Best practice for categorization of AD-groups, for privileged accounts

In our company we have not yet turned on "Groups can be inherited" on privileged AD user accounts. This is due to the amount of AD-groups, and that some AD-groups are assigned both privileged and unprivileged accounts.

I therefore wanted to get some input from anyone, on what you have done in your companies, regarding managing the lifecycle of creating AD-groups, and categorizing them.

  • Hello Rune

    I would use 'Admin' identities for privileged AD user accounts in most cases.
    That way you can assign entitlements to the privileged AD user account independent of the 'Primary' identity.
    This is the most flexible solution and is "easy" to implement, in my opinion.

    If you have both AD accounts (normal and privileged) assigned to one 'Primary' identity,
    then you can use the category functionality (MatchPatternForMembership) of OneIM.
    This can be more work to implement and maintain, depending on the amount of AD groups,
    because you have to set the Category attribute on all AD groups and accounts you want to manage via OneIM.
    Plus, beforehand you will have to make sure that the AD groups are exclusive for 'normal' or 'privileged' accounts,
    and this may be difficult due to time/technical/responsibility constraints.

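The prerequisite named in the reply above (every AD group must be exclusive to either 'normal' or 'privileged' accounts before a single Category value can be set on it) is something you can audit before touching OneIM. The following PowerShell script is an added example, not code from the thread or from One Identity; it assumes the ActiveDirectory module is available, that managed groups live under a hypothetical OU (`$SearchBase`), and that privileged accounts follow a naming convention (`$PrivilegedPattern`, here the prefix `adm-`). Adjust both to your environment.

```powershell
# Added example (not from the original thread): audit AD groups for mixed
# membership of 'normal' and 'privileged' user accounts before enabling
# category-based group assignment. Assumes the ActiveDirectory module and
# that privileged accounts are recognisable by a SamAccountName prefix.

Import-Module ActiveDirectory

$SearchBase        = 'OU=Groups,DC=example,DC=com'   # assumption: OU holding the managed groups
$PrivilegedPattern = '^adm-'                          # assumption: naming convention for admin accounts

function Get-AccountClass {
    param([string]$SamAccountName)
    if ($SamAccountName -match $PrivilegedPattern) { 'privileged' } else { 'normal' }
}

$report = foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase) {
    # -Recursive resolves nested groups too, which is what effective membership
    # (and therefore any category-based assignment) ultimately reflects.
    $users = @(Get-ADGroupMember -Identity $group.DistinguishedName -Recursive |
               Where-Object { $_.objectClass -eq 'user' })

    # Distinct classes present in this group: 0 (empty), 1 (clean) or 2 (mixed)
    $classes = @($users | ForEach-Object { Get-AccountClass $_.SamAccountName } | Sort-Object -Unique)

    [pscustomobject]@{
        Group      = $group.SamAccountName
        Members    = $users.Count
        Privileged = @($users | Where-Object { (Get-AccountClass $_.SamAccountName) -eq 'privileged' }).Count
        Category   = if ($classes.Count -gt 1) { 'MIXED' }
                     elseif ($classes.Count -eq 1) { $classes[0] }
                     else { 'empty' }
    }
}

# Groups that must be split or cleaned up before one category can be assigned to them
$report | Where-Object Category -eq 'MIXED' | Sort-Object Group | Format-Table -AutoSize

# How many groups fall into each bucket (normal / privileged / MIXED / empty)
$report | Group-Object Category | Select-Object Name, Count
```

Run it with an account that can read group membership across the search base. Groups reported as `MIXED` are the ones the reply warns about: they need to be split by account type (or have the stray members removed) before a Category value can be set on them, and the count per bucket gives a realistic estimate of the clean-up effort before deciding between the 'Admin' identity approach and category matching.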