Managing account mappings
This section describes how to create patterns to map PxM Platform user accounts to device accounts through profiles. The following topics are included in this section:
- Mapping accounts to pre-existing privileged accounts
- Trigger scan
- Creating an Account mapping
- Editing an account mapping
- Deleting an account mapping
Mapping accounts to pre-existing privileged accounts
Account mappings are a useful tool for organisations that have already created individual privileged accounts on devices for their users.
The PxM Platform manages privileged accounts, so you would expect the PxM Platform to be able to take over the credential life-cycle of these accounts whilst retaining existing user access.
This is where mapped accounts are helpful. PxM Platform users are mapped through profiles to their pre-existing privileged accounts on the device.
User account john.smith_admin already exists on the device.
Once this account is audited in the PxM Platform, in order to use it with an account mapping the state needs to be Known or Managed.
Within the PxM Platform the mapping is created as follows: %username%_admin.
The mapping is selected within a profile:
PxM Platform user john.smith logs onto the PxM UI.
From the PxM UI an RDP tool is launched. The user is single signed-on to the device as john.smith_admin. The PxM Platform maps the username john.smith to the Windows 2008 Active Directory Server account john.smith_admin.
The information presented on the Manage account mappings table includes:
|Heading|Description|
|Pattern|The pattern used to map a PxM Platform user to the relevant device account when accessing a device. This account mapping pattern can be selected as an access level within a profile. NOTE: Mappings are matched with diacritic (accents added to words) insensitivity and case insensitivity.|
|Notes|Any additional information relating to the pattern.|
|# Profiles|Total number of profiles the pattern has been used in.|
Trigger scan
Before you trigger a scan, a pattern must be selected. Triggering a scan runs the MappedAccountScan task against the users and devices in every profile the account mapping has been used in. This task verifies whether the expected mapped account exists on the devices or account sources relevant to the profile.
The task will fail if expected mapped accounts are not found. View the log to find out which accounts were not found on the device or authentication services.
Creating an account mapping
Before creating account mappings consider the following cases and mapping substitutions available to help you understand what account mapping pattern you require.
Account mapping substitutions
If we take the username john.smith:
- %username1-20 : the first 1-20 characters of a username
- %username% : the whole username as used by the user to log into the PxM UI = john.smith
- %first_initial% : the first character from the first part (given name) of the username = j
- %first_part% : the whole of the first part (given name) of the username = john
- %last_initial% : the first character of the second part (family name) = s
- %last_part% : the whole of the second part (family name) of the username = smith
- %email_address% : the entire email address associated with the PxM user = firstname.lastname@example.org
- %email_username% : the username part of the email address associated with the PxM user = john.smith
- %email_username_first_part% : the whole of the first part of the user's email address associated with the PxM user = john
- %email_username_first_initial% : the first character from the first part of the user's email address associated with the PxM user = j
- %email_username_last_part% : the whole of the second part of the user's email address associated with the PxM user = smith
- %email_username_last_initial% : the first character of the second part of the user's email address associated with the PxM user = s
Mappings are case insensitive and will be forced to lowercase when saved.
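As an added illustration (not the PxM Platform's own code), the following Python applies the substitutions listed above to a constructed user, lowercases the result as the platform does when saving, and compares it with an audited device account using the case- and diacritic-insensitive rule noted earlier. Reading %username1-20 as %usernameN% (N = 1..20, the first N characters) is an assumption.

```python
import re
import unicodedata

# Constructed sample PxM user; values are not from the page.
USER = {"username": "John.Smith", "email": "John.Smith@example.org"}

def _parts(name):
    """Split 'john.smith' into (given, family) on the first '.'; no '.' leaves family empty."""
    given, _, family = name.partition(".")
    return given, family

def substitutions(user):
    """Substitution table from the page for one user; lowercased because saved mappings are."""
    username = user["username"].lower()
    email = user["email"].lower()
    email_user = email.split("@", 1)[0]
    given, family = _parts(username)
    e_given, e_family = _parts(email_user)
    return {
        "%username%": username,
        "%first_initial%": given[:1], "%first_part%": given,
        "%last_initial%": family[:1], "%last_part%": family,
        "%email_address%": email, "%email_username%": email_user,
        "%email_username_first_part%": e_given,
        "%email_username_first_initial%": e_given[:1],
        "%email_username_last_part%": e_family,
        "%email_username_last_initial%": e_family[:1],
    }

# Assumed reading of "%username1-20": %usernameN% (N = 1..20) yields the first N characters.
_TRUNC = re.compile(r"%username([1-9]|1\d|20)%")

def expand(pattern, user):
    """Expand a mapping pattern into the device account name for this user."""
    subs = substitutions(user)
    out = _TRUNC.sub(lambda m: subs["%username%"][: int(m.group(1))], pattern.lower())
    # Longest tokens first so no shorter token is substituted inside a longer one
    for token in sorted(subs, key=len, reverse=True):
        out = out.replace(token, subs[token])
    return out

def _fold(s):
    """Case- and diacritic-insensitive key: drop combining marks after NFKD decomposition."""
    return "".join(c for c in unicodedata.normalize("NFKD", s)
                   if not unicodedata.combining(c)).casefold()

def mapping_matches(expected, device_account):
    """True when an audited device account satisfies the expanded mapping."""
    return _fold(expected) == _fold(device_account)
```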
Account mapping patterns
(if no eUPN defined = logonname@fqdn)
|Resultant 'Account' column|john.smith_admin|joe_bloggs_admin|alice_cooper_admin@companyX.com|administrator|
|Note||When FQDN = AD Auth Service FQDN|When FQDN = AD Auth Service FQDN|Builtin 'Administrator' does not have a logon name or display name|
On the Manage account mappings page, click the New account mapping button.
In the New account mapping window, configure the pattern. The pattern will differ depending on whether you want to use the Domain FQDN or a UPN Suffix.
The following table gives you an example of how your pattern should be created:
Fill in the following details:
|Heading|Description|
|Pattern|Enter the pattern that will be applied to the PxM Platform user when accessing a device. NOTE: Patterns are case-insensitive. Any capital letters typed in the Pattern field will save as lower-case.|
|Notes|Any additional information relating to the pattern.|
Click Save. The pattern will now be available in the access level drop-down list when adding devices to a profile. See Manage Profiles.
Editing an account mapping
See the Common Interface Functions section for inline editing.
Deleting an account mapping
Deleting a mapping removes all devices that use that mapping from every profile in which the mapping is used.