14.8 Managing account groups

ID-Synch uses account groups to configure ways to manage membership of corresponding groups on the following target systems:

The nightly update process can discover all available groups on a target system (e.g. Domain Users Group on Windows 2000), listing them in TARGETID.GRP files and loading them into the NOSGROUP table. After you configure ID-Synch to manage account groups using the Workflow configuration menu in the Central console (nph-psa.exe):

ID-Synch's account group management facility is a more efficient and flexible way to manage account group membership than mapping request attributes to target attributes.

Note:
The two methods are incompatible. If you map request attributes to target attributes and group membership is then changed using the Manage groups button in the New account request module (nph-idr.exe) or the Account management console (nph-ida.exe), the list created by mapping attributes is not updated and becomes unsynchronized with the actual group membership.

Membership of account groups can be:

  Open
    Any user can be added or removed.

  Moderated
    Users can be added or removed if approved by an authorizer.

  Open to members of another group
    Users can be added or removed only if they belong to another managed group on the same or another target system.

You can set different permissions for adding users to a group and for removing them. For example, a user may need authorization to join a group but can be removed without authorization.
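The three membership types and the independent add and remove settings can be modelled as a small decision function. This is an added illustration, not ID-Synch code; the class, function and result names, the (target, group) key shape and the sample targets, groups and users are all hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

GroupKey = Tuple[str, str]  # (target system ID, group name); hypothetical key shape

class MemberType(Enum):
    OPEN = "Open"
    MODERATED = "Moderated"
    GATED = "Open to members of another group"

@dataclass
class GroupPolicy:
    add_type: MemberType
    remove_type: MemberType
    gate: Optional[GroupKey] = None          # group the user must already belong to
    authorizers: List[str] = field(default_factory=list)

def decide(policy: GroupPolicy, action: str, user: str,
           memberships: Dict[GroupKey, Set[str]]) -> str:
    """Return 'allow', 'needs-approval' or 'deny' for an add or remove request."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    # Add and remove are configured independently, so pick the matching type.
    kind = policy.add_type if action == "add" else policy.remove_type
    if kind is MemberType.OPEN:
        return "allow"
    if kind is MemberType.MODERATED:
        if not policy.authorizers:            # a moderated group needs an authorizer
            raise ValueError("moderated group has no authorizer")
        return "needs-approval"
    if policy.gate is None:
        raise ValueError("gated group has no gating group")
    # The gating group may live on the same or on another target system.
    return "allow" if user in memberships.get(policy.gate, set()) else "deny"

# Constructed sample data: targets, groups and users are made up.
MEMBERSHIPS = {("AD1", "Staff"): {"alice"}}
VPN_USERS = GroupPolicy(MemberType.MODERATED, MemberType.OPEN, authorizers=["carol"])
WIKI_EDITORS = GroupPolicy(MemberType.GATED, MemberType.OPEN, gate=("AD1", "Staff"))

if __name__ == "__main__":
    for name, pol in (("VPN_USERS", VPN_USERS), ("WIKI_EDITORS", WIKI_EDITORS)):
        for act in ("add", "remove"):
            for who in ("alice", "bob"):
                print(name, act, who, decide(pol, act, who, MEMBERSHIPS))
```

In this model a gated group's effective access follows the membership of its gating group, so a review of who can join one group also has to cover who can join the other.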


14.8.1 Setting up group management

To manage account groups on a target system:

  1. On the Workflow configuration menu click Account groups.

  2. Click Update next to the target system on which you want to manage account groups.

    ID-Synch displays a list of available groups for the target system, indicating which groups are currently managed.

  3. Click Update next to the group you want to manage.

    ID-Synch displays the Account groups management information page.

  4. Optional: Select a Location for the account group.

  5. Optional: Select a Type for the account group.

  6. Select Add type to determine how users can be added to the group.

  7. Select Remove type to determine how users can be removed from the group.

  8. If you selected Open to members of another group for Add/Remove type:

  9. Click Manage.

  10. If you selected Moderated for Add/Remove type, click Add.

    ID-Synch displays the Specify authorizer search criteria or Select an authorizer page. You must have authorizers defined to complete this procedure.

  11. Select the authorizer that you want to moderate the group, and click Select.

  12. Add more authorizers if required.

See also: Filtering account or groups available to users



  ID-Synch™ is an access management solution developed by M-Tech.

The full current version of this guide, shipped with the ID-Synch software, contains detailed reference information not included in this version.