Handling Litigation Hold for Secondary AD Accounts in ISC

Hi all,

We’ve implemented a working solution in SailPoint Identity Security Cloud (ISC) to support litigation hold based on data from our HR source. Here’s how it currently works:

Current Working Design (Primary AD Account)

  • When an identity is flagged as being on litigation hold (from the HR feed), a role assignment adds the identity’s AD account to a specific AD group.
  • This triggers an after-modify rule on the AD connector that sets the ProtectedFromAccidentalDeletion flag in Active Directory via a PowerShell integration.
  • This works perfectly when a user has only one AD account.

Challenge: Handling Secondary AD Accounts

In our environment, a single identity can have two AD accounts:

  • A primary AD account
  • A secondary AD account (not admin account)

We now want to extend the litigation hold process to ensure that both AD accounts are marked as protected from deletion.

My Questions:

  1. When we assign a role based on the identity’s litigationHold status, and that role has membership criteria for the AD group, how does ISC know which of the two AD accounts to add to the group?
  2. Are both AD accounts automatically evaluated and added to the group, since they are both linked to the same ISC identity?
  3. If not, how can we ensure that both the primary and secondary AD accounts are properly handled and added to the group (or at least have the deletion flag set)?

Would love to hear if anyone has handled similar multi-account scenarios or has suggestions on how to control which account is added to the group — or if there’s a better approach than using a group-based trigger for the secondary account.

Thanks in advance!
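As an added illustration of the group-triggered protection described above (this is example code, not the poster's after-modify rule or any SailPoint-provided script), the PowerShell below does two things against Active Directory: it sets ProtectedFromAccidentalDeletion on every user that is a member of the litigation-hold group, and then it checks whether every AD account sharing the same employeeID (the assumed attribute that links a primary and a secondary account to one person) carries the flag, which surfaces exactly the secondary-account gap the question is about. The group name, the employeeID linkage and the function names are assumptions for the example.

```powershell
# Added example: protect litigation-hold group members and verify that all accounts
# belonging to the same person (primary + secondary) are covered.
# Assumptions (placeholders, not from the thread): the group name below, and that
# primary and secondary accounts share an employeeID value.
Import-Module ActiveDirectory

$HoldGroup = 'LitigationHold-Protected'   # placeholder: the AD group your ISC role populates

function Protect-HoldGroupMembers {
    # Set the ProtectedFromAccidentalDeletion flag on every user member of the group.
    param([string]$GroupName = $HoldGroup)
    $results = @()
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties ProtectedFromAccidentalDeletion, employeeID
        if (-not $user.ProtectedFromAccidentalDeletion) {
            # Set-ADObject (not Set-ADUser) exposes the protection switch.
            Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $true
            $action = 'protected'
        } else {
            $action = 'already-protected'
        }
        $results += [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            EmployeeID     = $user.employeeID
            Action         = $action
        }
    }
    return $results
}

function Test-HoldCoverage {
    # For each employeeID found among group members, look up every AD user with that
    # employeeID and report any account that is still unprotected. A secondary account
    # that ISC never added to the group shows up here.
    param([string]$GroupName = $HoldGroup)
    $ids = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { (Get-ADUser -Identity $_.distinguishedName -Properties employeeID).employeeID } |
        Where-Object { $_ } |
        Sort-Object -Unique
    foreach ($id in $ids) {
        # $id comes from AD itself, not from user input, so a simple -Filter string is acceptable here.
        Get-ADUser -Filter "employeeID -eq '$id'" -Properties ProtectedFromAccidentalDeletion |
            Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
            ForEach-Object {
                [pscustomobject]@{
                    EmployeeID     = $id
                    SamAccountName = $_.SamAccountName
                    Gap            = 'account not protected (likely not in the hold group)'
                }
            }
    }
}

# Usage: run the remediation, then the coverage check; an empty second table means every
# account linked to a held identity is protected.
Protect-HoldGroupMembers | Format-Table -AutoSize
Test-HoldCoverage        | Format-Table -AutoSize
```

The coverage check is the part worth scheduling independently of the connector rule: it does not depend on which account ISC chose to add to the group, so it catches the case where only the primary account was protected regardless of how the role or access profile was configured.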

@adebolu_omololu,

Sounds like you have a pretty mature ISC environment, nice work!

We had similar issues with multiple accounts in the same source and we utilize the "Multiple Account Options" in the Access Profiles to help us in filtering them out.

For our use case, we filtered based off of employeeType, because we set that differently, depending on the account type. I’m not sure if, or how, you separate the AD accounts you’re referencing, but if there is some distinction, I think you would just build an access profile, targeting each type, and then you would be able to add both to the AD group as you’re looking to do.

Managing Access Profiles - SailPoint Identity Services

Hope that helps.

Thanks!

Thanks Justin! This makes sense. The behavior I am seeing taking this approach is that the access profiles get assigned to the identity based on the filter in the multiple account options. I’d like the access profiles to only be applied based on a role criteria.

@adebolu_omololu you can either use the multiple account support feature in access profiles, or another option is to create two separate AD sources and filter the sources using LDAP filters, which will remove this issue.

thanks