Managing an account lifecycle

Account lifecycle is a process that is part of Identity Governance in which user accounts on the target are managed from IBM® Security Verify. You can configure provisioning and deprovisioning of user accounts.

Before you begin

  • You must have administrative permission to complete this task.
  • Set up the basic information for the application instance in the General tab. See Setting the basic application details.
  • Complete the application account lifecycle configuration instructions that are provided.

About this task

If supported for your application, you can configure a policy for the application for account provisioning. For a list of applications, see Applications that support provisioning.

Procedure

  1. Select the options for provisioning and deprovisioning accounts.
    1. Choose from the following options for provisioning an account.
      Enabled
      Creates an account when the entitlement is assigned to a user. This setting is the default setting.
      Disabled
      The account is created outside of Verify.
    2. Choose from the following options for deprovisioning an account.
      Enabled
      An account is deprovisioned when the entitlement is removed from a user. If this option is selected, the grace period option is activated.
      Disabled
      The account is deprovisioned outside of Verify. If this option is selected, grace period and deprovision action are deactivated.
      Note: The type of application and the provisioning and deprovisioning settings determine which options are displayed for the application.
    3. If your application supports password synchronization, select the account password action.
      See Applications that support password synchronization.
      Sync user's Cloud Directory password
      This option is available if Password sync is enabled on the Cloud Directory. It uses the Cloud Directory password when a regular user is provisioned to the application. Federated users receive a generated password when provisioned to the application.
      Generate password
      This option generates a random password for the provisioned account. The password is based on the Cloud Directory password policy.
      None
      This option provisions the account without a password.
    4. Select the check box to specify whether to send an email notification to the user when the account is provisioned.
    5. Select the grace period.
      Account deprovisioning can be scheduled to run after a specified grace period. This option is configurable if deprovisioning is enabled and the deprovisioning action is configured to delete the account. Select the number of days that the account can be maintained in a suspended state after its entitlement is removed. The default setting is 30 days.
    6. Select the deprovision action.
      This option is configurable when deprovisioning is enabled. Choose whether to suspend or delete the account. If deprovisioning is disabled, the deprovisioning action is deactivated.
  2. Optional: Select an application profile.
    If you want to create a profile, click Create new application profile to start the profile wizard. See Managing application profiles.
  3. Configure API authentication.
    The fields that are displayed depend on the application that you are configuring the account lifecycle for. The information for these fields can be obtained by following the account lifecycle configuration instructions that are provided.
    1. Complete the configuration instructions that are provided for the application.
    2. Provide the authentication information for the fields from the configuration procedure.
    3. Click Test Connection to verify whether a connection to the target endpoint can be established with the configured credentials.
  4. In Attribute Mappings, assign a corresponding Verify user attribute for each of the application attributes.
    Map the attributes based on the application requirements. Attribute mapping controls how the application consumes the user attributes from Verify. The attributes are populated with whatever values are held by the mapped Verify user attribute. To create a custom rule for attribute mapping, see Creating a custom rule for attribute mapping.
    1. Select the Verify attribute from the menu.
    2. Optional: Select a transform for the value.
      You can choose to transform the value with any of the built-in transformations that are provided in the Transformation menu. The default setting is None, which means that the value is passed unchanged. With scripting support, you can create a custom transform to transform the Verify attribute value and set it to the Target attribute. See Creating a custom rule for attribute mapping.
    3. Select the Target attribute from the attribute menu.
    4. Optional: If the application supports the feature, select the Keep value updated check boxes for the attributes that you want to be updated when changes occur in IBM Security Verify.
      Attribute value changes to the user's profile automatically overwrite the corresponding attribute values in the target application. For certain attribute values like user_name that cannot be changed, the check box is inactive.
    Note:
    • Whenever a user is disabled or enabled in Verify, Verify suspends or restores the account on the target application.
    • When a custom rule is specified for attribute mapping, a built-in transformation cannot be applied to it.
    • Map the same target and Verify attributes in the reverse attribute map.
    • These attribute mappings are used for account provisioning and account synchronization on the target application.
  5. Click Save.
    If you did not test the connection previously, you are prompted to do so, or to save your information with the provisioning policies disabled.
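
The deprovisioning settings in step 1 imply a state that each target account should be in after an entitlement is removed. The following added example is not IBM code and calls no Verify API. It models those settings and flags accounts whose state on the target does not match. The Policy class, the field names, the state labels, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Policy:                          # hypothetical model of the step 1 settings
    deprovisioning_enabled: bool = True
    action: str = "delete"             # "suspend" or "delete"
    grace_days: int = 30               # default grace period stated on the page

def expected_state(policy, removed_on, today):
    """State the target account should be in; None means Verify does not manage it."""
    if removed_on is None:
        return "active"                # entitlement is still assigned
    if not policy.deprovisioning_enabled:
        return None                    # account is deprovisioned outside of Verify
    if policy.action == "suspend":
        return "suspended"
    # Delete action: suspended during the grace period, deleted afterwards.
    # Assumption: deletion is due once grace_days full days have elapsed.
    if today < removed_on + timedelta(days=policy.grace_days):
        return "suspended"
    return "deleted"

def find_drift(accounts, policy, today):
    """Return (user, expected, actual) for accounts that do not match the policy."""
    findings = []
    for acct in accounts:
        want = expected_state(policy, acct["entitlement_removed_on"], today)
        if want is not None and acct["target_state"] != want:
            findings.append((acct["user"], want, acct["target_state"]))
    return findings

# Constructed sample data, not a real Verify or target-application export.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "entitlement_removed_on": None, "target_state": "active"},
    {"user": "bob", "entitlement_removed_on": date(2024, 5, 20), "target_state": "suspended"},
    {"user": "carol", "entitlement_removed_on": date(2024, 5, 20), "target_state": "active"},
    {"user": "dave", "entitlement_removed_on": date(2024, 4, 1), "target_state": "suspended"},
]

if __name__ == "__main__":
    for user, want, actual in find_drift(SAMPLE_ACCOUNTS, Policy(), date(2024, 6, 1)):
        print(f"{user}: expected {want}, target reports {actual}")
```

An account that is still active after its entitlement was removed, or still present after the grace period, is the drift that this check surfaces for review.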