For a credential to be included in reviews, its identity must match between the System of Record (SOR) and the application being connected to SecurEnds. Applications match to the SOR using one of three attributes: 1) first and last name, 2) email address, or 3) Employee ID. In all three cases the attribute must already be present in the SOR to match against. For example, a credential in your application that represents a vendor with an external email address may have nothing to match against in your HR system of record. The following strategy is an alternative for those cases.
The Pseudo-Account Strategy
Consider this strategy for Active/Terminated users and for any other records that cannot be matched to an identity in the People data (which is populated by your SOR sync).
Simply using the Assign feature to attach an unmatched record to an existing user in the People view can "muddy" that user's list of entitlements. The manager is then asked to review, for one of their direct reports, a credential they know nothing about, because that user's entitlement list now shows their own entitlements for the application plus the credential and entitlements of the unmatched account. That is not a true view of that person's access.
Instead, create a new, clearly fake identity (a pseudo-user) in the People data. Give it a meaningful, "smart" name that identifies what the unmatched record is, a unique, fake "smart" email address, and the email address of the real manager who should review these accounts and their entitlements. A Bulk Assign of one or more unmatched records to this pseudo-user causes those records to become matched, and the pseudo-user then appears under that manager's user access review list. Here is an example of creating a pseudo-user. Keep in mind that you cannot edit this user once you select Create, except by importing a CSV.
- People -> Select Add
- Employee Type = Regular
- Employee First Name = AppName
- Employee Last Name = Vendor Account
- Employee Email Address = firstname.lastname@example.org
- Manager Email ID = The email address of the manager who will be reviewing the vendor account(s) entitlement or users.
- Additional attributes are optional; add them only if needed
Then, when you go through the Bulk Assign, set the IAM User field in the CSV to the pseudo-user's email address (firstname.lastname@example.org in the example above) and upload. All of those records will be assigned to "Mr. AppName Vendor Account", who has the manager you provided. Create as many pseudo-users as you need until every unmatched record you want to assign has been handled. Keep in mind that each pseudo-user needs its own unique dummy email address, and choose those addresses on a domain you control or one that cannot receive mail, so that no outside party can ever become the match target for these accounts.
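The following script is an added example, not SecurEnds' own code or import format. It walks through the procedure above end to end: it applies the three match methods (Employee ID, email, first/last name) to a constructed application export against a constructed SOR extract, collects the records that cannot be matched, and generates both the People rows for the pseudo-users and the Bulk Assign rows with the IAM User field pointing at each pseudo-user's dummy email. The CSV column names (employee_id, app_user, App User and so on), the sample data, and the pseudo.example domain are all assumptions for illustration; the People attributes mirror the bullet list above. It goes slightly beyond the page's single pseudo-user by offering one pseudo-user per unmatched record (the default, so a reviewer sees each vendor account on its own) or one per application, and it checks that every pseudo-user gets a unique dummy email.

```python
import csv
import io

# Constructed sample data: a System of Record (SOR) extract and one application's
# credential export. Column names are assumptions for this example, not SecurEnds'
# actual import schema.
SOR_CSV = """employee_id,first_name,last_name,email,manager_email
1001,Alice,Smith,alice.smith@corp.example,carol.jones@corp.example
1002,Bob,Lee,bob.lee@corp.example,carol.jones@corp.example
"""

APP_CSV = """app_user,first_name,last_name,email,employee_id
asmith,Alice,Smith,,
blee,,,Bob.Lee@corp.example,
svc-backup,,,,
acme-vendor,,,jdoe@acme-vendor.example,
"""


def norm(value):
    """Case- and whitespace-insensitive key so 'Bob.Lee@' still matches 'bob.lee@'."""
    return (value or "").strip().lower()


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_sor_indexes(sor_rows):
    by_id = {norm(r["employee_id"]): r for r in sor_rows if norm(r["employee_id"])}
    by_email = {norm(r["email"]): r for r in sor_rows if norm(r["email"])}
    by_name = {(norm(r["first_name"]), norm(r["last_name"])): r for r in sor_rows}
    return by_id, by_email, by_name


def match_credential(cred, indexes):
    """Try the three match methods from most to least specific: Employee ID, email,
    first/last name. Returns (sor_row, method) or (None, None) when nothing matches."""
    by_id, by_email, by_name = indexes
    eid = norm(cred.get("employee_id"))
    if eid and eid in by_id:
        return by_id[eid], "employee_id"
    email = norm(cred.get("email"))
    if email and email in by_email:
        return by_email[email], "email"
    name = (norm(cred.get("first_name")), norm(cred.get("last_name")))
    if all(name) and name in by_name:
        return by_name[name], "name"
    return None, None


def split_matched(app_rows, sor_rows):
    """Return ([(credential, method)], [unmatched credential])."""
    indexes = build_sor_indexes(sor_rows)
    matched, unmatched = [], []
    for cred in app_rows:
        row, method = match_credential(cred, indexes)
        (matched if row else unmatched).append((cred, method))
    return matched, [c for c, _ in unmatched]


def plan_pseudo_accounts(app_name, unmatched, manager_email,
                         domain="pseudo.example", per_account=True):
    """Build the People rows to create and the Bulk Assign rows that set each unmatched
    credential's IAM User field to a pseudo-user's email. Each pseudo-user gets its own
    unique dummy email on a reserved, non-deliverable domain (.example, RFC 2606).
    per_account=False groups every unmatched record under one 'AppName Vendor Account'."""
    if not unmatched:
        return [], []
    people, assigns = [], []
    groups = [[c] for c in unmatched] if per_account else [unmatched]
    for i, group in enumerate(groups, start=1):
        label = str(i) if per_account else ""
        pseudo_email = f"{app_name.lower()}.vendor{label}@{domain}"
        people.append({
            "Employee Type": "Regular",
            "Employee First Name": app_name,
            "Employee Last Name": ("Vendor Account " + label).strip(),
            "Employee Email Address": pseudo_email,
            "Manager Email ID": manager_email,
        })
        for cred in group:
            assigns.append({"App User": cred["app_user"], "IAM User": pseudo_email})
    emails = [p["Employee Email Address"] for p in people]
    assert len(emails) == len(set(emails)), "each pseudo-user needs its own dummy email"
    return people, assigns


def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    matched, unmatched = split_matched(load(APP_CSV), load(SOR_CSV))
    people, assigns = plan_pseudo_accounts("Payroll", unmatched, "carol.jones@corp.example")
    print(to_csv(people))   # rows to create under People -> Add (or via CSV import)
    print(to_csv(assigns))  # rows for the Bulk Assign upload
```

Matching is attempted from the most specific attribute to the least, so an Employee ID match wins over an email match, and a name match is only used when nothing better exists; name-only matching is the weakest of the three because two people can share a name. Keep the generated People CSV as the record of which pseudo-users exist and why, since the pseudo-user cannot be edited after creation except by CSV import.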