Symantec IGA

  • 1.  Best Practice for Handling Multiple Accounts for one user

    Posted Jan 08, 2020 11:59 AM

    Team,


    What is the best practice for handling the case where a user has more than one account on an endpoint?


    Endpoint1 csv:

    User1, Acct1, Entitlement1

    User1, Acct1, Entitlement2

    User1, Acct2, Entitlement1

    User1, Acct2, Entitlement3


    For display in the IP Entitlement Catalog, we will choose to have a 1:1 ProvRole-Res mapping, since there are not too many different endpoint entitlements; so for Res1, Res2, Res3 we will show these in Identity Portal as Role1, Role2, Role3. This also allows for auto-remediation of rejected items from a certification, and IP is immediately updated.


    In IP we show:  User1:  Role1, Role2, Role3

    In IG we show:  User1:  Role1, Role2, Role3 and Res1, Res2, Res3

    (Note:  We'll not want to use "Remove Redundant" because we want to keep track of the account which is not part of the user-role relationship, but the account link attribute does exist on the user-res link) {Not sure if link attribute is correct when global user is linked to an entitlement via more than one account}


    If we run a certification in IG using roles:

    • Then we can export the rejects back to IM and the user will automatically be removed from the role.  
    • Let's say Role1 is rejected:  
      • Does IM try to remove Res1 from both Acct1 and Acct2 on the endpoint?
        • If only Acct1, then the Reviewer has no method of rejecting access to that user through an entitlement review.  

    If we run a certification in IG using resources and Entitlement 1 is rejected:

    • Then if we export rejects back to IM, 
      • Which account(s) is the entitlement removed from?
      • How can we also remove the link between the user and the role as this is used to indicate the current access in IP?
        • Is the best way just to wait a day for the next import to sync things back up?


    If we run an account certification, I can see that IG removes the account mapping from the accounts.cfg and recalculates the effective permissions.  Does anyone know what IM does with this command during an export from IG to IM?  


    What are some of the methods that other clients use to handle this use case of multiple accounts on an endpoint?


    Thanks,

    Ricky Gloden

    Security Architect  |  Enterprise Studio

    HCL Technologies Ltd  |  www.hcltech.com

    +1 770-377-6865  |  ricky.gloden@hcl.com  | Atlanta, GA




  • 2.  RE: Best Practice for Handling Multiple Accounts for one user
    Best Answer

    Broadcom Employee
    Posted Jan 09, 2020 06:09 PM
    Hi Ricky, 

    When you are running a role cert, if a role was rejected I assume you mean the entity that was associated with the role has been rejected. The account was tied with an account template, which is a subrole in our case. If the provisioning role was rejected, then both accounts will be removed. If you reject only the subrole, then it depends on which subrole was tied with the specific account. Those accounts will be removed. The same concept applies to entitlements.

    Regarding the questions

    If we run an account certification, I can see that IG removes the account mapping from the accounts.cfg and recalculates the effective permissions.  Does anyone know what IM does with this command during an export from IG to IM?  

    It is based on how IM is configured to handle the endpoint to remove accounts. IG has no control over how IM behaves.

    ------------------------------
    And, as always, perhaps there are others in the communities who have experience in doing this, and we invite them to comment here also.
    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
    ------------------------------
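The core of the question above is a data problem: once one user holds the same endpoint entitlement through two accounts, a user-level reject (on a resource or its 1:1 role) only does what the reviewer intended if remediation enumerates every account carrying that entitlement, and a resource-level reject leaves the user-role link in IP stale until the next import. The reply adds the role-side semantics: a provisioning-role reject removes every account created by its account templates, while a subrole reject removes only the account tied to that template. The following is an added example that models both behaviours over the Endpoint1 rows from the original post; it is not Symantec IGA or IM code, and the template and provisioning-role names (TemplateA, TemplateB, ProvRole1) and the 1:1 entitlement-to-role table are assumptions:

```python
"""Model of the multi-account access-review problem discussed in this thread.

Added example; not Symantec IGA/IM product code. Endpoint rows are copied
from the post; the role and template names below are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed endpoint export, copied from the original post's Endpoint1 csv.
ENDPOINT1_CSV = """\
User1,Acct1,Entitlement1
User1,Acct1,Entitlement2
User1,Acct2,Entitlement1
User1,Acct2,Entitlement3
"""

# Assumed 1:1 entitlement -> role mapping, as the post proposes (Res1 -> Role1).
ENTITLEMENT_TO_ROLE = {"Entitlement1": "Role1", "Entitlement2": "Role2", "Entitlement3": "Role3"}

# Assumed: which account template (subrole) created each account, and which
# provisioning role groups those templates. These names are hypothetical.
ACCOUNT_TEMPLATE = {"Acct1": "TemplateA", "Acct2": "TemplateB"}
PROVISIONING_ROLE = {"ProvRole1": ["TemplateA", "TemplateB"]}


def load_records(csv_text):
    """Parse 'user,account,entitlement' rows into (user, account, entitlement) tuples."""
    rows = csv.reader(io.StringIO(csv_text))
    return [(u.strip(), a.strip(), e.strip()) for u, a, e in rows]


def effective_permissions(records):
    """user -> {entitlement -> set of accounts that hold it}."""
    perms = defaultdict(lambda: defaultdict(set))
    for user, account, ent in records:
        perms[user][ent].add(account)
    return perms


def accounts_holding(records, user, entitlement):
    """Every account through which `user` holds `entitlement` (sorted)."""
    return sorted(effective_permissions(records)[user].get(entitlement, set()))


def revoke_entitlement(records, user, entitlement):
    """User-level (resource or 1:1 role) reject.

    The reject only takes effect if the entitlement comes off every account
    the user holds it through, so one remediation action is produced per account.
    """
    actions = [(acct, entitlement) for acct in accounts_holding(records, user, entitlement)]
    remaining = [r for r in records if not (r[0] == user and r[2] == entitlement)]
    return remaining, actions


def reject_subrole(records, user, template):
    """Account-template (subrole) reject: only accounts created by that template go."""
    doomed = {a for a, t in ACCOUNT_TEMPLATE.items() if t == template}
    actions = [(a, e) for (u, a, e) in records if u == user and a in doomed]
    remaining = [r for r in records if not (r[0] == user and r[1] in doomed)]
    return remaining, actions


def reject_provisioning_role(records, user, prov_role):
    """Provisioning-role reject: every template in the role, hence every account."""
    actions = []
    for template in PROVISIONING_ROLE[prov_role]:
        records, acts = reject_subrole(records, user, template)
        actions.extend(acts)
    return records, actions


def stale_role_links(records, user, assigned_roles):
    """Roles still linked to the user although no account carries the matching entitlement.

    This is the gap between a resource-level reject and the user-role link shown
    in IP that the post asks about; these links need a sync or an explicit removal.
    """
    held = {ENTITLEMENT_TO_ROLE[e] for e in effective_permissions(records)[user]}
    return sorted(set(assigned_roles) - held)


if __name__ == "__main__":
    recs = load_records(ENDPOINT1_CSV)
    print("Entitlement1 held via:", accounts_holding(recs, "User1", "Entitlement1"))
    after, acts = revoke_entitlement(recs, "User1", "Entitlement1")
    print("removal actions:", acts)
    print("stale role links:", stale_role_links(after, "User1", ["Role1", "Role2", "Role3"]))
```

Run against the post's four rows, `accounts_holding` reports Entitlement1 on both Acct1 and Acct2, so a reject of Entitlement1 (or Role1) yields two removal actions rather than one, and `stale_role_links` then flags Role1 as a user-role link that no account backs any more. `reject_subrole("TemplateA")` touches only Acct1, while `reject_provisioning_role("ProvRole1")` empties both accounts, matching the distinction in the reply.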