Roles not getting assigned to users with multiple accounts in the same source

Hi Everyone,

Reaching out to everyone for some suggestions on what action to take if the roles that we have created are not assigned to users with multiple accounts on the same source. We see these roles are not being assigned in SailPoint.

So, is there any workaround we can use on this issue?

Regards,

Soundarya

Are the roles assigning access profiles? If so, in the access profile configuration screen there is an option to define how it handles multiple accounts:

In addition to what @vkashat said, be aware that the multiple account options only work for automated provisioning.

1 Like

Also, this will work only if the criteria are unique. If there are 2 accounts matching the criteria, then the role will be assigned but the Entitlement/Group won't be provisioned.

1 Like

Hey! The roles are assigning the entitlements, so we haven't made use of an access profile in this scenario.

To give you a better idea, the role is configured as follows:
1. Okta entitlement added to Manage Access.
2. Define Assignment is defined as type - entitlement, source - xyz, operation - equals, entitlement - the Okta entitlement added.
3. And defined another assignment as type - identity attribute, name - xyz, operation - equals, value - active.

Hi Alicia!

Thanks for this information. But we have not used the access profile in this scenario.

Regards,
Soundarya

Hi Yathish!

Thank you for the knowledge! But we are not making use of access profiles. And can a workflow be implemented as a workaround for this issue?

Regards,
Soundarya

Unfortunately no, workflows won't help here.

Another approach to situations like this is to make multiple sources. For example, an identity in Active Directory may have two (or more) accounts:

myusername
myusername-DomainAdmin

We have made a source for regular user accounts and a source for privileged accounts. This allows you to get around the provisioning issue with multiple accounts, but also allows you to identify which roles/access profiles/entitlements should be requestable for each source type. For example, email access or VPN access should not be requestable for a domain admin account.

Would it be possible to separate the two accounts? Do you have any attributes that indicate the purpose of the account?

1 Like

You don’t need to use access profiles for this, you just need to have some criteria in the define assignment screen in the role that can differentiate between the two accounts. For example, if you have a naming scheme like “first initial lastname” (jsmith) for a regular account, and “first initial lastname dash admin” (jsmith-admin), then you could add criteria that uses that information depending on which account you want to assign the access to.

Or like @agutschow mentioned you could separate the source into multiple sources for each account type.

1 Like

Hi Alicia,

This approach is something we can't implement, because every client has different IDs, so there are more than 100 accounts for the same user.

Hi,

We added a criterion which is unique, which is samAccountName, but it doesn't work as expected.

Regards,
Soundarya

Can you share more details on the criteria? How are you differentiating between the two accounts?

Sure! We have defined the criteria as identity attribute - LGNsamAccountName - equals - samAccountName. So, this LGNsamAccountName tells us which is the main account of the user for which the role needs to be assigned. So if the samAccountName matches with LGNsamAccountName, then that's the main account of the user which needs the assignment.

Ah, I see. My assumption must be incorrect; we're running into the same problem because the role criteria just assign the role, and the provisioning still doesn't know which account to use. Can you add the entitlement to an access profile and assign that with the role? That would allow you to use the multiple accounts configuration.
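
The distinction described in this reply, role criteria evaluated against the identity versus provisioning needing exactly one target account, as an added toy model that is not SailPoint's code and not from this thread. It assumes a sample identity with two Active Directory accounts (jsmith, jsmith-admin, as in the earlier reply) and an identity attribute LGNsamAccountName; the function names and the `account_filter` hook are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    source: str
    sam_account_name: str  # samAccountName on the account (constructed sample data)

@dataclass
class Identity:
    attributes: dict                                  # identity-level attributes
    accounts: list = field(default_factory=list)      # correlated accounts

def role_assigned(identity, attribute, expected):
    """Role criteria are evaluated against the identity, never against an account."""
    return identity.attributes.get(attribute) == expected

def provision_target(identity, source, account_filter=None):
    """Pick the account on `source` that should receive the entitlement.
    Returns its samAccountName, or None when zero or several accounts match,
    which is the ambiguous case in which the entitlement is not provisioned."""
    candidates = [a for a in identity.accounts if a.source == source]
    if account_filter is not None:
        candidates = [a for a in candidates if account_filter(identity, a)]
    return candidates[0].sam_account_name if len(candidates) == 1 else None

# Constructed sample: one identity with a regular and an admin AD account.
jsmith = Identity(
    attributes={"LGNsamAccountName": "jsmith", "status": "active"},
    accounts=[Account("Active Directory", "jsmith"),
              Account("Active Directory", "jsmith-admin")],
)

def main_account_filter(identity, account):
    # Account-level rule: the account whose samAccountName equals the
    # identity's LGNsamAccountName is the main account.
    return account.sam_account_name == identity.attributes.get("LGNsamAccountName")

def demo():
    assigned = role_assigned(jsmith, "status", "active")        # role is assigned
    ambiguous = provision_target(jsmith, "Active Directory")    # two candidates -> None
    resolved = provision_target(jsmith, "Active Directory", main_account_filter)
    return assigned, ambiguous, resolved

if __name__ == "__main__":
    print(demo())
```

The identity-level check passes, but provisioning without an account-level selector finds two candidates and picks none; only the account-level filter resolves it to a single target.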

I did try that as well! That scenario also doesn’t work.

Are you updating this LGNsamAccountName identity attribute value with one of the account values (out of the 2 accounts) which is the main account? Also, what is this samAccountName that you are comparing with? Is it right now hardcoded with some value?
Can you share some examples?

Is the samAccountName unique to each account or unique to the user?