Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Birthright Role for Privileged Accounts

deepa
New Contributor III
New Contributor III

‎06/03/2024 02:45 PM

Hi,

We are trying to see if we can include groups from Privileged account endpoint to Birthright Roles. I have few questions on it.

1. Is it a good practice to have Privileged account groups in Birthright Role. Birthright Role assigned is based on the teamid attribute.

2. We are doing "Assign Role" in the technical rule to assign the role dynamically. Assign Role creates account if it does not exist on the privileged endpoint. One of the concerns is if the role owner adds the group to the Birthright Role accidentally, we would end up having quite a few privileged accounts created that will need clean up. Is there a possibility to avoid the scenario? Is there any recommended solution on how to handle this?

3. Is there a way to exclude the groups from a particular endpoint to be added in the role. I think we can perform some checks in the workflow to automatically reject in role creation/modification. is that possible, if not is there any other recommendation for this?

Thanks,

Deepa.S

Labels:
0 Kudos
3 REPLIES 3

rushikeshvartak
All-Star
All-Star

‎06/03/2024 04:58 PM - edited ‎06/03/2024 04:59 PM

1. Privileged Account Groups in Birthright Role

Having privileged account groups in a Birthright Role can be problematic due to the inherent risks associated with privileged accounts. Birthright roles are typically designed to provide baseline access required by users based on their team or role within the organization, and including privileged accounts in these roles can lead to unintentional elevation of privileges, increasing the attack surface.

Best Practice:

  • Separation of Duties: Keep privileged roles separate from birthright roles. Privileged access should be assigned through a more controlled and monitored process, such as an access request and approval workflow.
  • Least Privilege Principle: Only provide the minimum necessary privileges to perform job functions. Birthright roles should grant access needed for general tasks, while privileged roles should be tightly controlled and assigned on an as-needed basis.

2. Preventing Unintended Privileged Account Creation

The concern about accidental addition of privileged groups to a Birthright Role, leading to unintended privileged account creation, is valid. To avoid this, consider the following approaches:

Recommended Solutions:

  • Approval Workflow: Implement a multi-level approval workflow for changes to roles that include privileged groups. This ensures any changes are reviewed and approved by responsible parties before being applied.
  • Role Change Notifications: Set up alerts and notifications for changes to roles, especially those affecting privileged accounts, to ensure that any unintended changes are quickly identified and rectified.
  • Role Review and Audit: Conduct regular reviews and audits of roles to ensure that only the intended groups are included. Automated tools can help detect anomalies or unauthorized changes.

3. Excluding Groups from Endpoint Roles

To exclude specific groups from being added to roles on particular endpoints, you can use several approaches:

Possible Solutions:

  • Workflow Checks: Implement checks within your Identity Governance and Administration (IGA) tool's workflow to automatically reject any role creation or modification requests that include restricted groups. This can often be configured through custom scripts or rules within the workflow engine.
  • Policy Enforcement: Define and enforce policies that restrict the assignment of certain groups to specific roles or endpoints. This can include validation rules that prevent the addition of privileged groups to birthright roles.
  • Dynamic Role Management: Use dynamic role management capabilities, where roles are automatically adjusted based on predefined rules and policies, ensuring that restricted groups are never included in inappropriate roles.
  1.  

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

deepa
New Contributor III
New Contributor III
In response to rushikeshvartak

‎06/04/2024 12:23 PM

@rushikeshvartak ,

Please can you elaborate on Validation rules under Policy Enforcement and Custom rules in IGA tool, recommendation you provided for restricting groups to be added to endpoits? Do these involve Custom JAR implementation?

Thanks,

Deepa.S

 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to deepa

‎06/04/2024 07:21 PM

  • You can implement analytics to notify via email if any groups added to endpoint/role which was not supposed to be part  

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos
Copyright © 2024 Khoros, LLC