Create user by admin
OpenIAM provides several ways in which new users can be created:
- Administration interface
- Self-service requests using workflow
- Automated provisioning via integration with an authoritative source
- OpenIAM API
This section focuses on creating users through the User manager in the OpenIAM Administration portal.
To create a new user follow the steps described below:
- Login to the webconsole
- Go to
User Admin -> Create new Useras shown below
- Selecting new the
Create new useroption will open the screen below.
Select user typedetermines the type of user that you will be creating. OpenIAM allows you configure new types of users with custom attributes to better represent your environment. Examples of types of users can be Employees, Contractors, Vendors,etc. You can also define types for Service Accounts. The User types section describes how you can create custom types.
- Provide user information - The screen that follows the type selection is a form to provide user information. The default form is a
Template viewand can be customized to suit your needs. The Custom templates section describes how to create and manage these templates. Alternatively, you can switch to the
Classic viewwhich provides a broader set of fields to work from without having to modify the UI templates. Long term, you will want to customize the templates based on your needs.
The sections below describe how to use the Template View and Classic views.
The example below shows the default template. As mentioned above, it is unlikely that this template will serve your needs and you should customize it for your needs.
If you continue with this template, follow the steps described below.
- Provide the user's first and last names
- Notification: Enable this checkbox to deliver the new user's credentials to their email address specified below. E-mail delivery will only work if the SMTP gateway has been configured and an email address has been provided for the logged in user. The E-mail templates section describes how you can customize e-mails to suite your needs.
- Enter an email address by expanding the
Emailssections and then click on the
+sign. This will open a dialog to enter the email address as shown below.
Complete the dialog box as described below:
- Select the
Email Type: OpenIAM allows for
nemail addresses to be associated with a user. Some default types include: Primary e-mail, work e-mail, home e-mail. The primary email address should be used if no other email addresses will be provided.
- Enter the
Email address: E-mail address of the user that is being created. In most deployments, email generation should be configured such that its is automatically generated during the provisioning process.
- Enter a
Description: This is an optional field which can be used to capture a descriptive value to help identify this email address
Is Active: This is a flag which can be used to disable the use of an email address. Unless you want to disable this address, ensure that this checkbox has been enabled.
Is Default: Flag which determine which address will serve as the default email address for this user. This email address will be used by the system for operations such as password resets and workflows. **At least one email address must have the Is Default flag enabled`
Is Published: Flag which determines if the email address should be published the OpenIAM directory.
Successfully completing the above steps will result in a user being created in OpenIAM as shown in the image below. If the template has been customized to allow for entitlements to be associated with this user, then downstream provisioning to integrated applications will also be triggered at this point.
Attributes such as the OpenIAM identity will be generated automatically using the attribute policies.
The classic view provides administrators with a broad set of attributes for creating users. This view was introduced into early versions of OpenIAM and hence referred to as a "Classic view". While this form provides many options, it may provide many fields which are not necessary during daily use. For this reason, it's recommended that templates be used in a production setting.
To create a user using the Classic view, follow the steps below.
The Classic view form is segregated into sections which are described below.
The Classic view allows Administrators to enter a predefined
Login Id. This field is optional and if left blank, the system will generate a login Id (account) automatically.
To specify a login Id, simply enter a unique
Login Id in to the field shown above. The Login will be validated for uniqueness when the form has been submitted.
The user information section shown below provides fields to capture common user profile attributes.
The table below provides as a description of each attribute.
|Attribute name||Is Required||Description|
|First Name||Y||User's first name.|
|Last name||Y||User's last name|
|Middle||N||User's middle name or initial|
|Nickname||N||Alternate or preferred name for a user|
|Maiden Name||N||Person's last name before getting married.|
|Suffix||N||Suffix to a person's last name. This include values such as JR, SR, etc.|
|Gender||N||User's gender. Values include: Male, Female, or Declined to State|
|OpenIAM ID||Read-only field which will be an immutable system generated ID used internally by OpenIAM to identify each user.|
|Date of Birth||N||Date of the User's birth.|
|Metadata types||Y||OpenIAM type used to classify a user. Metadata types can also be associated with custom attributes.|
The access rules section is be used to associate both business and application level entitlements to a user. It is not required that entitlements be defined at the time of user creation. Entitlements can be added / modified after user creation.
You can select from entitlements from any of the three options described below.
|Role||To select a business Role, select |
|Group||First select the application to which the group belongs from the |
|Clone a user's access||Select the user whose rights you want clone.|
The E-mail Address is a required for user creation (if you need to dynamically generate the mailbox, then use a custom template). To set an email address, follow the steps below:
- Select the type of email address that you are setting. Select
Primary emailif this is main email address which will be used for operations such as password resets, MFA, etc..
Entering the user's address information is not required during user creation. However, if you are going to define the address, then populate the fields as described below.
|Address type||Select the type of address: Select |
|Building||Building number of your business location|
|Address 1||Street name. Two fields are provided to capture the street information.|
|Address 2||Second street information field|
|City||Name of the city, town, village, etc.|
|State||Name of the state or province.|
|Postal code||Zip code or postal code.|
|Country||Name of country.|
|Is Published||Flag indicating if this address should be published in the OpenIAM address book.|
Entering the user's phone information is not required during user creation. However, if you are going to define the phone number, then populate the fields as described below.
|Phone type||Y||Select the type of Phone number that is being entered. Select |
|Country Code||Y||Country code for the phone number. For this value should be |
|Area Code||Y||Area code part of the number|
|Phone number||Y||Primary part of the phone number.|
|Extension||N||Extension to the phone number. This is often used in office settings.|
|Is Published||N||Flag indicating if this phone number should be published in the OpenIAM address book.|
|Is for SMS||N||Flag indicating is this number can be used to send SMS messages. SMS messages are used for OTP based authentication, forgot password and self-registration.|
The organization information section provides fields to capture information related to a person's life in an organization. Entering the user's organization information is not required during user creation. However, if you are going to define the organization, then populate the fields as described below:
|Functional Title||A person's job title. Often this value comes from the HR system and can be used to grant birthright access.|
|Job Code||A code representing a person position in the company. Often this value comes from the HR system and can be used to grant birthright access.|
|Classification||Classification code or description to categorize an employee.|
|Employee ID||Unique ID representing an employee. This value normally comes from the HR system|
|user Type||Attribute which can be used to categorize a user|
|Employee Type||Attribute which can use to categorize a user / employee. This can often include values such as employee, contractor, temp-worker, contingent worker,etc. This value should come from the HR system for employees.|
|Start date||Day a person starts their job at a company. This is often an important value as access should be enabled on this day.|
|Last Date||A person's last day at the company. This is often an important value as access should be disabled on this day.|
The organization membership section allows you to define the organization units that a person belongs to.
The structure of your organization is defined under
Adminstration -> System configuration. Based on this structure, as you select one organization unit, the next child organization selection box will be shown. In the image below a hierarchy with Organization -> Division -> Department objects is shown.
Supervisor and user's assistants
The Supervisor section allows you to define a user's:
- Immediate supervisor
- Alternate contact
- Certification delegate - Often Senior executives don't complete their own user access reviews. In these cases, the review can be completed by the delegate defined here.
|Supervisor Type||Y||Select the type of supervisor. In most cases, you will only have a default / primary supervisor. In some cases, you will need to able to support a secondary supervisor; ie. employees can have a primary supervisor and a "dotted line" to a second supervisor.|
|Supervisor||Y||Enter the name of the supervisor. The system will search for the user. Note, that a supervisor must exist in OpenIAM to enable this association.|
|Alternate contact||N||Alternate contact for the employee. This value can be used in workflows.|
|Start date||N||Date this Supervisor -> Employee relationship started|
|End Date||N||Date this Supervisor -> Employee relationship ended.|
|Certification Delegate||N||Person to whom access review privileges have been delegated.|
|Start Date||N||Date from which this delegate was assigned for access reviews.|
|End Date||N||Date after which this is delegate is no longer needed for access reviews.|
The notifications section allows you to select who should be notified after you have submitted your request for user creation.
The table describes each option.
|Notify User of the credentials via e-mail. Requires an email address||Temporary credentials or activation link are sent to the user by email.|
|Notify Supervisor of the credentials for the new user via e-mail. Requires a supervisor to be selected.||The user temporary credentials are sent to the immediate supervisor.|
|Delay user provisioning till start date||Provides the administrator with the option to delay the creation of the user till the start date|