New Capability: Machine Account Migration!

Description

SailPoint® is excited to announce Machine Account Migration, a simpler way to move service accounts, bots, and other machine accounts from human identities to machine identities—helping you fully adopt Machine Identity Security.

You’re now able to move service accounts, bots, and other machine accounts from human identities to machine identities. This enables you to migrate legacy machine account governance implementations to Machine Identity Security.

New Capabilities

This capability is for customers who govern machine accounts using the legacy options documented in Service Accounts Best Practices.

  1. Use Machine Account Classification to establish policy that defines your machine accounts.
  2. Review the accounts that are correlated to human identities under Accounts > Human Accounts with the Classified as Machine filter applied.
  3. Re-correlate these accounts to machine identities with the Update Correlation and Correlate to Machine Identity actions.

Problem

You’ve just licensed Machine Identity Security but you’ve got thousands of machine accounts that were correlated to human identities using the legacy options documented in Service Accounts Best Practices. You need an efficient way to migrate to Machine Identity Security.

Solution

A feature set that helps you migrate machine accounts from human identities to machine identities in phases according to your project schedule. For example, you can migrate a single account on a source first, then all remaining accounts on that source, and repeat these steps for the next source until your project is complete. Follow these steps to use the new features.

Step 1: Use Machine Account Classification to establish policy that defines your machine accounts.

The example focuses on the Active Directory Source. We’ve used these criteria to define machine accounts in Active Directory.

Step 2: Review the accounts that are correlated to human identities under Accounts > Human Accounts with the Classified as Machine filter applied.

We recommend also using the Source Name filter to focus your review on a particular source. We’ve filtered the list down to accounts that are Classified as Machine on the Active Directory source.

Step 3: Re-correlate these accounts to machine identities with the Update Correlation action.

You’re able to update the accounts one at a time or in bulk. The system processes Machine Account Mappings when you complete this action. This will set machine account attributes including Account Owner and Machine Identity according to your configuration.

You’re able to use these actions against accounts whether or not the configuration has marked them Classified as Machine.

We’ll move this single account using the Update Correlation action. We’re being conservative to test the machine account mappings we’ve set for this source.

Bonus features! This release enhanced Update Correlation to include options for Machine and Uncorrelated. All customers are able to use either the Human or Uncorrelated options. Machine Identity Security customers are able to use Human, Machine, and Uncorrelated options.

We feel that mappings are working as expected so we will move the rest of the accounts on this source in bulk using the Correlate to Machine Identity action.

Step 4: Review the updated machine accounts and make additional changes (optional)

Navigate to Machine Accounts and review the attributes that were established based on mappings.

We’ll use the Update Account action to fix an account where mappings failed to locate an owner.

Step 5: Decommission unneeded configurations

All legacy options documented in Service Accounts Best Practices require the creation of a human identity profile to house your machine identities. You no longer need this human identity profile once you’ve migrated to Machine Identity Security. Delete that human identity profile and complete your project!

Step 6: Prove your work to auditors

Use the query "Update Machine Account Passed" in Search to review correlation changes.

Who is affected?

Customers who have licensed Machine Identity Security and implemented a legacy option documented in Service Accounts Best Practices are able to correlate accounts to machine identities.

Action Required

Impacted customers should use this feature when adopting Machine Identity Security.

Important Dates

The feature will roll out to all sandbox tenants on Wednesday, February 26th.

The feature will roll out to production tenants between Wednesday, March 5th and Monday, March 10th.

RSVP to this event to receive a reminder before this release.

Additional Resources

Machine Identity Security Overview - SailPoint Identity Services
