My TIM version is 5.1 fixpack 11 and my customer needs to create the same ID for selected services at first initiation time.
Every AD service profile has only one account: "CB_ADM" (Account ID) and two default groups: "CB_GROUP1", "CB_GROUP2".
Every AIX service profile also has only one account: "CB_ADM" (Account ID) and two default groups: "CB_GROUP1", "CB_GROUP2".
What is the best way to do this in TIM 5.1?
15 replies Latest Post - 2012-10-17T18:05:33Z by dgowda
Pinned topic Create the same account id in multiple services
Re: Create the same account id in multiple services (2012-10-11T01:58:17Z, in response to yn2000)
Let me explain in more detail.
There are over 500 servers, which are Windows and AIX.
We need to create 3 default account IDs and their groups when we add these servers as services in TIM.
According to the manuals, there are some ways to do this, for example:
1. writing scripts in the provisioning policy
2. default values in the provisioning policy
However, the ways above are not the best way to achieve this purpose.
Re: Create the same account id in multiple services (2012-10-11T03:36:25Z, in response to yn2000)
Oh, I forgot to say....
1. These 3 default account IDs are only to be created once in the services.
2. All 3 account IDs belong to one Person in the organization.
Actually, I had tried to set the default values in the provisioning policy and it was not what I want, because default values apply every time an account is created. Writing a script is the same situation.
That's why I asked: "Is there a best way?"
Re: Create the same account id in multiple services (2012-10-11T04:21:16Z, in response to SimonYZYeh)
Hello Simon,
I don't think that this is something you should try to do with ITIM.
Because those accounts are created only in the initial stage, I would use a script on those servers, maybe with PowerShell on Windows servers, to create these local admin accounts. I'm not an expert on scripting but would imagine you could run one script against all of your Windows servers; not sure about AIX though.
Then in ITIM run reconciliation on those services and adopt those accounts to that one Person.
Re: Create the same account id in multiple services (2012-10-11T05:48:39Z, in response to hydel)
Hi, Jukka
Yes, your recommendation may be a good hint for me.
Because there are too many servers to set up, at different OS levels, the customer asks me why we can NOT use ITIM?
As you know, the customer always thinks it is very simple...
Re: Create the same account id in multiple services (2012-10-11T12:57:18Z, in response to SimonYZYeh)
"...customer ask me why we can NOT use ITIM ?" The answer is... "Because it is NOT the best way."
TIM is superior in the situation where the user has a role and, based on the role, some users get some accounts on some AIX machines, while other users in another role do not. Your customer is NOT in this situation.
Anyway, back to my answer... you can put the script in the Person add Operational Workflow, which in the end simplifies your Provisioning Policy script.
SystemAdmin [ACCEPTED ANSWER]
Re: Create the same account id in multiple services (2012-10-11T13:23:15Z, in response to yn2000)
The best way is IMHO to use ITIM.
But I am not sure I understand your task correctly, so let me try to rephrase what I believe you are trying to do....
You have some servers (Windows/AIX) that need administrative local users.
You have these servers defined as Windows local / POSIX services in ITIM (or you are going to do so).
Now, creating an account on a service automatically involves 2 things:
1. Identity policies: this is where you define the naming of your accounts. The default identity policy will use the preferred user ID on the person entity.
2. Automatic provisioning policy entitlement: this is best triggered using a role (dynamic/static).
When the actual provisioning is performed, your creation will be performed using the "add" operation, so any post-processing (e.g. mail with password to owner) can be performed.
The challenge is that ITIM has a rather strange way of defining the provisioning policy entitlement: basically you cannot use the "service profile" entitlement if you have special cases, because these will be overridden by any service-specific policies, so you will need to create a provisioning policy for any service anyhow... (this can be done using the API).
Re: Create the same account id in multiple services (2012-10-11T14:21:58Z, in response to SystemAdmin)
In my understanding the goal here was first to create 3 local accounts, not one, on those 500 different servers. That's why I suggested scripting. I forgot to mention TDI, which would perhaps be a better solution to carry out this initial task.
SystemAdmin [ACCEPTED ANSWER]
Re: Create the same account id in multiple services (2012-10-11T14:48:24Z, in response to hydel)
Yes, you are right, IF you only need to create the accounts...
In IdM the M is for Management; in most cases it means that something happens AFTER creation as well :-)
There will be password changes; maybe the target is to use these as Privileged Accounts, i.e. if you want to use the ISIM 6.0 PIM functionality you can do this only if the accounts are managed by ISIM.
No doubt you can do most things more efficiently in isolation; the reason I normally recommend IdM is to take care of the whole picture (which I should have stated...).
Re: Create the same account id in multiple services (2012-10-11T15:35:01Z, in response to SystemAdmin)
Right you are, I only meant that this one specific task would perhaps best be done outside ITIM. Afterwards ITIM would be used to provision and manage user accounts on those servers.
Many ways to skin the cat, I suppose :)
jmdennis [ACCEPTED ANSWER]
Re: Create the same account id in multiple services (2012-10-15T15:29:33Z, in response to SimonYZYeh)
I have to agree with Franz and yn2000 that this should be done via ITIM and, more importantly, a clear solution needs to be designed and reviewed before you implement it.
Having said that, one alternative is to create a provisioning policy with automatic entitlements (Windows and AIX) to create your required IDs automatically. The entitlements should be the service profiles for AIX and Windows so that ALL new services would be covered when they are created. The provisioning policy membership would be a Role whose sole member would be the single person who owns all the accounts.
If the services that require the IDs already exist, creating this type of policy could adversely affect your performance while ITIM attempts to "catch up" with the provisioning.
Since you would be using service profiles, ALL new services created under the same profile would be affected; you would not be able to exclude any.
Regarding the practice of having one person own hundreds/thousands of accounts: IMHO this is a BAD idea. It can result in nightmares when the person leaves the organization. What I believe to be best practice is to create "System Entities" (not human beings) to own the accounts. On the system entity you establish a human custodian or owner of the entity (you can do this by extending the custom person schema). Then, if the owner/custodian leaves, you simply have to change an attribute instead of the ownership of numerous accounts. This type of approach really needs to be brought up in the early discussions and planning for your IdM deployment, in order to get buy-in from the security Gods; otherwise, it may be an uphill battle.
Re: Create the same account id in multiple services (2012-10-16T05:04:33Z, in response to jmdennis)
Hi, jmdennis
I know that we can create the ID automatically via a provisioning policy once any service (HOST) is added.
Some sample code would be very helpful to me.
Thanks to those who helped me and gave advice.
dgowda [ACCEPTED ANSWER]
Re: Create the same account id in multiple services (2012-10-17T18:05:33Z, in response to SimonYZYeh)
The first suggestion from yn is what you need to follow. You should create a custom attribute on the person object (call it erdefaultlogin or something like that) and set the value to the desired value during person creation. In the provisioning policies, just get the value for eruid from the person entity (sample code below):
var userid = subject.getProperty('erdefaultlogin'); // Person attribute; getProperty returns an array of values
if ((userid != null) && (userid.length > 0)) {
    return userid[0]; // body completed here: hand the first value back as the account's eruid
}
As for the group memberships, just add the groups you want the user to be part of in the provisioning policy.
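The approach in the accepted answer, worked through as an added example (not code from this thread or from IBM): a stand-alone model of the eruid parameter script with the null/empty guard, plus a dry run over several services to confirm that one Person attribute yields the same account ID everywhere. In a real ITIM policy `subject` is the Person entity supplied by the server; here `makePerson()` is a constructed stub with the same `getProperty()` shape (array of values, or null when unset). The fallback to the Person's preferred user ID (`eruid`), the behaviour of returning null, and the server names are assumptions for the demonstration; `erdefaultlogin` and the group names come from the thread.

```javascript
// Added example: models the ITIM provisioning-policy parameter script from the
// accepted answer. Not code from the thread or from IBM.

function makePerson(attrs) {
  // Constructed stand-in for the ITIM Person object: getProperty(name) returns
  // the attribute's values as an array, or null when the attribute is unset.
  return {
    getProperty: function (name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
    }
  };
}

// Parameter script for the account's eruid. erdefaultlogin is the custom Person
// attribute from the accepted answer. Falling back to the Person's preferred
// user ID (eruid) mirrors what the default identity policy uses; this fallback
// order is an assumption of the example, not documented ITIM behaviour.
function eruidScript(subject) {
  var userid = subject.getProperty('erdefaultlogin');
  if (userid != null && userid.length > 0 && userid[0] !== '') {
    return userid[0];
  }
  var preferred = subject.getProperty('eruid');
  if (preferred != null && preferred.length > 0 && preferred[0] !== '') {
    return preferred[0];
  }
  return null; // nothing usable on the Person; assumed to leave the attribute unset
}

// Default group memberships named in the original question. The account attribute
// that carries them differs per service profile, so only the values are modelled.
var DEFAULT_GROUPS = ['CB_GROUP1', 'CB_GROUP2'];

function groupsScript() {
  return DEFAULT_GROUPS.slice();
}

// Dry run of the policy over a list of services (constructed names): one Person
// attribute must produce the same account ID on every service.
function planAccounts(subject, services) {
  return services.map(function (svc) {
    return { service: svc, eruid: eruidScript(subject), groups: groupsScript() };
  });
}

// Consistency check to run before enabling the policy: every planned account
// carries the same non-null eruid, otherwise the "same ID everywhere" goal fails.
function allSameUserId(plan) {
  if (plan.length === 0) return false;
  var first = plan[0].eruid;
  if (first === null) return false;
  return plan.every(function (p) { return p.eruid === first; });
}

// Example run on constructed data.
var owner = makePerson({ eruid: ['syzyeh'], erdefaultlogin: ['CB_ADM'] });
var servers = ['AIX-srv01', 'AIX-srv02', 'WIN-srv01'];
var plan = planAccounts(owner, servers);
console.log(JSON.stringify(plan), 'consistent:', allSameUserId(plan));
```

In the real policy only the body of `eruidScript` is pasted into the eruid parameter's script box; the stub, the dry run and the consistency check exist so the guard logic can be exercised offline before touching the 500 services, where a wrong script would create a badly named account on each of them.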