3.9. Account mappings
This chapter describes how to create patterns to map PxM user accounts to device accounts through profiles. The following topics are included in this chapter:
3.9.1. Mapping accounts to preexisting privileged accounts
Account mappings are a useful tool for organisations that have already created individual privileged accounts on devices for their users.
PxM manages privileged accounts, so you would expect PxM to be able to take over the credential life-cycle of these accounts whilst retaining existing user access.
This is where mapped accounts are helpful. PxM users are mapped through profiles to their pre-existing privileged accounts on the device.
User account john.smith_admin already exists on the device.
Once this account is audited in PxM, in order to use it with an account mapping the state needs to be Known or Managed.
Within PxM the mapping is created as follows: %username%_admin.
The mapping is selected within a profile:
PxM user john.smith logs onto the PxM Client.
From the client an RDP tool is launched. The user is single signed-on to the device as john.smith_admin. PxM maps the username john.smith to the Windows 2008 Active Directory Server account john.smith_admin.
The information presented on the Manage account mappings table includes:
The pattern used to map a PxM user to the relevant device account when accessing a device.
This account mapping pattern can be selected as an access level within a profile.
|Notes||Any additional information relating to the pattern.|
|# Profiles||Total number of profiles the pattern has been used in.|
3.9.2. Trigger scan
Before you trigger a scan, a pattern must be selected. Triggering a scan, runs the ‘MappedAccountScan’ task against the users/devices in the profile the account mapping has been used in. This task verifies if the appropriate account exists on the devices or account sources relevant to the profile.
The task will fail if expected mapped accounts are not found. View the log to find out which accounts weren’t found on the device/authentication services.
3.9.3. Creating an account mapping
Before creating account mappings consider the following cases and mapping substitutions available to help you understand what account mapping pattern you require.
Account mapping substitutions
If we take the username: john.smith
- %username% : the whole username as used by the user to log into the PxM Client = john.smith
- %first_initial% : the first character from the first part (given name) of the username = j
- %first_part% : the whole of the first part (given name) of the username = john
- %last_initial% : the first character of the second part (family name) = s
- %last_part% : the whole of the second part (family name) of the username = smith
Mappings are case insensitive and will be forced to lowercase when saved.
Account mapping patterns
|Implicit UPN (if no eUPN defined =logonname@fqdn)||firstname.lastname@example.orgX.email@example.comX.firstname.lastname@example.orgX.email@example.comX.net|
|Resultant ‘Account’ column||john.smith_admin||joe_bloggs_admin||alice_cooper_admin@companyX.com||administrtor|
|Note||When FQDN = AD Auth Service FQDN||When FQDN = AD Auth Service FQDN||Builtin ‘Administrator’ does not have a logon name or display name|
On the Manage account mappings page, click the New account mapping button.
In the New account mapping window, configure the pattern.
The pattern will differ depending on whether you want to use the Domain FQDN or a UPN Suffix.
The following table gives you an example of how your pattern should be created:
Fill in the following details:
Heading Description Pattern:
Enter the pattern that will be applied to the PxM user when accessing a device.
Patterns are case-insensitive. Any capital letters typed in the Pattern field will save as lower-case.
Notes: Any additional information relating to the pattern.
Click Save. The pattern will now be available in the access level drop-down list when adding devices to a profile. See Configuring a Profile.
3.9.4. Editing an account mapping
See General usage section for inline editing.
3.9.5. Deleting an account mapping
Deleting a mapping will remove all devices using that mapping, from every profile which uses the mapping.