Users › Creating Users

Creating Users

User profiles allow administrators to manage user information; manage privilege, application, and service access; and grant users self-management for their own accounts and services. Creating user profiles is a common task for a system administrator.

When creating and configuring a user, consider the following user account elements:

Self-Service Tasks: User profiles are configured by default to grant the user access to certain self-service tasks, such as changing their password and profile information. A system administrator with appropriate tasks can modify which self-service tasks are granted to a user by default.

Groups: Groups simplify role management. For example, a system administrator with appropriate tasks can configure multiple roles for the system to assign automatically to a user who is added as a member of a group.

Admin Roles: Admin roles define the tasks that a user can perform in the User Console. For example, a task can allow a user to modify user account information, such as the address or job title. Another task can allow a user to administer tasks, such as granting a user membership in a group. When you assign an admin role to a user, the user can perform the tasks associated with the role.

Endpoint Accounts and Provisioning Roles: Accounts that exist on other systems are named Endpoints Accounts. You can assign accounts in endpoints to CA Identity Manager users through provisioning roles. For example, a user needs an Exchange account for email, an Oracle account for database access, and an Active Directory account to use a Windows system. When you assign a provisioning role to a user, the user receives the endpoint accounts the provisioning role specifies.

Access Roles: Access roles provide an additional way to provide entitlements in CA Identity Manager or another application. For example, you can use access roles to accomplish the following:

• Provide indirect access to a user attribute
• Create complex expressions
• Set an attribute in a user profile, which is used by another application to determine entitlements

Services: Services allow you to combine you choice of user tasks, roles, groups, and attributes into a single package. You can manage this package of privileges as a set. For example, all new Sales employees need access to a defined set of tasks, accounts on specific endpoint systems, and information added to their user account profiles. When you assign a service to a user, the user receives the entire set of roles, tasks, groups and account attributes the service specifies.

Password Policies: Password policies manage user passwords by enforcing rules and restrictions governing password expiration, composition, and usage. If a system administrator has created password policies for your environment, those policies are applied automatically to new users matching one or more password policies rules. A system administrator with appropriate tasks can modify password policies.

The following diagram shows the information to understand, and the steps to perform, in creating and configuring a user.

The following topics explain creating users in depth, and how to configure them.

1. Create a User.
2. Assign Groups.(if needed)
3. Assign a Role to a User (if needed)
4. Assign Services. (if needed)