One IM allowing a normal (non-admin) AD account to access the Tools when using AD authentication

One IM is allowing a normal (non-admin) AD account to access the Tools when we use AD authentication and both AD accounts (the normal AD account and the admin AD account) are linked to the same person record.

How do we restrict access to the tools to the admin AD account only?

  • Hi Pradeep,

    A few things to consider / check:

    - Have you considered accountBasedSystemUsers (https://support.oneidentity.com/technical-documents/identity-manager/9.1/authorization-and-authentication-guide/20)? These should allow you to make system users 'linked' to specific AD accounts. This will allow you to link the admin accounts to the system users; however, creating the users is a more intensive process than 'just' having a person, linking an AD account and assigning permission groups. Still, for back-end usage it might be a good / viable use case.

    ---

    Assuming you do not want to use AccountBasedSystemUsers, a few more questions:

    - Do you also use AD authentication for the 'front-end' (Web Portal), or do you use another authentication method like OAuth there?

    Assuming you only use AD authentication for the back-end, the config parameter TargetSystem\ADS\AuthenticationDomains might give 'options' if the admin accounts are in a different domain. However, I'm going to assume they aren't...

    If the admin accounts and the normal AD accounts are in the same domain (and both accounts have a manage level), it becomes a bit more tricky... What you could consider is a set-up with the admin accounts being linked to sub-identities and / or a main (person-wide) master identity. This way you can make an actual 'split' between the two person records, giving the one to which the admin account is linked the permissions in the back-end tooling.

    Not a magic bullet, but a few thoughts and options to consider.

  • Account-based authentication works for me, but I need to know how secure it is.

    Does it actually authenticate to AD, or does it consider the account that logged into the machine?
