Previous Topic: Create Authentication MethodsNext Topic: Create an Application

Single Sign-On ServiceSSO Getting Started GuideSSO Using Advanced Authentication and Provisioning for a Sensitive ApplicationCreating Roles to Assign Accounts

Creating Roles to Assign Accounts

As an administrator, you can configure CA CloudMinder to automatically create a user account in a software resource. For example, you can configure the system to automatically create user accounts in Salesforce.com for employees who need access to this resource. Such a resource is named an endpoint.

Note: The following instructions assume that an administrator has already created and configured the endpoint in the system. For more information, see Integrating Managed Endpoints.

In most organizations, administrators spend significant time providing users with login accounts for different systems and applications. To simplify this repetitive activity, you can create provisioning roles, which are roles that contain account templates. The templates define the attributes that exist in one type of account. For example, an account template for an Exchange account defines attributes such as the size of the mailbox. Account templates also define how user attributes are mapped to accounts.

Consider an example where every employee at Forward, Inc needs access to a database and email. An administrator wants to avoid creating a database account and an email account for each employee one at a time. Therefore, the administrator creates a provisioning role for that company. The role contains an account template for a Microsoft Exchange server, to provide email accounts, and a template for an Oracle database. In this example, the Exchange server and the Oracle database are named endpoints, which are the system or application where the accounts exist.

Note: Forward, Inc. is a fictitious company name which is used strictly for instructional purposes only and is not meant to reference an existing company.

Diagram illustrates one provisioning role assigning multiple accounts to multiple users.

After the roles are created, business administrators, such as managers or support personnel, can assign those roles to users to give them accounts in endpoints. After users receive the role, they can log in to the endpoint.

Creating a provisioning role that includes an account template is a two-step process as follows:

The diagram shows a two step process for creating roles to assign accounts.

The following sections explain how to create a role that can be used to assign accounts:

  1. Create an Account Template
  2. Create a Provisioning Role
Create an Account Template

A default account template exists for each endpoint type. In a provisioning role, you can use the default account template. However, you can create your own account templates for any endpoint that you have configured.

Follow these steps:

  1. Log in to the User Console and select Endpoints, Manage Account Templates, Create Account Template.

    A screen appears with a list of endpoint types.

  2. Select an endpoint type for the template.
  3. Complete the Account Template tab.
    1. Provide an account template name.
    2. Select Use Strong Synchronization for the maximum correlation of the account template and endpoint account.
  4. Complete the Endpoints tab.
    1. Select an endpoint.
    2. Define Endpoint Name as the system name of the endpoint or localhost if that applies.
  5. Complete the Account tab.
    1. Modify the rule strings in percent signs if necessary. The rules strings define the format of Login fields for the account.
    2. Enter a %AC% rule string in the Account Name field. You enter this string because account names must be unique.
  6. Complete the fields in the other tabs or use the default values.

    Each endpoint type has a different set of tabs. Click Help for field definitions.

  7. Click Submit.

CA CloudMinder creates the account template and makes it available for use in provisioning roles.

Rule Strings in Account Templates

When you create an account template, you use rules strings to define the format of many account attributes. Rule strings are variables for the actual value. Rules strings are useful when you want to generate attributes that change from one account to another. When rules are evaluated, Identity Management replaces the rule strings entered in the account templates with data specified in the user object.

Note: Rule evaluation is not performed on accounts created during an exploration or on accounts created without provisioning roles.

The following table lists the rule strings in Identity Management:

Rule String

Description

%AC%

Account name

%D%

Current date in the format dd/mm/yyyy (the date is a computed value that does not involve the global user information).

This rule string is equivalent to one of the following:

%$$DATE()%
%$$DATE%

%EXCHAB%

Mailbox hide from exchange address book

%EXCHS%

Mailbox home server name

%EXCMS%

Mailbox store name

%GENUID%

Numeric UNIX/POSIX user identifier. This rule variable is the same as %UID% as long as the global user UID value is set. However, if the global user has no assigned UID value, and UID-generation is enabled (Global Properties on System Task), several actions occur. The next available UID value is allocated, assigned to the global user, and used as the value of this rule variable.

%P%

Password

%U%

Global user name

%UA%

Full address (generated from street, city, state, and postal code)

%UB%

Building

%UC%

City

%UCOMP%

Company name

%UCOUNTRY%

Country

%UCUxx% or %UCUxxx%

Custom field (xx or xxx represents the two-digit or three-digit field ID as specified on the Custom User Fields tab in the System Task frame)

%UD%

Description

%UDEPT%

Department

%UE%

Email address

%UEP%

Primary email address

%UES%

Secondary email addresses

%UF%

First name

%UFAX%

Facsimile number

%UHP%

Home page

%UI%

Initials

%UID%

Numeric UNIX/POSIX User Identifier

%UL%

Last name

%ULOC%

Location

%UMI%

Middle initial

%UMN%

Middle name

%UMP%

Mobile telephone number

%UN%

Full name

%UO%

Office name

%UP%

Telephone number

%UPAGE%

Pager number

%UPC%

Postal code, ZIP Code

%UPE%

Telephone number extension

%US%

State

%USA%

Street address

%UT%

Job title

%XD%

Generates the current timestamp in XML dateTimeValue format, a fixed-length string format.

In a dateValue or timeValue attribute, you can write an (:offset,length) substring expression to extract the date or time parts of the dateTimeValue. For example, %XD:1,10% yields YYYY-MM-DD; and %XD:12,8% yields HH:MM:SS.

Create a Provisioning Role

After you create the account template, you decide about the role requirements, as follows:

After you decide about the role requirements, you are ready to create a provisioning role.

Follow these steps:

  1. Log in to the User Console and click Roles and Tasks, Provisioning Roles, Create Provisioning Role.
  2. Complete the Profile tab.

    Only the Name field is required unless you are using a customized version of Create Provisioning Role.

  3. Complete the Account Templates tab.
    1. Click an endpoint type, such as SAP.
    2. Click an account template.

      The templates that you can click are based on the endpoint type you selected.

    3. Add more account templates if needed for different endpoint types.
  4. Complete the Administrators tab and Owners tab.

    Add admin rules that control who manages members and administrators of this role.

    Add owner rules that control who can modify this role.

  5. Click Submit.

    A message appears to indicate the status of the Create Provisioning Role task.

  6. To verify that the role was created, click Roles and Tasks, Provisioning Roles, View Provisioning Role.

You have now successfully created a provisioning role. The role can now be assigned to users, so that they can access the accounts that they need.

More information:

User-defined Custom Attributes for Roles