I have aggregated a couple of shared AD accounts into SailPoint. These accounts are orphaned as they don’t have a related or correlated Identity. I need to be able to add/remove an entitlement through the system. I am able to remove an entitlement, but unable to add an entitlement. What is the recommended way of doing this? I am able to remove entitlements because there’s no approval process, but for adding, it errors out, most likely due to it not being part of the Identity request workflow. Any recommendations would be appreciated.
In general, when we talk about shared AD accounts, they are basically service accounts used by multiple teams.
Considering best practice, you must assign an owner who is responsible for managing that service account.
For more details, please read this best practices document.
Thanks Amit. I’ve read through this a few times and have come to the conclusion that custom development work is probably needed. The accounts are in as Option 1 right now. We don’t currently have the ability to do 3 or 4, which is what I’d like, due to no workflow to create a manual identity. Is there OOB code for this type of thing? I’m guessing not. Thanks!
A comprehensive approach to handling service accounts would be to maintain a delimited file of service accounts with the following application attributes:
User Name
First Name
Last Name
Owner
Inactive
The naming convention should be as the document prescribed. In this case it would be sAMAccountName for username. The Owner attribute should match the identity attribute of the individual (Identity Attribute from the HR Source) that would be responsible for the service account.
Aggregate this delimited application as an authoritative source.
Perform Identity Mappings (Global Settings > Identity Mapping):
Display Name : User Name
First Name : First Name
Last Name : Last Name
Manager : Owner
Inactive : Inactive
Type : Under source mappings > Add source > Application Rule > Choose the application > Rule editor > return "Service Accounts";
Run the Refresh Task.
Now aggregate the service account AD application you have configured prior.
Correlation for the AD application:
Application Attribute : Identity Attribute
sAMAccountName : Display Name
These are best practices according to service account management. Since you have an owner assigned and the owner is correlated to the manager attribute, your access requests, certifications, and policy management would all be streamlined.
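The steps above (delimited authoritative source, identity mapping, application rule setting the type, and sAMAccountName correlation) can be dry-run outside IdentityIQ before aggregating. The following is an added example, not code from the original post or from SailPoint: it parses a constructed service-account file, checks that every Owner matches an HR identity attribute value, and simulates the sAMAccountName → Display Name correlation so that accounts that would still be orphaned are reported before the refresh. The identity attribute names (displayName, firstname, lastname, manager, inactive) and all sample values are assumptions for the illustration.

```python
import csv
import io

# Constructed sample: the delimited service-account file described in the post
# (User Name, First Name, Last Name, Owner, Inactive). All values are made up.
SERVICE_ACCOUNTS_CSV = """\
User Name,First Name,Last Name,Owner,Inactive
svc_backup,Service,Backup,jdoe,false
svc_reporting,Service,Reporting,asmith,false
svc_legacy,Service,Legacy,nobody,true
"""

# Constructed sample: identity attribute values from the HR authoritative source
# (the attribute the Owner column must match).
HR_IDENTITY_IDS = {"jdoe", "asmith", "bjones"}

# Constructed sample: sAMAccountNames aggregated from the AD application.
AD_SAM_ACCOUNT_NAMES = ["svc_backup", "svc_reporting", "svc_orphan", "svc_legacy"]

# Identity mapping from the post: application attribute -> identity attribute.
# The identity attribute names on the right are assumed for this example.
IDENTITY_MAPPING = {
    "User Name": "displayName",
    "First Name": "firstname",
    "Last Name": "lastname",
    "Owner": "manager",
    "Inactive": "inactive",
}


def parse_service_accounts(text):
    """Parse the delimited file into identity dicts keyed by identity attribute."""
    reader = csv.DictReader(io.StringIO(text))
    identities = []
    for row in reader:
        identity = {IDENTITY_MAPPING[col]: row[col].strip() for col in IDENTITY_MAPPING}
        identity["inactive"] = identity["inactive"].lower() == "true"
        # What the application rule in the post returns for the Type attribute.
        identity["type"] = "Service Accounts"
        identities.append(identity)
    return identities


def validate_owners(identities, hr_ids):
    """Return display names whose Owner matches no HR identity attribute value.
    Such rows would leave the service account without an accountable manager."""
    return [i["displayName"] for i in identities if i["manager"] not in hr_ids]


def correlate_ad_accounts(sam_account_names, identities):
    """Simulate the AD correlation rule sAMAccountName -> Display Name.
    Returns (correlated, orphaned); orphaned accounts have no matching identity."""
    by_display_name = {i["displayName"]: i for i in identities}
    correlated, orphaned = {}, []
    for sam in sam_account_names:
        if sam in by_display_name:
            correlated[sam] = by_display_name[sam]
        else:
            orphaned.append(sam)
    return correlated, orphaned


if __name__ == "__main__":
    ids = parse_service_accounts(SERVICE_ACCOUNTS_CSV)
    print("Owners not found in HR:", validate_owners(ids, HR_IDENTITY_IDS))
    correlated, orphaned = correlate_ad_accounts(AD_SAM_ACCOUNT_NAMES, ids)
    for sam, ident in correlated.items():
        status = "inactive" if ident["inactive"] else "active"
        print(f"{sam}: correlated, manager={ident['manager']}, {status}")
    print("Still orphaned after correlation:", orphaned)
```

Running it against the constructed data flags svc_legacy as having an Owner not present in HR and svc_orphan as an AD account that would remain uncorrelated; both are the conditions that leave access requests on shared accounts without an approver.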