IBM Verify

  • 1.  Suspending person and accounts (with different ownership types)

    Posted 13 hours ago

    Hi everyone,

    I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

    During tests, I've seen that suspending a person having:

    • itim acct
    • account1 on service1 (individual ownership)
    • account1 on service2 (individual ownership)
    • account1b on service2 (custom ownership)

    leaves account1b still active.

    I see in the request's audit trail that the suspend operation (for account1b) has not even been called.

    What am I missing, in your opinion?

     



    ------------------------------
    Andrea Gatto
    ------------------------------


  • 2.  RE: Suspending person and accounts (with different ownership types)

    Posted 13 hours ago

    mmm, I've just found an almost negative answer in this other post:

    "Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...



    ------------------------------
    Andrea Gatto
    ------------------------------



  • 3.  RE: Suspending person and accounts (with different ownership types)

    Posted 11 hours ago

    Let me explain the historical logic behind that:

    The ownershiptypes were developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence, when a Person owning these accounts was suspended, the default use case, to avoid operational issues, was defined as exempting the ownershiptypes from suspend/restore.

    I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

    Just let me know what you prefer here...

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Architect - Certified Consulting IT Specialist
    IBM Expert Labs
    ------------------------------



  • 4.  RE: Suspending person and accounts (with different ownership types)

    Posted 11 hours ago
    Hi all, if you want to suspend all accounts, you have to define the new ownership type marking the option Individual.
    You cannot delete accounts of which you are not the individual owner.

    Roberto Cristaldo
    Consultor Informatico RMI S.R.L





  • 5.  RE: Suspending person and accounts (with different ownership types)

    Posted 10 hours ago

    That is not correct - that is the default behavior. 

    What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

    So basically the logic should be:

    • Find all owned accounts
    • Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

    Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Architect - Certified Consulting IT Specialist
    IBM Expert Labs
    ------------------------------
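    The two-step logic in the post above (find the owned accounts, then loop and suspend only the non-individual ones), written out as an added example that is not from the thread, from IBM, or from the ISIM product. It does not use the ISIM workflow JavaScript API: the account suspend/restore operation is represented by an injected `operations` object, the custom ownership type name `privileged`, the `FOLLOW_OWNER_TYPES` set and all account DNs are constructed assumptions, and the selected DNs stand for the properties that the real workflow would store as relevant data and feed to its loop node.

```javascript
// Added example, not from the thread or from IBM: a plain-JavaScript model of the
// custom Person suspend/restore step described in the post. In ISIM this would be a
// workflow script node followed by a loop node calling the account suspend/restore
// operation; those calls are represented here by an injected `operations` object
// (hypothetical, constructed for this example).

// Ownership types whose accounts should follow the owner's lifecycle.
// "individual" is NOT listed: the built-in Person suspend/restore already handles
// it, and re-issuing the operation would process those accounts twice.
// "privileged" is an assumed custom ownership type standing in for the poster's
// "custom ownership" account. Sponsored/shared/system-style types are left out on
// purpose, which is the behaviour the thread says the product ships with by default.
const FOLLOW_OWNER_TYPES = new Set(["privileged"]);

// Which account status each action applies to, so the step is idempotent:
// suspending an already suspended account (or restoring an active one) is skipped.
const APPLICABLE_STATUS = { suspend: "active", restore: "suspended" };

// Step 1 of the workflow logic: given the owner's accounts, decide which ones the
// custom step must act on. Returns the account DNs, i.e. the minimal data the
// workflow loop node needs (the "properties" that must be stored as relevant data).
function selectAccountDns(accounts, action) {
  const wanted = APPLICABLE_STATUS[action];
  if (wanted === undefined) throw new Error("unknown action: " + action);
  return accounts
    .filter(a => FOLLOW_OWNER_TYPES.has(a.ownershipType) && a.status === wanted)
    .map(a => a.dn);
}

// Step 2: the loop body. Calls the injected operation once per selected DN and
// returns an audit-style record of what was done, mirroring what one would then
// expect to see in the request's audit trail.
function runOwnerLifecycle(accounts, action, operations) {
  const dns = selectAccountDns(accounts, action);
  const audit = [];
  for (const dn of dns) {
    operations[action](dn); // stands in for the ISIM account suspend/restore operation
    audit.push({ action, dn });
  }
  return audit;
}

// Constructed sample matching the original post: one ITIM account, two individual
// accounts and one custom-ownership account, all owned by the same person.
const SAMPLE_ACCOUNTS = [
  { dn: "erglobalid=1,ou=itim,o=example",     uid: "agatto",    service: "ITIM",     ownershipType: "individual", status: "active" },
  { dn: "erglobalid=2,ou=service1,o=example", uid: "account1",  service: "service1", ownershipType: "individual", status: "active" },
  { dn: "erglobalid=3,ou=service2,o=example", uid: "account1",  service: "service2", ownershipType: "individual", status: "active" },
  { dn: "erglobalid=4,ou=service2,o=example", uid: "account1b", service: "service2", ownershipType: "privileged", status: "active" },
];

// Recording stand-in for the real operations, so the example runs offline.
function recordingOperations() {
  const calls = [];
  return {
    calls,
    suspend: dn => { calls.push("suspend " + dn); },
    restore: dn => { calls.push("restore " + dn); },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const ops = recordingOperations();
  console.log(runOwnerLifecycle(SAMPLE_ACCOUNTS, "suspend", ops));
  // → [ { action: 'suspend', dn: 'erglobalid=4,ou=service2,o=example' } ]
}
```

    Running the suspend action over the sample leaves the three individual accounts alone (the built-in step already covers them) and issues exactly one suspend, for account1b; running restore afterwards over the same set selects only the accounts the custom step suspended, so the two halves stay symmetric as the post asks.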



  • 6.  RE: Suspending person and accounts (with different ownership types)

    Posted 10 hours ago
    OK Franz. I have a question: why is it necessary to suspend an account that isn't an individual account when a person is suspended? After all, it is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended. I actually use that functionality a lot.
    In any case, if you want to define a new type of ownership, you can also define the new type as individual.


    Maybe I'm misunderstanding the problem.







  • 7.  RE: Suspending person and accounts (with different ownership types)

    Posted 9 hours ago

    By utilizing ownershiptypes you can have multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

    This cannot work if both accounts have the individual ownershiptype as they would then be subject to the same policy.

    In the above use case the 2 accounts are personal accounts and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

    From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Architect - Certified Consulting IT Specialist
    IBM Expert Labs
    ------------------------------



  • 8.  RE: Suspending person and accounts (with different ownership types)

    Posted 9 hours ago
    Ok ok Franz, now I understand the problem better.
    Thanks

    --
    Roberto Cristaldo
    Consultor Informatico RMI S.R.L