
Existing Service Accounts

amer
New Contributor

Hello Team, 

We are in the process of ingesting AD service accounts into Saviynt; the future goal is to have visibility into those accounts based on teams and to run Campaigns. We had a call with the Saviynt management team, and they recommended pulling those accounts as orphans and assigning a user owner or group owner.
But I do have some concerns:

1- Should we leverage the same connector or set up a new connector?
2- Documentation is not showing how to protect those accounts or assign a privilege or service account tag.
3- When assigning a user group owner to an account, there is no visibility to look at each group to see the associated accounts.
4- Just FYI, we are not using this for shared IDs or password management, we have CyberArk; this is only for visibility and Campaigns.

Please share suggestions.
Link used:

https://docs.saviyntcloud.com/bundle/EIC-User-v23x/page/Content/12-mang-sa/ars-mang-sa.htm

adarshk
Saviynt Employee

It is recommended to set up a fresh connection for importing AD Service Accounts.

You can use the Account Type field to specify the Account category.

https://docs.saviyntcloud.com/bundle/AD-v24x/page/Content/Managing-Service-Accounts-v2022x.htm

Please refer to the documentation below for Service Account Campaigns:
https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter06-EIC-Configurations/Config...

amer
New Contributor

Hello adarshk,

In our case we have an AD connector that is being used to pull accounts into Saviynt, and there is an OBJECT Filter on the user level that only pulls accounts that have an employee ID ONLY. I did create a second connector; the question is: are you referring to leveraging the second connector to pull the service accounts and dump them at the same endpoint or a new endpoint?

amer
New Contributor

Hello adarshk,
Can you please share an update on the ask?
@michael.rodzinka@saviynt.com

adarshk
Saviynt Employee

@amer 

You can set up a new endpoint to store and manage service accounts independently. Make sure the object filter is set up to filter only for the category of accounts you are expecting to be pulled.

amer
New Contributor

Hello adarshk

What if a Campaign is launched for a group on the other endpoint, then it won't detect those accounts?

adarshk
Saviynt Employee

You can select the endpoints on which the campaign is launched.
Only the accounts/groups associated with that particular endpoint will be considered for campaigns.

amer
New Contributor

Hello,

First thought was to set up a new connector and separate endpoint, BUT in this case if a campaign was launched it won't be able to detect all the members in the group, since it's been filtered to only employees, and vice versa.

Second thought is to set up 2 connectors and point them to the same endpoint, but the problem with this is that every time the import runs it's going to bounce back the accounts, and will mark the account suspended from import every time in each.

So at this point I don't see good results with either solution.

What would the team suggest to handle this case?

amer
New Contributor

Hello adarshk,

Do we need to open a case? The direction given seems to be not sufficient to accomplish our need here.

amer
New Contributor

Hello adarsh,

Any update?
@MARodzinka 

adarshk
Saviynt Employee

Hi @amer 

Can you please elaborate on the issue with the second process? Here, only the accounts that are filtered in the Object Filter will be brought in for the particular endpoint. This endpoint will only hold the accounts specific to the mentioned filter.

amer
New Contributor

Hello @adarshk 
Setting up 2 connectors that do have a filter object and one endpoint will make the accounts bounce from Active to Suspended.

amer
New Contributor

Hello @adarshk 
Can you transfer the request to another member, please? I have had this question for 20 days and can't get an answer.

adarshk
Saviynt Employee

Hi @amer 

In the second option, where you will be setting up 2 connectors, make sure the object filters you set in each connection contradict each other and the same account is not imported from both connections. This will restrict each import to only the filtered accounts, and accounts will not bounce to Suspended.
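
One way to check the condition described above before pointing two connections at one endpoint, as an added example that is not part of the thread and not Saviynt code: evaluate both candidate object filters over an account sample and list any account matched by both, or by neither. The filter strings, the `description=service` convention and the sample accounts are assumptions constructed for illustration, and the evaluator handles only the `&`, `|`, `!`, equality and presence (`attr=*`) subset of LDAP filter syntax.

```python
# Added example: tiny evaluator for an LDAP filter subset (& | ! = presence).
def parse(f, i=0):
    i += 1                                  # skip the opening '('
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1            # skip the closing ')'
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, rec):
    if node[0] == "&":
        return all(matches(k, rec) for k in node[1])
    if node[0] == "|":
        return any(matches(k, rec) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], rec)
    have = rec.get(node[1])                 # absent attribute never matches
    return bool(have) and (node[2] == "*" or str(have).lower() == node[2].lower())

def check_filters(filter_a, filter_b, records):
    a, b = parse(filter_a)[0], parse(filter_b)[0]
    both, neither = [], []                  # overlap and gap between the filters
    for rec in records:
        r = {k.lower(): v for k, v in rec.items()}
        in_a, in_b = matches(a, r), matches(b, r)
        if in_a and in_b:
            both.append(rec["sAMAccountName"])
        elif not in_a and not in_b:
            neither.append(rec["sAMAccountName"])
    return both, neither

# Assumed filters (not from the thread) and constructed sample accounts.
EMPLOYEES = "(&(objectClass=user)(employeeID=*))"
SERVICE = "(&(objectClass=user)(!(employeeID=*)))"
BY_DESCRIPTION = "(&(objectClass=user)(description=service))"
ACCOUNTS = [
    {"sAMAccountName": "jdoe", "objectClass": "user", "employeeID": "1001"},
    {"sAMAccountName": "svc_backup", "objectClass": "user", "description": "service"},
    {"sAMAccountName": "svc_hr", "objectClass": "user", "employeeID": "2002",
     "description": "service"},
]

if __name__ == "__main__":
    print(check_filters(EMPLOYEES, SERVICE, ACCOUNTS))
    print(check_filters(EMPLOYEES, BY_DESCRIPTION, ACCOUNTS))
```

A filter that is the exact negation of the employee filter cannot overlap with it, while a filter keyed on a different attribute can, as the `svc_hr` sample account shows.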