Skip to main content

Accounts

Description

An account is the way a user is presented on a target system.  There can be user accounts as well as system-purpose accounts.

Search Types

You can search for accounts created in the system by applying different ways of searching: 

Quick

This option allows quick search by fields that have been defined in the application metadata.

Basic

This is the default option. It provides some default search criteria, but other criteria can be added from the add criteria option. 

Each search criterion will have different search forms depending on the type of data in the particular field. For example, a text field provide four different options to search, "Contains", "Start with", "End with" and "Equals", a date field provide the date "Since" and date "Until".

Each criterion will be added to the previous ones.

Advanced

This option allows an advanced search system using the SCIM standard.

You can access to SCIM Chapter for more information

Screen overview

&&TODO&&

Related objects

An account is related, in Soffid, to other objects:

  1. User: users related to this account.
  2. Groups: groups to which the account belongs.
  3. Roles: the permissions that this account has associated with the system in which it is used. They can be assigned or revoked by users with administrator privileges.
  4. System: the environment in which that account is used (AD, Exchange, etc).

Custom attributes

Basic

Commons attibutes
  • System: target system in which the account is registered.
  • Name: account name, as used by the target system.
  • Description: plain text with information about the account.
  • Type: there are four kinds of accounts:
    • Single user account: accounts should normally be user accounts and belong to exactly one user. We can see user accounts on user management screen, and will mostly be created by Soffid.
    • Shared accounts: these accounts are shared among multiple users. They have an access control list to prevent unauthorized usage. Will be granted to users, groups or roles. Passwords on shared accounts might be set by operators or by the user. It depends on the password policy definition.
    • High privilege accounts: shared among users, but only one user possess it at one time. Through self service portal, high privilege account owner can check-in and check-out them. Will be granted to users, groups or roles. Passwords on these accounts will be set only by the user using self-service portal. The user can set it for a period of time. After that, the system will change the password by a temporary one.
    • Unmanaged accounts: ignored by Soffid. They can be populated based on existing system accounts.
  • Status: it could be enabled, disabled, manually enabled, manually disabled, removed or locked.
    • Enabled: the account can be used by the user. Soffid engine will disable it when the user does not match the access requirement policy.
    • Manualy enabled: The account can be used by the user. Soffid engine will keep it enabled, even when the user does not match the access requirement policy.
    • Disabled: the account canot be used by the user. Soffid engine will enable it when the user does matches the access requirement policy.
    • Manualy enabled: the account canot be used by the user. Soffid engine will keep it disabled, even when the user matches the access requirement policy.
    • Removed: the account no longer exists in the target system, but its image is kept in Soffid for audit purposes
  • Password policy: the policy applied to this account. 
Owners, Managers and SSO users

Specify the list of users authorised to use this account. For accounts of type "single user", only one user can be specified. Other accounts can have more than one user. The users that can use this account can be specified either directly, by entering the user name, or indirectly, by entering a group or role name. In the latest, any user having that group or role will automatically be entitled to use this account.

There are three access level for each account and user:

  • SSO User: can use it by means of the SSO or PAM engines.
  • Manager: can use it, and set or query the password, depending on the password policy restriction.
  • Owner: can use it, set or query the password, or modify the access control list.
Password vault
  • Vault folder: personal or shared folder, depending on the account type, in which account data are stored.
  • Inherit new permissions: determines if the account will inherit the permissions granted to the folder that contains it.
Launch properties

&&TODO&& 

  • Login url:
  • Login name:
  • Launch type:
Audit infomration
  • Created on: account creation date.
  • Last login: last registered access.
  • Last updated: last modified.
  • Last password set: date of last password change.
  • Password expiration: password expiry date.
  • In use by: account owner
  • Password synchronization.
System properties
  • SSH Private key: private key that establishes trust to be able to access the system without requiring a password.
  • SSH Public key: public key that establishes trust to be able to access the system without requiring a password.

Roles

On the roles tab, you can view the roles assigned to the account, it is shown information about the role name, description, application or start (and, if proceed, end) date of the role assignment. 

You can also assign roles to the account, you can click the add symbol (+), select the role that you want assign, depends on the role you must fill the scope, and finally set memberships properties.

It is also possible to revoke roles to the account from the entitlement details or by selecting one or more records from the list and clicking the button with the subtraction symbol (-). 

By clicking on a record, it is shown the detail  role assignment information.

Additionally you can download a CSV file with the roles information and you can also upload a CSV file to assign or revoke roles.

Effective roles

This screen details the effective roles for the selected account. Those that are directly assigned or those that are inherited.

Actions

Account query actions

Query Allows to query accounts through different search systems, Quick, Basic and Advanced.
Add or remove columns Allows to show and hide columns in the table.
Add new Allows to create a new account in the system.
Download CSV file Allows to download a csv file with the basic information of all accounts. 
Bulk actions Allows massive operations to be performed on all system accounts.  With that operation, updates can be made to any of the account's parameters.

Account detail actions

Apply changes Allow to update the data account.
Delete Allow to remove the account.
Set password Allow to set a new password to the account. It can be a system generated or manually generated password.
Show actual account properties &&TODO&& me da error
Roles
Assign Role Allows to assign a new role to the account. 
Revoke Role Allows to revoke the role to the account.
Import Allows to upload a CSV file with the información about account roles, to assign or revoke that roles.
Download CSV file Allows to download a CSV file with all the information about account roles.