AD account - deprovisioning

Hello,

We are currently having a connector to AD, and AD accounts get created through IDN as birthright accounts. However, there are some AD accounts that are created outside of IDN manually (for example, local admin accounts such as xyz-LA accounts). Can IDN de-provision these AD accounts that were not provisioned through IDN when a user is terminated?

Thanks,
Lakshmi.

Hi @Laks1 ,
Yes, ISC can deprovision those accounts as well. You will need a beforeProvisioning rule to remove those entitlements.


Hi @Laks1,

Is the manually created AD account correlated to an identity (for example, to an authoritative source)? If so, then yes, IDN can deprovision these. But if an identity has more than one AD account correlated (coming from the same AD source), then there will be an issue, because IDN does not know which account to provision/deprovision.

To handle the multiple-account issue, you would need to create a new AD source for managing those. For example, if an identity has a regular AD account and an Admin AD account, you will have to create 2 separate AD sources (1 for regular accounts, and 1 for Admin accounts). Hope this helps!

When you say local admin accounts, are these some service accounts created for a user, or an admin account? When you say you want to deprovision these accounts when a user is terminated, do you want to terminate both his regular and admin account (assuming these have been created manually)? Can you share more details? The above suggestion might be applicable if the answers are yes.

Hi

Except for the domain user entitlement, all the rest of the entitlements can be removed.
As @gourab said, you can use a BP rule, or you can also use a workflow to remove the entitlements.

Thanks,
Siva.K


Yes, both regular and admin accounts need to be disabled in AD.

Okay, if you have both regular and admin accounts, then you need to create two AD sources using filter criteria. A sample filter criterion could be like this, if you have employeeType in the AD account:

(&(objectCategory=person)(objectClass=user)(employeeType=A))

Let's say "AD for Human" will bring in your regular AD users and "AD for Admins" will bring in your admin AD users. You can correlate the accounts to the regular identity and add both the sources in the inactive lifecycle state. When the regular user is terminated from the SOT, then both the accounts will be disabled.
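As an added illustration (not from the thread or from SailPoint), the following Python evaluates the two source filters against a few constructed AD accounts and flags the failure mode described above: an identity holding more than one account in the same source, where IDN cannot tell which account to disable. The attribute names and sample values are assumptions, and employeeID is used as the correlation key.

```python
def parse(s, i=0):
    """Parse a subset of an RFC 4515 filter string: &, |, ! and simple attr=value."""
    assert s[i] == "(", "filter must start with '('"
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i + 1:j].partition("=")
    return ("=", (attr.lower(), val)), j + 1

def matches(node, attrs):
    """Evaluate a parsed filter against an account's attribute dict (lower-case keys)."""
    op, body = node
    if op == "=":
        actual = attrs.get(body[0])
        return actual is not None and (body[1] == "*" or str(actual).lower() == body[1].lower())
    if op == "&":
        return all(matches(k, attrs) for k in body)
    if op == "|":
        return any(matches(k, attrs) for k in body)
    return not matches(body[0], attrs)  # "!" negation

def split_sources(accounts, filters):
    """Assign each account to every source whose LDAP filter it matches."""
    trees = {name: parse(f)[0] for name, f in filters.items()}
    return {name: [a for a in accounts if matches(t, a)] for name, t in trees.items()}

def ambiguous_identities(source_accounts, key="employeeid"):
    """Identities with more than one account in the same source: the case IDN cannot resolve."""
    by_id = {}
    for a in source_accounts:
        by_id.setdefault(a.get(key), []).append(a["samaccountname"])
    return {k: v for k, v in by_id.items() if len(v) > 1}

# Constructed sample accounts (not real data); employeeID is the assumed correlation key.
BASE = {"objectcategory": "person", "objectclass": "user"}
ACCOUNTS = [
    {**BASE, "samaccountname": "jdoe", "employeetype": "E", "employeeid": "1001"},
    {**BASE, "samaccountname": "jdoe-LA", "employeetype": "A", "employeeid": "1001"},
    {**BASE, "samaccountname": "asmith", "employeetype": "E", "employeeid": "1002"},
    {**BASE, "samaccountname": "asmith2", "employeetype": "E", "employeeid": "1002"},
]
FILTERS = {
    "AD for Human": "(&(objectCategory=person)(objectClass=user)(!(employeeType=A)))",
    "AD for Admins": "(&(objectCategory=person)(objectClass=user)(employeeType=A))",
}
```

Running a single unfiltered source over the same accounts reports both identities as ambiguous, while the split leaves only asmith's duplicate regular accounts to clean up before termination can be trusted.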