Onboard and manager users on servers through IIQ

Hi all,

We have a requirement to create an access review in IIQ for 10 servers that provide jump host access.

Is there an OOTB connector that can achieve this? Is it possible to onboard servers and manage their users as accounts and their accesses on the servers as entitlements.

Thanks in advance.

Hi @rishavghoshacc Can you explain more about what you are referring as server here, Is it a AD server or LDAP etc? If you aware of the product then please check the below link having the details of all the OOTB connectors available in SailPoint 8.5

IdentityIQ 8.5 Connectors

Hi Rishav,

Could you please clarify what type of servers these are and how the jump host access is managed currently? It would help in suggesting the right connector and integration approach.

Thanks!

10 servers that provide jump host access to environment, and there is a problem with overprovisioned users that act as administrators on these servers

Local accounts must also be reviewed, so there is a requirement for how we work with these

10 servers that provide jump host access to environment, and there is a problem with overprovisioned users that act as administrators on these servers

Local accounts must also be reviewed, so there is a requirement for how we work with these

@santhirajumunganda These are Windows server. We need to manage the user accounts on these servers

Hi Rishav,

Since these are Windows jump servers, a better approach would be to manage access through AD groups instead of local accounts wherever possible. IIQ can then certify and govern the AD group memberships that provide jump host access.

For existing local accounts, the Windows Local connector can also be used for aggregation and access reviews.

Thanks!

@santhirajumunganda

We would like to manage the users and their accesses through IIQ

@rishavghoshacc You can integrate these servers using Windows Local - Direct connector. This is being used to manage local accounts. Please refer to attached documents for more details.

However as a best practice, try to provision the access via AD groups only. In case it is not possible, then go for Windows local account.

SailPoint Microsoft Windows Local Connector Guide.pdf (265.4 KB)

@rishavghoshacc In additional to what NeelMadhav has mentioned.
There is also a multi connector adaptor (Separately license) if you have a lot of servers to be onbaorded that is the way to go.

You can use JIT tool to provide access to window servers using PAM Service CyberArk or BeyondTrust by onboarding into SailPoint

Hi @rishavghoshacc We implemented a similar use case. First, we integrated the authentication through AD. Then, user management was done through IIQ provisioning, deprovisioning, and access reviews. I think a cleaner and neater approach is to integrate with AD, which is the better approach. If not, I think you can use the Windows local connector.

I hope it helps.

Thanks,
PVR.

Just checking in to see if the suggested solution worked for you. Please let us know if you need any further help.