Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

And please allow me to post a trivial question...

Is it possible to call the suspendAccount(Account act) method in a workflow javascript??

Spoiler: the following does not work

var person = Entity.get();
var pdn = person.dn;

process.auditEvent("Requestee dn: " + pdn);

// get requestor's accounts
var accounts = (new AccountSearch()).searchByOwner(pdn);

if(accounts != null && accounts.length > 0)
    {
    process.auditEvent("Accounts found: " + accounts.length);
    for(i=0; i< accounts.length; i++)
    {
        var account = accounts[i];
        process.auditEvent("Suspending: " + account.dn);

        var accountObj = new Account(account.dn); // don't know if I really have to istantiate a new Account() object as I'm not sure about types returned from search.
        /* It fails!
        suspendAccount(accountObj);
        */
    }
}
else
{
    process.auditEvent("Accounts not found!");
}

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

A final word for today:

I've succeded in obtaining a 'raw' result using a loop (this is a custom operation called by a LCR, for testing purpose only):

where basically:

the scripts collects all accounts owned and writes a 'list of accounts' as relevant data

the loop reads the list, and puts the current account in another relevant data, which is given to suspendAccount block.

This work is surely to be refined, i.e. searching only for accounts with custom Ownership.

Of course a 'script only' piece would be nicer, as I should integrate this flow into the existing flow of 'suspendPerson'.

Anyone feel free to ask more details if needed.

Cheers

And please allow me to post a trivial question...

Is it possible to call the suspendAccount(Account act) method in a workflow javascript??

Spoiler: the following does not work

var person = Entity.get();
var pdn = person.dn;

process.auditEvent("Requestee dn: " + pdn);

// get requestor's accounts
var accounts = (new AccountSearch()).searchByOwner(pdn);

if(accounts != null && accounts.length > 0)
    {
    process.auditEvent("Accounts found: " + accounts.length);
    for(i=0; i< accounts.length; i++)
    {
        var account = accounts[i];
        process.auditEvent("Suspending: " + account.dn);

        var accountObj = new Account(account.dn); // don't know if I really have to istantiate a new Account() object as I'm not sure about types returned from search.
        /* It fails!
        suspendAccount(accountObj);
        */
    }
}
else
{
    process.auditEvent("Accounts not found!");
}

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

I have created this RFE for you : https://ibmsecurity.ideas.ibm.com/ideas/IGI-I-1258 

Please go in and vote/comment it and add your customer details so the Product Management can see it is coming from a real customer :-)

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Tue October 14, 2025 08:25 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

------------------------------
Andrea Gatto

Original Message:
Sent: Mon October 13, 2025 02:00 PM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Mon October 13, 2025 12:06 PM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 03:54 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 3:43:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 03:21 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

Original Message:
Sent: 10/10/2025 3:10:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 01:37 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 1:30:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 11:41 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 11:30 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

------------------------------
Andrea Gatto
------------------------------

"I have created this RFE for you"

Thank you very much! Voted!

"This of course is not the case if you call it from the person suspend... "

Rigth, waiting for the RFE to come to life, I'm evaluating wich could be the rigth spot to put the 'custom ownership' suspend logic, and the Person suspend op at the moment is the preferred.

Anyway I'm trying to reach the result both with loops (and it works) and via scripting (I feel it more 'compact & portable'), but I failed.

If you look at script in post #12 (called in a custom op for Persons) I'm trying to call "suspendAccount(accountObj);".

Sorry I can't remember now the exception I got, but, IF it is conceptually possible (call a wf extension in a script), I suspect I did some gross mistake...

Do you have some examples at hand?

At the moment I can't do anything but saying thank you very much again!

------------------------------
Andrea Gatto

Original Message:
Sent: Thu October 16, 2025 06:48 AM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

I have created this RFE for you : https://ibmsecurity.ideas.ibm.com/ideas/IGI-I-1258 

Please go in and vote/comment it and add your customer details so the Product Management can see it is coming from a real customer :-)

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Tue October 14, 2025 08:25 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

------------------------------
Andrea Gatto

Original Message:
Sent: Mon October 13, 2025 02:00 PM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Mon October 13, 2025 12:06 PM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 03:54 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 3:43:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 03:21 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

Original Message:
Sent: 10/10/2025 3:10:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 01:37 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 1:30:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 11:41 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 11:30 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

------------------------------
Andrea Gatto
------------------------------

I have never tried to call an extension directly from a script - that is not the way - if you want to do it from the script do it directly - but it is much better to use the loop method as this clearly shows what the workflow is doing... 

"I have created this RFE for you"

Thank you very much! Voted!

"This of course is not the case if you call it from the person suspend... "

Rigth, waiting for the RFE to come to life, I'm evaluating wich could be the rigth spot to put the 'custom ownership' suspend logic, and the Person suspend op at the moment is the preferred.

Anyway I'm trying to reach the result both with loops (and it works) and via scripting (I feel it more 'compact & portable'), but I failed.

If you look at script in post #12 (called in a custom op for Persons) I'm trying to call "suspendAccount(accountObj);".

Sorry I can't remember now the exception I got, but, IF it is conceptually possible (call a wf extension in a script), I suspect I did some gross mistake...

Do you have some examples at hand?

At the moment I can't do anything but saying thank you very much again!

------------------------------
Andrea Gatto

Original Message:
Sent: Thu October 16, 2025 06:48 AM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

I have created this RFE for you : https://ibmsecurity.ideas.ibm.com/ideas/IGI-I-1258 

Please go in and vote/comment it and add your customer details so the Product Management can see it is coming from a real customer :-)

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Tue October 14, 2025 08:25 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

------------------------------
Andrea Gatto

Original Message:
Sent: Mon October 13, 2025 02:00 PM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Mon October 13, 2025 12:06 PM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 03:54 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 3:43:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 03:21 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

Original Message:
Sent: 10/10/2025 3:10:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 01:37 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 1:30:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 11:41 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 11:30 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

------------------------------
Andrea Gatto
------------------------------

 "if you want to do it from the script do it directly"

Do you mean by setting property eraccountstatus to 1?

If correctly guessed, then I don't know how to persist the status (if not by using the 'modifyAccount' Extension, after the script execution).

I have never tried to call an extension directly from a script - that is not the way - if you want to do it from the script do it directly - but it is much better to use the loop method as this clearly shows what the workflow is doing... 

"I have created this RFE for you"

Thank you very much! Voted!

"This of course is not the case if you call it from the person suspend... "

Rigth, waiting for the RFE to come to life, I'm evaluating wich could be the rigth spot to put the 'custom ownership' suspend logic, and the Person suspend op at the moment is the preferred.

Anyway I'm trying to reach the result both with loops (and it works) and via scripting (I feel it more 'compact & portable'), but I failed.

If you look at script in post #12 (called in a custom op for Persons) I'm trying to call "suspendAccount(accountObj);".

Sorry I can't remember now the exception I got, but, IF it is conceptually possible (call a wf extension in a script), I suspect I did some gross mistake...

Do you have some examples at hand?

At the moment I can't do anything but saying thank you very much again!

------------------------------
Andrea Gatto

Original Message:
Sent: Thu October 16, 2025 06:48 AM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

I have created this RFE for you : https://ibmsecurity.ideas.ibm.com/ideas/IGI-I-1258 

Please go in and vote/comment it and add your customer details so the Product Management can see it is coming from a real customer :-)

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Tue October 14, 2025 08:25 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

------------------------------
Andrea Gatto

Original Message:
Sent: Mon October 13, 2025 02:00 PM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Mon October 13, 2025 12:06 PM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 03:54 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 3:43:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 03:21 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

Original Message:
Sent: 10/10/2025 3:10:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 01:37 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 1:30:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 11:41 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 11:30 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

------------------------------
Andrea Gatto
------------------------------

No - you should never just change the internal attributes - this may sometimes work but it is definitely not guaranteed.

What I meant if you do it in a script you can call the underlying APIs - that is basically the what the workflow extensions does - an extensions is basically a wrapper that makes it possible to input the data necessary from the workflow properties into the extension that then performs the low level APIs.

That said - the low level APIs (dataservices APIs) are coming in 2 versions - for the entities Entity level and what is called ObjectEntity level - they are basically to lowest level of the API of IVIG - and that is the foundation of the whole system. They are not fully documented as only some of these are supported for usage. On top of these there is business levl API called APPS API. That is basically a remote EJB/Corba RMI based api meaning this can be called remotely. The console UI is based on that API.

My recommendation is normally that you should call the operation workflow as the first choice in cases like this - if you want it to be more "atomic" (not going through the default e.g. suspend operation) the you call the extensions relevant. In situations where there is no extension to support what is needed then you can either create a JavaScript extension or workflow extension - or build script logic by exposing the APIs directly to the script engine (done in scriptframework.properties) - the latter reduces source code/compilation maintenance but comes with a risk that you open up for some security issues - so you need to understand the IVIG security model before you do that.

Take a look at the examples that is provided with IVIG - in the SW version they are available in the data directory - for CNT you need to get them - there is a command to move the examples from the container to the host - for VA you can download them from the VA UI.

HTH 

 "if you want to do it from the script do it directly"

Do you mean by setting property eraccountstatus to 1?

If correctly guessed, then I don't know how to persist the status (if not by using the 'modifyAccount' Extension, after the script execution).

I have never tried to call an extension directly from a script - that is not the way - if you want to do it from the script do it directly - but it is much better to use the loop method as this clearly shows what the workflow is doing... 

"I have created this RFE for you"

Thank you very much! Voted!

"This of course is not the case if you call it from the person suspend... "

Rigth, waiting for the RFE to come to life, I'm evaluating wich could be the rigth spot to put the 'custom ownership' suspend logic, and the Person suspend op at the moment is the preferred.

Anyway I'm trying to reach the result both with loops (and it works) and via scripting (I feel it more 'compact & portable'), but I failed.

If you look at script in post #12 (called in a custom op for Persons) I'm trying to call "suspendAccount(accountObj);".

Sorry I can't remember now the exception I got, but, IF it is conceptually possible (call a wf extension in a script), I suspect I did some gross mistake...

Do you have some examples at hand?

At the moment I can't do anything but saying thank you very much again!

------------------------------
Andrea Gatto

Original Message:
Sent: Thu October 16, 2025 06:48 AM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

I have created this RFE for you : https://ibmsecurity.ideas.ibm.com/ideas/IGI-I-1258 

Please go in and vote/comment it and add your customer details so the Product Management can see it is coming from a real customer :-)

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Tue October 14, 2025 08:25 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Oh, very nice, I didn't know of its existence...

 I'd greatly appreciate if you'd be so kind to post the new idea.

In the meanwhile, I'll try to have things done by working in the suspendPerson operation.

I'll keep you up to date, in case of positive outcomes.

Thank you so much!

Cheers

------------------------------
Andrea Gatto

Original Message:
Sent: Mon October 13, 2025 02:00 PM
From: Franz Wolfhagen
Subject: Suspending person and accounts (with different ownership types)

https://ibmsecurity.ideas.ibm.com/ is the site for enhancement requests...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Mon October 13, 2025 12:06 PM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

"...write an IDEAS for that..."

Sorry for my ignorance, I don't know what it is (maybe a process to request enhancement?)

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 03:54 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 3:43:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

By utilizing ownershiptypes you can multiple accounts on the same service with different policies. The use case could e.g. be having a standard AD account for your day to day work and a privileged AD account with elevated privileges only used when doing admin work.

This cannot work if both accounts have the individual ownershiptype as they would the be subject to the same policy.

In the above use case the 2 accounts are personal account and hence should follow the owner actions (suspend/restore/delete) - but as the default process is hardcoded then it has to be done e.g. using workflow programming.

From a model perspective it would have been more correct to guide this with attributes in the ownershiptype itself - but as the purpose at the implementation time was restricted to non-personal accounts this was not necessary for implementing the PIM functionality. Whether the full potential of ownershiptypes was understood at that point in time I doubt - but this is what it is and hence IDEAS with a good impact description is the way to make IBM aware of the potential :-)  

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 03:21 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

OK Franz.  I have a question, why is it necessary to suspend an account that isn't an individual account when a person is suspended? after all is not your account. It makes perfect sense to me that non-individual accounts can't be suspended when a person is suspended.I actually use that functionality a lot.

In any case, if you want to define a new type of ownership, you can also define the new type as individual.

Maybe I'm misunderstanding the problem.

Original Message:
Sent: 10/10/2025 3:10:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

That is not correct - that is the default behavior. 

What is needed to do what was expected is to call the account suspend for non-individual accounts in the Person suspend (and similarly in the Person Restore) workflow.

So basically the logic should be :

• Find all owned accounts
• Loop through the accounts - check ownershiptype - if not individual call suspend operation for account

Now - the real implementation is somewhat more complex as you need to store the properties and supply them in workflow loop - not that complex but it takes some work...

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 01:37 PM
From: Roberto Cristaldo
Subject: Suspending person and accounts (with different ownership types)

Original Message:
Sent: 10/10/2025 1:30:00 PM
From: Franz Wolfhagen
Subject: RE: Suspending person and accounts (with different ownership types)

Let me explain the historical logic behind that : 

The ownershiptypes was developed for ISPIM 1.0/ISIM 6 to support non-human, service and shared accounts. Hence when a Person that was owning these accounts where suspended the default use case to avoid operational issues was defined as exempting the ownershiptypes from suspend/restore.

I would suggest you write an IDEAS for that suspend/restore functionality - or I can do it for you (as I was the one that got the automatic provisioning in there and should have thought of this - sorry for that) - in that case please vote for it when I have done so and add your comments. 

Just let me know what you prefer here...

HTH

------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs

Original Message:
Sent: Fri October 10, 2025 11:41 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

mmm, I've just found an almost negative answer in thi other post:

"Suspend and restore sponsored accounts of a certain ownership type alongside with person in ISIM"...

------------------------------
Andrea Gatto

Original Message:
Sent: Fri October 10, 2025 11:30 AM
From: Andrea Gatto
Subject: Suspending person and accounts (with different ownership types)

Hi everyone,

I've recently read a thread named "ISIM Question: Multiple account for a user on same service..." and it gave me directions for using different ownership types to create more accounts on the same service (thank you for that!). As I'm on ISIM v10.x, I could do it using an automatic entitlement in provisioning policy.

During tests, I've seen that suspending a person having:

itim acct

account1 on service1 (individual ownership)

account1 on service2 (individual ownership)

account1b on service2 (custom ownership)

leaves account1b still active.

I see in request's audit trail that the suspend operation (for account1b) has not been even called.

What am I missing, in your opinion?

------------------------------
Andrea Gatto
------------------------------