• State Verified Answer
  • Replies 5 replies
  • Subscribers 28 subscribers
  • Views 791 views
  • Users 0 members are here
Options
Related

Automatically link Managed Directory Accounts

walied shoaip
7 months ago

OISG version: 7.1.1

Active Directory version: 2019

 

I have followed the answer to a forum question about configuring OSID and AD for the accounts to be automatically linked to SG users. This is the question link: OISPP v7.2 | Automatically link Managed Directory Accounts - Forum - Safeguard Community - One Identity Community

 

I did the configuration of the 1:1 account linking. In my environment, I have a user named hatem ali that is the manager of an account named hatem pam.

 I have also configured the Active Directory in Safeguard to be using the directReports attribute in the Managed Objects settings.

 Also, both hatem ali and hatem pam are members of LinuxAdmins directory group.

 and in Safeguard I have checked the Automatically Link Managed Directory Accounts for this group.

Now when I sync the AD from Safeguard, both users are added to users. From what I understand, the hatem pam user should have been added to Safeguard accounts not users.

Can you tell me what is missing?

Parents
  • +1 7 months ago

    Hi Walied, 

    Pre-requisites:

    - Create a new directory group in AD for example SafeguardUsers and add only the users you wish to import as SPP Users to be members of that group for example "hatem ali" as member of SafeguardUsers 

    - Add the expected managed account to the AD asset in SPP > Go to the AD asset and select accounts tab then add for example "hatem pam" (this can be automated via Account Discovery or manually add the account for testing purpose first)

    After the above is completed:

    - Go to User groups section in SPP and add the SafeguardUsers to SPP via Add Directory User group and enable Automatically Link Managed Directory Accounts checkbox

    - This will import the user "hatem ali" who is a member of SafeguardUsers for example and then when directory sync runs, it will link the existing managed account "hatem pam" as a linked account to the SPP user "hatem ali"

    The linked account does not automatically get created in SPP as a managed account via the Directory Sync process as that is a separate process and so the managed account needs to exist in SPP or added (either manually or via Account Discover from AD) then the above steps would allow the managed account to be linked automatically to the User (1:1 relationship in this use-case) based on the directReports attribute.

    I would avoid using groups that have both users and accounts in terms of SPP objects as that will cause the undesired result where an account is added as a user which is likely not required in this use-case.

    Thanks!

  • 0 7 months ago in reply to Tawfiq.Ahmad

    Hello Tawfiq,

    Thank you for replying. I have tried what you said, and it works well. However, when I tried reversing the order the process (i.e. I imported the users by syncing from AD before the importing the accounts into Safeguard through an account discovery job) it didn't work. So, is it necessary that accounts are imported into Safeguard before users? 

  • 0 7 months ago in reply to walied shoaip

    It will work either way (Users added first or Accounts added first) but the accounts must be added in order for the linked accounts to update correctly.

    Thanks!

  • 0 7 months ago in reply to Tawfiq.Ahmad

    Hello Tawfiq, I have tried the process and found it working, but I can't see what triggers it.

    I have done a directory sync from the web client and a full sync from the API and neither of them triggered the account linking. Nevertheless, when I restarted the appliance and look at the logs, I find the relationship between the Safeguard user and the account added right after the restart.

    Do you have any clue on this?

  • 0 6 months ago in reply to walied shoaip

    Hi Walied,

    I would suggest to upgrade to 7.4.1 and see if you can reproduce the issue or if this gets resolved as we have included several fixes since 7.1.1


    Thanks!

Reply Children
No Data