Detect/Prevent Second Account Creation in IdentityNow

Is there a flag at the Application level that we can set, to prevent the system from creating a second account in the same source? I can add code in the BeforeProvisioning Rule, but I was looking for a simpler or OOTB solution.

Also, is it possible to detect users with 2+ accounts in the same source?

For detecting users with 2+ accounts, you can use the query below:

"query": {
    "query": "source.id:<<SOURCEID>>"
},
"indices": [
    "identities"
],
"aggregationsDsl": {
    "accounts": {
        "nested": {
            "path": "accounts"
        },
        "aggs": {
            "source_id": {
                "terms": {
                    "field": "accounts.source.id",
                    "min_doc_count": 2,
                    "size": 1000
                },
                "aggs": {
                    "identities": {
                        "terms": {
                            "field": "_id",
                            "min_doc_count": 2
                        },
                        "aggs": {
                            "accounts": {
                                "top_hits": {}
                            }
                        }
                    }
                }
            }
        }
    }
}

}

You can refer to this too

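As an added example (not code from this thread or from SailPoint), the aggregation body above wrapped in a small Python script: it builds the body for a given source id, flattens the returned buckets into a per-identity list of account names so the duplicates can be reviewed or fed to a ticketing process, and includes a sender for the v3 search aggregate endpoint. The bucket layout of the response, the tenant URL pattern, and the embedded response data are assumptions constructed for this example.

```python
import json
import urllib.request

def build_duplicate_account_query(source_id: str) -> dict:
    """Body from the thread: identities with 2+ accounts on one source."""
    return {
        "query": {"query": f"source.id:{source_id}"},
        "indices": ["identities"],
        "aggregationsDsl": {"accounts": {
            "nested": {"path": "accounts"},
            "aggs": {"source_id": {
                "terms": {"field": "accounts.source.id",
                          "min_doc_count": 2, "size": 1000},
                "aggs": {"identities": {
                    "terms": {"field": "_id", "min_doc_count": 2},
                    "aggs": {"accounts": {"top_hits": {}}},
                }},
            }},
        }},
    }

def duplicates_from_response(resp: dict) -> dict:
    """Flatten buckets into {identity_id: [account names]} (assumed layout)."""
    found = {}
    for src in resp["aggregations"]["accounts"]["source_id"]["buckets"]:
        for ident in src["identities"]["buckets"]:
            hits = ident["accounts"]["hits"]["hits"]
            found[ident["key"]] = sorted(h["_source"]["name"] for h in hits)
    return found

def run_query(tenant: str, token: str, source_id: str) -> dict:
    """POST to /v3/search/aggregate (needs a live tenant; not called here)."""
    req = urllib.request.Request(
        f"https://{tenant}.api.identitynow.com/v3/search/aggregate",  # assumed
        data=json.dumps(build_duplicate_account_query(source_id)).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as r:
        return duplicates_from_response(json.load(r))

# Constructed sample response: one source, one identity holding two accounts.
SAMPLE_RESPONSE = {"aggregations": {"accounts": {"source_id": {"buckets": [
    {"key": "SOURCE-ID-PLACEHOLDER", "doc_count": 2, "identities": {"buckets": [
        {"key": "id-123", "doc_count": 2, "accounts": {"hits": {"hits": [
            {"_source": {"name": "jdoe"}}, {"_source": {"name": "jdoe-adm"}}]}}},
    ]}},
]}}}}
```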

@hearst2k can you share what type of source you’re talking about? If it’s AD, there’s a very specific way to deal with account moves to prevent duplicates, and there is an effort underway to make this better.

In any case, will need some additional details and context to provide a useful answer.

Thanks, Rich

AD is the major Source where we are facing this issue. I forgot to mention, and surprisingly it is in your response, that we are seeing this issue with account moves. Could you please provide the solution for this specific problem?

IIQ has a specific way to detect/prevent second account creation using Policy Violation or Account Certification. I was looking for something similar in IDN.

Also, in IIQ, if you want to request second account, there is a flag that we need to add to the application: ADDITIONAL_ACCOUNT_REQUEST. We do not have that in the featureString in the IDN Application, but we still have this problem.

Hi Prashanth @hearst2k ,

Please have a look at this document:

You’ll need to set up a BeforeProvisioning rule and add a couple of identity attributes to make it work. Professional Services has done this many times in the past for other customers and can assist if needed.

Thanks! Rich

By the way, it’s not unusual to have multiple accounts on the same source get correlated to a particular identity. Sometimes it’s a “regular” account and an “admin” account, but there’s nothing specifically prevented in that regard. The issue arises with AD because our AD connector uses DN rather than GUID to uniquely identify an AD account, so when it is moved to a different OU directly in AD, IDN will see it as two separate actions, a “delete” and a “create”.