wigginsli (Customer) asked a question.

Is it possible to use a different Account Template under different conditions?

For example, if a user is in some particular roles or their title is 'Admin', then use the Admin account template; other users use the normal account template.


  • Short answer, no. There are no conditional account templates.

     

    Consider the following approach:

     

    Create a new application in G&L for admin accounts of this specific app with a new account template.

    Create a form to request access to this app.

    Limit the form only to users with a particular role or admin in the title.

  • OverthinkerDave (Customer)

    It is also possible to link more than one account template to the same business source.

    And then the product will ask (if the request is made in the product) which account template to use when executing the form.

    Although personally I don't use this approach, because the end user usually doesn't know the difference between these accounts.

     

    Usually when using "G&L" (as Boris mentioned) it is better to re-think the data model of a big directory, to keep it 1-on-1 for templates.

    It is often easier to "split up" directories (like AD) and have two different business sources for, say, "normal accounts" (business use) and "admin accounts" (low level environment use).

    And if you do it, it is even much easier to lock both roles (and accounts) to "Title=Admin" (or any other trusted source that verifies who a person is).

     

    My personal best approach is to have rolesets for admins of different "Tiers", where I limit the entitlements to belong to an admin-application (which has the correct account template for admins and those admin entitlements). Meaning that if new roles are created for admins, then you/owner can't make an incorrect configuration of the role. This approach even allows making "super-roles" which set both admin and normal accounts at the same time during fulfilment.

     

    But there is a trap here when splitting a big business source:

    • You still need to check that you still have collectors that "show all accounts", so that you can catch "orphaned" accounts.
      • It is very easy to miss parts of a business used "ai-agents", or just simple "service accounts".

     

    It is very important to give the owners of a Directory/Application a correct view of the state of ALL accounts which give possible logins to their system. With the target to set ownership on all.

    • wigginsli (Customer)

      Thanks for the answer, however, in our environment we do not use request forms in G&L, as all access requests are managed through our ServiceNow ITSR process. Also, many applications require provisioning both normal and admin accounts, so creating separate “admin” business sources per application would result in a large number of business sources and significant operational overhead.