
Birthright Role for Privileged Accounts

deepa
New Contributor III

Hi,

We are trying to see if we can include groups from Privileged account endpoint to Birthright Roles. I have few questions on it.

1. Is it a good practice to have privileged account groups in a Birthright Role? The Birthright Role is assigned based on the teamid attribute.

2. We are doing "Assign Role" in the technical rule to assign the role dynamically. Assign Role creates an account if it does not exist on the privileged endpoint. One of the concerns is that if the role owner adds the group to the Birthright Role accidentally, we would end up having quite a few privileged accounts created that will need clean-up. Is there a possibility to avoid this scenario? Is there any recommended solution for how to handle this?

3. Is there a way to exclude the groups from a particular endpoint from being added to the role? I think we can perform some checks in the workflow to automatically reject the role creation/modification. Is that possible, and if not, is there any other recommendation for this?

Thanks,

Deepa.S


rushikeshvartak
All-Star

1. Privileged Account Groups in Birthright Role

Having privileged account groups in a Birthright Role can be problematic due to the inherent risks associated with privileged accounts. Birthright roles are typically designed to provide baseline access required by users based on their team or role within the organization, and including privileged accounts in these roles can lead to unintentional elevation of privileges, increasing the attack surface.

Best Practice:

  • Separation of Duties: Keep privileged roles separate from birthright roles. Privileged access should be assigned through a more controlled and monitored process, such as an access request and approval workflow.
  • Least Privilege Principle: Only provide the minimum necessary privileges to perform job functions. Birthright roles should grant access needed for general tasks, while privileged roles should be tightly controlled and assigned on an as-needed basis.

2. Preventing Unintended Privileged Account Creation

The concern about accidental addition of privileged groups to a Birthright Role, leading to unintended privileged account creation, is valid. To avoid this, consider the following approaches:

Recommended Solutions:

  • Approval Workflow: Implement a multi-level approval workflow for changes to roles that include privileged groups. This ensures any changes are reviewed and approved by responsible parties before being applied.
  • Role Change Notifications: Set up alerts and notifications for changes to roles, especially those affecting privileged accounts, to ensure that any unintended changes are quickly identified and rectified.
  • Role Review and Audit: Conduct regular reviews and audits of roles to ensure that only the intended groups are included. Automated tools can help detect anomalies or unauthorized changes.

3. Excluding Groups from Endpoint Roles

To exclude specific groups from being added to roles on particular endpoints, you can use several approaches:

Possible Solutions:

  • Workflow Checks: Implement checks within your Identity Governance and Administration (IGA) tool's workflow to automatically reject any role creation or modification requests that include restricted groups. This can often be configured through custom scripts or rules within the workflow engine.
  • Policy Enforcement: Define and enforce policies that restrict the assignment of certain groups to specific roles or endpoints. This can include validation rules that prevent the addition of privileged groups to birthright roles.
  • Dynamic Role Management: Use dynamic role management capabilities, where roles are automatically adjusted based on predefined rules and policies, ensuring that restricted groups are never included in inappropriate roles.

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

@rushikeshvartak ,

Could you please elaborate on the validation rules under Policy Enforcement and the custom rules in the IGA tool that you recommended for restricting groups from being added to endpoints? Do these involve a custom JAR implementation?

Thanks,

Deepa.S


  • You can implement analytics to notify via email if any groups are added to an endpoint/role that were not supposed to be part of it.

Regards,
Rushikesh Vartak
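The two controls recommended in this thread, the workflow check that rejects a birthright-role change containing groups from a privileged endpoint (first reply, point 3) and the analytics scan that reports groups which should not be in a role (last reply), come down to the same rule evaluated at two points in time: before a change is applied, and periodically over the roles that already exist. The block below is an added example, not Saviynt product code and not code from either poster. It models roles, endpoints and accounts in memory with assumed names (the endpoint names `PRIV-AD`, `PRIV-UNIX`, `Corp-AD`, the role type labels `BIRTHRIGHT`/`PRIVILEGED`, and the role and group names are all constructed); in Saviynt the preventive check would live in the role-modification workflow and the detective one in an analytics job, but the logic they need is what is shown here. It also estimates the blast radius raised in point 2 of the question: how many accounts "Assign Role" would provision if a privileged group slipped into a birthright role.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One group on one endpoint, as it appears in a role definition."""
    endpoint: str
    group: str


@dataclass
class Role:
    name: str
    role_type: str                      # "BIRTHRIGHT" or "PRIVILEGED" (labels assumed here)
    entitlements: frozenset = frozenset()


# Endpoints whose groups must never be placed in a birthright role (assumed names).
PRIVILEGED_ENDPOINTS = frozenset({"PRIV-AD", "PRIV-UNIX"})


def validate_role_change(role: Role, proposed: frozenset) -> tuple[bool, list[str]]:
    """Preventive control for the role create/modify workflow.

    Returns (approved, reasons). Only entitlements the change would ADD are
    checked, so a pre-existing violation is surfaced by scan_violations()
    rather than blocking every unrelated edit to the role.
    """
    if role.role_type != "BIRTHRIGHT":
        return True, []
    added = proposed - role.entitlements
    reasons = [
        f"{role.name}: group '{e.group}' belongs to privileged endpoint '{e.endpoint}'"
        for e in sorted(added, key=lambda e: (e.endpoint, e.group))
        if e.endpoint in PRIVILEGED_ENDPOINTS
    ]
    return not reasons, reasons


def accounts_assign_role_would_create(role: Role, members: set, existing_accounts: set) -> set:
    """Blast-radius estimate for point 2 of the question.

    Assign Role provisions an account on every endpoint the role touches for
    each member who has none there yet. existing_accounts holds (user, endpoint)
    pairs that are already provisioned. The returned pairs are the clean-up
    that an accidental addition would leave behind.
    """
    endpoints = {e.endpoint for e in role.entitlements}
    return {(u, ep) for u in members for ep in endpoints if (u, ep) not in existing_accounts}


def scan_violations(roles: list) -> list:
    """Detective control: the rows an analytics job would e-mail to the role owner."""
    return [
        (r.name, e.endpoint, e.group)
        for r in roles if r.role_type == "BIRTHRIGHT"
        for e in sorted(r.entitlements, key=lambda e: (e.endpoint, e.group))
        if e.endpoint in PRIVILEGED_ENDPOINTS
    ]


# Constructed sample data: a clean birthright role, the same role after an
# accidental privileged-group addition, and a privileged role that is allowed.
SALES_BR = Role("BR-SALES-TEAM42", "BIRTHRIGHT",
                frozenset({Entitlement("Corp-AD", "Sales-Users")}))
SALES_BR_BAD = Role("BR-SALES-TEAM42", "BIRTHRIGHT",
                    frozenset({Entitlement("Corp-AD", "Sales-Users"),
                               Entitlement("PRIV-AD", "Domain Admins")}))
DBA_PRIV = Role("PRIV-DBA", "PRIVILEGED",
                frozenset({Entitlement("PRIV-UNIX", "dba")}))


def demo() -> None:
    ok, reasons = validate_role_change(
        SALES_BR, SALES_BR.entitlements | {Entitlement("PRIV-AD", "Domain Admins")})
    print("change approved:", ok, reasons)
    created = accounts_assign_role_would_create(
        SALES_BR_BAD, {"alice", "bob", "carol"},
        {("alice", "Corp-AD"), ("bob", "Corp-AD"), ("carol", "Corp-AD"), ("alice", "PRIV-AD")})
    print("accounts Assign Role would create:", sorted(created))
    print("violations to notify:", scan_violations([SALES_BR, SALES_BR_BAD, DBA_PRIV]))


if __name__ == "__main__":
    demo()
```

The preventive check deliberately inspects only the delta of a change; if it rejected any role that already contains a restricted group, an existing mistake would block every later edit, including the one meant to remove it. Running `scan_violations()` on a schedule is what catches the pre-existing case, and `accounts_assign_role_would_create()` is worth running against the proposed membership before approval, since the number of privileged accounts it returns is the clean-up the question is trying to avoid.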