Help me understand Privileged Active Directory Account Creation

Hello Experts,

I am trying to come up with a process to create a Privileged Active Directory Account in SailPoint ISC through a Role.

Identities have two Accounts in Active Directory:

  1. Active Directory Account with “OU=Users, OU=Accounts, DC=ABC,DC=EFG”
  2. Privileged Account with “OU=PA,OU=Accounts, DC=ABC,DC=EFG”

Both the Active Directory Account and the Privileged Account reside in Active Directory, but in different OUs.

A separate application “ActiveDirectoryPrivileged” is created in ISC that holds all the privileged Accounts as a Direct AD connector. This pulls all the privileged accounts into ISC.

Now I want to create a Role that will create an “ActiveDirectoryPrivileged” account for existing active identities in ISC.

Will I need to write some kind of Rule, or should creating a Role handle this business case? If there is a better approach, I am more than happy to apply it.

I expect that you will need to create a 2nd connection to AD just for the PA accounts. Then you can make a Role that creates the PA account. Otherwise, just having the one connector, the existence of a non-PA account will prevent a PA account from being created.

Anyway, that’s how I would do it - assuming that I couldn’t convince the business to do away with PA accounts and use PIM instead.

Hi @j1241

  1. Ensure that in the aggregation settings for the privileged AD source, you do not aggregate normal accounts, and in the normal AD source, you do not aggregate privileged accounts.
  2. We now have two sets of identities (because we have two sources) from the same target system.
  3. Create a role, and in the membership criteria, add the identity attribute “DN” that contains “OU=Users”. This will ensure the identity has a normal AD account.
  4. The role will be attached to those identities with Normal AD accounts and assign entitlements to them. If an identity does not have a privileged AD account, it will be created.
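The scoping and membership logic described in the steps above, as an added example that is not from the thread and not SailPoint ISC code: it checks that an account DN falls under exactly one of the two source search bases (the OUs from the question) and derives which identities the PA role would create an account for. The identity names and account DNs are constructed sample data.

```python
import re
from typing import Dict, List

# Search bases for the two ISC sources (DNs taken from the question).
NORMAL_BASE = "OU=Users, OU=Accounts, DC=ABC,DC=EFG"
PA_BASE = "OU=PA,OU=Accounts, DC=ABC,DC=EFG"

def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, lower-cased with whitespace around ',' and '='
    removed, so 'OU=Users, OU=Accounts' compares equal to 'ou=users,ou=accounts'."""
    return [re.sub(r"\s*=\s*", "=", rdn.strip()).lower() for rdn in dn.split(",")]

def is_under(dn: str, base: str) -> bool:
    """True when dn is at or below base: an RDN-suffix match, not a substring test."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def source_for(dn: str, normal_base: str = NORMAL_BASE, pa_base: str = PA_BASE) -> str:
    """Which source should aggregate this account. 'both' means the two search
    bases overlap, i.e. step 1 (disjoint aggregation) is not satisfied."""
    normal, pa = is_under(dn, normal_base), is_under(dn, pa_base)
    if normal and pa:
        return "both"
    return "normal" if normal else "privileged" if pa else "unscoped"

def pa_role_plan(identities: Dict[str, List[str]],
                 normal_base: str = NORMAL_BASE, pa_base: str = PA_BASE) -> Dict[str, str]:
    """Apply the role logic from the answer: an identity with an account under
    OU=Users is a member; members lacking a privileged account get one created."""
    plan = {}
    for ident, dns in identities.items():
        kinds = {source_for(dn, normal_base, pa_base) for dn in dns}
        if "both" in kinds:
            plan[ident] = "fix aggregation scoping first"
        elif "normal" not in kinds:
            plan[ident] = "not a role member"
        elif "privileged" in kinds:
            plan[ident] = "PA account already exists"
        else:
            plan[ident] = "create PA account"
    return plan

# Constructed sample identities and their AD account DNs (not real data).
SAMPLE = {
    "jdoe": ["CN=jdoe,OU=Users, OU=Accounts, DC=ABC,DC=EFG",
             "CN=jdoe-pa,OU=PA,OU=Accounts, DC=ABC,DC=EFG"],
    "asmith": ["CN=asmith,OU=Users,OU=Accounts,DC=ABC,DC=EFG"],
    "svc-backup": ["CN=svc-backup,OU=Service,OU=Accounts,DC=ABC,DC=EFG"],
}

if __name__ == "__main__":
    for ident, action in pa_role_plan(SAMPLE).items():
        print(f"{ident}: {action}")
```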

Hello @phil_awlings
Thank you

Yes, I am adding a second connection to AD just for PA accounts. I will look for sure into PIM. For now I am just investigating the process.
