Managing Functional Users
Functional users are special representations of users, so we recommend reading the section "Managing Users" to become familiar with the user management tasks that also apply to functional users. The following user functionality also applies to functional users:
- Functional users can have privileges (roles, permissions, groups) assigned that are maintained by the same processes as for users.
- The privilege resolution process also applies to functional users, resulting in the creation of accounts and group assignments.
- Functional users have the same life-cycle and the same states as users.
The following sections describe special aspects of functional users, including:
- Where to locate functional users in the user tree.
- How to manage functional users.
- How to work with functional user states.
- How to work with links at functional user entries.
Locating Functional Users
Functional user objects reside under the cn=Users subtree, where they are mixed with the user objects and persona objects that also populate this tree.
Functional users are independent objects that are loosely coupled to user objects via their sponsor links. If the user no longer exists or is no longer active, it makes sense to re-link the functional user object to another sponsor. As a result, functional users can be created anywhere in the subtree. Re-linking a sponsor object to a functional user does not require the functional user to be moved, but it is of course possible if necessary. We recommend that you locate functional users in their own folder; for example, ou=Resources.
Working with Functional Users
Working with functional users includes:
- Viewing functional user properties
- Adding functional users to the Identity Store
- Deleting functional users from the Identity Store
- Changing the attributes of existing functional users
You use DirX Identity Manager to perform these tasks by hand.
Viewing Functional Users with DirX Identity Manager
When you log into DirX Identity Manager and select Users from the view bar, DirX Identity Manager displays a hierarchical tree of the users, personas and functional users that you are allowed to manage in the left-hand pane. Users, personas and functional users are distinguished in the user tree by their icons, as shown in the following figure:
To view the properties of a functional user, click its entry in the tree. It is displayed in the same tabs as a user.
If a functional user is not in the ENABLED state, its current status is displayed in brackets at its entry. For more information about functional user states, see the section "Functional User States" in the section "Managing States" in the chapter "Managing Provisioning" and the section "Working with Functional User States".
Adding Functional Users with DirX Identity Manager
To add a new functional user with DirX Identity Manager:
- Click a user folder in the subtree or click the top-level User folder. We recommend using a specific folder - for example, ou=Resources - to store the functional users separately from users and personas.
- Select New → Functional User in the context menu. The General tab is displayed for editing, and the mandatory attributes for a user (the user’s common name (cn) and surname (sn)) are displayed in red.
- Change to the Relationships tab and then select the functional user’s sponsor (that’s the user who is responsible for the functional user).
You can also create a functional user in Web Center; in fact, this is the recommended way to create them. Creating a functional user in Web Center is performed by a request workflow with an activity that uses the selected sponsor as a template for creating the functional user. Its parent folder and the attributes to be copied from the sponsor are configured in the workflow definition. See the section "Using the Users Menu" in the chapter "Using DirX Identity Web Center" in the DirX Identity User Interfaces Guide for details.
When you add a functional user, you can:
- Specify a functional user lifetime (a start and an end date)
- Create a functional user template
Specifying a Functional User Lifetime
You can specify a functional user lifetime by defining start and end dates for the functional user as you can for users. In contrast to personas, the functional user’s life-cycle is not related to the life-cycle of the sponsor. If the sponsor’s state changes to TBDEL, DirX Identity removes the sponsor link from all related functional users and starts request workflows for assigning a new sponsor.
Creating Functional User Templates
When you create a new functional user, you can create it as a functional user template by checking Use as Template. Note that you must provide a sponsor for the functional user template since the sponsor is a mandatory attribute. If you do not want to define a sponsor for the template, just remove the template’s dxrSponsor attribute in the Data View.
Deleting Functional Users with DirX Identity Manager
To delete a functional user, click it and then select Delete from the menu bar or context menu. The delete process for functional users is the same as for users. See the section "Deleting Users with DirX Identity Manager" for details.
Changing Functional Users Attributes with DirX Identity Manager
You change a functional user’s attributes as you would a user’s attributes; the same tabs are provided. See the section "Changing User Attributes with DirX Identity Manager" for details.
A set of functional user attributes can be mastered from its sponsor. These attributes cannot be edited at the functional user but are automatically updated to the user’s values when the functional user is saved.
In addition, if an attribute that is mastered to the functional user is changed during a user edit, the related functional users are updated with the new values.
Working with Functional User States
The DirX Identity Provisioning system recognizes the same states for functional users as for users:
- NEW - the functional user has been added to the user subtree but is not yet activated.
- TEMPLATE - the functional user has been created as a functional user template.
- ENABLED - the functional user has been activated (its start date has arrived).
- DISABLED - the functional user has been deactivated. All of the accounts associated with the functional user are also disabled.
- TBDEL - the functional user end date has arrived, and DirX Identity has marked the functional user for deletion.
The Status field in the Operational tab for a functional user displays the functional user’s current state. In the tree view, the current status of a functional user is displayed in brackets at each functional user entry if the functional user is not in the ENABLED state. For detailed information about functional user states, see the section "Managing States" in the chapter "Managing Provisioning".
Working with Links at Functional User Entries
You can link functional user entries to the same objects as user entries. See the section "Working with Links at User Entries" in the chapter "Managing Users" for details.
The sponsor link is of special importance for a functional user: it contains the reference to its responsible user.
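Because every functional user should trace back to a responsible user, the sponsor link is worth auditing against an export of the user tree. The following is an added example, not part of DirX Identity or its documentation: it flags functional users with no sponsor, a sponsor link that points to a missing entry, or a sponsor in the DISABLED or TBDEL state. The entry layout (the kind and state keys) and all DNs are constructed assumptions; only dxrSponsor and the state names come from this page.

```python
# Added example: flag functional users whose sponsor link is missing or stale.
# The entry layout ("kind", "state" keys) and all DNs are constructed assumptions;
# only the attribute name dxrSponsor and the state names come from the page.

INACTIVE = {"DISABLED", "TBDEL"}  # sponsor states treated as "no longer active"

SAMPLE = {  # constructed sample export, keyed by DN
    "cn=Ames Alice,ou=Staff,cn=Users,cn=Example": {"kind": "user", "state": "ENABLED"},
    "cn=Berg Bob,ou=Staff,cn=Users,cn=Example": {"kind": "user", "state": "DISABLED"},
    "cn=Build Agent,ou=Resources,cn=Users,cn=Example": {
        "kind": "functionalUser", "state": "ENABLED",
        "dxrSponsor": "CN=Ames Alice, ou=Staff, cn=Users, cn=Example"},
    "cn=Backup Operator,ou=Resources,cn=Users,cn=Example": {
        "kind": "functionalUser", "state": "ENABLED",
        "dxrSponsor": "cn=Berg Bob,ou=Staff,cn=Users,cn=Example"},
    "cn=Scanner,ou=Resources,cn=Users,cn=Example": {
        "kind": "functionalUser", "state": "ENABLED",
        "dxrSponsor": "cn=Cole Carol,ou=Staff,cn=Users,cn=Example"},
    "cn=Kiosk,ou=Resources,cn=Users,cn=Example": {"kind": "functionalUser", "state": "ENABLED"},
    "cn=Kiosk Template,ou=Resources,cn=Users,cn=Example": {"kind": "functionalUser", "state": "TEMPLATE"},
}

def norm_dn(dn):
    """Case- and whitespace-insensitive DN key (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit_sponsors(entries):
    """Return sorted (functional user DN, finding) pairs for sponsor problems."""
    index = {norm_dn(dn): attrs for dn, attrs in entries.items()}
    findings = []
    for dn, attrs in entries.items():
        if attrs.get("kind") != "functionalUser":
            continue
        sponsor = attrs.get("dxrSponsor")
        if not sponsor:
            # Templates may legitimately have no sponsor; everything else should.
            if attrs.get("state") != "TEMPLATE":
                findings.append((dn, "no sponsor"))
            continue
        target = index.get(norm_dn(sponsor))
        if target is None:
            findings.append((dn, "sponsor entry not found"))
        elif target.get("state") in INACTIVE:
            findings.append((dn, "sponsor is " + target["state"]))
    return sorted(findings)

if __name__ == "__main__":
    for dn, finding in audit_sponsors(SAMPLE):
        print(f"{finding:25} {dn}")
```

A functional user with no sponsor that is not a template usually means a re-assignment workflow is still pending, so such findings are best tracked until a new sponsor is linked.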