12/20/2022 08:43 AM
Hello,
I have a scenario where I need to create two different account types (regular and privileged) for users under the same Active Directory domain. These accounts will have different naming conventions.
What is Saviynt's best practice for handling such a situation?
Is it better to create two endpoints, then from within the connection use ACCOUNTNAMERULE to send regular and privileged accounts to different OUs based on an endpoint condition (not sure if possible)
OR
Is it better to just have separate security systems, endpoints, and connections for different account types even if they are pointing to the same AD domain?
12/20/2022 10:21 AM
If a user can have only 1 account, then go with 1 Endpoint.
If a user can have more than one account, then go with 2 Endpoints.
12/20/2022 11:01 AM
Hi Rushikesh,
This doesn't really answer my question as to what is a best practice. The users can potentially have two different accounts, regular and privileged (essentially an admin account), within the same domain.
The question is more along the lines of: is it best practice to use 1 connection and two endpoints for each account type, or to use a separate connection, endpoint and security system for each account type?
12/20/2022 08:50 PM
It's always better to use 2 different connections.
01/19/2023 02:59 AM - edited 01/19/2023 03:02 AM
I know this is an older thread, but for keeping it simple, and since Saviynt is a security and governance product that has to manage/govern things like orphan accounts, going with one connector, marking/tagging accounts and correlating them in the same connector instead of spreading them out and having essentially two or three copies of the same objects in two or three "different" endpoints, is a rather important thing.
We have in our development environment, because our implementation partner used this exact solution of having two connectors to the same domain, two full copies of entitlements and accounts. This is rather annoying when building roles and looking for entitlements. The reason is that in order to NOT have two full copies, we needed to scope and filter what we would like to import, which effectively makes governance pointless, as any rogue account deviating from the expected naming and data convention is basically just not imported. This makes things like orphan account management a worthless joke. The only other solution is to make:
This is rather ridiculous and would be much more powerful with one connector:
All in the same connector, and very generic to maintain. Best of all? Only one LDAP connection and data exchange.
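The governance concern raised in the post above (accounts that deviate from the naming or OU convention must be surfaced as exceptions rather than silently filtered out of the import, and privileged accounts must be correlated to the regular account of the same owner) can be illustrated with a small classifier. The code below is an added example written for this thread; it is not Saviynt's own logic and not the poster's configuration. The naming conventions (an `adm-` prefix for privileged accounts), the OU names, and the sample account records are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical naming conventions and expected OU placement for the two account
# types. These are assumptions for the example, not a real tenant's rules.
# The privileged rule is listed first so it is matched before the generic one.
ACCOUNT_TYPES = {
    "privileged": {
        "pattern": re.compile(r"^adm-(?P<owner>[a-z0-9.]+)$"),
        "ou": "OU=PrivilegedUsers,DC=example,DC=com",
    },
    "regular": {
        "pattern": re.compile(r"^(?P<owner>[a-z0-9.]+)$"),
        "ou": "OU=Users,DC=example,DC=com",
    },
}

# Constructed sample of what one AD connector import might return.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe",
     "distinguishedName": "CN=jdoe,OU=Users,DC=example,DC=com"},
    {"sAMAccountName": "adm-jdoe",
     "distinguishedName": "CN=adm-jdoe,OU=PrivilegedUsers,DC=example,DC=com"},
    # Privileged name placed in the regular OU: a policy deviation.
    {"sAMAccountName": "adm-temp7",
     "distinguishedName": "CN=adm-temp7,OU=Users,DC=example,DC=com"},
    # Matches neither convention: must be reported, not dropped.
    {"sAMAccountName": "svc_backup",
     "distinguishedName": "CN=svc_backup,OU=Users,DC=example,DC=com"},
]


def parent_ou(dn):
    """Return the container of a DN by dropping its leading RDN.

    Simplification: assumes no escaped commas inside the RDN values.
    """
    return dn.split(",", 1)[1]


def classify(account):
    """Map an account to (account_type, owner_id) by naming convention.

    Returns (None, None) when no convention matches.
    """
    name = account["sAMAccountName"].lower()
    for acct_type, rule in ACCOUNT_TYPES.items():
        match = rule["pattern"].match(name)
        if match:
            return acct_type, match.group("owner")
    return None, None


def govern(accounts):
    """Classify every imported account and collect policy deviations.

    Unlike a scoped import filter, nothing is discarded: unmatched names,
    accounts outside their expected OU, and privileged accounts with no
    regular account to correlate to are all returned as exceptions.
    """
    by_owner = defaultdict(dict)
    exceptions = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        acct_type, owner = classify(acct)
        if acct_type is None:
            exceptions.append((name, "no naming convention matched"))
            continue
        by_owner[owner][acct_type] = acct
        expected_ou = ACCOUNT_TYPES[acct_type]["ou"]
        if parent_ou(acct["distinguishedName"]) != expected_ou:
            exceptions.append((name, f"{acct_type} account outside {expected_ou}"))
    # Correlation check: every privileged account should have a regular
    # account for the same owner in the same import.
    for owner, accts in by_owner.items():
        if "privileged" in accts and "regular" not in accts:
            exceptions.append((accts["privileged"]["sAMAccountName"],
                               "privileged account with no regular account to correlate to"))
    return {"by_owner": dict(by_owner), "exceptions": exceptions}


if __name__ == "__main__":
    result = govern(SAMPLE_ACCOUNTS)
    for owner, accts in result["by_owner"].items():
        print(owner, sorted(accts))
    for name, reason in result["exceptions"]:
        print("EXCEPTION", name, reason)
```

Run as-is, the script correlates `jdoe` and `adm-jdoe` to one owner and reports three exceptions: `adm-temp7` sits in the wrong OU and has no regular counterpart, and `svc_backup` matches no convention. The design point is that the classification keys on the account name within a single import, so every object from the domain is seen once and every deviation is visible to the governance process.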
01/19/2023 04:13 AM
When you keep the same security system and endpoint, you will find maintenance as well as configuration issues.
01/19/2023 05:10 AM
Sure. I am aware that this is how Saviynt has designed it, but it is a bad design. Very bad design.
01/19/2023 05:19 AM
I agree, it isn't a very good design. I tried to do it from one connector, but with the manual endpoint filtering you would have to do, plus all the logic needed to provision different accounts to different DNs, I decided it was easier just to do the separate connection. It shouldn't be this difficult, as it is the same domain.
01/23/2023 06:38 AM
It is not that I disagree that this is the approach which makes sense with respect to how this product has been designed and built. However, I was hoping there were others out there concerned about the very central task of IGA: governing identity policies, and especially deviations from the expected state. For this, the product is creating obstacles for itself, so I was hoping some had solved it.