Identity and Access Management

Standard Secondary Account Request Process

Last modified 2/1/2024



  • What is a secondary account?

A secondary account in this context refers to an account that is associated with a person's primary identity at ISU. Below is a non-exhaustive list of secondary account types:

  • Privileged accounts.
    • Student admin accounts.
    • FTE admin accounts.
    • Domain admin accounts.
  • Student work accounts.
  • Test/emulator accounts.

Typically, these accounts require centralized management by the identity management system to ensure they adhere to the established identity and access management standards.

  • What types of secondary accounts does this process support?

Currently this process supports the following types of secondary accounts:

  • Student admin accounts.
  • FTE admin accounts.
  • Student work accounts.

  • What benefits does this process provide?

The new process introduces a few improvements to both the onboarding and offboarding of secondary accounts. Some of these benefits are outlined below:

Overall Benefits:

  • Streamlined self-service capabilities.
    • Can be managed directly in Grouper, via API or through OIAM-provided Ansible jobs.
      • This is handled by the teams that directly support the individual.
  • Improved visibility and auditability through regularly scheduled attestation.

Onboarding Benefits:

  • Student work accounts will be automatically provisioned based on their affiliation with ISU.
  • Automatic delivery of activation details at creation time.
  • Multiple accounts will no longer be required for students working in more than one department.
  • Standard naming convention: student accounts will be prefixed with isu_ and FTE admins will receive _admin.

Offboarding Benefits:

  • Secondary accounts will have full lifecycle management through the tight coupling of their primary account affiliation using Grouper.
    • Group math will automatically start the deprovisioning process for accounts that don't meet the affiliation requirements.
  • Manual account deletion will no longer be required.

  • How do I request a standard secondary account?

You can request a standard secondary account by navigating to your team folder in the Grouper UI and following the process outlined below:

  1. Expand the Requests folder in your team space. You should see two groups:
    1. req_[teamname]_create_persona_admin: This group can be used to request an admin account for a full-time employee. 

      The process will NOT work for any pre-existing FTE _admin accounts.

    2. req_[teamname]_create_persona_studentadmin: This group can be used to request an admin account for a student employee. 
  2. Add the desired ULID to one of the groups above to request that a secondary account be created for them.

 If desired, the OIAM team can share Ansible playbooks in Ansible Automation Platform (AAP) to provide the following capabilities for your team:

  • Add members to the request groups for onboarding.
  • Remove members from the request groups for offboarding.
  • Review membership of the request groups.
  • Look up details required for activation.
  • Send activation details to the account owner.

AAP enables you to establish recurring tasks using Grouper's API, complete with integrated logging and auditing, all without the need to directly authorize your team for Grouper access.