Identity and Access Management
Standard Secondary Account Request Process
Last modified 10/31/2024
The target audience of this documentation (for requesting a secondary account) is the endpoint support team of the supporting unit.
- What is a secondary account?
A secondary account in this context refers to an account that is associated with a person's primary identity at ISU. Below is a non-exhaustive list of secondary account types:
- Privileged accounts.
- Student admin accounts.
- FTE admin accounts.
- Domain admin accounts.
- Student work accounts.
- Test/emulator accounts.
Typically, these accounts require centralized management by the identity management system to ensure they adhere to the established identity and access management standards.
- What types of secondary accounts does this process support?
Currently this process supports the following types of secondary accounts:
- Student admin accounts.
- FTE admin accounts.
- Student work accounts.
- What benefits does this process provide?
The new process introduces several improvements to both the onboarding and offboarding of secondary accounts; some of these benefits are outlined below:
Overall Benefits:
- Streamlined self-service capabilities.
- Can be managed directly in Grouper, via API or through OIAM provided Ansible jobs.
- This is handled by the teams that directly support the individual.
- Improved visibility and auditability through regularly scheduled attestation.
Onboarding Benefits:
- Student work accounts will be automatically provisioned based on their affiliation with ISU.
- Automatic delivery of activation details at creation time.
- Multiple accounts will no longer be required for students working in more than one department.
- Standard naming convention: student work accounts will be generated as isu_ulid (isu_ulid_admin for student admin accounts), and FTE admin accounts will receive ulid_admin.
- Sponsorship will be automatically populated with the manager listed in HCM (this is maintained by HR; changes to an account sponsor must be submitted to HR).
Offboarding Benefits:
- Secondary accounts will have full lifecycle management through the tight coupling of their primary account affiliation using Grouper.
- Grouper group math (composite group membership) will automatically start the deprovisioning process for accounts that no longer meet the affiliation requirements.
- Manual account deletion will no longer be required.
- How do I request a standard secondary account?
You can request a standard secondary account by navigating to your team folder in the Grouper UI and following the process outlined below:
- Expand the Requests folder in your team space; you should see two groups:
- req_[teamname]_create_persona_admin: This group can be used to request an admin account for a full-time employee.
The process will NOT work for any pre-existing fte_admin accounts.
- req_[teamname]_create_persona_studentadmin: This group can be used to request an admin account for a student employee.
- Add the desired ULID to one of the groups above to request that a secondary account be created for them.
If desired, the OIAM team can share Ansible playbooks in Ansible Automation Platform (AAP) to provide the following capabilities for your team:
- Add members to the request groups for onboarding.
- Remove members from the request groups for offboarding.
- Review membership of the request groups.
- Look up details required for activation.
- Send activation details to account owner.
AAP enables you to establish recurring tasks using Grouper's API, complete with integrated logging and auditing, all without the need to directly authorize your team for Grouper access.
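As an added example (not one of the OIAM-provided playbooks, and not code from this page), the Python helper below models what such a playbook does against Grouper's WS "lite" REST interface: it applies the naming convention above to predict the account a ULID will receive, and maps onboarding, offboarding and membership review onto the corresponding membership calls. The base URL, the full group name (team Requests folder path plus req_[teamname]_create_persona_[type]) and the credentials are placeholders; the URL layout and the Ws*LiteResult response shape follow Grouper's WS lite conventions and should be checked against your deployment's version.

```python
import base64
import json
import urllib.request
from typing import Optional

# Assumed Grouper WS base URL; host and version segment are site-specific placeholders.
BASE_URL = "https://grouper.example.edu/grouper-ws/servicesRest/json/v2_6_000"

def expected_account_name(ulid: str, persona: str) -> str:
    """Apply the process naming convention: isu_ulid, isu_ulid_admin, ulid_admin."""
    names = {"studentwork": f"isu_{ulid}",
             "studentadmin": f"isu_{ulid}_admin",
             "admin": f"{ulid}_admin"}
    if persona not in names:
        raise ValueError(f"unsupported persona type: {persona}")
    return names[persona]

def membership_call(group: str, ulid: Optional[str], action: str) -> tuple:
    """Map onboard / offboard / review onto the WS lite REST method and URL.

    group is the full Grouper name, e.g. <Requests folder>:req_<team>_create_persona_admin.
    """
    members = f"{BASE_URL}/groups/{group}/members"
    if action == "review":
        return ("GET", members)
    if action == "onboard":
        return ("PUT", f"{members}/{ulid}")
    if action == "offboard":
        return ("DELETE", f"{members}/{ulid}")
    raise ValueError(f"unknown action: {action}")

def send(method: str, url: str, user: str, password: str) -> dict:
    """Issue the call with HTTP basic auth (the WS service account) and decode the JSON body."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def result_ok(body: dict) -> bool:
    """True when the single top-level Ws*LiteResult reports success == 'T'."""
    (result,) = body.values()
    return result.get("resultMetadata", {}).get("success") == "T"

def member_ids(body: dict) -> list:
    """Subject ids from a WsGetMembersLiteResult; an empty group has no wsSubjects key."""
    (result,) = body.values()
    return sorted(s["id"] for s in result.get("wsSubjects", []))

# Constructed sample responses in the shape WS lite returns (not captured output).
SAMPLE_ADD_OK = {"WsAddMemberLiteResult": {"resultMetadata": {"success": "T"}}}
SAMPLE_MEMBERS = {"WsGetMembersLiteResult": {"wsSubjects": [{"id": "jdoe"}, {"id": "asmith"}]}}
```

Running the review call on a schedule and comparing member_ids against the team's current staff list is the offboarding check the AAP job would automate.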