
Associate multiple AD accounts to an IDV/eDirectory group


Hello

We use IDV (eDirectory) to store user identities with a single identity
for each user. A user may have multiple accounts in AD, i.e. standard
and privileged accounts. In addition, a user may be the admin of an
application with several system and service accounts. All these accounts
must be linked to/associated with the user's identity in the IDV.
Alternatively, we could create an eDirectory Group per application with
nested groups for different accounts (if there are different admins per
application) and associate the System and Service accounts to the nested
Groups. Owners will be added to the relevant Group so that all accounts
have an owner. When the owner of a System or Service account departs
then this should prevent the associated System and Service accounts from
being disabled and we can then add a new owner to that particular
Group.
This scenario would also apply to application accounts where a user can
have multiple accounts in one application.
Is this possible? How can it be done?
Thanks
Lunga


--
newlunga
------------------------------------------------------------------------
newlunga's Profile: https://forums.netiq.com/member.php?userid=11761
View this thread: https://forums.netiq.com/showthread.php?t=55710

Knowledge Partner

Re: Associate multiple AD accounts to an IDV/eDirectory group

On 04/13/2016 07:16 AM, newlunga wrote:
>
> Hello
>
> We use IDV (eDirectory) to store user identities with a single identity
> for each user. A user may have multiple accounts in AD, i.e. standard
> and privileged accounts. In addition, a user may be the admin of an
> application with several system and service accounts. All these accounts
> must be linked to/associated with the user's identity in the IDV.
> Alternatively, we could create an eDirectory Group per application with
> nested groups for different accounts (if there are different admins per


I do not understand the need for nested groups here, but okay.

> application) and associate the System and Service accounts to the nested
> Groups. Owners will be added to the relevant Group so that all accounts
> have an owner. When the owner of a System or Service account departs
> then this should prevent the associated System and Service accounts from
> being disabled and we can then add a new owner to that particular
> Group.


I do not fully grasp the concept here; perhaps you can describe the flow
of events, and its interaction, when you re-post in the IDM forum.

> This scenario would also apply to application accounts where a user can
> have multiple accounts in one application.
> Is this possible? How can it be done?


Having multiple associations per account per application is possible, but
it's not the norm so it'll take a bit of customization. This entire issue
should be re-posted in the IDM engine/drivers forum where the topic will
be more relevant as the eDirectory bits are simple, but the IDM bits are
less trivial.

--
Good luck.
