Leveraging Primary Account Type for users having multiple Active Directory Accounts

glegault
Regular Contributor

Some of our users (mostly IT people) have more than one Active Directory account.

While testing out User Update / Technical Rules to trigger Add Access tasks to add group membership based on certain criteria, we noticed the access was granted on the wrong accounts (not the primary user accounts).

We would like to understand how to set up and use Primary Account Types to differentiate regular AD accounts from admin AD accounts and make sure birthright accesses are always granted on the regular (primary) account and not the admin ones.

Would it be possible to share the high-level steps to achieve this?

When I look at the Primary Account Type section of our Active Directory Endpoint, I see an empty dropdown, but I guess this might not be the first step to do.

This is why I am asking Saviynt Forum…

Thank you!

[screenshot]

5 REPLIES

PremMahadikar
All-Star

Hi @glegault ,

Please refer to this article: Did You Know? How and why you set up Primary Accou... - Saviynt Forums - 3148

To answer it straight: set one/any user account with the required account type (Primary), and then you can set this value in the endpoint.

[screenshot]

In the endpoint:

[screenshot]

Maybe this will also help you:

How to update existing accounts in bulk:

Solved: How can we bulk update account type attribute and ... - Saviynt Forums - 18987

Solved: How can we bulk update "Account Type" attribute fo... - Saviynt Forums - 18694

If this helps your question, please consider selecting Accept As Solution and hit Kudos

Hi PremMahadikar,

Thank you for the information. 

I read the provided articles. From what I can see this requires quite a bit of configuration and testing (especially for the bulk update / import jobs part to keep account types up-to-date for future employees). It might take a while before I can confirm this is working for us and will reply here if I have additional questions while trying this.  

Thank you.

Guillaume

Hi PremMahadikar,

I was able to test primary accounts by manually setting the account type to Primary on one AD account for an identity having multiple AD accounts and by choosing Primary for the Primary Account Type on our AD Endpoint. The birthright rule added access to the primary account as expected so thank you for the tips.

Regarding bulk updates, in our environment, the systemusername property on identities is equal to the AD account name of the primary account for all our users. Would it be possible to share the high-level steps required to automatically update the account type to Primary for all accounts where the user systemusername associated to the account is equal to the account name?

Also, other than Birthright rules, which features use the primary account type configured on AD endpoints? For instance, we have user update rules that trigger Update account tasks for AD and we would like to trigger this only for primary accounts also if possible. When testing the birthright part, I noticed our update account task was still created for all AD accounts and not only the primary one.

Thank you for the help,

PremMahadikar
All-Star

Hi @glegault ,

As the original question is answered, can you please create a new thread on the second and third requests?

It would be helpful for other Engineers to find this article based on your original question, and to find the right solution quickly.

If the solution helps, please Accept As Solution and hit Kudos

Hi PremMahadikar, 

No problem, I will do this.

Thank you,