Service Accounts and Roles in AD

We have Identities in IDN that have multiple AD accounts assigned to them. For example, we have a user Frank, who has 2 accounts associated with the Identity in AD:
Frank.Smith, an employee AD account, which we want to assign birthright groups to (memberOf)
fsmith.admin, an admin AD account that Frank uses to administer an external system. This account won’t have any group assigned

We have a Role that we want to assign to the employee account in AD, but not to the admin account.
The Role has specific criteria for an AD Account attribute that only the employee account will have, so the Role would fail for the admin AD Account. But the Role is assigned to the Identity, not a specific Account, correct?

How can we assign the Access Profile(AD groups) only to the employee AD account, and not the admin AD account?

Hi @chrisp,

If there is an account attribute that you can leverage to distinguish between the admin and employee account then I believe you can use the “Provisioning Criteria for Multiple Accounts” feature of Access Profile for provisioning access into the right account.
Please look into the “Configure Provisioning Criteria for Multiple Accounts” section of this link for more information.

Thanks,
Sushant

1 Like

The “Provisioning Criteria for Multiple Accounts” works great for our admin account.
It adds an accountSelector into the Access Profile.

I don’t see any option in the PATCH API call for https://{tenant}.api.identitynow.com/beta/access-profiles/{id} to update the accountSelector. The API documentation states: The following fields are patchable:

name , description , enabled , owner , requestable , accessRequestConfig , revokeRequestConfig , segments

Is the only way to update the Access Profile through the UI for this? We currently have over 40 Access Profiles.

Thanks,
Chris

I was able to update the accountSelector using the v2 API

PATCH https://{tenant}.api.identitynow.com/v2/access-profiles/{id}

{
   "accountSelector":{
      "selectors":[
         {
            "applicationId":"externalIDOfTheSource",
            "accountMatchConfig":{
               "matchExpression":{
                  "matchTerms":[
                     {
                        "name":"nameOfTheAttribute",
                        "value":"valueOfTheAttribute",
                        "op":"eq",
                        "container":false,
                        "and":false
                     }
                  ],
                  "and":false
               }
            }
         }
      ]
   }
}

(Values for "op": Equals --> eq, Does Not Equal --> ne, Contains --> contains)

Thanks,
Sushant

1 Like
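A scripted way to push the accountSelector body shown above to many access profiles at once (Chris mentions over 40), as an added example that is not part of the thread and is not SailPoint code. It assumes only the v2 PATCH endpoint and JSON body exactly as posted; the Bearer token header, the tenant/source/attribute values, and the injectable `send` callable used for a dry run are assumptions made for the example.

```python
"""Bulk-apply an accountSelector to IdentityNow access profiles.

Example written for this thread (not SailPoint's code).  It only builds
requests for the v2 PATCH endpoint shown in the thread; nothing is sent
unless you call apply_to_profiles() with a real sender.
"""
import json
import urllib.request

# Operator values named in the thread, keyed by their UI label.
OPS = {"Equals": "eq", "Does Not Equal": "ne", "Contains": "contains"}


def build_account_selector(source_id, attribute, value, op="eq"):
    """Return the accountSelector body from the thread for a single match term.

    The term should match exactly one of the identity's accounts on the source
    (here: the employee account, not the admin account), otherwise the access
    profile cannot decide which account receives the groups.
    """
    if op not in OPS.values():
        raise ValueError(f"unsupported op {op!r}; expected one of {sorted(OPS.values())}")
    return {
        "accountSelector": {
            "selectors": [
                {
                    "applicationId": source_id,
                    "accountMatchConfig": {
                        "matchExpression": {
                            "matchTerms": [
                                {
                                    "name": attribute,
                                    "value": value,
                                    "op": op,
                                    "container": False,
                                    "and": False,
                                }
                            ],
                            "and": False,
                        }
                    },
                }
            ]
        }
    }


def build_patch_request(tenant, profile_id, selector, token):
    """Build (but do not send) the PATCH request from the thread.

    Bearer-token authorization is an assumption of this example.
    """
    url = f"https://{tenant}.api.identitynow.com/v2/access-profiles/{profile_id}"
    body = json.dumps(selector).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def _send_live(req):
    """Default sender: perform the request and return the HTTP status code."""
    with urllib.request.urlopen(req) as resp:
        return resp.status


def apply_to_profiles(tenant, profile_ids, selector, token, send=_send_live):
    """Apply one selector to every access profile id; return [(id, status), ...].

    Pass a custom `send(req) -> status` to dry-run or to log requests before
    touching a tenant.
    """
    results = []
    for profile_id in profile_ids:
        req = build_patch_request(tenant, profile_id, selector, token)
        results.append((profile_id, send(req)))
    return results


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own tenant data.
    selector = build_account_selector("externalIDOfTheSource", "nameOfTheAttribute", "valueOfTheAttribute")
    # Dry run: print what would be sent instead of calling the API.
    def dry_run(req):
        print(req.get_method(), req.full_url)
        return 0
    apply_to_profiles("tenant", ["ap-id-1", "ap-id-2"], selector, "TOKEN", send=dry_run)
```

Run it once with the dry-run sender to review the URLs and body, then swap in the default sender with a real token. Keep `op` restricted to the three values from the thread so a typo cannot produce a selector that silently matches nothing.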