7.8. Account mappings

This chapter describes how to create patterns that map PxM user accounts to device accounts through profiles. It covers mapping accounts to preexisting privileged accounts, triggering a scan, and creating, editing and deleting an account mapping.

7.8.1. Mapping accounts to preexisting privileged accounts

Account mappings are a useful tool for organisations that have already created individual privileged accounts on devices for their users.

Because PxM manages privileged accounts, you would expect it to take over the credential life-cycle of these accounts while retaining the users' existing access to them.

This is where mapped accounts help. PxM users are mapped, through profiles, to their pre-existing privileged accounts on the device, so PxM can manage the credential while each user still reaches the device as their own named administrative account.

For example:

  • User account john.smith_admin already exists on the device.

    W2K8 account user properties

  • Once this account has been audited in PxM, its state must be Known or Managed before it can be used with an account mapping.

    W2K8 account auth service state

  • Within PxM the mapping is created as follows: %username%_admin.

    WebUI Manage Account Mapping table

  • The mapping is selected within a profile:

    W2k8 Profile add access level mapping

  • PxM user john.smith logs onto the PxM Client.

  • From the client an RDP tool is launched and the user is single-signed-on to the device as john.smith_admin: PxM maps the PxM username john.smith to the Windows 2008 Active Directory Server account john.smith_admin.

    W2K8 account pattern username odc

The Manage account mappings table shows the following information:

Heading      Description
Pattern      The pattern used to map a PxM user to the relevant device account when accessing a device. This account mapping pattern can be selected as an access level within a profile.
Notes        Any additional information relating to the pattern.
# Profiles   Total number of profiles the pattern has been used in.

WebUI Manage Account Mapping table

7.8.2. Trigger scan

Before you trigger a scan, a pattern must be selected. Triggering a scan runs the ‘MappedAccountScan’ task against the users and devices in every profile the account mapping has been used in. The task verifies that the account the pattern resolves to exists on each device or authentication service relevant to the profile.

The task fails if any expected mapped account is not found. View the task log to find out which accounts were not found on which device or authentication service, and create or audit those accounts before granting access through the profile.

7.8.3. Creating an account mapping

Before creating account mappings, consider the following cases to help you decide what the account mapping pattern should be. In each case the PxM user is the ‘Standard user’ and the mapping pattern must resolve to the name shown in the Account column. The implicit UPN applies when no explicit UPN is defined and is sAMAccountName@FQDN.

Case 1
  Logon name:       john.smith_admin
  sAMAccountName:   john.smith_admin
  FQDN:             ad.companyX.net
  Explicit UPN:     john.smith_admin@ad.companyX.net
  Implicit UPN:     john.smith_admin@ad.companyX.net
  Account column:   john.smith_admin
  Standard user:    john.smith
  Mapping:          %username%_admin
  Note:             The UPN suffix is the AD auth service FQDN, so the Account column holds only the UPN prefix.

Case 2
  Logon name:       joe.bloggs_admin
  sAMAccountName:   joeb_admin
  FQDN:             ad.companyX.net
  Explicit UPN:     joe.bloggs_admin@ad.companyX.net
  Implicit UPN:     joeb_admin@ad.companyX.net
  Account column:   joe.bloggs_admin
  Standard user:    joe.bloggs
  Mapping:          %username%_admin
  Note:             The UPN suffix is the AD auth service FQDN. The Account column follows the explicit UPN prefix, not the sAMAccountName, so the same pattern as case 1 works even though the sAMAccountName differs.

Case 3
  Logon name:       alice.cooper_admin
  sAMAccountName:   alicec_admin
  FQDN:             (not given)
  Explicit UPN:     alice.cooper_admin@companyX.com
  Implicit UPN:     alicec_admin@ad.companyX.com
  Account column:   alice.cooper_admin@companyX.com
  Standard user:    alice.cooper
  Mapping:          %username%_admin@companyX.com
  Note:             The explicit UPN suffix (companyX.com) is not the AD auth service FQDN, so the Account column holds the full UPN and the pattern must include that suffix.

Case 4
  Logon name:       (none)
  sAMAccountName:   administrator
  FQDN:             (not given)
  Explicit UPN:     (none)
  Implicit UPN:     administrator@ad.companyX.net
  Account column:   administrator
  Standard user:    (none)
  Mapping:          (none)
  Note:             The builtin ‘Administrator’ account does not have a logon name or display name, so there is no per-user name for a %username% pattern to resolve to.
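The following model, added here as an example and not PxM's own code, reproduces the pattern semantics of the four cases above and the check that a scan such as the one in section 7.8.2 has to make: the name a pattern resolves to must exist on the authentication service and be in a usable (Known or Managed) state. The function names, the sample directory and the state name ‘Unknown’ (used for an audited account that is not yet Known or Managed) are constructed for this example; the name rule it implements is the one the case table shows, the UPN prefix when the UPN suffix is the AD auth service FQDN and the full UPN otherwise.

```python
"""Account-mapping expansion and a mapped-account scan (added example, not PxM code).

The sample directory below is constructed from the case table: the same
four accounts plus one audited-but-unusable account and one missing user,
so that every outcome of the scan is exercised.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PLACEHOLDER = "%username%"
USABLE_STATES = {"Known", "Managed"}   # the states the page says a mapping requires


@dataclass(frozen=True)
class DirectoryAccount:
    sam_account_name: str
    explicit_upn: Optional[str]   # None when no explicit UPN is set (builtin Administrator)
    state: str                    # PxM state after audit; anything outside USABLE_STATES is
                                  # unusable ("Unknown" below is an assumed state name)


def effective_upn(acct: DirectoryAccount, auth_service_fqdn: str) -> str:
    """Explicit UPN if present, otherwise the implicit sAMAccountName@FQDN."""
    return acct.explicit_upn or f"{acct.sam_account_name}@{auth_service_fqdn}"


def account_name(acct: DirectoryAccount, auth_service_fqdn: str) -> str:
    """Name shown in the Account column: the UPN prefix when the suffix is the
    AD auth service FQDN (cases 1, 2 and 4), the full UPN otherwise (case 3)."""
    upn = effective_upn(acct, auth_service_fqdn)
    local, _, suffix = upn.rpartition("@")
    return local if suffix.lower() == auth_service_fqdn.lower() else upn


def expand_pattern(pattern: str, username: str) -> str:
    """Substitute %username% (case-insensitively) with the PxM user name.
    A pattern without the placeholder would map every user to one shared
    account and lose per-user attribution, so this example rejects it."""
    if PLACEHOLDER not in pattern.lower():
        raise ValueError(f"pattern {pattern!r} contains no {PLACEHOLDER}")
    # A lambda replacement keeps backslashes in user names literal.
    return re.sub(re.escape(PLACEHOLDER), lambda _m: username, pattern, flags=re.IGNORECASE)


def mapped_account_scan(pattern: str, profile_users: List[str],
                        directory: List[DirectoryAccount],
                        auth_service_fqdn: str) -> Dict[str, Tuple[str, str]]:
    """Resolve each profile user through the pattern and report, per user, the
    expected account name and 'ok', 'missing' or the unusable state found.
    Windows account names are case-insensitive, so compare lowercased."""
    by_name = {account_name(a, auth_service_fqdn).lower(): a for a in directory}
    report: Dict[str, Tuple[str, str]] = {}
    for user in profile_users:
        expected = expand_pattern(pattern, user)
        acct = by_name.get(expected.lower())
        if acct is None:
            report[user] = (expected, "missing")
        elif acct.state not in USABLE_STATES:
            report[user] = (expected, f"unusable state: {acct.state}")
        else:
            report[user] = (expected, "ok")
    return report


def scan_passed(report: Dict[str, Tuple[str, str]]) -> bool:
    """The scan fails if any expected mapped account is not usable."""
    return all(status == "ok" for _, status in report.values())


# Constructed sample data mirroring the case table (plus bob.jones, audited but
# not yet Known or Managed).
AUTH_SERVICE_FQDN = "ad.companyX.net"
DIRECTORY = [
    DirectoryAccount("john.smith_admin", "john.smith_admin@ad.companyX.net", "Managed"),
    DirectoryAccount("joeb_admin", "joe.bloggs_admin@ad.companyX.net", "Known"),
    DirectoryAccount("alicec_admin", "alice.cooper_admin@companyX.com", "Known"),
    DirectoryAccount("administrator", None, "Managed"),
    DirectoryAccount("bob.jones_admin", "bob.jones_admin@ad.companyX.net", "Unknown"),
]
PROFILE_USERS = ["john.smith", "joe.bloggs", "alice.cooper", "bob.jones", "carol.white"]

if __name__ == "__main__":
    for pattern in ("%username%_admin", "%username%_admin@companyX.com"):
        report = mapped_account_scan(pattern, PROFILE_USERS, DIRECTORY, AUTH_SERVICE_FQDN)
        print(f"pattern {pattern}: {'passed' if scan_passed(report) else 'FAILED'}")
        for user, (expected, status) in report.items():
            print(f"  {user:<14} -> {expected:<36} {status}")
```

Running it shows why alice.cooper is reported missing under %username%_admin but found under %username%_admin@companyX.com, and why bob.jones is reported even though the account exists: the scan checks the state as well as existence, which is the same precondition section 7.8.1 places on using an audited account with a mapping.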

  1. On the Manage account mappings page, click the New account mapping (plus icon) button.

  2. In the New account mapping window, configure the pattern.

    The pattern differs depending on whether the accounts' UPN suffix is the domain FQDN or a separate UPN suffix, as cases 1 to 3 above show.

    The following table gives you an example of how your pattern should be created:

    WebUI New account mapping window

    Fill in the following details:

    Heading Description
    Pattern: Enter the pattern that will be applied to the PxM user when accessing a device.
    Notes: Any additional information relating to the pattern.
  3. Click Save. The pattern will now be available in the access level drop-down list when adding devices to a profile. See Configuring a Profile.

    W2k8 Profile add access level mapping

7.8.4. Editing an account mapping

See General usage section for inline editing.

7.8.5. Deleting an account mapping

Deleting a mapping removes every device that uses that mapping from every profile which uses the mapping, so the users of those profiles lose access to those devices through it. Check the # Profiles column on the Manage account mappings page before deleting a mapping that is still in use.