In our implementation we use Service Accounts to create PATs that are used by various process/clients and systems to interact with ISC invoking rest APIs.
We are being questioned by Auditors on how the passwords of these Service Accounts are vaulted and protected, so that there is clear accountability of who has used these service accounts.
Because these Service Accounts can be locally logged in, bypassing our org’s SSO process, there is a risk of someone having access to the service account password to log in from outside the org’s network and perform any rogue action without any traceability back to the actor.
We have vaulted the password of these Service Accounts in our PAM tool, but since we can’t rotate the password this is also considered a weak control.
Now we are looking to find a solution to reset the pwd for these service accounts so that our PAM solution can be rotated regularly to prevent any unauthorized access.
Would really appreciate any response with some suggestions for this problem.
I’m not sure that you can automate the process.
Personally, set a calendar reminder to create a new password every * months, and whenever a senior IT person leaves.
Once you generate the PAT, an admin can reset the password and MFA of that service account to prevent logging in. If you want to add scope or make a change to the PAT of that service account, you can use the reset password link of that account and log in again with the new password. And, after the work is completed, reset the password and MFA link again so that others wouldn’t have access. That’s what we do temporarily to block unauthorized access.
Ideally you can tie the PAT to an AD Service Account, problem becomes, you tie it to a human identity. I would like to see SailPoint tie the PAT or credentials to a machine identity in ISC which would ideally be managed outside the scope of a human identity.
Any reason why you can’t rotate the password? I’m assuming the “Service Account” is an ISC identity, where its identity profile’s specified Sign-in Method is “SailPoint User Name & Password”. If this assumption is correct, you should be able to programmatically rotate its password via this:
v2024 API: set-password (SailPoint Developer Community)
Alternatively, if you configure your tenant with a separate identity profile for such Service Accounts / machine identities, you can specify the Sign-in Method to use Directory Connection (say, AD). From there, your PAM solution can rotate the AD account’s password.
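An added sketch, not code from this thread or from SailPoint, of the programmatic rotation the answer above points to: look up the password public key for the identity, generate a fresh random password, RSA-encrypt it, and call set-password so the PAM vault can store the new value. The endpoint paths, request fields and PKCS#1 v1.5 padding are assumptions from memory of the v2024 API docs and must be checked against them; the public key is passed as (n, e) integers because the stdlib has no PEM parser, and the HTTP transport is injectable so the flow can be exercised without a tenant.

```python
import base64
import json
import secrets
import string
import urllib.request

PW_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length=24):
    """Random password from a CSPRNG; 24 chars exceeds typical policy minimums."""
    return "".join(secrets.choice(PW_ALPHABET) for _ in range(length))


def rsa_pkcs1v15_encrypt(n, e, message):
    """Textbook RSAES-PKCS1-v1_5 (RFC 8017 7.2.1) using only the stdlib.
    ASSUMPTION: ISC expects this padding; confirm with the set-password docs."""
    k = (n.bit_length() + 7) // 8          # key length in bytes
    if len(message) > k - 11:               # leaves the mandated >= 8 padding bytes
        raise ValueError("message too long for key")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(message) - 3))
    em = b"\x00\x02" + ps + b"\x00" + message
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def http_json(base_url, token, path, body):
    """Default transport: POST JSON to the tenant with a bearer token."""
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rotate_password(base_url, token, user_name, source_name, parse_key, post=http_json):
    """Rotate one service account's ISC password and return the new value for the vault.
    ASSUMED endpoints/fields: POST /v2024/query-password-info -> identityId, sourceId,
    publicKeyId, publicKey; POST /v2024/set-password with the encrypted password.
    parse_key(pem) -> (n, e) is supplied by the caller (e.g. via the cryptography lib)."""
    info = post(base_url, token, "/v2024/query-password-info",
                {"userName": user_name, "sourceName": source_name})
    n, e = parse_key(info["publicKey"])
    new_pw = generate_password()
    encrypted = rsa_pkcs1v15_encrypt(n, e, new_pw.encode())
    body = {"identityId": info["identityId"], "sourceId": info["sourceId"],
            "publicKeyId": info["publicKeyId"],
            "encryptedPassword": base64.b64encode(encrypted).decode()}
    post(base_url, token, "/v2024/set-password", body)
    return new_pw
```

Run it from the PAM rotation hook with a short-lived admin token, and write the returned password straight into the vault so no human ever sees it.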