Managing Account Mappings

This section describes how to create patterns to map PxM Platform user accounts to device accounts through profiles. The following topics are included in this section:

Mapping Accounts to Pre-existing Privileged Accounts

Account mappings are a useful tool for organisations that have already created individual privileged accounts on devices for their users.

The PxM Platform manages privileged accounts, so you would expect the PxM Platform to be able to take over the credential life-cycle of these accounts whilst retaining existing user access.

This is where mapped accounts are helpful. PxM Platform users are mapped through profiles to their pre-existing privileged accounts on the device.

For example:

  1. User account john.smith_admin already exists on the device.

    W2K8 account user properties

  2. Once this account has been audited in the PxM Platform, its state must be Known or Managed before it can be used with an account mapping.

    W2K8 account auth service state

  3. Within the PxM Platform the mapping is created as follows: %username%_admin.

    Manage account mapping table

  4. The mapping is selected within a profile:

    W2k8 Profile add access level mapping

  5. PxM Platform user john.smith logs onto the PxM Client.

  6. From the PxM Client an RDP tool is launched. The user is single-signed-on to the device as john.smith_admin: the PxM Platform maps the username john.smith to the Windows 2008 Active Directory Server account john.smith_admin.

The information presented on the Manage account mappings table includes:

    Heading      Description
    Pattern      The pattern used to map a PxM Platform user to the relevant device account when accessing a device. This account mapping pattern can be selected as an access level within a profile.
                 NOTE: Mappings are matched diacritic-insensitively (accents on characters are ignored) and case-insensitively.
    Notes        Any additional information relating to the pattern.
    # Profiles   Total number of profiles the pattern has been used in.

    Manage Account Mapping table

Trigger Scan

Before you trigger a scan, a pattern must be selected. Triggering a scan runs the MappedAccountScan task against the users and devices in every profile the account mapping has been used in. This task verifies that the expected mapped account exists on each device or account source relevant to the profile.

The task fails if any expected mapped account is not found. View the task log to find out which accounts were not found on which device or authentication service.

Creating an Account Mapping

Before creating an account mapping, review the following cases and the available mapping substitutions to work out which account mapping pattern you require.

Account Mapping Substitutions

Taking the username john.smith as an example:

  • %username1-20% : the first 1 to 20 characters of the username, where the number gives how many characters are taken

  • %username% : the whole username as used by the user to log into the PxM Client = john.smith

  • %first_initial% : the first character from the first part (given name) of the username = j

  • %first_part% : the whole of the first part (given name) of the username = john

  • %last_initial% : the first character of the second part (family name) = s

  • %last_part% : the whole of the second part (family name) of the username = smith


Mappings are case insensitive and will be forced to lowercase when saved.
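The following is an added worked example, not PxM Platform code: it expands the substitution tokens listed above for a PxM username, then checks the result against a constructed list of device accounts the way the NOTE above and the Trigger Scan section describe (case- and diacritic-insensitive matching, reporting the mapped accounts that are missing). Token names are those on this page; the function names and sample accounts are assumptions.

```python
import re
import unicodedata

# Substitution tokens from this page: %username%, %usernameN% (N = 1-20),
# %first_initial%, %first_part%, %last_initial%, %last_part%
TOKEN = re.compile(r"%(username\d*|first_initial|first_part|last_initial|last_part)%")


def fold(s):
    """Lower-case and strip diacritics, so 'José.Müller' compares equal to 'jose.muller'."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def expand(pattern, username):
    """Replace the pattern's %...% tokens with parts of a first.last PxM username."""
    first, _, last = username.partition(".")

    def sub(m):
        tok = m.group(1)
        if tok.startswith("username"):
            n = tok[len("username"):]
            if not n:                      # %username% = the whole username
                return username
            if not 1 <= int(n) <= 20:      # page allows %username1% .. %username20%
                raise ValueError("%%username%s%% is out of range 1-20" % n)
            return username[:int(n)]       # %usernameN% = first N characters
        return {"first_initial": first[:1], "first_part": first,
                "last_initial": last[:1], "last_part": last}[tok]

    # Patterns are stored lower-case when saved, so fold the pattern the same way.
    return TOKEN.sub(sub, pattern.lower())


def scan(pattern, users, device_accounts):
    """Return (found, missing) mapped account names for the given users.

    device_accounts is the constructed account list of one device or
    authentication service; matching is case- and diacritic-insensitive.
    """
    present = {fold(a) for a in device_accounts}
    found, missing = [], []
    for u in users:
        mapped = expand(pattern, u)
        (found if fold(mapped) in present else missing).append(mapped)
    return found, missing
```

A non-empty `missing` list corresponds to the MappedAccountScan task failing; the names in it are what the task log would report as not found.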

Account Mapping Patterns

Case                          1                     2                     3                     4
Logon Name                    john.smith_admin      joe.bloggs_admin      alice.cooper_admin
sAMAccountName                john.smith_admin      joeb_admin            alicec_admin          administrator
Explicit UPN
Implicit UPN
(if no explicit UPN is defined, = logonname@fqdn)
Resultant 'Account' column    john.smith_admin      joe.bloggs_admin                            administrator
Standard User                 john.smith            joe.bloggs            alice.cooper
Mapping                       %username%_admin      %username%_admin
Note                          When FQDN = AD Auth   When FQDN = AD Auth                         Builtin 'Administrator' does not have
                              Service FQDN          Service FQDN                                a logon name or display name

  1. On the Manage account mappings page, click the New account mapping button (the Plus icon).

  2. In the New account mapping window, configure the pattern. The pattern will differ depending on whether you want to use the Domain FQDN or a UPN Suffix.

    The following table gives you an example of how your pattern should be created:

    New account mapping

    Fill in the following details:

    Heading      Description
    Pattern      Enter the pattern that will be applied to the PxM Platform user when accessing a device.
                 NOTE: Patterns are case-insensitive. Any capital letters typed in the Pattern field are saved as lower-case.
    Notes        Any additional information relating to the pattern.

  3. Click Save. The pattern will now be available in the access level drop-down list when adding devices to a profile. See Manage Profiles.

    W2k8 Profile add access level mapping

Editing an Account Mapping

See the Common Interface Functions section for inline editing.

Deleting an Account Mapping

Deleting a mapping removes all devices that use that mapping from every profile in which the mapping is used.