Create user by admin

OpenIAM provides several ways in which new users can be created:

  • Administration interface
  • Self-service requests using workflow
  • Self-registration
  • Automated provisioning via integration with an authoritative source
  • OpenIAM API

This section focuses on the first option which uses the OpenIAM Administration portal.

To create a new user follow the steps described below:

  • Login to the webconsole
  • Go to User Admin -> Create new User as shown below

Create new user menu

  • Select user type - OpenIAM allows you create new types of users to represent your environment. Examples of types of users can be Employees, Contractors, Vendors,etc. You can also define types for Service Accounts. Each type can have associated with in n custom attributes. The User types section describes how you can create custom types.

Select user type

  • Provide user information - The screen that follows the type selection is a form to provide user information. The default form is a Template view and can be customized to suit your needs. The Custom templates section describes how to create and manage these templates. Alternatively, you can switch to the Classic view which provides a broader set of fields to work from without having to modify the UI templates.

Details about each are described below.

Template view

The example below shows the default template. Its unlikely that this template will serve your needs. It should be customized once your requirements for user type definition is clear.

Template based create user form

If you continue with this template, follow the steps described below.

  • Provide the user's first and last names
  • Notification: Enable this checkbox to deliver the new user's credentials to their email address specified below. E-mail delivery will only work if the SMTP gateway has been configured and an email address has been provided. The E-mail templates section describes how you can customize e-mails to suite your needs.
  • Enter an email address by expanding the Emails sections and then click on the + sign. This will open a dialog to enter the email address as shown below.

Add email address

Complete the dialog box as described below:

  • Select the Email Type: OpenIAM allows for n email addresses to be associated with a user. Some default types include: Primary e-mail, work e-mail, home e-mail. The primary email address should be used if no other email addresses will be provided.
  • Enter the Email address : E-mail address of the user that is being created
  • Enter a Description : This is a optional field which can be used to capture any a descriptive value to help identify this email address
  • Is Active : This is flag which can be used to disable the use of email address. Unless you want to disable this address, ensure that this checkbox has been enabled.
  • Is Default : Flag which determine which address will serve as the default email address for this user. This email address will be used by the system for operations such as password resets and workflows. **At least one email address must have the Is Default flag enabled`
  • Is Published : Flag which determines if the email address should be published the OpenIAM directory.

Successfully completing the above steps will result in a user being created in OpenIAM as shown in the image below. If the template has been customized to allow for entitlements to be associated with this user, then downstream provisioning to integrated applications will also be triggered at this point.

Template user created

Attributes such as the OpenIAM identity will be generated automatically using the attribute policies.

Classic view

The classic view provides administrators with a broad set of attributes for creating users. This view was introduced into early versions of OpenIAM and hence referred to as a "Classic view". While this form provides many options, it may provide many fields which are not necessary during daily use. For this reason, it's recommended that templates be used in a production setting.

To create a user using the Classic view, follow the steps below.

Legacy create user form

The Classic view form is segregated into sections which are described below.

User Credentials

The Classic view allows Administrators to enter a predefined Login Id. This field is optional and if left blank, then the system will generate an identity / login Id automatically.

Enter credentials

To specify a login Id, simply enter a unique Login Id in to the field shown above. The Login will be validate for uniqueness when the form has been submitted.

User Information

The user information section shown below provides common user profile attributes.

Enter user information

The table below provides as a description of each attribute.

Attribute nameIs RequiredDescription
First NameYUser's first name.
Last nameYUser's last name
MiddleNUser's middle name or initial
NicknameNAlternate or preferred name for a user
Maiden NameNPerson's last name before getting married.
SuffixNSuffix to a person's last name. This include values such as JR, SR, etc.
GenderNUser's gender. Values include: Male, Female, or Declined to State
OpenIAM IDRead-only field which will be an immutable system generated ID used internally by OpenIAM to identify each user.
Date of BirthNDate of the User's birth.
Metadata typesYOpenIAM type used to classify a user. Metadata types can also be associated with custom attributes.

Access Rules

The access rules section is be used to associate both business and application level entitlements to a user. Its not required that entitlements be defined at the time of user creation. Entitlements can be added / modified after user creation.

User entitlements

You have three options here:

  • Add a business or technical (application) role
    • To select a technical role, first select the application name from the Select a managed system drop down. In the second dropdown, type in the role name.
    • To select a business role, leave the Select a managed system blank and start typing in the role name in the second dropdown.
  • Add a group
  • Clone another user's access

E-mail Address

The E-mail Address is a required for user creation. To set an email address, follow the steps below:

  • Select the type of email address that you are setting. Select Primary email if this is main email address which will be used for operations such as password resets, MFA, etc..

User email address

Address

Entering the user's address information is not required during user creation. However, if you are going to define the address, then populate the fields as described below.

User address

Attribute nameDescription
Address typeSelect the type of address: Select Primary location if this is the default address that should be used for the user. If multiple addresses will be provided, you can also select from Home Address, Office Address, or a custom type.
BuildingBuilding number of your business location
Address 1Street name. Two fields are provided to capture the street information.
Address 2Second street information field
CityName of the city, town, village, etc.
StateName of the state or province.
Postal codeZip code or postal code.
CountryName of country.
Is PublishedFlag indicating if this address should be published in the OpenIAM address book.

Phone

Entering the user's phone information is not required during user creation. However, if you are going to define the phone number, then populate the fields as described below.

User Phone information

Attribute nameRequiredDescription
Phone typeYSelect the type of Phone number that is being entered. Select Cell Phone (Primary phone) if this is the default phone number for the user. If multiple phone numbers will be provided, you can also select from Home phone, Office phone, or a custom type.
Country CodeYCountry code for the phone number. For this value should be 1 and not +1
Area CodeYArea code part of the number
Phone numberYPrimary part of the phone number.
ExtensionNExtension to the phone number. This is often used in office settings.
Is PublishedNFlag indicating if this phone number should be published in the OpenIAM address book.
Is for SMSNFlag indicating is this number can be used to send SMS messages. SMS messages are used for OTP based authentication, forgot password and self-registration.

Organization information

The organization information section provides fields to capture information related to a person's life in an organization. Entering the user's organization information is not required during user creation. However, if you are going to define the organization, then populate the fields as described below:

User Organization information

Attribute nameDescription
Functional TitleA person's job title. Often this value comes from the HR system and can be used to grant birthright access.
Job CodeA code representing a person position in the company. Often this value comes from the HR system and can be used to grant birthright access.
ClassificationClassification code or description to categorize an employee.
Employee IDUnique ID representing an employee. This value normally comes from the HR system
user TypeAttribute which can be used to categorize a user
Employee TypeAttribute which can use to categorize a user / employee. This can often include values such as employee, contractor, temp-worker, contingent worker,etc. This value should come from the HR system for employees.
Start dateDay a person starts their job at a company. This is often an important value as access should be enabled on this day.
Last DateA person's last day at the company. This is often an important value as access should be disabled on this day.

Organization Membership

The organization membership section allows you to define your organization memberships.
The structure of your organization is defined under Adminstration -> System configuration. Based on this structure, as you select one organization unit, next child organization selection box will be shown. In the image below a hierarchy with Organization -> Division -> Department objects is shown.

Organization unit membership information

Supervisor and user's assistants

The Supervisor section allows you to define a user's:

  • Immediate supervisor
  • Alternate contact
  • Certification delegate - Often Senior executives don't complete their own user access reviews. In these cases, the review can be completed by the delegate defined here.

User supervisor information

Attribute nameRequiredDescription
Supervisor TypeYSelect the type of supervisor. In most cases, you will only have a default / primary supervisor. In some cases, you will need to able to support a secondary supervisor; ie. employees can have a primary supervisor and a "dotted line" to a second supervisor.
SupervisorYEnter the name of the supervisor. The system will search for the user. Note, that a supervisor must exist in OpenIAM to enable this association.
Alternate contactNAlternate contact for the employee. This value can be used in workflows.
Start dateNDate this Supervisor -> Employee relationship started
End DateNDate this Supervisor -> Employee relationship ended.
Certification DelegateNPerson to whom access review privileges have been delegated.
Start DateNDate from which this delegate was assigned for access reviews.
End DateNDate after which this is delegate is no longer needed for access reviews.

Notifications

The notifications section allows you to select who should be notified after you have submitted your request for user creation.

User notifications

The table describes each option.

Notification optionDescription
Notify User of the credentials via e-mail. Requires an email addressWill send the temporary credentials to the user by email
Notify Supervisor of the credentials for the new user via e-mail. Requires a supervisor to be selectedSend's the user temporary credentials to the immediate supervisor.
Delay user provisioning till start dateProvides the administrator with the option to delay the creation of the user till the start date