Yes we are using ownership types, but in ISIM 6.0.2 I don't see the option to automatically provision accounts with other ownership types than Individual.
We plan to migrate to ISIM10 later on but we need a way to create multiple accounts on the same service before that, without doing it manually in the GUI.
I'll explain our use case and planned setup briefly:
In addition to the Individual accounts that all our users have on the service, we have 4 other account types that the user should be able to request.
For each of the account types I have set up an ownership type, a role, a provisioning policy and a life cycle rule.
The user is added to the role when the new account is requested.
The life cycle rule filters on role members and triggers an operation that checks if the account already exists. If the account doesn't exist, we fetch the account attributes set by the provisioning policy with AccountManager.getAccountParameters() with the ownership type specified and then create the account.
If the role is removed from the user the account gets deleted since it is no longer allowed.
It works, but of course it would be much nicer (and quicker) if everything could be handled by the provisioning policy.
Best regards
------------------------------
S W
------------------------------
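As an added illustration, not code from this thread and not ISIM workflow code, the following plain Node.js model shows the role -> life cycle rule -> "create if missing, delete when no longer entitled" flow described above. The role-to-ownership-type mapping, the in-memory directory and the user "jdoe" are constructed, and `accountParameters()` only stands in for what the provisioning policy (via getAccountParameters() in ISIM) would compute; no ISIM API is called.

```javascript
// Added example (not from the thread, not ISIM code): a model of the lifecycle-rule
// operation that keeps a user's non-Individual accounts in line with their roles.
// All names, mappings and the directory below are constructed.

// One role per requestable ownership type (constructed names).
const ROLE_TO_OWNERSHIP_TYPE = {
  "Privileged Access": "Admin",
  "Service Account Owner": "Service",
  "Test Account Owner": "Test",
  "Vendor Account Owner": "Vendor",
};

// The account every user has regardless of roles; never touched by reconcile().
const INDIVIDUAL = "Individual";

// Stand-in for the attributes the provisioning policy would produce for one
// ownership type (in ISIM: getAccountParameters() with the ownership type).
function accountParameters(person, ownershipType) {
  return {
    eruid: `${person.uid}-${ownershipType.toLowerCase()}`,
    ownershipType,
    owner: person.uid,
  };
}

// Ownership types the person is currently entitled to through role membership.
function desiredOwnershipTypes(person) {
  const types = new Set();
  for (const role of person.roles) {
    const type = ROLE_TO_OWNERSHIP_TYPE[role];
    if (type) types.add(type);
  }
  return types;
}

// Minimal in-memory account store standing in for the managed service.
class Directory {
  constructor() { this.accounts = []; }
  accountsFor(uid) { return this.accounts.filter((a) => a.owner === uid); }
  add(account) { this.accounts.push(account); }
  remove(eruid) { this.accounts = this.accounts.filter((a) => a.eruid !== eruid); }
}

// Body of the lifecycle-rule operation. Returns the actions taken; a second run
// on unchanged input returns an empty list, so the rule is safe to re-trigger.
function reconcile(person, directory) {
  const desired = desiredOwnershipTypes(person);
  const existing = directory.accountsFor(person.uid); // snapshot before changes
  const actions = [];

  // Create what is entitled but missing (one account per ownership type).
  for (const type of desired) {
    if (!existing.some((a) => a.ownershipType === type)) {
      const params = accountParameters(person, type);
      directory.add(params);
      actions.push({ action: "create", eruid: params.eruid, ownershipType: type });
    }
  }

  // Delete what exists but is no longer entitled; Individual is out of scope.
  for (const account of existing) {
    if (account.ownershipType !== INDIVIDUAL && !desired.has(account.ownershipType)) {
      directory.remove(account.eruid);
      actions.push({ action: "delete", eruid: account.eruid, ownershipType: account.ownershipType });
    }
  }
  return actions;
}

// Constructed scenario: a user with an Individual account is granted two roles,
// the rule runs twice, then one role is removed.
function scenario() {
  const dir = new Directory();
  dir.add({ eruid: "jdoe", ownershipType: INDIVIDUAL, owner: "jdoe" });
  const person = { uid: "jdoe", roles: ["Privileged Access", "Test Account Owner"] };

  const first = reconcile(person, dir);   // two creates: Admin, Test
  const second = reconcile(person, dir);  // nothing to do
  person.roles = ["Privileged Access"];
  const third = reconcile(person, dir);   // one delete: Test
  const remaining = dir.accountsFor("jdoe").map((a) => a.ownershipType).sort();
  return { first, second, third, remaining };
}
```

Taking the snapshot of existing accounts before any change is what makes the two loops independent: an account created in this run can never be deleted in the same run, and re-running the rule on an unchanged user produces no actions.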
Original Message:
Sent: Wed May 04, 2022 03:12 AM
From: Franz Wolfhagen
Subject: ISIM Question: Multiple account for a user on same service...
I am sorry I forgot that - but I have this setup in most of my test systems so I seldom think about it anymore.
It would be nice if this was part of the out-of-the-box setup - but I will not expect our Product Management to support that :-)
Did you have a chance to look into using ownership types? That gives a policy based possibility to handle this that IMHO is much better...
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Tue May 03, 2022 08:42 AM
From: S W
Subject: ISIM Question: Multiple account for a user on same service...
Thanks Franz!
I also had to add 'isimsystem' (the ejbuser) as a user in ISIM with admin privileges for the authentication to work - I saw a post from you about this in another forum post. :)
Best regards,
------------------------------
S W
Original Message:
Sent: Thu April 21, 2022 02:53 AM
From: Franz Wolfhagen
Subject: ISIM Question: Multiple account for a user on same service...
The com.ibm.itim.webclient.util.ITIMPlatformContext is not a documented class - so you are excused :-)
We have had many discussions inside IBM on this topic - I have decided to use it as the risk of this changing is very little and if it would be changed I am pretty sure it would be to make it part of the public APIs.
If you look at the code sample, I always start my script with a set of importPackage statements - I do this for 2 reasons:
- To avoid having to use the full class name in all my scripts
- To show what classes are used - so that these can easily be set up in scriptframework.properties.
Here is my entry for the com.ibm.itim.webclient.util.ITIMPlatformContext class :
ITIM.java.access.util2=com.ibm.itim.webclient.util.*
I forgot one important piece of information: If you are on ISVG 10 IM you can auto-create multiple accounts using the ownership type functionality as it now allows you to also have automatic entitlements: https://www.ibm.com/docs/en/sig-and-i/10.0.0?topic=overview-whats-new-in-this-release
HTH
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Wed April 20, 2022 09:16 AM
From: W Frank
Subject: ISIM Question: Multiple account for a user on same service...
Hi,
We are trying to create multiple accounts for the same user on the same service with different ownership types. We are currently running ISIM 6 where automatic provisioning of accounts with other ownership types than individual is not available.
Using ISIM APIs through TDI, I have managed to create accounts inspired by the code above from Franz.
However, I am struggling to do this from a workflow. In the code above, "ITIMPlatformContext.getInstance()" is used to get the platform.
Where can I find this method?
Any help with how to get platform from within a workflow would be much appreciated!
Best regards
------------------------------
Frank
Original Message:
Sent: Thu June 25, 2020 03:12 PM
From: Franz Wolfhagen
Subject: ISIM Question: Multiple account for a user on same service...
Here we go....
This is more or less how the workflow looks (this is an early version - I also have a delete account loop), with ownership type added as the third argument...
I have not sanitized the code for unsupported API calls - IIRC the loginhelper class is not public and there is a supported alternative - also be aware that I use reflection to instantiate static classes which requires you to remove the blocking in scriptFramework.properties (and beware - I believe the deny is added by applying a FP...)
HTH
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Thu June 25, 2020 02:43 PM
From: Sanjay Sutar
Subject: ISIM Question: Multiple account for a user on same service...
Thank You Franz for quick response.
I will look forward for your sample code.
------------------------------
Sanjay Sutar
Original Message:
Sent: Thu June 25, 2020 02:30 PM
From: Franz Wolfhagen
Subject: ISIM Question: Multiple account for a user on same service...
You are on the right track here....
I would wish that the architects that implemented this for PIM 1.0 had had a little more idea of what they were implementing - having had an "Automatic" on the provisioning policies for non-individual ownership would solve most of the problems here - if you could raise an RFE I believe that there may be a chance to get it solved.
You can create the accounts WITH the policies using the JAVA APPS API - I have some sample code that I will dig up for you (and the community) that I have used to create a number of accounts based on a person attribute (to map users with multiple employments needing a "sso" account), i.e. attribute values [1,2,4] would create accounts acc1, acc2, acc4 - these were all governed by the same policy - but the API can specify ownership types when creating a new account IIRC...
I will be back....
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Thu June 25, 2020 01:55 PM
From: Sanjay Sutar
Subject: ISIM Question: Multiple account for a user on same service...
Hi All,
I am implementing RBAC provisioning for different types of accounts for a user on the same service apart from his/her individual account. So I am leveraging the ownership type feature from ISIM here and have defined ownership types and their respective policies. So far it works fine as long as I need to provision one account per ownership type. So for instance if I have an ownership type Test then it works fine when I provision one Test account for the user apart from his/her other accounts (individual and other ownership types). The situation gets complicated when I have to provision multiple accounts of the same ownership type, i.e. multiple Test accounts, and that too with different sets of permissions. Inherently, this causes the same set of policies to be applied to all Test accounts, which is not desired (but I know ISIM is working as designed here).
So I am thinking of maintaining some kind of map on the Person profile which will tell me which role/permission applies to which specific Test account, so that I can refer to it in the provisioning policy and selectively apply the permissions that are applicable to a specific Test account.
Am I on the right path here or is there a better way to handle this?
Thanks in advance.
------------------------------
Sanjay Sutar
------------------------------