15 replies. Latest post: 2012-10-17T18:05:33Z by dgowda
SimonYZYeh
7 Posts

Create the same account id in multiple services

2012-10-09T09:05:29Z
My TIM version is 5.1 fixpack 11, and my customer needs to create the same ID for selected services when they are first initialized.
For example:
Every AD service profile has only one account, "CB_ADM" (account ID), and two default groups, "CB_GROUP1" and "CB_GROUP2".
Every AIX service profile also has only one account, "CB_ADM" (account ID), and two default groups, "CB_GROUP1" and "CB_GROUP2".

What is the best way to do this in TIM 5.1?
Updated on 2012-10-17T18:05:33Z by dgowda
  • yn2000
    1026 Posts
    2012-10-09T14:57:11Z  in response to SimonYZYeh
    I cannot claim 'the best way', but the easiest way is to define the 'Account ID' during the creation of the Person entity.
    Rgds. YN.
    • SimonYZYeh
      7 Posts
      2012-10-11T01:58:17Z  in response to yn2000
      Let me explain in more detail.
      There are over 500 servers, which are Windows and AIX.

      We need to create 3 default account IDs and their groups when we add these servers as services in TIM.
      According to the manuals, there are some ways to do this, for example:
      1. writing scripts in the provisioning policy
      2. default values in the provisioning policy
      ...etc.

      However, the ways above are not the best way to achieve this purpose.

      Any recommendations?
    • SimonYZYeh
      7 Posts
      2012-10-11T03:36:25Z  in response to yn2000
      Oh, I forgot to say....
      1. These 3 default account IDs are only to be created once in the services.
      2. All 3 account IDs belong to one Person in the organization.

      Actually, I had tried to set the default values in the provisioning policy and it was not what I want, because default values apply every time an account is created. Writing a script is also the same situation.

      That's why I asked, "Is there a best way?"
      • hydel
        16 Posts
        2012-10-11T04:21:16Z  in response to SimonYZYeh
        Hello Simon,

        I don't think that this is something you should try to do with ITIM.

        Because those accounts are created only in the initial stage, I would use a script on those servers, maybe with PowerShell on Windows servers, to create these local admin accounts. I'm not an expert on scripting but would imagine you could run one script against all of your Windows servers, not sure about AIX though.
        Then in ITIM run reconciliation on those services and adopt those accounts to that one Person.

        Regards Jukka
        • SimonYZYeh
          7 Posts
          2012-10-11T05:48:39Z  in response to hydel
          Hi, Jukka

          Yes, your recommendation may be a good hint for me.
          Because there are too many servers to set up, at different OS levels, the customer asks me why we can NOT use ITIM?

          As you know, customers always think it is very simple...
          • yn2000
            1026 Posts
            2012-10-11T12:57:18Z  in response to SimonYZYeh
            "...customer ask me why we can NOT use ITIM ?" The answer is... "Because it is NOT the best way."
            TIM is superior in the situation where the user has a role and, based on the role, some users get accounts on some AIX machines, while other users in other roles do not. Your customer is NOT in this situation.
            Anyway, back to my answer... you can put the script in the Person add Operational Workflow, which, in the end, simplifies your Provisioning Policy script.
            Rgds. YN.
            • SystemAdmin
              9855 Posts
              2012-10-11T13:23:15Z  in response to yn2000
              The best way is IMHO to use ITIM.

              But I am not sure I understand your task correctly - so let me try to rephrase what I believe you are trying to do....

              You have some servers (Windows/AIX) that need administrative local users.
              You have these servers defined as Windows local / POSIX services in ITIM (or you are going to do so).

              Now - to create an account on a service automatically involves 2 things:

              1. Identity policies - this is where you define the naming of your accounts - the default identity policy will use the preferred userid on the person entity.
              2. Automatic provisioning policy entitlement - this is best triggered using a role (dynamic/static).

              When the actual provisioning is performed your creation will be performed using the "add" operation - so any post processing (e.g. mail with password to owner) can be performed.

              The challenge is that ITIM has a rather strange way of defining the provisioning policy entitlement - basically you cannot use the "service profile" entitlement if you have special cases, because these will be overridden by any service-specific policies - so you will need to create a provisioning policy for every service anyhow... (this can be done using the API).

              HTH

              Regards
              Franz Wolfhagen
              • hydel
                16 Posts
                2012-10-11T14:21:58Z  in response to SystemAdmin
                In my understanding the goal here was first to create 3 local accounts, not one, on those 500 different servers. That's why I suggested scripting. I forgot to mention TDI, which would perhaps be a better solution to carry out this initial task.

                Regards,
                Jukka
                • SystemAdmin
                  9855 Posts
                  2012-10-11T14:48:24Z  in response to hydel
                  Yes - you are right - IF you only need to create the accounts...

                  In IdM the M is for Management - in most cases it means that something happens AFTER creation as well :-)

                  There will be password changes - maybe the target is to use these as Privileged Accounts - i.e. if you want to use the ISIM 6.0 PIM functionality you can do this only if the accounts are managed by ISIM.

                  No doubt that you can do most things more efficiently in isolation - the reason I normally recommend IdM is to take care of the whole picture (which I should have stated...)

                  regards
                  Franz Wolfhagen
                  • hydel
                    16 Posts
                    2012-10-11T15:35:01Z  in response to SystemAdmin
                    Right you are, I only meant that this one specific task would perhaps best be done outside ITIM. Afterwards ITIM would be used to provision and manage user accounts on those servers.
                    Many ways to skin the cat I suppose :)

                    Regards
                    Jukka
  • SimonYZYeh
    7 Posts
    2012-10-15T06:48:19Z  in response to SimonYZYeh
    I'm still not very clear on how to do this...
    Could anyone provide more detail?
    Thank You very much
    • yn2000
      1026 Posts
      2012-10-15T14:46:24Z  in response to SimonYZYeh
      Design questions always draw many ways to skin the cat.
      So, which avenue have you chosen, to get the detail?
      Rgds. YN.
    • jmdennis
      52 Posts
      2012-10-15T15:29:33Z  in response to SimonYZYeh
      I have to agree with Franz and yn2000 that this should be done via ITIM and more importantly, a clear solution needs to be designed and reviewed before you implement it.

      Having said that, one alternative is to create a provisioning policy with automatic entitlements (Windows and AIX) to create your required IDs automatically. The entitlements should be the service profiles for AIX and Windows so that ALL new services would be covered when they were created. The provisioning policy membership would be a Role whose sole member would be the single person who owns all the accounts.

      Considerations -

      If the services that require the IDs already exist, creating this type of policy could adversely affect your performance while ITIM attempts to "catch up" with the provisioning.

      Since you would be using Service profiles, ALL new services created under the same profile would be affected - you would not be able to exclude any.

      Regarding the practice of having one person own hundreds/thousands of accounts - IMHO this is a BAD idea. It can result in nightmares when the person leaves the organization. What I believe to be best practices is to create "System Entities" (not human beings) to own the accounts. On the system entity you establish a human custodian or owner of the entity (you can do this by extending the custom person schema). Then, if the owner/custodian leaves, you simply have to change an attribute instead of the ownership of numerous accounts. This type of approach really needs to be brought up in the early discussions and planning for your IdM deployment, in order to get buy-in from the security Gods; otherwise, it may be an uphill battle.

      jdennis
      • SimonYZYeh
        7 Posts
        2012-10-16T05:04:33Z  in response to jmdennis
        Hi, jdennis

        I know that we can create IDs automatically via a provisioning policy once any service (host) is added.
        But... how can I set eruid and ergroup for 3 accounts at one time in the JavaScript? Even more, there is 1 account that will belong to 4 groups in the OS.

        Maybe some sample code would be very helpful to me.
        Thanks to those who help me and give advice.
        • dgowda
          42 Posts
          2012-10-17T18:05:33Z  in response to SimonYZYeh
          The first suggestion from yn is what you need to follow. You should create a custom attribute on the person object (call it erdefaultlogin or something like that) and set the value to the desired value during person creation. In the provisioning policies, just get the value for eruid from the person entity (sample code below):

          // Parameter script for eruid: read the custom person attribute
          // 'erdefaultlogin'; getProperty returns an array, so take the first value.
          var userid = subject.getProperty('erdefaultlogin');
          if ((userid != null) && (userid.length > 0))
              userid = userid[0];
          else
              userid = '';   // nothing set on the person: fall back to an empty ID
          return userid;

          As for the group memberships, just add the groups you want the user to be part of in the provisioning policy.
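          As an added example, not code from the thread or from IBM, here is dgowda's eruid pattern generalized to cover SimonYZYeh's question about one account in several groups. It assumes the ITIM parameter-script conventions used above (subject.getProperty returns an array, and the script's return value fills the mapped account attribute), wraps the bodies in functions so they run against a constructed stand-in for subject, and assumes a custom multi-valued person attribute named erdefaultgroups, defined the same way as erdefaultlogin.

```javascript
// Added example, not the thread's code. In ITIM the Person is `subject`,
// subject.getProperty(name) returns an array of values, and the return value
// of a parameter script becomes the mapped account attribute. The bodies are
// wrapped in functions here so they can run against a constructed `subject`.

// First value of a person attribute, or the fallback when it is absent.
function firstValue(subject, attr, fallback) {
  var values = subject.getProperty(attr);
  return (values != null && values.length > 0) ? String(values[0]) : fallback;
}

// eruid parameter script: the ID comes from the person, not the service,
// so every service under the profile receives the same account ID.
function accountId(subject) {
  return firstValue(subject, 'erdefaultlogin', '');
}

// Group parameter script: returns all values of the (assumed) multi-valued
// person attribute 'erdefaultgroups' as an array, which is how a multi-valued
// account attribute such as one account in four OS groups is filled.
// Blank and duplicate entries are dropped; no trim() for older JS engines.
function accountGroups(subject) {
  var values = subject.getProperty('erdefaultgroups');
  var groups = [];
  if (values == null) {
    return groups;
  }
  for (var i = 0; i < values.length; i++) {
    var g = String(values[i]).replace(/^\s+|\s+$/g, '');
    if (g.length > 0 && groups.indexOf(g) < 0) {
      groups.push(g);
    }
  }
  return groups;
}

// Constructed stand-in for the ITIM `subject` (Person) object.
function makePerson(attrs) {
  return {
    getProperty: function (name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
    }
  };
}

// Constructed sample person using the thread's example values.
var samplePerson = makePerson({
  erdefaultlogin: ['CB_ADM'],
  erdefaultgroups: ['CB_GROUP1', ' CB_GROUP2', 'CB_GROUP1', '']
});
```

In a real policy each function body would be pasted as the parameter script for the matching attribute, with the `function` wrapper removed.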