Question: Certification Campaign entitlement across multiple sources

This is my first post here and I keep bumping my head; hopefully someone has encountered this before or has a recommendation.

Background:
I took over the certification campaigns at my company from a previous analyst and have been working to improve this process ever since. We have three AD sources dedicated to the following: Users, Admins, Service Accounts.

How campaigns were set up previously:
For each sensitive entitlement to be reviewed, three access profiles are created (one for every entitlement source). All of these access profiles are then selected in a certification campaign filter. Each campaign was created manually under the Certifications tab in IDN and would reference the filters. (Explanation: if more than one entitlement is added to an access profile, the accounts being reviewed must be a member of all entitlements to be added to the campaign.) One campaign covers 6 AD groups across 3 connectors, which gives me 18 access profiles dedicated to this one campaign, all referenced in my campaign filter.

How I improved the process:
Entitlements were not called out in the group search scope; this field was null. The only entitlements that were being pulled in were groups that users were members of. When trying to audit sensitive entitlements we needed to confirm which users were members of the groups, regardless of whether they were empty or not. I included the whole domain and the LDAP Search Filter (objectClass=group) so every group would be visible and queryable.
I shifted from manual creation of campaigns under the Certifications tab to using search. My search query reviewed against the access profiles that were previously created, removing the need for campaign filters.

I attempted to shift from access profiles to an entitlement based search:
(Search > Campaigns > New > Access Items > Specific access items that I selected > Search AD entitlement > Check the entitlement box against my 3 different connectors (AD User, AD Admins, AD Service Accounts) > Add to campaign)

Once I had my search populated and would review in Refine Identities, I could confirm that I had accounts from each connector; however, when selecting Certify All Identities my campaign bricks and errors out with no data.

I have 26 current campaigns that I am attempting to review against all AD connectors, and I do not want to x3 this with a dedicated campaign per AD connector for each access profile. Please spare me from needing to create 78 individual campaigns.

Hi Jacob,

Welcome to the forums.

"Entitlements can be individually certified only if they are not encapsulated in the user's access profiles or roles."

Not sure why your campaign is bricking, but if I've understood your scenario correctly, I'd look at using the following flow to set up the campaign:

(Search > Campaigns > New > Access Items > All Access Items Returned by a Query > Search AD entitlements > Certify This Access > Certify All Identities > Finish setting up the campaign)

This will create a single campaign spanning all users who have the entitlements of interest across the three sources, and present them at the highest level of their grouping, e.g. in your case, assuming the entitlements are mapped 1:1 with the access profile, the campaign will be generated at the access profile level.

Please correct me if I’ve misunderstood the premise.

Hi @jacobshoe
We faced a similar scenario while creating a campaign from an AD source. We had to get rid of the Access Profiles set up for AD groups to certify users from each entitlement. We followed the same flow as Rishabh suggested.
(Search > Campaigns > New > Access Items > All Access Items Returned by a Query > Search AD entitlements > Certify This Access > Certify All Identities > Finish setting up the campaign)

@Shubhams_009 @RTASB
I believe I may have found my issue but will need to test in my sandbox to confirm.

Our Admin AD connector was created first and I recently created our Service Accounts connector.

Service Accounts Source Search DN = OU=Service Accounts,DC=*
Admins Source Search DN = OU=User Accounts,OU=Service Accounts,DC=*

Some of my campaigns worked and I could not figure out why some of them were failing. My elevated user accounts are being read from two different connectors. When the entitlement only applied to user accounts I did not have any issue, and the same went for any service accounts, but as soon as I would introduce a campaign review for an entitlement applied to an elevated account it breaks.

So what I think is happening here: AdminUser is a member of the entitlement in two different sources, and SailPoint doesn't know what to do since it's the same account.

I need to call out the parent OU in the service accounts connector as some accounts are located there. It looks like I do not have the ability to exclude a child OU in my search DN, which would get me where I need to be, but it is looking like I may need to merge these sources.
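
The overlap Jacob describes above (the Admins source's Search DN sitting inside the Service Accounts source's Search DN, so the same AD account is aggregated twice) can be checked before a campaign is built. The script below is an added example written for this thread, not code from the thread or from SailPoint; it assumes each source scopes its Search DN as a subtree search, and the domain DC=example,DC=com plus every account name in it are constructed sample values standing in for the thread's DC=* entries.

```python
"""Added example (not from the thread): model how overlapping Search DNs make
two AD sources aggregate the same account.

Assumptions (labelled): an AD source aggregates every object under its Search
DN (subtree scope); DC=example,DC=com and all account names below are
constructed sample data standing in for the thread's DC=* values.
"""
from typing import Dict, List, Tuple


def dn_components(dn: str) -> List[str]:
    """Split a DN into its RDNs, normalised for case and whitespace.
    Escaped commas inside RDN values are not handled (enough for OU paths)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(object_dn: str, base_dn: str) -> bool:
    """True when object_dn lies strictly below base_dn (subtree scope,
    excluding the base object itself)."""
    obj = dn_components(object_dn)
    base = dn_components(base_dn)
    return len(obj) > len(base) and obj[-len(base):] == base


def accounts_per_source(sources: Dict[str, str], accounts: List[str]) -> Dict[str, List[str]]:
    """Which accounts each source would aggregate, given its Search DN."""
    return {name: [dn for dn in accounts if is_under(dn, base)]
            for name, base in sources.items()}


def overlapping_accounts(sources: Dict[str, str], accounts: List[str]) -> Dict[str, List[str]]:
    """Accounts that fall inside more than one source's scope, and which sources."""
    hits: Dict[str, List[str]] = {}
    for dn in accounts:
        matched = [name for name, base in sources.items() if is_under(dn, base)]
        if len(matched) > 1:
            hits[dn] = matched
    return hits


def nested_sources(sources: Dict[str, str]) -> List[Tuple[str, str]]:
    """(child, parent) pairs where one source's Search DN sits under another's;
    every account the child aggregates is also aggregated by the parent."""
    return [(child, parent)
            for child, cbase in sources.items()
            for parent, pbase in sources.items()
            if child != parent and is_under(cbase, pbase)]


# Constructed sample configuration mirroring the layout in the thread.
SOURCES = {
    "AD Users": "OU=Users,DC=example,DC=com",
    "AD Admins": "OU=User Accounts,OU=Service Accounts,DC=example,DC=com",
    "AD Service Accounts": "OU=Service Accounts,DC=example,DC=com",
}

# Constructed sample accounts; AdminUser lives in the nested OU.
ACCOUNTS = [
    "CN=jsmith,OU=Users,DC=example,DC=com",
    "CN=AdminUser,OU=User Accounts,OU=Service Accounts,DC=example,DC=com",
    "CN=svc-backup,OU=Service Accounts,DC=example,DC=com",
]

if __name__ == "__main__":
    for child, parent in nested_sources(SOURCES):
        print(f"Search DN of '{child}' is nested under '{parent}'")
    for dn, names in overlapping_accounts(SOURCES, ACCOUNTS).items():
        print(f"{dn} is aggregated by {len(names)} sources: {', '.join(names)}")
```

Run against the sample data it reports that the Admins Search DN is nested under the Service Accounts one and that AdminUser is aggregated by both sources, which is exactly the account type whose campaigns were failing; accounts that sit only under one base (jsmith, svc-backup) are flagged by neither check.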

Hi Jacob,

Just to confirm, are you saying you're aggregating the same accounts from AD through the different sources, or are you aggregating different account types from the same AD using different sources?

I can see how and why the former may be a problem when the time comes to remediate access, but if these are different accounts then centralising them under a single campaign shouldn’t give you any trouble.

The idea is:

  1. You have one AD
  2. 3 different sources talking to the same AD
  3. Each source pulls in a different account type (Admin, Standard, Service) based on scoping of the OU and/or filters
  4. Build out UAR as mentioned above.

This will give you coverage for the entitlements across all three account types.
