IdentityNow Orphan Accounts Connector

CoLab SaaS Connectors
, ,
1

idn-orphaned-accounts-connector
idn-orphaned-accounts-connector2401×1351 248 KB
:spiral_notepad: Description SaaS Connector for IdentityNow Orphan Accounts
:balance_scale: Legal Agreement By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab.
:hammer_and_wrench: Repository Link GitHub - sailpoint-oss/colab-saas-conn-identitynow-orphan-accounts: SaaS Connector for IdentityNow orphan accounts
:open_book: New to SaaS connectors in the CoLab? Read the getting started guide for SaaS Connectors in the CoLab.
:hospital: Supported by Community Developed

Overview

This custom SaaS connector enables IdentityNow to extend the default orphan account management capabilities by leveraging SaaS connector framework and IdentityNow API. In particular, this connector allows to:

  • Manually correlate orphan accounts to identities by access request
  • Disable original orphan accounts by disabling virtual identity/account from the connector
  • Disable original orphan accounts by certifying access from virtual identities from the connector

Our current orphan accounts certifications only allow to certify access but not the account itself. This, in my opinion, only covers one of the typical use cases around orphan accounts. One may find useful to certify orphan accounts that are in fact known service accounts or similar entities. However, when an orphan accounts is found we generally know little about it. We don’t know whether it’s a legit account. It may be a correlation failure, a test account, a service account, an old employee account, a backdoor account, etc. We probably best start by disabling it, doing some research and based on the results delete or correlate to an identity. We can then start certifying access now the right context is in place.

In combination with existing functionality, this connector provides a good foundation for orphan account governance by adding manual correlation and account disabling to the existing access certification capabilities. It also makes reporting easier.

Supported use cases

Manual correlation

The connector creates a series of account and entitlement pairs for those uncorrelated accounts found in the specified target sources:

image
image3072×872 431 KB

You can use those entitlements from the request center to request the account to correlate on behalf of the identity you want to correlate to:

image
image1920×642 62 KB

Demo

Manual disabling

You can create a new identity profile based on the orphan accounts source:

image
image2144×605 112 KB

Once in place, you can manually disable the resulting account from the identity in order to disable the original orphan account:

image
image2144×605 145 KB

Demo

Disabling by certification

With an identity profile in place, you can certify the whole source or a subset of identities:

image
image2144×712 187 KB

By revoking the only entitlement those identities have you’d be disabling the original orphan account:

image
image2144×1189 224 KB

Demo

Requirements

Guide

Supported Operations

1 Like
2

Thanks for the connector.

Could you please give more detailed information about the connector’s purpose?
On the other hand, the repository link is not working.

3

What’s the intended purpose of this connector? What would it solve for me?

Thanks!

4

The repository should be public now. Please try again.

5

Documentation is up-to-date now. Please let me know if it’s sufficient.

Cheers.

1 Like