| | |
| --- | --- |
| Description | SaaS Connector for IdentityNow Orphan Accounts |
| Legal Agreement | By using this CoLab item, you are agreeing to SailPoint's Terms of Service for our developer community and open-source CoLab. |
| Repository Link | GitHub - sailpoint-oss/colab-saas-conn-identitynow-orphan-accounts: SaaS Connector for IdentityNow orphan accounts |
| New to SaaS connectors in the CoLab? | Read the getting started guide for SaaS Connectors in the CoLab. |
| Supported by | Community Developed |
Overview
This custom SaaS connector extends IdentityNow's default orphan account management capabilities by leveraging the SaaS connector framework and the IdentityNow API. In particular, this connector allows you to:
- Manually correlate orphan accounts to identities by access request
- Disable original orphan accounts by disabling virtual identity/account from the connector
- Disable original orphan accounts by certifying access from virtual identities from the connector
Our current orphan account certifications only allow you to certify access, not the account itself. This, in my opinion, covers only one of the typical use cases around orphan accounts. One may find it useful to certify orphan accounts that are in fact known service accounts or similar entities. However, when an orphan account is found we generally know little about it. We don't know whether it is a legitimate account. It may be a correlation failure, a test account, a service account, an old employee account, a backdoor account, etc. We are probably best off starting by disabling it, doing some research and, based on the results, deleting it or correlating it to an identity. We can then start certifying access now that the right context is in place.
In combination with existing functionality, this connector provides a good foundation for orphan account governance by adding manual correlation and account disabling to the existing access certification capabilities. It also makes reporting easier.
Supported use cases
Manual correlation
The connector creates an account and entitlement pair for each uncorrelated account found in the specified target sources.
You can request those entitlements from the request center on behalf of the identity you want to correlate to, which correlates the original account to that identity.
Demo
Manual disabling
You can create a new identity profile based on the orphan accounts source.
Once it is in place, you can manually disable the resulting account from the identity in order to disable the original orphan account.
Demo
Disabling by certification
With an identity profile in place, you can certify the whole source or a subset of identities.
By revoking the only entitlement those identities have, you disable the original orphan account.
Demo
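As an added illustration (not the connector's own code), the following TypeScript models the account and entitlement pairs described above and shows how an access request, a manual disable or a certification revocation maps back to the original orphan account. All type names, function names and sample data are assumptions made for the example.

```typescript
// Added example, not the connector's code: the virtual account / entitlement model.
interface OrphanAccount { sourceId: string; accountId: string; correlated: boolean }
interface VirtualAccount { nativeIdentity: string; entitlements: string[] }
type PlannedAction =
  | { kind: "correlate"; identityId: string; sourceId: string; accountId: string }
  | { kind: "disable"; sourceId: string; accountId: string };

// The entitlement value doubles as the key back to the original account.
function entitlementFor(a: OrphanAccount): string {
  return `${a.sourceId}|${a.accountId}`;
}

// Account list: one virtual account holding exactly one entitlement per uncorrelated account.
function listVirtualAccounts(accounts: OrphanAccount[]): VirtualAccount[] {
  return accounts
    .filter((a) => !a.correlated)
    .map((a) => ({ nativeIdentity: entitlementFor(a), entitlements: [entitlementFor(a)] }));
}

// Look the entitlement up rather than parsing it, so account ids may contain any character.
function resolve(entitlement: string, accounts: OrphanAccount[]): OrphanAccount {
  const hit = accounts.find((a) => entitlementFor(a) === entitlement);
  if (!hit) throw new Error(`unknown orphan entitlement: ${entitlement}`);
  return hit;
}

// Access request for the entitlement on behalf of an identity: correlate the original
// account to that identity. Refuse if the account was correlated in the meantime.
function planCorrelation(entitlement: string, identityId: string, accounts: OrphanAccount[]): PlannedAction {
  const a = resolve(entitlement, accounts);
  if (a.correlated) throw new Error(`${a.accountId} on ${a.sourceId} is already correlated`);
  return { kind: "correlate", identityId, sourceId: a.sourceId, accountId: a.accountId };
}

// Disabling the virtual account, or revoking its only entitlement in a certification,
// both map to disabling the original orphan account.
function planDisable(entitlement: string, accounts: OrphanAccount[]): PlannedAction {
  const a = resolve(entitlement, accounts);
  return { kind: "disable", sourceId: a.sourceId, accountId: a.accountId };
}

// Constructed sample data: two orphans and one account that is already correlated.
const sampleAccounts: OrphanAccount[] = [
  { sourceId: "ad", accountId: "svc-backup", correlated: false },
  { sourceId: "ad", accountId: "jdoe", correlated: true },
  { sourceId: "okta", accountId: "old-contractor", correlated: false },
];
```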
Requirements
- IdentityNow or Identity Security Cloud subscription
- SailPoint CLI
- Node.js >= 16.2.0
- TypeScript >= 4.4.3