Can someone clarify the difference between Machine Account Owner and Machine Identity Owner in SailPoint Machine Identity Security?
I am trying to understand the roles and responsibilities of each owner:
Does the Machine Account Owner manage/review the access assigned to that specific machine account?
What is userEntitlement in a Machine Identity? Is it considered a type of access?
What does the Machine Identity Owner manage? Do they manage only the related machine accounts, or do they also manage/review access?
Example: If one machine identity/application has multiple service accounts, should the service account owner review account-level access, while the machine identity owner manages the overall machine identity and related accounts?
machine account owner is “human is responsible for the specific machine account”. Let say that machine account is correlated to machine identity and of course it can have machine identity owner who can be human again.
Yes, both the Machine Account Owner and Machine Identity Owner are human owners who are responsible for the machine account/identity.
However, what is the exact difference between their roles and responsibilities? Specifically, what are they authorized to manage?
For example:
Does the Machine Account Owner manage the access and permissions assigned to that specific machine account?
Does the Machine Identity Owner only manage the accounts associated with the machine identity, or are they also responsible for managing access and entitlements?
Could you please clarify the distinction between these two ownership roles?
Yes, both are human owners, but they don’t own the same level of object. That is the main difference. Let me try to put it this way
Machine Account Owner is tied to a specific machine account on a source. For example, one service account, one bot account, or one non-human account. You configure this in the source’s Machine Account Mappings page under the Machine Account Owner tile. SailPoint can match a machine account attribute to a human identity, or to another human account. The matching human becomes the owner of that particular machine account. In a machine account certification campaign, this person can be selected as the reviewer using the Account Owner reviewer type. If no account owner is mapped, the certification falls back to the source owner.
Machine Identity Owner is tied to the application identity itself. This is the higher-level object that groups related machine accounts under one application or service. In the UI, this shows as Primary Owner and Additional Owners. This owner is responsible for the application identity as a whole: the related machine accounts grouped under it, succession planning, and the overall governance of that identity. You can add up to 10 additional owners, so ownership does not get stuck if the primary owner becomes inactive.
So these are not two names for the same thing. Machine Account Owner is about: who owns this specific account? Machine Identity Owner is about: who owns this overall application or service identity?
Yes, the Machine Account Owner is the right person to review access for that specific machine account in a machine account certification campaign. In that campaign type, you can select Account Owner as the reviewer. Account owners can only be selected as certifiers in machine account certification campaigns, not in other campaign types. Also, if no account owner is configured, the review falls back to the source owner.
For userEntitlements, I would not confuse these with the entitlements held by the machine accounts. userEntitlements are entitlements that grant human users access to the application identity. You can add up to 10 from multiple sources when creating the application identity, and you can view them in the Details tab.
So yes, they are a type of access, but they track which human users receive access to the application identity. They are not the same as the entitlements assigned to the correlated machine accounts. Those are reviewed separately in the Access tab.
The Machine Identity Owner is the owner of the overall application identity. In the UI, this is the Primary Owner and Additional Owners. This owner is responsible for the bigger picture: the application identity itself, the related machine accounts grouped under it, ownership continuity, succession, and the overall governance of that identity.
Your example is right: If one application identity has multiple service accounts, each service account’s machine account owner would be the right person to review that account’s access in a machine account certification. The machine identity owner looks at the overall application identity: the accounts grouped under it, user entitlements, and ownership continuity.
So both owners play a role in governance, but at different levels:
Hi @punna0001, in case of certification, how are these user entitlements certified, and can you please also clarify what the role of the machine identity primary owner is in reviewing and certifying the application identity’s access?
Hello Isha,
From what I see in the docs, I don’t see userEntitlements showing up as separate review items inside a machine account certification campaign. In that flow, the reviewer selects the machine identity and reviews its access under the Entitlements tab, which is the entitlement access from the correlated machine accounts. The userEntitlements sit separately on the application identity’s Details tab and represent entitlements that grant human users access to that application identity. If the requirement is to certify that human access, I would handle it as a separate certification approach.
For the Primary Owner, I wouldn’t treat them as the automatic certifier. They own the application identity itself, the related accounts, succession, and overall governance. But in the certification setup, Account Owner is the reviewer type called out for machine account certifications, with source owner as the fallback. If you want the Primary Owner reviewing access too, you would map that same person as the machine account owner at the source level. But those are two separate configurations, they don’t automatically connect.