IGA Account Management
This use case outlines account management scenarios for an IGA solution, focusing on administrative users.
Account management is a critical aspect of administration, particularly when user accounts are created, updated, or removed in directories. In account management, the IGA admin defines the corresponding settings for each user type specified in work period management. Work period management outlines the actions to be taken when information is received by the IGA solution, while account management specifies what information is provisioned to the directories.

In account management, the IGA admin can define settings such as the ones listed below (for the complete list, see the “Account Management Settings” chapter):
- General and directory information: which directory these settings apply to.
- Birth rights: which access rights (entitlements or business roles) are granted when a user account is created for the first time.
- Email settings: which attributes from the user's work period(s) are used when the email address is generated for the user.
- Password settings: allowed and denied characters, password length, and where the first-time password is delivered.
- Validation and reminder settings: how long the account can be active, when the manager receives a renewal request, and reminders in case the request is not answered.
- Account settings: which attributes from the user's work period(s) are used for generating directory-related attributes.
- Communication: how and who is informed about new user creation, user information updates, and departing user information updates.
- Departing user settings: when the end date occurs, when the account is disabled, and when access rights are removed.
Use Case Descriptions
Use Case Description
This use case allows the IGA admin to define and modify account management settings (on the IGA set account information data card) for creating, updating, or removing accounts in directories. It requires that the work period management settings are configured and that personal and employment information for users is received from the source system(s).
| Description | |
|---|---|
| Overview | This use case describes how the IGA admin defines and changes account management settings, which are used for creating, updating and removing accounts in the directory/directories. |
| Operators | IGA admin |
| Prerequisites | Work period management settings are configured; personal and employment information for users is received from the source system(s). |
| Result | The IGA admin has defined or changed account management rules. |
| Create new settings | |
| Update existing settings | |
| Inactivate existing settings | |
Account Management Settings
The IGA admin changes account management settings on the IGA set account information data card; the available settings depend on the directory in question (for example, AD requires an OU path).
Work period management settings are described in the user lifecycle management article.
User with one work period and one account
- Create an IGA set account information data card whose user type and directory information match the IGA work period data card settings, where the number of work periods is set to "one" and one directory is selected.
- Create as many IGA set account data cards as there are user types that need different account attributes.
User with one (1) work period and several accounts
- Create an IGA set account information data card whose user type and directory information match the IGA work period data card settings, where the number of work periods is set to "one" and several directories are selected.
- Create IGA set account information data cards according to:
  - how many directories accounts are created in per user;
  - how many accounts with different settings are created per user.
User with several work periods & one (1) account
- Create an IGA set account information data card whose user type and directory information match the IGA work period data card settings, where the number of work periods is set to "multiple" and one directory is selected.
- Create as many IGA set account data cards as there are user types that need different account attributes, or as are needed when different work periods require different types of directory accounts.
User with several work periods and several accounts
- Create IGA set account information data cards according to:
  - how many directories accounts are created in per user;
  - how many accounts with different settings are created per user.
User with one work period and one account (for access right management)
- No account management settings are needed when the user lifecycle management use cases are not implemented and only the access right management use cases are used.
Primary account calculation
The primary account is calculated automatically (the calculation is on the person data card) and is needed for several reasons. For example:
- Information from the primary account is shown on the user's person data card.
- Users log in to Self-Service and to the IGA solution using the primary account related to their person data card.
The IGA solution contains a pre-defined primary account calculation:
- If the user has one account, it is always calculated as primary.
- If the user has two (2) or more accounts:
  - The primary account is the first created account, based on creation date.
  - If the creation dates are the same, the primary account is the one without an expiration date.
  - If both have an expiration date, the primary account is the one valid for longer.
- If the primary account cannot be calculated automatically, the IGA admin can define the primary account for the user from the user's account data card:
  - Remove the primary account information from the existing primary account first, and then update the primary information on the correct account data card.
  - IGA admin instructions can be found in the user lifecycle management article, under the IGA admin use cases chapter.
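The pre-defined calculation above, carried through in order as an added Python example (not code from the IGA solution). A result of None is the case where the admin has to set the primary account manually; the Account type and the manual fallback function are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    """One directory account linked to a person data card (constructed sample type)."""
    name: str
    created: date
    expires: Optional[date] = None   # None: the account has no expiration date
    primary: bool = False


def choose_primary(accounts: List[Account]) -> Optional[Account]:
    """Apply the pre-defined rules in order; None means the IGA admin must decide manually."""
    if not accounts:
        return None
    if len(accounts) == 1:
        return accounts[0]
    # Rule 1: the first created account (by creation date) is primary.
    earliest = min(a.created for a in accounts)
    candidates = [a for a in accounts if a.created == earliest]
    if len(candidates) == 1:
        return candidates[0]
    # Rule 2: same creation date -> the account that has no expiration date.
    open_ended = [a for a in candidates if a.expires is None]
    if len(open_ended) == 1:
        return open_ended[0]
    if open_ended:
        return None  # several open-ended accounts: the rules cannot decide
    # Rule 3: both expire -> the one valid for longer.
    latest = max(a.expires for a in candidates)
    longest = [a for a in candidates if a.expires == latest]
    return longest[0] if len(longest) == 1 else None


def set_primary_manually(accounts: List[Account], name: str) -> List[str]:
    """Admin fallback described above (assumed helper): clear the flag on the old primary
    first, then set it on the chosen account data card. Returns the names flagged primary."""
    for a in accounts:
        a.primary = False
    target = next(a for a in accounts if a.name == name)
    target.primary = True
    return [a.name for a in accounts if a.primary]
```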
Available settings
| Class name | Attribute | Description | Value(s) | Directory |
|---|---|---|---|---|
| General and directory information | Status | Whether the rule is in use (Active) or not (Inactive). Default is Active. | Active, Inactive | All |
| | Name | Name of the setting. | | All |
| | Description | Optional description of the account settings. | | All |
| | Target System | Target system for account provisioning, selected from the list. | AD, Entra ID (Azure AD), OpenLDAP, IBM LDAP, HR system, Jira, Manual target system | All |
| | User type | User type for the new account, selected from the list. The user type is an attribute of the user; accounts for users carrying that attribute are created according to these rules and settings. | Employee, External admin user, External consultant, External project manager, Guest, Internal, Other, Privileged, Trainee | All |
| | Language rule | How umlauts are converted for directory attributes. Default is the International rule. International rule: ü = u, ä = a, ö = o. German rule: ü = ue, ä = ae, ö = oe. | International rule, German rule | All |
| Birth rights | Entitlements | Entitlements the account gets automatically when created. Provisioning type must be automatic for these entitlements. | List of active entitlements | All |
| | Business roles | Business roles the account gets automatically when created. Provisioning type must be automatic for all IGA entitlements and sub-roles added to the business role. | List of active business roles | All |
| Email settings | Email rule | Ready-made options for which attributes are used when the user's email address is created. | first name.last name, last name.spoken name, spoken name.last name | All |
| | Email domain | Domain the account gets automatically when created. The email domain is the part of the email address after the “@” symbol. | | All |
| | Is there email prefix? | Select “Yes” if a prefix is added to the email address. | Yes, No | All |
| | Email prefix | Prefix added to the user's email address before the name. Example: Ext-name.name@example.com | | All |
| | Is there email suffix? | Select “Yes” if a suffix is added to the email address. | Yes, No | All |
| | Email suffix | Suffix added to the user's email address after the name. Example: name.name.suffix@example.com | | All |
| Account settings | Account type | Select the account type. | Normal account, Privilege account, Physical account, Other, Service account | All |
| | Users with same name rule | Character used in the email address for users with the same name. | First letter of middle name, Sequential number, Standard value | All |
| | Define standard value | The standard value, used when “Standard value” is selected in the “Users with same name rule” field. | | All |
| | Manual interruption when same name | When users have the same first and last name, the IGA admin can decide whether the email address is generated automatically with an extra character, or whether the workflow stops so that the admin completes the email address in the related IGA admin task. | Check box | All |
| | Common Name (CN) / DN rule | Ready-made options for which attributes are used when the CN is created. | First name Last Name, Last Name First name, Last Name Spoken name, Spoken name Last Name | AD, OpenLDAP |
| | Add prefix for CN | Choose “Yes” if a prefix is needed for the CN. | | AD, OpenLDAP |
| | Common name (CN) prefix | Displayed if “Add prefix for CN” has a value; select the prefix from the list. | Company name, Title | AD, OpenLDAP |
| | Display Name (dn) rule | Ready-made options for which attributes are used when the display name is created. | First name Last name, Last Name First name, Last Name Spoken name | All |
| | Add prefix for dn | Choose “Yes” if a prefix is needed for the display name. | | All |
| | Display Name (dn) prefix | Displayed if “Add prefix for dn” has a value; select the prefix from the list. | Company name, Title | All |
| | Distinguished Name (DN) rule | Ready-made options for which attributes are used when the DN is created. | First name + Last Name, Last Name + First name, Last Name + Spoken name, Spoken name + Last Name | AD, OpenLDAP |
| | Add prefix for DN | Choose “Yes” if a prefix is needed for the DN. | | AD, OpenLDAP |
| | Distinguished Name (DN) prefix | Displayed if “Add prefix for DN” has a value; select the prefix from the list. | Company name, Title | AD, OpenLDAP |
| | UPN rule | Ready-made options for which attributes are used when the UPN is created. | First name + Last Name, Last Name + First name, Last Name + Spoken name, Spoken name + Last Name | All |
| | Add prefix for UPN | Choose “Yes” if a prefix is needed for the UPN. | | All |
| | UPN prefix | Displayed if “Add prefix for UPN” has a value; select the prefix from the list. | Company name, Title | All |
| | SamAccount rule | Ready-made options for which attributes are used when the SamAccountName is created. | First name + Last Name, Random (letters), Random (numbers), Random (numbers&letters), Spoken name + Last Name | AD |
| | SamAccount length | Length used when random letters, numbers, or both are in use. | | AD |
| | Add prefix for SAM | Choose “Yes” if a prefix is needed for the SAM. | | AD |
| | SamAccount prefix | Displayed if “Add prefix for SAM” has a value; select the prefix from the list. | Company name, Title | AD |
| | Add suffix for SAM | Choose “Yes” if a suffix is needed for the SAM. | | AD |
| | SamAccount suffix | Displayed if “Add suffix for SAM” has a value; select the suffix from the list. | Company name, Title | AD |
| | OU for users | OU in which the user is created, or to which the user is moved, when created or updated. | | AD, OpenLDAP |
| | Review before provisioning to directory | Select “Yes” if the IGA Service Request must be reviewed manually before provisioning to the directory/directories. | | All |
| Password Settings | Password length | Number for the password length. A strong password is at least 12 characters long, but 14 or more is better. | | All |
| | Special characters that are allowed for password | List of allowed special characters for the password. | The list contains common characters, for example #, $, &, \ | All |
| | Characters that are denied in password | The IGA admin can add any character to be denied in the password; the recommendation is to deny at least 0, 1, o, O, L, l, i, I. If the same character is both allowed and denied, it is denied. | | All |
| | First time password receiver | Receiver of the first-time password. | Email to the user's email address (requires that the email address is in the IGA solution and email settings are configured); Manager; None, password is not delivered; Text message to the user's phone number (requires that phone numbers are in the IGA solution and the Customer has its own SMS gateway service) | All |
| Settings for departing user | Set as disabled | Number of days after the end date when the account is disabled. | | All |
| | Remove access rights | Number of days after the end date when the access rights related to the account are removed. | | All |
| | Remove manual access rights | Number of days after the end date when manual access rights are removed. | | All |
| | Move to disabled OU | Number of days after the end date when the account is moved to the disabled OU. | | AD, OpenLDAP |
| | OU for disabled user | OU to which the user is moved when disabled. | | AD, OpenLDAP |
| | Restore account's access rights if returns | If the user returns after the access rights have been removed and the departing user process is still ongoing, the previous access rights are restored when this is set to “Yes”. | | All |
| Validation | Maximum validation | Maximum validity (days) for how long the account is active before the IGA solution disables it, regardless of the end date of the user's work period. If no validity is set, the account remains active without a validity limit. This setting is commonly used for external user types. | | All |
| | Send renewal reminder | How many days ahead the renewal request is sent to Self-Service for manager approval. The IGA solution automatically suggests a new validity based on the maximum validation days on the IGA Set Account Information data card; the manager can only approve or decline the suggested validity. | | All |
| | Send second reminder | How many days ahead the second renewal reminder is sent to the manager (email notification). | | All |
| | Email licenses removed after | Number of days after the employment end date when email-related entitlements are removed. | | All |
| | Email license group(s) | Email license groups that are removed when the user is departing. | List of entitlements | All |
| Communication | Email content for each receiver | Different email templates can be used when information about a new user creation is received. | Basic: information without sensitive data (Customer defines the email content); Secure: information with sensitive data (Customer defines the email content) | All |
| | User information send | How many days ahead information is sent to all receivers when a new account is created or departing user information is received. If no days are set, the information is sent when the start or end date occurs. | | All |
| | User creation information receiver | Ready-made options for email receivers. | Team, Email address(es) | All |
| | User creation information receiver team | Select the team that receives the ticket about the new user creation. | List of teams in Efecte | All |
| | User creation information receiver emails | Email addresses to which information about the new user creation is sent. | | All |
| | Departing user information receiver | Different email templates can be used when information about a departing user is received. If none is selected, no email is sent. | Team, Email address(es) | All |
| | Departing user information receiver emails | Email addresses to which information about the departing user is sent. | | All |
| | Departing user information receiver team | Select the team that receives the ticket about the departing user. | List of teams in Efecte | All |
| | User update information receiver | Different email templates can be used when information about user changes is received. If none is selected, no email is sent. | Team, Email address(es) | All |
| | User update information receiver team | Select the team that receives the ticket about the user update. | List of teams in Efecte | All |
| | User update information emails | Email addresses to which information about the user update is sent. | | All |
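The email settings and the “Users with same name” rows above, applied to one person record, as an added Python example that is not the product's code. The umlaut mappings, rule names and the prefix/suffix placement follow the table; the settings keys, the normalize() helper, where the extra same-name character is placed, and starting the sequential number at 2 are assumptions.

```python
import re

# Language rule conversions exactly as the settings table describes them.
UMLAUT_RULES = {
    "International rule": {"ü": "u", "ä": "a", "ö": "o"},
    "German rule": {"ü": "ue", "ä": "ae", "ö": "oe"},
}
# Email rule options from the table, mapped to the person attributes they join.
EMAIL_RULES = {
    "first name.last name": ("first_name", "last_name"),
    "last name.spoken name": ("last_name", "spoken_name"),
    "spoken name.last name": ("spoken_name", "last_name"),
}


class SameNameInterrupt(Exception):
    """Workflow stop for the IGA admin task ('Manual interruption when same name')."""


def normalize(value, language_rule):
    """Lower-case a name part and apply the language rule; other non-ASCII is dropped (assumption)."""
    value = value.lower()
    for src, dst in UMLAUT_RULES[language_rule].items():
        value = value.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", value)


def generate_email(person, settings, existing):
    """Return a unique address for `person` (existing = lower-cased addresses already in use)."""
    parts = EMAIL_RULES[settings["email_rule"]]
    name = ".".join(normalize(person[attr], settings["language_rule"]) for attr in parts)
    prefix = settings.get("email_prefix", "") if settings.get("has_prefix") else ""
    # Assumption: the suffix is dot-separated after the name, as in name.name.suffix@example.com
    suffix = "." + settings["email_suffix"] if settings.get("has_suffix") else ""
    domain = settings["email_domain"]

    def build(extra=""):
        # Assumption: the same-name character is appended to the name, before any suffix.
        return f"{prefix}{name}{extra}{suffix}@{domain}"

    if build().lower() not in existing:
        return build()
    if settings.get("manual_interruption"):
        raise SameNameInterrupt(build())  # admin completes the address in the IGA admin task
    rule = settings["same_name_rule"]
    if rule == "Sequential number":
        n = 2  # assumption: the second user with the same name gets number 2
        while build(str(n)).lower() in existing:
            n += 1
        return build(str(n))
    if rule == "First letter of middle name":
        extra = normalize(person.get("middle_name", ""), settings["language_rule"])[:1]
    elif rule == "Standard value":
        extra = settings["standard_value"]
    else:
        raise ValueError(f"unknown same name rule: {rule}")
    if not extra or build(extra).lower() in existing:
        raise SameNameInterrupt(build(extra))  # assumption: still not unique -> admin task
    return build(extra)
```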
Delivery Instructions
Configuration Instructions
IGA set account data cards are used by the workflow to validate settings related to directory account creation and updates. Therefore, no configuration is needed unless changes are made to the actual settings.
Follow the Account Management Settings chapter to create new settings for different user types.
Relations to other use cases:
Create new users (on-boarding)
Update user information
Update departing user information
Self-Service: create new users, update user information, update departing user information
System- and Approval-testing Instructions
This use case is tested as part of user lifecycle management, when users are created or updated or the departing user process is started. Use the same test users, but at the end of the processes validate from the directory/directories that the users are created/updated correctly and that they can log in to Self-Service.
- Test user creation/update according to the user lifecycle management or Self-Service (create/update user information, update departing user information) use cases.
- When a new user is created, allocate Self-Service access for the user.
- Log in to the customer's directory/directories:
  - Validate that the new user account is created correctly:
    - Account attributes are generated according to the settings on the IGA set account information data card.
    - Generated attributes are provisioned to the correct account attributes in the directory.
    - The account is activated according to the work period start date; if the start date is in the past, the account is active immediately.
    - Birth rights are granted according to the IGA set account information settings.
    - If the directory uses an OU structure, validate that the user is created in the correct OU path.
    - Communication is made according to the IGA set account information settings; validate the email content as well.
  - Validate that user information is updated correctly:
    - If the user's personal information (the user's names) is changed, validate that the account attributes based on the user's name attributes are re-generated correctly according to the settings on the IGA set account information data card.
    - If the user's employment information is changed:
      - Validate that the account attributes related to the user's work period information are updated correctly.
      - Generated attributes are provisioned to the correct account attributes in the directory.
      - If the directory uses an OU structure, validate that the user is moved to the correct OU path.
      - Communication is made according to the IGA set account information settings; validate the email content as well.
  - Validate that departing user information is updated correctly:
    - The employment date is updated in the directory/directories.
    - Account(s) are disabled according to the IGA set account information data card.
    - If the directory uses an OU structure, validate that the user is moved to the correct OU path.
    - Communication is made according to the IGA set account information settings; validate the email content as well.
- Log in to Self-Service with a user who has Self-Service access:
  - Validate that the user can log in to Self-Service.
  - Validate, according to the manage IGA solution users use case, that the user has access only to the services defined in that use case.
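For the departing user validation steps above, the “Settings for departing user” and “Validation” rows of the settings table turned into a dated checklist that a tester can compare against the directory. This is an added Python example and not the IGA solution's own code; the action labels, the settings dict layout, and the reading of “process still ongoing” as “last scheduled action not yet reached” are assumptions.

```python
from datetime import date, timedelta

# Row name -> (action label, directories it applies to; None = all), taken from the
# "Settings for departing user" rows of the table. Values in `settings` are day counts.
DEPARTING_ROWS = [
    ("Set as disabled", "disable account", None),
    ("Remove access rights", "remove account access rights", None),
    ("Remove manual access rights", "remove manual access rights", None),
    ("Move to disabled OU", "move to disabled OU", ("AD", "OpenLDAP")),
    ("Email licenses removed after", "remove email license groups", None),
]


def account_timeline(settings, created, end_date, directory):
    """Return sorted (date, action) pairs the IGA solution should carry out for one account.

    Missing keys in `settings` mean the row is not configured. The Validation rows disable
    the account 'Maximum validation' days after creation even if the work period end date
    is later (or absent), with the renewal reminders sent ahead of that date.
    """
    events = []
    for row, action, dirs in DEPARTING_ROWS:
        if end_date is not None and row in settings and (dirs is None or directory in dirs):
            events.append((end_date + timedelta(days=settings[row]), action))
    max_days = settings.get("Maximum validation")
    if max_days is not None:
        expiry = created + timedelta(days=max_days)
        scheduled = [d for d, a in events if a == "disable account"]
        if not scheduled or expiry < scheduled[0]:
            events = [(d, a) for d, a in events if a != "disable account"]
            events.append((expiry, "disable account"))
        for row, action in (("Send renewal reminder", "renewal request to manager"),
                            ("Send second reminder", "second reminder to manager")):
            if row in settings:
                events.append((expiry - timedelta(days=settings[row]), action))
    return sorted(events)


def actions_due(timeline, today):
    """Actions whose date has been reached: what a tester should already see in the directory."""
    return [action for when, action in timeline if when <= today]


def should_restore_access(settings, timeline, returned_on):
    """'Restore account's access rights if returns' applies only when the user returns after
    the access rights were removed and the departing process has not finished yet (assumption:
    finished = the last scheduled action's date has been reached)."""
    if settings.get("Restore access rights if returns") != "Yes":
        return False
    removed = [d for d, a in timeline if a == "remove account access rights"]
    if not removed:
        return False
    return removed[0] <= returned_on < max(d for d, _ in timeline)
```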