Hi David,
How do you identify automatically if a specific account is a technical account? Based on which business rules do you determine which corporate users are the owners of each technical account?
If all the above logic can be automated, I suggest the following to manage your requirements:
1. I would create a relational database endpoint with at minimum the following tables:
- Technical accounts: contains technical account ID, endpoint type, endpoint name and other needed information
- Owners: contains the userID of the IM corporate user at minimum
- Relationships: a membership table with a many-to-many relationship. Here I would insert technicalAccountID in one column and OwnerID in another column
2. I would acquire the above database as a JDBC endpoint with Connector Xpress and would provision it from Identity Manager
3. Every time a technical account is explored from a target system and created in the IM user store (assuming you can determine automatically when an account is technical and who the owner should be), I would trigger identity policies / Policy Xpress policies to provision this technical account to the above JDBC endpoint's technical accounts table; then the automatically resolved owners would be inserted into the Owners table and the relationship between the owners and technical accounts into the Relationships table.
This way you can manage multiple owners per technical account, and you can remove / update owners. When a corporate user (owner) is terminated in IM, you can check via Policy Xpress if he owns any accounts and do something (which could be setting the technical account owner to the leaver's managerID, or setting the owner to null in the database Relationships table and at the same time disabling the technical account on the target system).
I hope this makes sense and you find it helpful.
KR
Russi
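Added example (not from Russi's post and not CA Identity Manager code): a sqlite3 sketch of the three-table design above together with the leaver check; the table and column names, the status column and the manager_id fallback are assumptions.

```python
import sqlite3
# Table and column names are assumptions made for this example.
SCHEMA = """
CREATE TABLE technical_accounts (
    technical_account_id TEXT PRIMARY KEY,
    endpoint_type TEXT NOT NULL, endpoint_name TEXT NOT NULL,
    status TEXT NOT NULL DEFAULT 'enabled');
CREATE TABLE owners (
    owner_id TEXT PRIMARY KEY,                       -- IM corporate userID
    manager_id TEXT REFERENCES owners(owner_id));    -- fallback owner when this user leaves
CREATE TABLE relationships (                         -- many-to-many membership table
    technical_account_id TEXT NOT NULL REFERENCES technical_accounts(technical_account_id),
    owner_id TEXT NOT NULL REFERENCES owners(owner_id),
    PRIMARY KEY (technical_account_id, owner_id));
"""

def build_sample_db():
    """Constructed sample data: three owners (carol is the manager) and three technical accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO owners VALUES (?, ?)",
                    [("carol", None), ("alice", "carol"), ("bob", "carol")])
    con.executemany("INSERT INTO technical_accounts VALUES (?, ?, ?, 'enabled')",
                    [("svc_db01", "JDBC", "hr-db"), ("svc_ad01", "ADS", "corp"), ("svc_ldap1", "LDAP", "dir")])
    con.executemany("INSERT INTO relationships VALUES (?, ?)",
                    [("svc_db01", "alice"), ("svc_db01", "bob"), ("svc_ad01", "alice"), ("svc_ldap1", "bob")])
    return con

def process_leaver(con, leaver_id):
    """Termination step: move each owned account to the leaver's manager, or drop the row; orphaned accounts get disabled."""
    row = con.execute("SELECT manager_id FROM owners WHERE owner_id = ?", (leaver_id,)).fetchone()
    manager_id = row[0] if row else None
    owned = [r[0] for r in con.execute(
        "SELECT technical_account_id FROM relationships WHERE owner_id = ?", (leaver_id,))]
    to_disable = []
    for acct in owned:
        con.execute("DELETE FROM relationships WHERE technical_account_id = ? AND owner_id = ?",
                    (acct, leaver_id))
        if manager_id:  # OR IGNORE: the manager may already co-own this account
            con.execute("INSERT OR IGNORE INTO relationships VALUES (?, ?)", (acct, manager_id))
        left = con.execute("SELECT COUNT(*) FROM relationships WHERE technical_account_id = ?",
                           (acct,)).fetchone()[0]
        if left == 0:  # nobody owns it any more: flag it so the target account can be disabled
            con.execute("UPDATE technical_accounts SET status = 'disabled' "
                        "WHERE technical_account_id = ?", (acct,))
            to_disable.append(acct)
    con.commit()
    return sorted(to_disable)
```

Running process_leaver for an owner whose manager is set only re-homes the rows; running it for an owner with no manager is what produces the list of accounts to disable on the target.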