
Service Account import from Active Directory

varunpuri
Regular Contributor

Hi,

AD is one of the target systems in the customer environment. We have 2 types of AD accounts. One are the normal LAN accounts for users and the others are the Service Accounts.

We have to reconcile both these account types into Saviynt and link them to their corresponding user identities created in Saviynt via the authoritative DB source.

For LAN accounts - we have the correlation criteria based on employeeId.
But, for Service Accounts - there is no employeeID attribute. Instead the Service Account has an owner which is signified by the manager attribute of Service Account.

Now, for example, my identity is present in Saviynt, and both my LAN account is there in AD as well as the Service Account for which I am the owner is present in AD.

How can I specify the correlation rule such that after the import runs successfully, my identity in Saviynt gets associated with both my LAN account and the Service Account for which I am the owner?

If I specify the correlation criteria as:

user.username = account.employeeID | user.username = account.manager

Then there is a risk that the LAN accounts for those users for whom I am the manager also get correlated and start appearing as tagged to my identity in Saviynt.

Appreciate your help here.

Best Regards,
Varun
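The over-correlation risk described in the question, as an added example (not Saviynt code or the poster's configuration): a dry run of the OR rule against constructed sample data, beside a rule that applies the manager match only to service accounts. The `type` flag that separates LAN from service accounts is an assumption of the simulation, as are the sample usernames.

```python
from collections import defaultdict

# Constructed sample data, not real directory records.
USERS = ["varun", "alice", "bob"]

ACCOUNTS = [
    # LAN accounts: employeeID present; AD 'manager' is populated for them too
    {"name": "varun_lan", "type": "LAN", "employeeID": "varun", "manager": "ceo"},
    {"name": "alice_lan", "type": "LAN", "employeeID": "alice", "manager": "varun"},
    {"name": "bob_lan", "type": "LAN", "employeeID": "bob", "manager": "varun"},
    # Service account: no employeeID, its owner is expressed via 'manager'
    {"name": "svc_backup", "type": "SERVICE", "employeeID": None, "manager": "varun"},
]


def naive_rule(username, account):
    """user.username = account.employeeID | user.username = account.manager"""
    return username in (account["employeeID"], account["manager"])


def type_aware_rule(username, account):
    """Use 'manager' only for service accounts; LAN accounts match on employeeID alone."""
    if account["type"] == "SERVICE":
        return username == account["manager"]
    return username == account["employeeID"]


def correlate(rule, users=USERS, accounts=ACCOUNTS):
    """Dry-run the rule: map each user to the sorted list of accounts it would claim."""
    linked = defaultdict(list)
    for account in accounts:
        for username in users:
            if rule(username, account):
                linked[username].append(account["name"])
    return {u: sorted(linked[u]) for u in users}


def ambiguous_accounts(rule, users=USERS, accounts=ACCOUNTS):
    """Accounts more than one user would claim: the over-correlation the question warns about."""
    owners = defaultdict(list)
    for username, names in correlate(rule, users, accounts).items():
        for name in names:
            owners[name].append(username)
    return sorted(name for name, who in owners.items() if len(who) > 1)


if __name__ == "__main__":
    print("naive:", correlate(naive_rule), ambiguous_accounts(naive_rule))
    print("type-aware:", correlate(type_aware_rule), ambiguous_accounts(type_aware_rule))
```

Running the dry run before enabling a rule in the import shows which direct reports' LAN accounts the OR rule would pull onto the manager's identity.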


rushikeshvartak
All-Star

Use Saviynt4Saviynt Connector for correlation & Account Owner in case of LAN Accounts


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

varunpuri
Regular Contributor

Can you please elaborate?

Best Regards,
Varun

Use Saviynt 4 Saviynt Import to map the owner in the case of service accounts and correlation to map the account with the user.


Regards,
Rushikesh Vartak

varunpuri
Regular Contributor

How can Sav4Sav import be used to pull and correlate account data from Active Directory?

If you can, please explain in detail, the solution which you are proposing.

Hi Varun,

It is not recommended to tag / correlate service accounts to a user, as the service accounts could have multiple owners and be used by multiple users, and in Saviynt, once the account is correlated it cannot be uncorrelated, which means if tomorrow a service account owner is inactivated, there are chances that the service account also gets disabled when the User update rules fire.

It is advised to manage service accounts using the "Manage Service Accounts" module in Saviynt.

https://docs.saviyntcloud.com/bundle/EIC-Admin-v2021x/page/Content/Chapter04-Application-Management-...

Still, if there is a use case to correlate the service accounts to users, the Sav 4 Sav account import XML query should be used to bring accountname, username, endpoint, security system.

Use the users, accounts, user_accounts tables for the above fields.

KA

XML is not the approach recommended by Saviynt; the REST connector should be used.


Regards,
Rushikesh Vartak

varunpuri
Regular Contributor

Hello Kirti,

The use case is that one Service Account in the customer environment can have only one owner. The customer is also looking for the capability where the ownership of a Service Account can be transferred to the owner's manager if the primary owner leaves the organization.

As per your comment, once the Service Account is correlated to a user identity, it then cannot be correlated to another?
To achieve the above use case, i.e., for Saviynt to be able to detect that the primary owner has left so that it can automatically transfer the ownership of the Service Account to the original owner's manager, what is your suggestion - correlation with the identity or the "Manage Service Accounts" feature?

Best Regards,
Varun

You need to use a user update rule and transfer ownership.

https://forums.saviynt.com/t5/did-you-know/did-you-know-you-can-transfer-ownership-on-user-terminati...


Regards,
Rushikesh Vartak

varunpuri
Regular Contributor

Hi,
I have gone through the following documentation - https://saviynt.freshdesk.com/support/solutions/articles/43000600559-managing-the-service-accounts
It has a one-liner stating: "Service accounts can be created directly from the Manage Service Accounts tile. You can also import them into EIC from the target applications."

However, throughout the document there is no explanation at all telling how to actually import the Service Accounts from target application.
As I mentioned, in our case, the Service Accounts are present in Active Directory and those need to be imported into Saviynt. Additionally, those Service Accounts must also be linked to their correct owner. The explanation provided in the document does not meet our requirements.

The owner needs to be mapped using the Saviynt 4 Saviynt REST Connector. It won't be mapped using the AD Connector.


Regards,
Rushikesh Vartak

Hi @rushikeshvartak

2 questions:
1. Is the Saviynt 4 Saviynt REST connector functionality available in the 2021.x release? Because I can see one comment in this post - https://forums.saviynt.com/t5/identity-governance/saviynt-for-saviynt-in-v2021/m-p/16788#M7428
which says that this is a soon-to-be-released functionality and not yet available.

2. How can we use Sav 4 Sav (REST based) to conditionally identify the owner and then set it as well? I mean, within the modifyAccountJSON, we'll be able to call the REST API to set the account owner only; within the same JSON, how can I call another API to identify which user to set as the account owner?
OR, is it possible to call 2 separate APIs within a single JSON construct with the result of the first API serving as the input for the second API?

Automated will come soon, but you can create your own; Freshdesk has the JSON for the same.

https://saviynt.freshdesk.com/support/solutions/articles/43000669684-saviynt-for-saviynt-rest-based-...

You can call 2 APIs; refer to the REST connector docs.


Regards,
Rushikesh Vartak