Team,
What is the best practice for handling the case where a user has more than one account on an endpoint?
Endpoint1 csv:
User1, Acct1, Entitlement1
User1, Acct1, Entitlement2
User1, Acct2, Entitlement1
User1, Acct2, Entitlement3
For display in the IP Entitlement Catalog, we will choose to have a 1:1 ProvRole-Res mapping, since there are not too many different endpoint entitlements, so for Res1, Res2, Res3 we will show these in Identity Portal as Role1, Role2, Role3. This also allows for auto-remediation of rejected items from a certification, and IP is immediately updated.
In IP we show: User1: Role1, Role2, Role3
In IG we show: User1: Role1, Role2, Role3 and Res1, Res2, Res3
(Note: We'll not want to use "Remove Redundant" because we want to keep track of the account which is not part of the user-role relationship, but the account link attribute does exist on the user-res link) {Not sure if link attribute is correct when global user is linked to an entitlement via more than one account}
If we run a certification in IG using roles:
- Then we can export the rejects back to IM and the user will automatically be removed from the role.
- Let's say Role1 is rejected:
- Does IM try to remove Res1 from both Acct1 and Acct2 on the endpoint?
- If only Acct1, then the Reviewer has no method of rejecting access to that user through an entitlement review.
If we run a certification in IG using resources and Entitlement 1 is rejected:
- Then if we export rejects back to IM,
- Which account(s) is the entitlement removed from?
- How can we also remove the link between the user and the role as this is used to indicate the current access in IP?
- Is the best way just to wait a day for the next import to sync things back up?
If we run an account certification, I can see that IG removes the account mapping from the accounts.cfg and recalculates the effective permissions. Does anyone know what IM does with this command during an export from IG to IM?
What are some of the methods that other clients use to handle this use case of multiple accounts on an endpoint?
Thanks,
Ricky Gloden
Security Architect | Enterprise Studio
HCL Technologies Ltd | www.hcltech.com
+1 770-377-6865 | ricky.gloden@hcl.com | Atlanta, GA
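The core of the question above is that an entitlement is effectively held by a user as long as any one of that user's accounts on the endpoint still grants it, so a rejection that is remediated against only one account leaves the access in place. The following is an added example, not code from the original post or from the IM/IG/IP products, that models the Endpoint1 CSV as (user, account, entitlement) links, computes the revocation set a rejection actually requires, and provides the post-remediation check a reviewer would want after the rejects are exported and the next import runs. The CSV header names, the function names and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample mirroring the Endpoint1 CSV in the post (not a real endpoint export).
ENDPOINT1_CSV = """user,account,entitlement
User1,Acct1,Entitlement1
User1,Acct1,Entitlement2
User1,Acct2,Entitlement1
User1,Acct2,Entitlement3
"""


def load_links(csv_text):
    """Parse user/account/entitlement rows into (user, account, entitlement) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["user"].strip(), row["account"].strip(), row["entitlement"].strip())
            for row in reader]


def effective_access(links):
    """Map user -> entitlement -> set of accounts that grant it.

    An entitlement is effectively held while at least one account grants it, which is
    why a rejection has to be resolved against every granting account, not just one.
    """
    access = defaultdict(lambda: defaultdict(set))
    for user, account, entitlement in links:
        access[user][entitlement].add(account)
    return access


def revocation_plan(links, user, entitlement):
    """Every (user, account, entitlement) row that must go for `user` to lose `entitlement`."""
    return sorted(row for row in links if row[0] == user and row[2] == entitlement)


def apply_revocations(links, revocations):
    """Return the link set that remains after the given rows have been removed."""
    removed = set(revocations)
    return [row for row in links if row not in removed]


def residual_accounts(links, user, entitlement):
    """Accounts of `user` that still grant `entitlement`; empty means the rejection took effect."""
    return sorted(effective_access(links)[user].get(entitlement, set()))


def still_holds(links, user, entitlement):
    """Post-import check: True if the user still has the rejected entitlement via any account."""
    return bool(residual_accounts(links, user, entitlement))


if __name__ == "__main__":
    links = load_links(ENDPOINT1_CSV)
    # Reviewer rejects Entitlement1 (Res1 / Role1 in the post's 1:1 mapping).
    only_acct1 = apply_revocations(links, [("User1", "Acct1", "Entitlement1")])
    print("removed from Acct1 only, still granted via:",
          residual_accounts(only_acct1, "User1", "Entitlement1"))
    full = apply_revocations(links, revocation_plan(links, "User1", "Entitlement1"))
    print("full plan applied, still granted via:",
          residual_accounts(full, "User1", "Entitlement1"))
```

Running the script with the sample rows shows the gap the post describes: removing Entitlement1 from Acct1 alone leaves it granted through Acct2, while the plan produced by `revocation_plan` covers both accounts. In practice the `still_holds` check is the thing to run against the re-imported data after the export, whichever account(s) IM actually touched, so the reviewer's decision can be verified rather than assumed.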