Provisioning AD entitlement on orphaned account

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

I have aggregated a couple of shared AD accounts into SailPoint. These accounts are orphaned as they don’t have a related or correlated Identity. I need to be able to add/remove an entitlement through the system. I am able to remove an entitlement, but unable to add an entitlement. What is the recommended way of doing this? I am able to remove entitlements because there’s no approval process, but for adding, it errors out most likely due to it not being part of the Identity request workflow. Any recommendations would be appreciated.

Hi Angie,

In general, when we talk about shared AD accounts, they are basically service accounts used by multiple teams.
Considering best practice, you must assign an owner who is responsible for managing that service account.

For more details, please read this best practices document.

Thanks Amit. I’ve read through this a few times and have come to the conclusion that custom development work is probably needed. The accounts are in as Option 1 right now. We don’t currently have the ability to do 3 or 4, which is what I’d like, due to no workflow to create a manual identity. Is there OOB code for this type of thing? I’m guessing not. Thanks!

Hi @angie_vetrone,

A comprehensive approach to handling service accounts would be to maintain a delimited file of service accounts with the following application attributes:

User Name
First Name
Last Name
Owner
Inactive

The naming convention should be as the document prescribed. In this case it would be sAMAccountName for username. The Owner attribute should match the identity attribute of the individual (Identity Attribute from the HR Source) that would be responsible for the service account.

Owner correlation:

Aggregate this delimited application as an authoritative source.

Perform Identity Mappings
Global Settings>Identity Mapping
Display Name : User Name
First Name : First Name
Last Name : Last Name
Manager : Owner
Inactive : Inactive
Type: Under source mappings > Add source > Application Rule > Choose the application > Rule editor > return "Service Accounts";

Run Refresh Task

Now aggregate the service account AD application you have configured prior.

Correlation for AD application

Application Attribute : Identity Attribute
sAMAccountName : Display Name

These are best practices for service account management. Since you have an owner assigned and the owner correlated to the manager attribute, your access requests, certifications, and policy management would all be streamlined.

Hope this helps.
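The following is an added Python example (not code from the thread or from SailPoint) that checks a service-account delimited file against the five attributes listed above and then simulates the two correlation steps: Owner against the HR identity attribute, and AD sAMAccountName against the Display Name built from User Name. The file content, HR identities and AD accounts are constructed sample data; the assumption that Owner holds an employee id and that the sAMAccountName match is case-insensitive are this example's choices, not something the post prescribes.

```python
"""Validate a service-account delimited file and simulate owner/AD correlation.
Added example with constructed sample data; not the post's or SailPoint's code."""
import csv
import io
import re

# Constructed delimited file with the five application attributes from the post.
# Owner carries the HR identity attribute (assumed here to be an employee id).
SERVICE_ACCOUNTS_CSV = """User Name,First Name,Last Name,Owner,Inactive
svc-backup,Backup,Service,E1001,false
svc-monitor,Monitoring,Service,E1002,false
svc-legacy-reporting-01,Legacy,Reporting,E9999,true
svc:bad,Bad,Name,E1001,false
"""

# Constructed HR identities, keyed by the identity attribute referenced in Owner.
HR_IDENTITIES = {"E1001": "Alice Example", "E1002": "Bob Example"}

# Constructed accounts as they might be aggregated from the service-account AD application.
AD_ACCOUNTS = [
    {"sAMAccountName": "SVC-Backup"},
    {"sAMAccountName": "svc-monitor"},
    {"sAMAccountName": "svc-unknown"},
]

REQUIRED_COLUMNS = ["User Name", "First Name", "Last Name", "Owner", "Inactive"]
# sAMAccountName: at most 20 characters and none of the characters AD rejects.
SAM_ACCOUNT_NAME = re.compile(r'[^"/\\\[\]:;|=,+*?<>]{1,20}')


def parse_service_accounts(text):
    """Parse the delimited file; fail loudly if a required column is missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("missing columns: %s" % ", ".join(missing))
    return list(reader)


def validate(rows, hr_identities):
    """Return (username, problem) pairs for rows that would not correlate cleanly."""
    problems = []
    seen = set()
    for row in rows:
        name = row["User Name"]
        if not SAM_ACCOUNT_NAME.fullmatch(name):
            problems.append((name, "User Name is not a valid sAMAccountName"))
        if name.lower() in seen:
            problems.append((name, "duplicate User Name"))
        seen.add(name.lower())
        if row["Owner"] not in hr_identities:
            problems.append((name, "Owner %s not found in HR source" % row["Owner"]))
        if row["Inactive"].strip().lower() not in ("true", "false"):
            problems.append((name, "Inactive must be true or false"))
    return problems


def build_identities(rows):
    """Apply the identity mapping from the post: Display Name from User Name,
    Manager from Owner, type fixed to 'Service Accounts'. Keyed by lower-cased name."""
    identities = {}
    for row in rows:
        identities[row["User Name"].lower()] = {
            "displayName": row["User Name"],
            "firstname": row["First Name"],
            "lastname": row["Last Name"],
            "manager": row["Owner"],
            "inactive": row["Inactive"].strip().lower() == "true",
            "type": "Service Accounts",
        }
    return identities


def correlate_ad(ad_accounts, identities):
    """Correlate AD sAMAccountName to identity Display Name.
    Returns ({sAMAccountName: displayName}, [sAMAccountNames left orphaned]).
    Case-insensitive lookup is an assumption of this example."""
    correlated, orphans = {}, []
    for account in ad_accounts:
        sam = account["sAMAccountName"]
        identity = identities.get(sam.lower())
        if identity is None:
            orphans.append(sam)
        else:
            correlated[sam] = identity["displayName"]
    return correlated, orphans


if __name__ == "__main__":
    rows = parse_service_accounts(SERVICE_ACCOUNTS_CSV)
    for name, problem in validate(rows, HR_IDENTITIES):
        print("file problem: %s: %s" % (name, problem))
    correlated, orphans = correlate_ad(AD_ACCOUNTS, build_identities(rows))
    print("correlated:", correlated)
    print("still orphaned:", orphans)
```

Running it flags the over-long name and the unknown owner on the third row and the forbidden character on the fourth, then shows which AD accounts would still be orphaned after the refresh and aggregation steps; fixing the file before the authoritative aggregation is cheaper than chasing orphans afterwards.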

Can you share what error you get when you try to remove an entitlement?

Sure!

  • An unexpected error occurred: BeanShell script error: bsh.EvalError: Sourced file: inline evaluation of: import sailpoint.object.*; import sailpoint.tools.Message; import sailpoint. . . . '' : Typed variable declaration : Incorrect type returned from method: calculateRequestorCan't assign void value to java.lang.String: Can't assign void value to java.lang.String : at Line: 511 : in file: inline evaluation of: import sailpoint.object.*; import sailpoint.tools.Message; import sailpoint. . . . ‘’ : calculateRequestor ( launcher , identityName , identityDisplayName ) BSF info: Sentry Approval Assignment Rule at line: 0 column: columnNo

Could you please check what this method calculateRequestor is expected to return and what it actually tries to return in the actual code?

Ensure that this method is returning a value of type String rather than void.
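As an added illustration (Python, not the BeanShell rule from the thread or any SailPoint code) of the failure mode described above: a helper that only returns a value on one path hands back nothing on the others, and the caller, which requires a string, fails exactly as the "Can't assign void value to java.lang.String" error does. The parameter names follow the error message; that the unreturned path is the uncorrelated (orphaned) account case is this example's assumption.

```python
"""Python analogue of a requestor helper that returns a value on only one path.
Added example; parameter names follow the error text, the logic is assumed."""


def calculate_requestor_broken(launcher, identity_name, identity_display_name):
    """Mirrors the bug: returns a value only when a display name exists.
    For an account with no correlated identity the function falls off the end."""
    if identity_display_name:
        return identity_display_name
    # no correlated identity: nothing is returned here, so the caller gets None


def calculate_requestor(launcher, identity_name, identity_display_name):
    """Every path returns a str, including the orphaned-account case."""
    if identity_display_name:
        return identity_display_name
    if identity_name:
        return identity_name
    if launcher:
        return launcher
    return "unknown requestor"


def assign_approver_message(calc, launcher, identity_name, identity_display_name):
    """Caller that, like the typed variable declaration in the rule, needs a str.
    Raises TypeError instead of silently formatting 'None' into the approval."""
    requestor = calc(launcher, identity_name, identity_display_name)
    if not isinstance(requestor, str):
        raise TypeError("calculateRequestor returned %r, expected str" % (requestor,))
    return "approval for %s requested by %s" % (identity_name or "<uncorrelated account>", requestor)


if __name__ == "__main__":
    # Correlated identity: both versions behave the same.
    print(assign_approver_message(calculate_requestor_broken, "spadmin", "jdoe", "John Doe"))
    # Orphaned account: the broken helper fails, the fixed one falls back to the launcher.
    try:
        assign_approver_message(calculate_requestor_broken, "spadmin", None, None)
    except TypeError as err:
        print("broken helper:", err)
    print(assign_approver_message(calculate_requestor, "spadmin", None, None))
```

The check for an uncorrelated account is the one worth adding to the real rule: an approval-assignment rule that assumes every request has a correlated identity will work for all the correlated accounts and break only on the orphaned ones.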