Managed Service Account Search Scope

Hi community,

The documentation says that type is an identity attribute which can be:

  • Employee
  • Contractor
  • External / Partner
  • RPA / Bots
  • Service Account

In Active directory, I can identify a service account by its distinguishedName containing OU=Services.

What is the best way to populate the type attribute with “Service Account”?

  • Using Managed Service Account Search Scope in the application configuration?
  • Using Aggregation Rules (which one is recommended?)
  • Using Schema Rules → Account → Customization Rule
  • Using Source Mappings in Edit Identity Attribute
  • Something else I didn’t think of?

Thank you for your help.

Customization Rule — Configure a Customization Rule on the AD application schema. In the rule, inspect the distinguishedName attribute: if it contains OU=Services, set the type attribute to "Service Account". This runs during aggregation on every account and is the cleanest, most direct mechanism for this use case.

  1. https://documentation.sailpoint.com/identityiq_84/help/appconfig/applicationschemas.html
  2. https://documentation.sailpoint.com/identityiq_84/help/appconfig/provisioningpolicies.html

Hi @alimd, we are using a Source Mapping with a global rule.

If you edit the Identity ObjectConfig, you can define more identity types should you need them.

I’ve created a schema attribute named “identityType”, then populated it with a schema account customization rule to “Service Account”.

// Account customization rule: "object" is the ResourceObject being aggregated
String dn = (String) object.getAttribute("distinguishedName");

if (dn != null && dn.toLowerCase().contains("ou=services")) {
    object.setAttribute("identityType", "Service Account");
}

return object;

Then I’ve added it as a source mapping in the Identity Attribute “type”.

I get the attribute in the objects after aggregation, but the type is still not filled in on the identity object, and I have these warnings in the logs during aggregation:

WARN QuartzScheduler_Worker-3 sailpoint.api.Identitizer:4161 - Identity type value [Service Account] not found in IdentityConfig. Skipping setting of the attribute.

Found it. The documentation isn’t clear enough.

The type values are these, and not those in the documentation:

  <entry key="identityTypeDefinitions">
    <value>
      <List>
        <IdentityTypeDefinition displayName="identity_type_employee" name="employee">
          <DisallowedAttributes>
            <String>softwareVersion</String>
            <String>administrator</String>
          </DisallowedAttributes>
        </IdentityTypeDefinition>
        <IdentityTypeDefinition displayName="identity_type_contractor" name="contractor">
          <DisallowedAttributes>
            <String>softwareVersion</String>
            <String>administrator</String>
          </DisallowedAttributes>
        </IdentityTypeDefinition>
        <IdentityTypeDefinition displayName="identity_type_partner" name="partner">
          <DisallowedAttributes>
            <String>softwareVersion</String>
            <String>administrator</String>
          </DisallowedAttributes>
        </IdentityTypeDefinition>
        <IdentityTypeDefinition displayName="identity_type_rpa" name="rpa">
          <DisallowedAttributes>
            <String>manager</String>
          </DisallowedAttributes>
          <ManagerCertifierAttribute>administrator</ManagerCertifierAttribute>
        </IdentityTypeDefinition>
        <IdentityTypeDefinition displayName="identity_type_service" name="service">
          <DisallowedAttributes>
            <String>softwareVersion</String>
          </DisallowedAttributes>
          <ManagerCertifierAttribute>administrator</ManagerCertifierAttribute>
        </IdentityTypeDefinition>
      </List>
    </value>
  </entry>
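Putting the two findings together, here is an added example of the account customization rule (BeanShell, as IdentityIQ rules are written); it is not the original poster's rule. It assumes the standard rule context, where object is the sailpoint.object.ResourceObject being aggregated, and it writes the IdentityTypeDefinition name from the IdentityConfig above ("service") rather than the display label, which is what the Identitizer WARN was rejecting. It also matches OU=Services as a whole RDN instead of with contains(), so an OU such as "OU=ServicesDesk", or a CN that merely contains the text, does not get classified as a service account.

```java
// Added example: ResourceObjectCustomization rule body for the AD application.
// Assumes the standard rule context: "object" is the aggregated ResourceObject.
import java.util.ArrayList;
import java.util.List;

// Split a DN into its RDNs on unescaped commas, so an escaped "\," inside a CN
// (e.g. "CN=Doe\, John") does not produce a spurious RDN.
List splitRdns(String dn) {
    List rdns = new ArrayList();
    StringBuilder cur = new StringBuilder();
    boolean escaped = false;
    for (int i = 0; i < dn.length(); i++) {
        char c = dn.charAt(i);
        if (escaped) {
            cur.append(c);
            escaped = false;
        } else if (c == '\\') {
            cur.append(c);
            escaped = true;
        } else if (c == ',') {
            rdns.add(cur.toString().trim());
            cur.setLength(0);
        } else {
            cur.append(c);
        }
    }
    rdns.add(cur.toString().trim());
    return rdns;
}

// True only when one complete RDN equals the wanted value (case-insensitive).
// A plain contains("ou=services") would also match "OU=ServicesDesk".
boolean hasRdn(String dn, String wanted) {
    for (Object r : splitRdns(dn)) {
        if (wanted.equalsIgnoreCase((String) r)) {
            return true;
        }
    }
    return false;
}

String dn = (String) object.getAttribute("distinguishedName");

if (dn != null && hasRdn(dn, "OU=Services")) {
    // Must be the IdentityTypeDefinition "name" from IdentityConfig, not the
    // displayName; otherwise Identitizer logs
    // "Identity type value [...] not found in IdentityConfig" and skips it.
    object.setAttribute("identityType", "service");
}
// Accounts outside OU=Services are left untouched so this application does not
// overwrite a type another source has already set on the identity.

return object;
```

The schema attribute "identityType" is then mapped to the identity attribute "type" through a source mapping, as in the thread. Whatever value the rule writes must appear as a name attribute in identityTypeDefinitions; adding a new type means editing the Identity ObjectConfig first.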

@alimd Try doing a source mapping in the existing Type attribute, and you can write a global rule. It’ll be applicable for all the types, and you need to make sure service accounts and user accounts are on separate identities. In case, due to some correlation failure, they are merged, then you may not see the right type attribute set on the identities.