7.8. Account mappings
This chapter describes how to create patterns to map PxM user accounts to device accounts through profiles. The following topics are included in this chapter:
7.8.1. Mapping accounts to preexisting privileged accounts
Account mappings are a useful tool for organisations that have already created individual privileged accounts on devices for their users.
PxM manages privileged accounts, so you would expect PxM to be able to take over the credential life-cycle of these accounts whilst retaining existing user access.
This is where mapped accounts are helpful. PxM users are mapped through profiles to their pre-existing privileged accounts on the device.
User account john.smith_admin already exists on the device.
Once this account has been audited in PxM, its state must be Known or Managed before it can be used with an account mapping.
Within PxM the mapping is created as follows: %username%_admin.
The mapping is selected within a profile:
PxM user john.smith logs onto the PxM Client.
From the client an RDP tool is launched. The user is single-signed-on to the device as john.smith_admin: PxM maps the username john.smith to the Windows 2008 Active Directory Server account john.smith_admin.
The information presented on the Manage account mappings table includes:

| Heading | Description |
| Pattern | The pattern used to map a PxM user to the relevant device account when accessing a device. This account mapping pattern can be selected as an access level within a profile. |
| Notes | Any additional information relating to the pattern. |
| # Profiles | Total number of profiles the pattern has been used in. |
7.8.2. Trigger scan
Before you trigger a scan, a pattern must be selected. Triggering a scan runs the MappedAccountScan task against the users and devices in every profile in which the account mapping has been used. This task verifies whether the appropriate account exists on the devices or authentication services relevant to the profile.
The task will fail if expected mapped accounts are not found. View the log to find out which accounts weren't found on the devices or authentication services.
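To make the mapping and scan behaviour above concrete, here is an added example (not PxM's own code) that expands a pattern such as %username%_admin for each PxM user and then reports which of the resulting accounts are absent from a device, as the MappedAccountScan task does. The %upn% and %fqdn% placeholders, the implicit-UPN rule (logonname@fqdn when no explicit UPN is defined) and all sample users and accounts are assumptions constructed for the example.

```python
import re

# %username% is the placeholder the pattern on this page uses; %upn% and
# %fqdn% are assumed here for illustration and are not PxM's documented syntax.
_PLACEHOLDER = re.compile(r"%(\w+)%")


def implicit_upn(user):
    """Explicit UPN if the user has one, otherwise logonname@fqdn."""
    return user.get("upn") or f"{user['username']}@{user['fqdn']}"


def expand_pattern(pattern, user):
    """Apply an account-mapping pattern to one PxM user record."""
    values = {
        "username": user["username"],
        "fqdn": user["fqdn"],
        "upn": implicit_upn(user),
    }

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"unknown placeholder %{name}%")
        return values[name]

    return _PLACEHOLDER.sub(substitute, pattern)


def mapped_account_scan(pattern, users, device_accounts):
    """Return (pxm_user, expected_account) pairs missing from the device.

    Windows account names are case-insensitive, so compare in lower case.
    """
    present = {account.lower() for account in device_accounts}
    missing = []
    for user in users:
        expected = expand_pattern(pattern, user)
        if expected.lower() not in present:
            missing.append((user["username"], expected))
    return missing


# Constructed sample data, not taken from a real PxM deployment.
USERS = [
    {"username": "john.smith", "fqdn": "companyX.com", "upn": None},
    {"username": "joe_bloggs", "fqdn": "companyX.com", "upn": None},
    {"username": "alice_cooper", "fqdn": "companyX.com", "upn": "alice_cooper@companyX.net"},
]
DEVICE_ACCOUNTS = {"John.Smith_admin", "joe_bloggs_admin", "Administrator"}

if __name__ == "__main__":
    for username, account in mapped_account_scan("%username%_admin", USERS, DEVICE_ACCOUNTS):
        print(f"missing on device: {username} -> {account}")
```

The scan reports alice_cooper as missing because no alice_cooper_admin account exists on the sample device, which is the condition that makes the real task fail.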
7.8.3. Creating an account mapping
Before creating account mappings consider the following cases to help you understand what the account mapping pattern should be.
| Implicit UPN (if no eUPN defined = logonname@fqdn) | email@example.comX.firstname.lastname@example.orgX.email@example.comX.firstname.lastname@example.orgX.net |
| Resultant "Account" column | john.smith_admin | joe_bloggs_admin | alice_cooper_admin@companyX.com | administrator |
| Note | When FQDN = AD Auth Service FQDN | When FQDN = AD Auth Service FQDN | | Builtin "Administrator" does not have a logon name or display name |
On the Manage account mappings page, click the New account mapping button.
In the New account mapping window, configure the pattern.
The pattern will differ depending on whether you want to use the Domain FQDN or a UPN Suffix.
The following table gives you an example of how your pattern should be created:
Fill in the following details:
| Heading | Description |
| Pattern | Enter the pattern that will be applied to the PxM user when accessing a device. |
| Notes | Any additional information relating to the pattern. |
Click Save. The pattern will now be available in the access level drop-down list when adding devices to a profile. See Configuring a Profile.
7.8.4. Editing an account mapping
See the General usage section for inline editing.
7.8.5. Deleting an account mapping
Deleting a mapping removes all devices that use that mapping from every profile in which the mapping is used.