Topic
  • 15 replies
  • Latest Post - 2012-10-17T18:05:33Z by dgowda
SimonYZYeh
7 Posts

Create the same account id in multiple services

2012-10-09T09:05:29Z
My TIM version is 5.1 fixpack 11 and my customer needs to create the same ID for selected services at first initialization time.
For example:
Every AD service profile has only one account: "CB_ADM" (Account ID) and two default groups: "CB_GROUP1", "CB_GROUP2"
Every AIX service profile also has only one account: "CB_ADM" (Account ID) and two default groups: "CB_GROUP1", "CB_GROUP2"

What is the best way to do this in TIM 5.1?
  • yn2000
    1086 Posts

    Re: Create the same account id in multiple services

    2012-10-09T14:57:11Z
    I cannot claim 'the best way', but the easiest way is to define the 'Account ID' during the creation of the Person entity.
    Rgds. YN.
  • SimonYZYeh
    7 Posts

    Re: Create the same account id in multiple services

    2012-10-11T01:58:17Z
    • yn2000
    • 2012-10-09T14:57:11Z
    Let me explain in more detail.
    There are over 500 servers, which are Windows and AIX.

    We need to create 3 default account IDs and their groups when we add these servers as services in TIM.
    According to the manuals, there are some ways to do this, for example:
    1. writing scripts in the provisioning policy
    2. default values in the provisioning policy
    ...etc.

    However, the ways above are not the best way to achieve this purpose.

    Any recommendation?
  • SimonYZYeh
    7 Posts

    Re: Create the same account id in multiple services

    2012-10-11T03:36:25Z
    • yn2000
    • 2012-10-09T14:57:11Z
    Oh, I forgot to say....
    1. These 3 default account IDs are only to be created once in the services.
    2. All 3 account IDs belong to one Person in the organization.

    Actually, I had tried to set the default values in the provisioning policy and it was not what I wanted, because default values apply every time an account is created. Writing a script is also the same situation.

    That is why I asked, "Is there a best way?"
  • hydel
    16 Posts

    Re: Create the same account id in multiple services

    2012-10-11T04:21:16Z
    Hello Simon,

    I don't think that this is something you should try to do with ITIM.

    Because those accounts are created only in the initial stage, I would use a script on those servers, maybe with PowerShell on Windows servers, to create these local admin accounts. I'm not an expert on scripting but would imagine you could run one script against all of your Windows servers, not sure about AIX though.
    Then in ITIM run reconciliation on those services and adopt those accounts to that one Person.

    Regards Jukka
  • SimonYZYeh
    7 Posts

    Re: Create the same account id in multiple services

    2012-10-11T05:48:39Z
    • hydel
    • 2012-10-11T04:21:16Z
    Hi, Jukka

    Yes, your recommendation may be a good hint for me.
    Because there are too many servers to set up, at different OS levels, the customer asks me why we can NOT use ITIM.

    As you know, customers always think it is very simple...
  • yn2000
    1086 Posts

    Re: Create the same account id in multiple services

    2012-10-11T12:57:18Z
    "...customer asks me why we can NOT use ITIM?" The answer is... "Because it is NOT the best way."
    TIM is superior in the situation where the user has a role and, based on the role, some users get some accounts on some AIX machines, while other users in another role do not. Your customer is NOT in this situation.
    Anyway, back to my answer... you can put the script in the Person add Operational Workflow, which, in the end, simplifies your Provisioning Policy script.
    Rgds. YN.
  • SystemAdmin
    9855 Posts

    Re: Create the same account id in multiple services

    2012-10-11T13:23:15Z
    • yn2000
    • 2012-10-11T12:57:18Z
    The best way is IMHO to use ITIM.

    But I am not sure I understand your task correctly - so let me try to rephrase what I believe you are trying to do....

    You have some servers (Windows/AIX) that need administrative local users.
    You have these servers defined as Windows local / POSIX services in ITIM (or you are going to do so).

    Now - to create an account on a service automatically involves 2 things:

    1. identity policies - this is where you define the naming of your accounts - the default identity policy will use the preferred userid on the person entity
    2. automatic provisioning policy entitlement - this is best triggered using a role (dynamic/static).

    When the actual provisioning is performed, your creation will be performed using the "add" operation - so any post processing (e.g. mail with password to owner) can be performed.

    The challenge is that ITIM has a rather strange way of defining the provisioning policy entitlement - basically you cannot use the "service profile" entitlement if you have special cases, because these will be overridden by any service-specific policies - so you will need to create a provisioning policy for each service anyhow... (this can be done using the API).

    HTH

    Regards
    Franz Wolfhagen
  • hydel
    16 Posts

    Re: Create the same account id in multiple services

    2012-10-11T14:21:58Z
    In my understanding the goal here was first to create 3 local accounts, not one, on those 500 different servers. That's why I suggested scripting. I forgot to mention TDI, which perhaps would be a better solution to carry out this initial task.

    Regards,
    Jukka
  • SystemAdmin
    9855 Posts

    Re: Create the same account id in multiple services

    2012-10-11T14:48:24Z
    • hydel
    • 2012-10-11T14:21:58Z
    Yes - you are right - IF you only need to create the accounts...

    In IdM the M is for Management - in most cases it means that something happens AFTER creation as well :-)

    There will be password changes - maybe the target is to use these as Privileged Accounts - i.e. if you want to use the ISIM 6.0 PIM functionality you can do this only if the accounts are managed by ISIM.

    No doubt that you can do most things more efficiently in isolation - the reason I normally recommend IdM is to take care of the whole picture (which I should have stated...)

    Regards
    Franz Wolfhagen
  • hydel
    16 Posts

    Re: Create the same account id in multiple services

    2012-10-11T15:35:01Z
    Right you are, I only meant that this one specific task would perhaps best be done outside ITIM. Afterwards ITIM would be used to provision and manage user accounts on those servers.
    Many ways to skin the cat I suppose :)

    Regards
    Jukka
  • SimonYZYeh
    7 Posts

    Re: Create the same account id in multiple services

    2012-10-15T06:48:19Z
    I'm still not very clear how to do ...
    Anyone could provide more detail ?
    Thank You very much
  • yn2000
    1086 Posts

    Re: Create the same account id in multiple services

    2012-10-15T14:46:24Z
    A design question always draws many ways to skin the cat.
    So, which avenue have you chosen to get the detail?
    Rgds. YN.
  • jmdennis
    52 Posts

    Re: Create the same account id in multiple services

    2012-10-15T15:29:33Z
    I have to agree with Franz and yn2000 that this should be done via ITIM and more importantly, a clear solution needs to be designed and reviewed before you implement it.

    Having said that, one alternative is to create a provisioning policy with automatic entitlements (Windows and AIX) to create your required IDs automatically. The entitlements should be the service profiles for AIX and Windows so that ALL new services would be covered when they were created. The provisioning policy membership would be a Role whose sole member would be the single person who owns all the accounts.

    Considerations -

    If the services that require the IDs already exist, creating this type of policy could adversely affect your performance while ITIM attempts to "catch up" with the provisioning.

    Since you would be using Service profiles, ALL new services created under the same profile would be affected - you would not be able to exclude any.

    Regarding the practice of having one person own hundreds/thousands of accounts - IMHO this is a BAD idea. It can result in nightmares when the person leaves the organization. What I believe to be best practices is to create "System Entities" (not human beings) to own the accounts. On the system entity you establish a human custodian or owner of the entity (you can do this by extending the custom person schema). Then, if the owner/custodian leaves, you simply have to change an attribute instead of the ownership of numerous accounts. This type of approach really needs to be brought up in the early discussions and planning for your IdM deployment, in order to get buy-in from the security Gods; otherwise, it may be an uphill battle.

    jdennis
  • SimonYZYeh
    7 Posts

    Re: Create the same account id in multiple services

    2012-10-16T05:04:33Z
    • jmdennis
    • 2012-10-15T15:29:33Z
    Hi, jdennis

    I know that we can create IDs automatically via a provisioning policy once any service (host) is added.
    But... how can I set eruid and ergroup for 3 accounts at one time in the JavaScript? Even more, there is 1 account that will belong to 4 groups in the OS.

    Maybe some sample code would be very helpful to me.
    Thanks to those who help me and give advice.
  • dgowda
    42 Posts

    Re: Create the same account id in multiple services

    2012-10-17T18:05:33Z
    The first suggestion from yn is what you need to follow. You should create a custom attribute on the person object (call it erdefaultlogin or something like that) and set the value to the desired value during person creation. In the provisioning policies, just get the value for eruid from the person entity (sample code below):

    // Parameter script for eruid in the provisioning policy.
    // getProperty() returns an array of values (empty when the attribute is unset).
    var userid = subject.getProperty('erdefaultlogin');
    if ((userid != null) && (userid.length > 0)) {
        // Use the first value of the custom person attribute.
        userid = userid[0];
    } else {
        // No default login set: return '' so nothing is forced here.
        userid = '';
    }
    return userid;

    As for the group memberships, just add the groups you want the user to be part of in the provisioning policy.