AD group assignment to privilege accounts

Hi All,

In the One Identity sandbox we assigned AD groups to selected privilege accounts from the IT Shop web portal using Resource properties and a custom process.

So we created a Resource property for privilege accounts and normal accounts, and defined them in PersonWantsOrg, ShoppingCartItem, and the Identity type in the Person table.

Now the user can select the Account type from the Resource property and raise the request for the AD group.

So using the custom process we are able to assign the AD group to the requested privilege account rather than the normal AD account.

Here we are facing a few issues:

1) Can the same AD group be assigned to multiple privilege accounts and to the normal AD account for the same user?

2) Once the AD group is already assigned to any privilege account or AD account of a particular user in the IT Shop, under that AD group service item the message is "the product is already assigned to the user". In this scenario, is this the right message or not? And can the same group be assigned to another privilege account or the normal AD account of the same user?

3) How will this service item or product behave among these accounts in this scenario? Could you please advise us.

  • Hello,

    Regarding your questions:

    1) Can the same AD group be assigned to multiple privilege accounts and to the normal AD account for the same user?

    Do you mean this is NOT working, or are you just asking if this is possible? I would think this should work without issue.

    2) Once the AD group is already assigned to any privilege account or AD account of a particular user in the IT Shop, under that AD group service item the message is "the product is already assigned to the user". In this scenario, is this the right message or not? And can the same group be assigned to another privilege account or the normal AD account of the same user?

    If the product is assigned to the user then it's expected to see "the product is already assigned to the user". The problem here is that you can only assign a product to an Employee once. But as long as the associated ADSAccount can inherit group membership, this should work.

    3) How will this service item or product behave among these accounts in this scenario? Could you please advise us.

    As above, a service item can only be assigned once to an Employee, and if there are managed accounts, i.e. ADSAccount, group membership should be inherited. But assuming this is what you're referring to, I'd suggest referring to the Admin guide for more information: support.oneidentity.com/.../administration-guide-for-privileged-account-governance

    Trevor
