described below.

User Credentials

The Classic view allows Administrators to enter a predefined Login Id. This field is optional and if left blank, the system will generate a login Id (account) automatically.

Enter credentials

To specify a login Id, simply enter a unique Login Id in to the field shown above. The Login will be validated for uniqueness when the form has been submitted.

User Information

The user information section shown below provides fields to capture common user profile attributes.

Enter user information

The table below provides as a description of each attribute.

Attribute nameIs RequiredDescription
First NameYUser's first name.
Last nameYUser's last name
MiddleNUser's middle name or initial
NicknameNAlternate or preferred name for a user
Maiden NameNPerson's last name before getting married.
SuffixNSuffix to a person's last name. This include values such as JR, SR, etc.
GenderNUser's gender. Values include: Male, Female, or Declined to State
OpenIAM IDRead-only field which will be an immutable system generated ID used internally by OpenIAM to identify each user.
Date of BirthNDate of the User's birth.
Metadata typesYOpenIAM type used to classify a user. Metadata types can also be associated with custom attributes.

Access Rules

The access rules section is be used to associate both business and application level entitlements to a user. It is not required that entitlements be defined at the time of user creation. Entitlements can be added / modified after user creation.

User entitlements

You can select from entitlements from any of the three options described below.

OptionDescription
RoleTo select a business Role, select OpenIAM from theSelect managed system drop down. To select a technical role, select the application name from the same drop down. Next select the role name from the Type a role name drop down.
GroupFirst select the application to which the group belongs from the Select managed system drop down. Next select teh group name from the Type a group name drop down.
Clone a user's accessSelect the user whose rights you want clone.

E-mail Address

The E-mail Address is a required for user creation (if you need to dynamically generate the mailbox, then use a custom template). To set an email address, follow the steps below:

  • Select the type of email address that you are setting. Select Primary email if this is main email address which will be used for operations such as password resets, MFA, etc..

User email address

Address

Entering the user's address information is not required during user creation. However, if you are going to define the address, then populate the fields as described below.

User address

Attribute nameDescription
Address typeSelect the type of address: Select Primary location if this is the default address that should be used for the user. If multiple addresses will be provided, you can also select from Home Address, Office Address, or a custom type.
BuildingBuilding number of your business location
Address 1Street name. Two fields are provided to capture the street information.
Address 2Second street information field
CityName of the city, town, village, etc.
StateName of the state or province.
Postal codeZip code or postal code.
CountryName of country.
Is PublishedFlag indicating if this address should be published in the OpenIAM address book.

Phone

Entering the user's phone information is not required during user creation. However, if you are going to define the phone number, then populate the fields as described below.

User Phone information

Attribute nameRequiredDescription
Phone typeYSelect the type of Phone number that is being entered. Select Cell Phone (Primary phone) if this is the default phone number for the user. If multiple phone numbers will be provided, you can also select from Home phone, Office phone, or a custom type.
Country CodeYCountry code for the phone number. For this value should be 1 and not +1
Area CodeYArea code part of the number
Phone numberYPrimary part of the phone number.
ExtensionNExtension to the phone number. This is often used in office settings.
Is PublishedNFlag indicating if this phone number should be published in the OpenIAM address book.
Is for SMSNFlag indicating is this number can be used to send SMS messages. SMS messages are used for OTP based authentication, forgot password and self-registration.

Organization information

The organization information section provides fields to capture information related to a person's life in an organization. Entering the user's organization information is not required during user creation. However, if you are going to define the organization, then populate the fields as described below:

User Organization information

Attribute nameDescription
Functional TitleA person's job title. Often this value comes from the HR system and can be used to grant birthright access.
Job CodeA code representing a person position in the company. Often this value comes from the HR system and can be used to grant birthright access.
ClassificationClassification code or description to categorize an employee.
Employee IDUnique ID representing an employee. This value normally comes from the HR system
user TypeAttribute which can be used to categorize a user
Employee TypeAttribute which can use to categorize a user / employee. This can often include values such as employee, contractor, temp-worker, contingent worker,etc. This value should come from the HR system for employees.
Start dateDay a person starts their job at a company. This is often an important value as access should be enabled on this day.
Last DateA person's last day at the company. This is often an important value as access should be disabled on this day.

Organization Membership

The organization membership section allows you to define the organization units that a person belongs to.
The structure of your organization is defined under Adminstration -> System configuration. Based on this structure, as you select one organization unit, the next child organization selection box will be shown. In the image below a hierarchy with Organization -> Division -> Department objects is shown.

Organization unit membership information

Supervisor and user's assistants

The Supervisor section allows you to define a user's:

  • Immediate supervisor
  • Alternate contact
  • Certification delegate - Often Senior executives don't complete their own user access reviews. In these cases, the review can be completed by the delegate defined here.

User supervisor information

Attribute nameRequiredDescription
Supervisor TypeYSelect the type of supervisor. In most cases, you will only have a default / primary supervisor. In some cases, you will need to able to support a secondary supervisor; ie. employees can have a primary supervisor and a "dotted line" to a second supervisor.
SupervisorYEnter the name of the supervisor. The system will search for the user. Note, that a supervisor must exist in OpenIAM to enable this association.
Alternate contactNAlternate contact for the employee. This value can be used in workflows.
Start dateNDate this Supervisor -> Employee relationship started
End DateNDate this Supervisor -> Employee relationship ended.
Certification DelegateNPerson to whom access review privileges have been delegated.
Start DateNDate from which this delegate was assigned for access reviews.
End DateNDate after which this is delegate is no longer needed for access reviews.

Notifications

The notifications section allows you to select who should be notified after you have submitted your request for user creation.

User notifications

The table describes each option.

Notification optionDescription
Notify User of the credentials via e-mail. Requires an email addressTemporary credentials or activation link are sent to the user by email.
Notify Supervisor of the credentials for the new user via e-mail. Requires a supervisor to be selected.The user temporary credentials are sent to the immediate supervisor.
Delay user provisioning till start dateProvides the administrator with the option to delay the creation of the user till the start date