Related accounts
Overview
A user may have more than one account in OpenIAM or in a target system. An example of this would be an administrator that has a regular user account and an admin account. Each has its own distinct set of privileges, but both accounts are related to the same user profile.
The User Administration
feature provides an interface to link related accounts. While developing the relationship between accounts, we can define which account is the primary record. By default, user life cycle events such as terminations will apply to the primary and related accounts. Rules can be implemented to reassign these accounts to another user.
The related accounts functionality can also be used to link familial relationships together.
Defining relationships
A user can have multiple records representing their profile. Of these, one record should be the primary. For example, if we are looking at employees with admin accounts, the employee record can be the primary.
When defining a relationship between two accounts, we need to select the metadata type to represent the relationship:
For example, the user William Twist has an Active Directory account, but he also has accounts on the domain controller. None of these other accounts match the HR data and all of them will always be referenced to the main AD account.
OpenIAM represents these relationships as shown in the screenshot below:
We can navigate from the admin account to the primary account as they are linked together:
Related account management
Access certification of related accounts
If a related account is part of an access certification campaign, the reviewer will see the pictogram in the pivot view as shown in the example below:
By clicking on the pictogram, the reviewer will get details about the primary account which can help him/her make a decision. Often, related accounts may not have user-friendly names and matching them to the employee data can be difficult.
During a user access review, supervisors will be able to view the primary and related accounts of their subordinates.
User lifecycle
OpenIAM can initiate a position change workflow if the primary user has a change in job function. If the target user has a set of related accounts, then they must be reviewed as well. In this case, when a manager performs a review of access as part of a position change request, he/she will receive one request for a primary account and a separate request for the related account.