
Is it a good practice to use two separate service accounts in AD for IGA and CPAM use cases

Ajit
New Contributor III

Hi Team,

1. Is it a good practice to use two different service accounts for IGA and CPAM use cases in Active Directory?

2. If we need to provide the Domain Admin privilege to the service account used to carry out the CPAM functionality, do we also need to provide Domain Admin privilege to the service account used to perform IGA functionality? If not, then for carrying out the following IGA operations:

create account, update account, disable account, enable account, delete account

what minimum privileges should be given to the IGA service account according to the principle of least privilege?

Requesting your response on this.

Thanks



rushikeshvartak
All-Star
  1. Using Two Different Service Accounts: It is generally a good practice to use separate service accounts for different use cases, such as IGA (Identity Governance and Administration) and CPAM (Privileged Access Management) in Active Directory. This practice follows the principle of least privilege and enhances security by ensuring that each service account only has the permissions necessary for its specific role. This way, if one set of credentials is compromised, the potential impact is limited to the corresponding functions.

  2. Minimum Privileges for IGA Operations: When defining privileges for an IGA service account, it's essential to follow the principle of least privilege. For the listed IGA operations:

    • Create Account: The service account needs the privilege to create user accounts. This typically involves membership in a security group with permissions to create accounts in the target organizational unit (OU).

    • Update Account: The service account should have the necessary permissions to modify user account attributes. This often involves membership in groups with specific update permissions, possibly in the target OU.

    • Disable Account: The account needs the privilege to disable user accounts. This is commonly achieved through membership in groups with account disable permissions.

    • Enable Account: Similarly, the account requires the privilege to enable user accounts. Membership in groups with account enable permissions is typically necessary.

    • Delete Account: The service account needs the privilege to delete user accounts. This involves membership in groups with delete permissions in the target OU.

It's important to note that granting Domain Admin privileges should be avoided unless absolutely necessary, as it provides excessive permissions. Instead, tailor the permissions to the specific tasks the service account needs to perform. Additionally, consider using Active Directory Delegation to grant fine-grained permissions without resorting to Domain Admin rights. Always regularly review and audit the permissions assigned to service accounts to ensure ongoing security.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
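What the delegation described in the answer above looks like in practice, as an added example that is not part of the original thread or of Saviynt's documentation. It uses the RSAT ActiveDirectory module to put explicit ACEs on one OU for the IGA service account, mapping each of the five operations in the question to a concrete Active Directory right: create/delete become CreateChild/DeleteChild restricted to the "user" object class, enable/disable become WriteProperty on the userAccountControl attribute, and update becomes WriteProperty on a named list of attributes rather than GenericWrite. The account name `CORP\svc-iga`, the OU `OU=Workforce,DC=corp,DC=example` and the attribute list are placeholders to replace with your own; the schema and extended-right GUIDs are read from the forest at run time rather than hard-coded.

```powershell
# Added example (not from the original thread): delegate least-privilege rights for an IGA
# service account on one OU instead of adding it to Domain Admins.
# Assumptions: RSAT ActiveDirectory module installed, the caller may modify the OU's
# security descriptor, and the account / OU / attribute names below are hypothetical.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-iga'                       # hypothetical IGA service account
$TargetOU       = 'OU=Workforce,DC=corp,DC=example'    # hypothetical OU that IGA manages
$UpdatableAttrs = 'givenName','sn','displayName','mail','title','department','manager','description'

$rootDse = Get-ADRootDSE

# Resolve schemaIDGUID / rightsGuid from this forest instead of hard-coding well-known GUIDs.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$sid       = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
                 [System.Security.Principal.SecurityIdentifier])
$userClass = Get-SchemaGuid 'user'
$uacAttr   = Get-SchemaGuid 'userAccountControl'
$resetPwd  = Get-ExtendedRightGuid 'Reset Password'

$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$rules = @(
    # create / delete account: child objects of class "user" only, in this OU and its sub-OUs
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $userClass, $Inh::All)
    # enable / disable account: both are a write to userAccountControl on existing user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::WriteProperty, $Allow, $uacAttr, $Inh::Descendents, $userClass)
    # initial password on create: the "Reset Password" control access right on user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::ExtendedRight, $Allow, $resetPwd, $Inh::Descendents, $userClass)
    # reconciliation: read attributes of user objects (ReadProperty, not GenericRead)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::ReadProperty, $Allow, $Inh::Descendents, $userClass)
)
# update account: one WriteProperty ACE per attribute the IGA actually provisions
foreach ($attr in $UpdatableAttrs) {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::WriteProperty, $Allow, (Get-SchemaGuid $attr), $Inh::Descendents, $userClass)
}

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show exactly what the service account now holds on the OU; nothing broader should appear.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind when scoping this. Reset Password plus a write to userAccountControl is enough to take over any user object the ACEs cover (for example by clearing the password or setting the "does not require preauthentication" flag), so the OU you delegate must not contain administrative or Tier 0 accounts; members of protected groups will not inherit these ACEs anyway because AdminSDHolder rewrites their security descriptor. And because the script grants only the attributes listed in `$UpdatableAttrs`, a provisioning rule that later writes a new attribute will fail with an access-denied error until that attribute is added here, which is the intended behaviour rather than a reason to fall back to GenericWrite or Domain Admin.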