Colleagues, a customer has requirements on managing technical accounts in CA Identity Manager (creation, assignment to one or multiple users, deactivation if the last user is unassigned, etc.). We discussed their current approach of having those accounts linked to [default user], but as they have thousands of such accounts, this does not help them much, as it is quite a mess. What the customer would like to achieve is the detection, management, assignment and removal of orphan (mainly technical/system) accounts across endpoints connected to CA IM, to have a clear view of them with easy reporting and audits.
Based on my investigation and internal discussion it seems we could propose to use the correlation rules (see Create Correlation Rules - CA Identity Manager - 14.1 - CA Technologies Documentation), but as I did not work with those yet, I am not sure if this would be the way.
Does any of you have experience with this, either with correlation rules and their usage for account assignments, or by any other means in CA Identity Manager?
Can you please tell me a little bit more about the goal you're trying to achieve with this? Do you want all of your technical accounts to be under a single global user who is not your [default user]? If so, you can use correlation rules to do this if all of the endpoint accounts have something in common, such as the same last name or the same UID. Your environment already uses correlation rules to bind endpoint accounts to their global users when you perform an E&C; you'd just need to add an additional rule to accommodate these technical accounts.
Did you also want to remove all of the service accounts from under your [default user]? If so, you can actually delete [default user] entirely (do NOT select delete with accounts, this will delete the accounts as well) and it will unbind all of the accounts allowing them to be re-correlated to new users.
The requirement of the customer is to manage the lifecycle of a few thousand technical accounts in such a way that:
- they are detected at the endpoints and imported to CA IM
- each technical account is assigned to one or multiple users (admins) based on some rules / workflows
- if the last user (admin) is unassigned from the particular technical account, the account is deactivated (but not deleted)
- the technical accounts and assigned users can be listed / reported on request
- preferably, no technical accounts shall stay under [default user]
So the use case is not CA PAM for access management to technical accounts (this will be in the future), but the real lifecycle management.
Is this something CA IM can manage without much customizations?
How do you identify automatically whether a specific account is a technical account? Based on which business rules do you determine which corporate users are the owners of each technical account?
If all the above logic can be automated, I suggest the following to manage your requirements:
1. I would create a relational database endpoint with at minimum the following tables:
- technical accounts - contains technical account ID, endpoint type, endpoint name, other needed information
- Owners - contains userID of the IM corporate user at minimum
- Relationships - a membership table with a many-to-many relationship. Here I would insert technicalAccountID in one column and OwnerID in another column
2. I would acquire the above database as a JDBC endpoint with Connector Xpress and would provision it from Identity Manager
3. Every time a technical account is explored from a target system and created in the IM user store (assuming you can determine automatically when an account is technical and who the owner should be), I would trigger identity policies / Policy Xpress policies to provision this technical account to the above JDBC endpoint's technical accounts table; then the automatically resolved owners would be inserted into the Owners table and the relationship between the owners and technical accounts into the Relationships table.
This way you can manage multiple owners per technical account, and you can remove or update owners. When a corporate user (owner) is terminated in IM, you can check via Policy Xpress whether he owns any accounts and do something, which could be setting the technical account owner to the leaver's managerID, or setting the owner to null in the database Relationships table and at the same time disabling the technical account on the target system.
I hope this makes sense and you'd find it helpful.
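As an added example (not part of this thread and not CA code), the owner registry sketched in the post above can be modelled in an in-memory SQLite database so that the lifecycle rules can be exercised before the real database is acquired as a JDBC endpoint. The table and column names, the `TA-n` account IDs, the admin user names and the rule that gaining an owner re-enables a previously disabled account are all assumptions; the real inserts and updates would be issued by Policy Xpress against the JDBC endpoint.

```python
import sqlite3

# Added example, not CA code: SQLite stand-in for the registry database the post
# proposes acquiring as a JDBC endpoint. Table and column names are assumptions.
SCHEMA = """
CREATE TABLE technical_accounts (
    tech_account_id TEXT PRIMARY KEY,
    endpoint_type   TEXT NOT NULL,
    endpoint_name   TEXT NOT NULL,
    account_name    TEXT NOT NULL,
    status          TEXT NOT NULL DEFAULT 'active'
                    CHECK (status IN ('active', 'disabled')),
    UNIQUE (endpoint_type, endpoint_name, account_name)
);
CREATE TABLE owners (
    owner_id TEXT PRIMARY KEY          -- IM corporate user ID
);
CREATE TABLE relationships (           -- many-to-many membership table
    tech_account_id TEXT NOT NULL REFERENCES technical_accounts(tech_account_id),
    owner_id        TEXT NOT NULL REFERENCES owners(owner_id),
    PRIMARY KEY (tech_account_id, owner_id)
);
"""


def open_registry():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # no relationship may point at a missing row
    conn.executescript(SCHEMA)
    return conn


def register_account(conn, acct_id, endpoint_type, endpoint_name, account_name):
    """Step 3 of the post: an explored account judged to be technical lands here."""
    conn.execute("INSERT INTO technical_accounts VALUES (?, ?, ?, ?, 'active')",
                 (acct_id, endpoint_type, endpoint_name, account_name))


def assign_owner(conn, acct_id, owner_id):
    conn.execute("INSERT OR IGNORE INTO owners VALUES (?)", (owner_id,))
    conn.execute("INSERT OR IGNORE INTO relationships VALUES (?, ?)", (acct_id, owner_id))
    # Assumption: an account that gains an owner again is re-enabled.
    conn.execute("UPDATE technical_accounts SET status = 'active' WHERE tech_account_id = ?",
                 (acct_id,))


def owner_count(conn, acct_id):
    return conn.execute("SELECT COUNT(*) FROM relationships WHERE tech_account_id = ?",
                        (acct_id,)).fetchone()[0]


def unassign_owner(conn, acct_id, owner_id):
    """Remove one owner. Returns True when it was the last one: the account is then
    marked disabled here (never deleted) and the caller must also disable it on
    the target endpoint."""
    conn.execute("DELETE FROM relationships WHERE tech_account_id = ? AND owner_id = ?",
                 (acct_id, owner_id))
    if owner_count(conn, acct_id) == 0:
        conn.execute("UPDATE technical_accounts SET status = 'disabled' "
                     "WHERE tech_account_id = ?", (acct_id,))
        return True
    return False


def terminate_owner(conn, owner_id, manager_id=None):
    """Leaver handling from the post: hand each owned account to the leaver's
    manager when given, otherwise let it fall to zero owners and be disabled.
    Returns the accounts that ended up disabled."""
    owned = [r[0] for r in conn.execute(
        "SELECT tech_account_id FROM relationships WHERE owner_id = ?", (owner_id,))]
    disabled = []
    for acct_id in owned:
        if manager_id is not None:
            assign_owner(conn, acct_id, manager_id)   # reassign before unassigning
        if unassign_owner(conn, acct_id, owner_id):
            disabled.append(acct_id)
    conn.execute("DELETE FROM owners WHERE owner_id = ?", (owner_id,))
    return disabled


def ownership_report(conn):
    """Audit view: every technical account with its status and sorted owner list."""
    report = {}
    for acct_id, status in conn.execute(
            "SELECT tech_account_id, status FROM technical_accounts ORDER BY tech_account_id"):
        owners = [r[0] for r in conn.execute(
            "SELECT owner_id FROM relationships WHERE tech_account_id = ? ORDER BY owner_id",
            (acct_id,))]
        report[acct_id] = (status, owners)
    return report


def demo():
    """Constructed sample data: two service accounts, two admins, one leaver."""
    conn = open_registry()
    register_account(conn, "TA-1", "ActiveDirectory", "corp-ad", "svc_backup")
    register_account(conn, "TA-2", "Oracle", "hr-db", "APP_BATCH")
    assign_owner(conn, "TA-1", "admin.alice")
    assign_owner(conn, "TA-1", "admin.bob")
    assign_owner(conn, "TA-2", "admin.bob")
    # bob leaves with no manager given: TA-1 keeps alice, TA-2 loses its last owner
    disabled = terminate_owner(conn, "admin.bob")
    return ownership_report(conn), disabled


if __name__ == "__main__":
    print(demo())
```

The `disabled` list returned by `unassign_owner` and `terminate_owner` is the hook for the second half of the post's rule: whatever calls these functions (in the real setup, a Policy Xpress policy) uses it to push the disable operation to the target system, while the row itself stays in `technical_accounts` for reporting.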
Yes, this makes sense, thank you! I will propose this to the partner and to the customer.