OISPP v7.2 | Automatically link Managed Directory Accounts

Dear Gents,

I tried to check the Automatically link Managed Directory Accounts feature checkbox, but no linked accounts are being mapped to OISG users.

during  my test, I've changed the managed objects atttribute with(cn, name,distinguished name) but noting is happening.

Would you specify the best suitable attribute as the AD user and account resides in the same domain with different paths?

- OISG version: v7.2

- AD  onprime AD 

Parents
  • Hi,

    How SPP automatically links Privileged managed accounts to the users?

     

    1. One Example is if you have a group in AD named: Privileged_Accounts_group with members of admin accounts that you need to link to the SPP_User
    - You can set the SPP_User under the Group properties > Managed By tab > add SPP_User as the group manager

    - That causes Active Directory to dynamically populate the managedObjects attribute of the SPP_User

    - So the managedObjects attribute is just a collection of Distinguished Names (SPP expects whatever attribute you configure to contain one or more Distinguished Name values).

    - You can also set the managedBy attribute on an Organizational Unit as another example besides using an AD group

    - So if SPP_User is added to SPP as a user, SPP will then look at the managedObjects attribute of SPP_User and resolve all of the user objects in Active Directory.

    - If you used an OU and for example there are a couple of direct users, a group, and another nested OU. SPP will drill down into the nested group and get any members, and it will drill down into the nested OU and get any members, and they will all be available to SPP_User as linked accounts.

    - This will use the attribute called "managedObjects" which is the default set in Appliance managment > Safeguard Access > Identity and Authentication > AD Provider > Attributes > Managed Objects > is set as managedObjects by default
     

    2. Another option, if you do not need to have a 1:Many linked accounts such as the above, you can also configure it with a 1:1 linked account, for example:

    - SPP_User needs to have priv_admin added as linked account

    - In this case, you can configure the priv_admin properties > Manager tab > Change and add SPP_User as Manager of priv_admin

    - This will use a different attribute called "directReports" which can then be set in Appliance managment > Safeguard Access > Identity and Authentication > AD Provider > Attributes > Managed Objects > set it as directReports

    Note: when using the check box on User Directory Group to Automatically Link Managed Accounts, keep in mind that if you had any manually linked accounts added to the users in SPP that this checkbox will overwrite the existing linked accounts as referenced in the KB below:

    https://support.oneidentity.com/one-identity-safeguard-for-privileged-passwords/kb/4259812/linked-accounts-are-removed-from-users

    Thanks!

  • Thank you, I didn't know that. I appreciate you for taking your time for us. Now, I will search for a site online where I can find essay writers for hire. I was searching for it online, and when I was looking for it online, I found link to your post.

Reply Children
No Data