We are seeing provisioning failures with error Create Access Request Multi Account Failed when we are trying to assign role/access profiles. This is happening for users linked with multiple accounts ( Standard account + admin account) from same source,
We tried the multi account configuration option in the access profile to select one of the account explicitly based on the account parameter. But it looks like this is having limitation as below.
These criteria only apply when access profiles are automatically provisioned through lifecycle states or automated role assignment.
These criteria do not apply to access requests. Access requests are not supported for users with multiple accounts on the entitlement source.
Could you suggest how to mange multiple accounts for a user linked from a single source and do the access provisioning via roles and access profiles.
Hi @gauravsajwan1,
.
Thank you for the response.
Currently we have a lot of sources with multiple account types. So we donât want to have separate sources for each account type as it will be a development overhead as well as a lot of duplicate sources will be created in IDN.
Right now the multi account setup in ISC is not that great, with the problems youâve noted yourself as well. So I believe the only ârealâ solution is to avoid having multiple accounts on one source and provision in that way.
Hi Bahul! Only to enforce what other colleages say, you can have only one account per source. This is very common in AD, where some admins have their normal user account, and manage other service accounts. Unfortunately solution is to have a source for each type of account (for example one source for AD and other for AD Services).
You can âcloneâ the sources using the sp tools, or by exporting the source object and do some manipulation on the json object.
One final note is that this is good for multiple type of accounts belonging to some identity. This is not a good practice that a person has more than one nominal account in any production system. In this cases the rollout phase should help to normalize this kind of situations.