06/03/2024 02:45 PM
Hi,
We are trying to see if we can include groups from a Privileged account endpoint in Birthright Roles. I have a few questions on it.
1. Is it a good practice to have Privileged account groups in a Birthright Role? The Birthright Role is assigned based on the teamid attribute.
2. We are doing "Assign Role" in the technical rule to assign the role dynamically. Assign Role creates an account if it does not exist on the privileged endpoint. One of the concerns is that if the role owner adds the group to the Birthright Role accidentally, we would end up having quite a few privileged accounts created that will need clean up. Is there a possibility to avoid this scenario? Is there any recommended solution on how to handle this?
3. Is there a way to exclude the groups from a particular endpoint from being added to the role? I think we can perform some checks in the workflow to automatically reject the role creation/modification. Is that possible? If not, is there any other recommendation for this?
Thanks,
Deepa.S
06/03/2024 04:58 PM - edited 06/03/2024 04:59 PM
1. Privileged Account Groups in Birthright Role
Having privileged account groups in a Birthright Role can be problematic due to the inherent risks associated with privileged accounts. Birthright roles are typically designed to provide baseline access required by users based on their team or role within the organization, and including privileged accounts in these roles can lead to unintentional elevation of privileges, increasing the attack surface.
Best Practice:
2. Preventing Unintended Privileged Account Creation
The concern about accidental addition of privileged groups to a Birthright Role, leading to unintended privileged account creation, is valid. To avoid this, consider the following approaches:
Recommended Solutions:
3. Excluding Groups from Endpoint Roles
To exclude specific groups from being added to roles on particular endpoints, you can use several approaches:
Possible Solutions:
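As an added illustration, not Saviynt's code and not the validation-rule or custom JAR API the reply refers to, the following standalone Python models the pre-commit check asked about in question 3: it rejects a role create/modify request that pulls in groups from a privileged endpoint and, for the concern in question 2, counts the accounts "Assign Role" would have created for users matching the role's teamid. Endpoint names, users, accounts and the role change are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data; none of this is Saviynt objects, APIs or rule syntax.
PRIVILEGED_ENDPOINTS = {"PAM-Prod"}   # endpoints whose groups must never be birthright

@dataclass(frozen=True)
class Entitlement:
    endpoint: str   # endpoint the group belongs to
    name: str       # group name on that endpoint

@dataclass
class RoleChange:
    role: str
    teamid: str          # attribute the technical rule matches users on
    entitlements: list   # entitlements the role would carry after the change

def privileged_entitlements(change, privileged_endpoints=PRIVILEGED_ENDPOINTS):
    """Entitlements in the change that come from a privileged endpoint."""
    return [e for e in change.entitlements if e.endpoint in privileged_endpoints]

def accounts_to_be_created(change, users, accounts, privileged_endpoints=PRIVILEGED_ENDPOINTS):
    """Per privileged endpoint, the users matching the role's teamid who have no
    account there yet; 'Assign Role' would create one for each of them."""
    members = [u["username"] for u in users if u["teamid"] == change.teamid]
    endpoints = {e.endpoint for e in privileged_entitlements(change, privileged_endpoints)}
    return {ep: sorted(u for u in members if (u, ep) not in accounts) for ep in endpoints}

def validate_role_change(change, users, accounts, privileged_endpoints=PRIVILEGED_ENDPOINTS):
    """Reject a request that would make privileged-endpoint groups birthright and
    report the accounts the technical rule would have created (the cleanup cost)."""
    bad = privileged_entitlements(change, privileged_endpoints)
    if not bad:
        return {"approved": True, "reason": "", "accounts_to_create": {}}
    names = ", ".join(f"{e.endpoint}:{e.name}" for e in bad)
    return {
        "approved": False,
        "reason": f"privileged endpoint groups not allowed in birthright role: {names}",
        "accounts_to_create": accounts_to_be_created(change, users, accounts, privileged_endpoints),
    }

# Constructed sample: team T42 has three users; only alice already has a PAM-Prod account.
USERS = [
    {"username": "alice", "teamid": "T42"},
    {"username": "bob", "teamid": "T42"},
    {"username": "carol", "teamid": "T42"},
    {"username": "dave", "teamid": "T7"},
]
ACCOUNTS = {("alice", "PAM-Prod"), ("alice", "AD"), ("bob", "AD")}
SAMPLE_CHANGE = RoleChange("BR-Team-T42", "T42",
                           [Entitlement("AD", "team-t42"), Entitlement("PAM-Prod", "db-admins")])

if __name__ == "__main__":
    print(validate_role_change(SAMPLE_CHANGE, USERS, ACCOUNTS))
```

For the sample change the check rejects the request and reports that two PAM-Prod accounts (bob, carol) would otherwise have been created.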
06/04/2024 12:23 PM
Please can you elaborate on the Validation rules under Policy Enforcement and the Custom rules in the IGA tool, the recommendation you provided for restricting groups from being added to endpoints? Do these involve a Custom JAR implementation?
Thanks,
Deepa.S
06/04/2024 07:21 PM