To match identities between the System of Record (SOR) and an application being connected to the SecurEnds tool, you must match on an attribute: the first/last name, an email address or perhaps an Employee ID. In all three cases, that attribute needs to already be a part of your SOR to match against. For Service Accounts or Vendor identities, for example, an email address may not be present, or the vendor identity may not be in your SOR. There is an alternate strategy that can be leveraged for these cases.
The Pseudo-Account Strategy
You can consider this strategy for those Active/Terminated users and for Service accounts or other records that cannot be matched to a user in the People view (SOR).
Simply using the Assign feature to assign the unmatched users to a user in the People view, who in turn has the manager you want to perform the user access review, may “muddy” the list of entitlements under that user. When you view that user's list of entitlements, it will show their own entitlements for the respective application plus all the other accounts that you Bulk Assigned to them. That is not a true view of that person’s entitlement list.
Instead, we can create a new identity, or pseudo-user, within the People tab. Give it a meaningful name that represents the unmatched users, a unique dummy email address, and the actual email address of the manager whom you would like to review these accounts/entitlements. A Bulk Assign of one or more unmatched records to this pseudo-user will cause those unmatched users to be matched. The pseudo-user will then appear in reviews under that manager's user access review list. Here is an example of creating a pseudo-user. Keep in mind that you cannot edit or remove this user once you select Create.
- People -> Select Add
- Employee Type = Regular
- Employee First Name = AppName
- Employee Last Name = Service Account
- Employee Email Address = firstname.lastname@example.org
- Manager Email ID = The email address of the manager who will be reviewing the service account(s), entitlements or users.
- You can add additional attributes if needed but that is optional
Then, when you go through the Bulk Assign, update the IAM User field within the CSV to email@example.com and upload it. All those records will be assigned to “Mr. Appname Service Account”, who has the manager you provided. You can create as many pseudo-users as you need until all the unmatched records that you want to assign have been assigned. Keep in mind that each pseudo-user will need their own dummy email address.
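
The Bulk Assign preparation described above can be scripted. This is an added example, not SecurEnds code: it fills the IAM User field only for unmatched rows and refuses to run if two pseudo-users share a dummy email or if a dummy email equals a real SOR address. Only the "IAM User" field name comes from this article; the other column names, the sample rows and all email addresses are constructed assumptions.

```python
import csv
import io

IAM_USER = "IAM User"  # field named in the article; other columns are assumed

# Constructed sample of a Bulk Assign CSV (layout is an assumption).
SAMPLE = """Application,Account,IAM User
PayrollApp,svc_backup,
PayrollApp,jdoe,jdoe@corp.example
CrmApp,vendor_sync,
LegacyApp,batch01,
"""

def assign_pseudo_users(csv_text, pseudo_by_app, sor_emails):
    """Fill the IAM User field of unmatched rows with a pseudo-user email.

    pseudo_by_app: application name -> dummy email of its pseudo-user.
    sor_emails: email addresses of real people already in the SOR.
    Returns (new_csv_text, accounts_left_unassigned).
    """
    dummies = [e.lower() for e in pseudo_by_app.values()]
    if len(set(dummies)) != len(dummies):
        raise ValueError("each pseudo-user needs its own dummy email address")
    clash = set(dummies) & {e.lower() for e in sor_emails}
    if clash:
        # A dummy address equal to a real one would put these accounts
        # on that person's entitlement list.
        raise ValueError(f"dummy email collides with a real identity: {sorted(clash)}")

    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    unassigned = []
    for row in reader:
        if not (row.get(IAM_USER) or "").strip():   # only touch unmatched rows
            dummy = pseudo_by_app.get(row["Application"])
            if dummy is None:
                unassigned.append(row["Account"])   # no pseudo-user created yet
            else:
                row[IAM_USER] = dummy
        writer.writerow(row)
    return out.getvalue(), unassigned
```

Accounts returned in the second value still have an empty IAM User field, so they remain unmatched until a pseudo-user is created for their application.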