Related accounts
Overview
A user may have more than one account in OpenIAM or a target system. An example of this would be an administrator who has a normal user account and an admin account. Each has its own distinct set of privileges, but both accounts are related to the same user profile.
In the admin portal, under user administration, OpenIAM provides an interface to link related profiles. In this way, it's possible to navigate between these two accounts. When defining the relationship between profiles, we can specify which profile is the primary record. By default, user life cycle events, such as terminations, will apply to both the primary and related profiles. Rules can be implemented to re-assign these accounts to another user.
The related accounts functionality can also be used to link together familial relationships.
Defining relationships
A user can have multiple records representing their profile. Of these, one record should be the primary. For example, if we are looking at employees with admin accounts, then the employee record can be the primary.
The allowed relationship types are defined as metadata types, which are shown in the example below.
When defining a relationship between two profiles, we need to select the metadata type to represent the relationship.
For example, the user William Twist has an Active Directory account, but at the same time he can have other accounts on the domain controller as well. None of these side accounts has a match in the HR data, and all of them will always reference the main account.
OpenIAM can represent these relations in the following UI:
We can navigate between these accounts. For example, we can go backwards since the user Twist_Admin will have a link to its primary account:
Related account management
Access certification of related accounts
If a related account is part of an access certification campaign, then the reviewer will see a pictogram on the pivot view, as shown in the example below.
By clicking on the pictogram, the reviewer will get details about the primary account, and this can help the reviewer to make a decision. Related accounts often do not have user-friendly names, and matching them to the employee data can be difficult.
Often a manager is involved in the user access review. In this case, the functionality of related accounts can help because supervisors are assigned to related accounts based on the supervisor's relationship to the primary account. In this way, the supervisor can perform a user access review of the related accounts belonging to their subordinates.
User lifecycle
If the primary user changes their position in the company (transfer process), then OpenIAM has the ability to initiate a position change workflow.
If the target user has a set of related accounts, then they must be reviewed as well. In this case, when a manager performs a review of access as part of a position change request, they will receive one request for the primary account and a separate request for the related account.