When configuring a new directory connector in Access Manager, you will be prompted to select the Usage of the connector. This option determines the permissions that Access Manager grants to users within the directory that is created. The available options are:
- Primary: User level connector that is used to login, authenticate, self service and manage all other linked accounts
- Secondary: Connector whose users are managed by a primary account. These users cannot directly login or perform direct self service actions; this can only be done through primary users
- Helpdesk: Connector used to provide users a subset of administrative permissions
- Administration: Connector used to group users who have administration privileges
Privileges of each connector are detailed in the following sections.
A Primary directory is the main directory type. The users in a primary directory will be standard user accounts that your end users will be using to manage their accounts:
- Logon to Access Manager directly with user permissions
- May set login details for Questions, PIN, Passphrase authentication
- May add email address and phone numbers for OTP authentication if allowed by administrator
- May link to accounts in secondary directories to manage their passwords
- May perform password reset and account unlock actions for themselves and linked accounts
- Notification emails are usually sent to this account
- Can change the user's current password, or the password of linked secondary accounts
Multiple Primary Accounts
When multiple Primary directories have been configured on a single Access Manager installation, it may become necessary for users to identify which directory they are logging in to. If a username is unique among all directories, Access Manager will be able to identify it correctly. However, once duplicate usernames are in use, the directory name will also be required. There are two ways to do this:
Using the 'Directory, Username and Password' module during authentication which provides a visual dropdown of directories.
Once configured end users will be able to select the directory when navigating to their My Account page as shown below.
A Secondary directory allows users in the Primary directory to manage the users in this directory. If you use multiple user databases, you can set one database as the primary directory and then connect the other databases as secondary directories, with their users attached to the primary directory user as linked accounts. The key benefits are:
- Users in Secondary directories cannot login to Access Manager with their own credentials
- Password reset and account unlock actions for these users are performed through the primary account
- There is no limit to the number of linked accounts a user can have
As you can see below, this user has 2 secondary accounts linked to it, allowing him to manage 3 accounts under a single primary identity.
A Helpdesk directory is used to provide users with elevated permissions in order to act in a helpdesk/internal support role. For example, if you want your IT management team to be able to manage users in Access Manager, you can create a Helpdesk directory that includes only those users. The key benefits are:
- Users will be able to logon and administer users from this connector
- Users will have access to the Dashboard, Identities and Events pages in the administrator interface
- Access to the Identities page will allow helpdesk users to unlock accounts from Access Manager lockouts, reset passwords, and link accounts
- Helpdesk users login through the administration option and login process
As you can see below, the helpdesk user has a limited set of administrative actions available to them.
NOTE: These users should not exist in the primary directory to avoid account duplication.
An Administrator directory is used to provide users with administrator level permissions equal to the default admin user. For example, you can completely secure the default admin user and allow your own system administrators to manage the system with their own user accounts. The key benefits are:
- Users will be able to logon and administer the entire system from this connector
- Secure the default admin user for emergency use only
- Allow each of your own administrators to use their own account for managing Access Manager
As you can see in the image, users within this connector have full admin rights to the Access Manager server.
NOTE: These users should not exist in the Primary directory to avoid account duplication.
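The following is an added example, not part of the product documentation or Access Manager's own code. It audits exported username lists for two conditions described above: usernames duplicated across Primary directories (which force the directory to be named at login) and Helpdesk or Administration accounts that also exist in a Primary directory. The connector names, the accounts and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample data: connector name -> (usage, usernames exported from it).
# Connector names and accounts are hypothetical, not from a real installation.
CONNECTORS = {
    "corp-ad":    ("Primary",        ["alice", "bob", "carol"]),
    "partner-ad": ("Primary",        ["Bob", "dave"]),
    "legacy-db":  ("Secondary",      ["alice", "bob_legacy"]),
    "support":    ("Helpdesk",       ["erin", "carol"]),
    "sysadmins":  ("Administration", ["frank", "ALICE"]),
}
PRIVILEGED = ("Helpdesk", "Administration")


def normalise(username):
    # Assumption: usernames are matched case-insensitively across directories.
    return username.strip().casefold()


def audit(connectors):
    """Return (ambiguous_primary, privileged_overlap) findings."""
    by_usage = defaultdict(lambda: defaultdict(set))  # usage -> user -> connectors
    for name, (usage, users) in connectors.items():
        for user in users:
            by_usage[usage][normalise(user)].add(name)
    primary = by_usage["Primary"]

    # Usernames in more than one Primary directory: login needs the directory name.
    ambiguous = {u: sorted(c) for u, c in primary.items() if len(c) > 1}

    # Helpdesk/Administration accounts that also exist in a Primary directory.
    # Secondary accounts are skipped: they are meant to be linked to primary users.
    overlap = []
    for usage in PRIVILEGED:
        for user, conns in by_usage[usage].items():
            if user in primary:
                overlap.append((user, usage, sorted(conns), sorted(primary[user])))
    return ambiguous, sorted(overlap)


if __name__ == "__main__":
    ambiguous, overlap = audit(CONNECTORS)
    for user, conns in sorted(ambiguous.items()):
        print(f"AMBIGUOUS  {user}: present in Primary directories {conns}")
    for user, usage, priv, prim in overlap:
        print(f"DUPLICATE  {user}: {usage} {priv} also in Primary {prim}")
```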