NHI Ownership Attribution
SailPoint Entro matches the ownership of every NHI by tailoring the process to each integration. Since owner can mean different things depending on the platform, we adapt our attribution logic to the type of NHI and the data we can collect from that integration. This integration-specific approach ensures ownership is accurate, actionable, and aligned with how each system defines responsibility.
There are 3 levels of ownership for each NHI. For each integration it is a bit different and dependent on the data we receive from the integration. Usually it is the direct ownership of the NHI, then the higher hierarchy levels of admin that have access to handle a risk related to that NHI, meaning revoke/rotate the token.
The next level of ownership is matching the owner to an employee (human identity). The 'Employee' column will pick the best candidate to match the owner we detected with an employee from the Employees inventory, where the human identities from the customer IDP are stored.
AWS Non-Human-Identities
Direct Ownership:
-
Human user who used the NHI Token via Audit log
-
Creator of NHI Token via Audit log
-
Modifier of the NHI
-
Name of NHI Token (Description / Token name) matched to employee name
Higher Level Ownership Hierarchy:
- We default to account owners with permissions over the NHI
GCP Service Account
Direct Ownership:
-
Human user who used the NHI Token via Audit log
-
Creator of NHI Token via Audit log
-
Creator of NHI Service account via Audit log
-
Modifier of the NHI
-
Owner of the Workload/CICD using the NHI
-
Name of NHI Token (Description / Token name) matched to employee name
2nd-Level Ownership Hierarchy:
SA.Key.Creatorpermission, binding (users and groups) from IAM policy of specific permissions on the project that the SA belongs to
3rd-Level Ownership Hierarchy:
SA.Key.Creator, binding (users and groups) from IAM policy of specific permissions on Folder and Organization that the SA and Project belongs to
Azure App Registrations
Direct Ownership:
-
Human user who used the NHI Token via Audit log
-
Creator of NHI Token via Audit log
-
Creator of NHI Service account (Azure app ownership)
-
Modifier of the NHI
-
Owner of the Workload/CICD using the NHI
-
Name of NHI Token (Description / Token name) matched to employee name
2nd-Level Ownership Hierarchy:
- Azure Application owners
3rd-Level Ownership Hierarchy:
- Cloud Application administrators
Okta Applications
Direct Ownership:
- Client secret creator
2nd-Level Ownership Hierarchy:
- Application creator/owner
3rd-Level Ownership Hierarchy:
- Super administrators
GitHub Personal Access Token
Direct Ownership:
- IAM username, email, or full name matched to employee name
2nd-Level Ownership Hierarchy:
- Organization administrators
GitHub Fine-Grained Token
Direct Ownership:
- Token creator
Higher Level Ownership Hierarchy:
- Missing higher level ownership matching.
Google API Key
Direct Ownership:
- API Key creator
Higher Level Ownership Hierarchy:
- Missing higher level ownership matching.