Monday, December 7, 2009

OIM Service Account vs Normal Account

1. Service Account

Events:
Service Account Alert
Service Account Changed
Service Account Moved


2. Normal Account
Triggers:
Lookup.USR_PROCESS_TRIGGERS

We can configure a trigger for a normal account, so that the resource profile
is changed when the OIM profile changes.

e.g.
Code Decoded
USR_PASSWORD - Change User Password

We add "Change User Password" as a process task name to the process definition.
Once USR_PASSWORD is changed in the OIM account, the process task
"Change User Password" is triggered to run.



3. Differences:
The trigger lookup Lookup.USR_PROCESS_TRIGGERS has no effect on a Service Account,
and
the Service Account events won't be triggered for a normal account.



4. More Explanation of Service Account Events:
Service Account Alert - Triggered when the OIM account of the target service
account's owner is disabled or deleted.

Service Account Changed - Triggered when the service account type is changed,
e.g. from Regular Account to Service Account, or from Service Account to Regular
Account.

Service Account Moved - Triggered when the service account's owner is changed.

5. Use Service Account Event to Update Target Resource Profile
This is an example:
a). We defined the process task "Change Description" in the service account
provisioning process. This task changes the process data "Description".

b). We defined the process task "Change Group Owner ID". This task changes the process
data "Group Owner ID".

c). We configured "Service Account Alert" in that process.

d). We set "Tasks to Generate" to "Change Description" and "Change Group Owner ID"
for the response "true" of the process task "Service Account Alert", so that the tasks
we defined in steps a and b are triggered once the "Service Account Alert" task is
completed, meaning right after service account ownership is transferred.

e). Then we disable the user's OIM account. The "Service Account Alert" task is
triggered, and "Change Description" and "Change Group Owner ID" run after it
because the owner has been changed.
