Configuring Machine Accounts
To get started, you can create machine account subtypes to classify existing and future machine accounts on a source by their function. You'll then set a classification policy to identify the machine accounts on that source. While setting this policy, you can also map attributes to assign account subtypes, correlate machine accounts to an application identity, and identify the users responsible for the accounts.
Note
Classification policies and mappings should only be configured during initial setup or when configurations require updates.
Creating Machine Account Subtypes
Before you classify the machine accounts on a source, you can create account subtypes to help organize your machine accounts based on their type and function. For example, you can create an account subtype for the service accounts on a source. Once grouped together, you can easily view and track these machine accounts.
Note
A maximum of 20 account subtypes can be added per source.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to configure.
- In the Machine Accounts section, select Account Subtypes.
- Select Create Subtype.
- In the window, complete the following:
  - In the Name field, enter a unique name for this subtype.
  - In the Technical Name field, enter a unique value that will map to the value stored in the account attribute defining the subtype on this source. You'll define this attribute when you configure machine account mappings.
    Important
    The Technical Name cannot be changed after the account subtype is created.
  - In the Description field, enter a description of the subtype.
- Select Save to create the account subtype.
The subtype's name and description can be updated as needed; the Technical Name cannot.
After you classify the machine accounts for this source, you can correlate machine accounts to this subtype when you map its attributes.
Classifying Machine Accounts
You can configure machine accounts for sources and classify them by attributes and account type. For example, if a source only contains machine accounts, you can classify all accounts as machine accounts. For sources with human and machine accounts, you can define the criteria that will classify machine accounts.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to configure.
- In the Machine Accounts section, select Classification.
- Ensure Enable Classification is enabled.
- Under Classification Settings, choose how to classify accounts on this source:
  - Select Classify all accounts if the source only contains machine accounts.
  - Select Customize classification if the source contains human and machine accounts. This option allows you to set specific criteria to classify machine accounts.
- If you chose Customize classification, define the logic used to classify machine accounts.
  Note
  By default, the Value field is case insensitive. Select the Case Sensitive checkbox to change this setting.
  If a classified machine account no longer meets the defined criteria, it will be reclassified as a human or uncorrelated account.
- Select Save to save the configuration.
You can now map the account attributes for the machine accounts on this source.
Mapping Machine Account Attributes
After configuring the classification criteria for machine accounts, choose attributes and transforms to correlate the machine accounts to an application identity. You can also map the account owner responsible for the machine accounts.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to configure.
- In the Machine Accounts section, select Mappings.
- In the Machine Account Owner tile, choose how to identify the human identity who will own machine accounts on this source.
  - Select Account to Identity to map an account attribute to a human identity attribute. The matching human identity is set as the account owner. If multiple human identities match the value, no identity is assigned as the account owner.
  - Select Account to Account to map an account attribute to an attribute of another account. The following logic applies:
    - If the value matches a single human account, that account's correlated identity is set as the account owner.
    - If the value matches multiple human accounts that are all correlated to the same identity, that identity is set as the account owner.
    - If the value matches multiple human accounts correlated to different identities, no identity is assigned as the account owner.
  Note
  If the Machine Account Owner field is not mapped, no account owner will be assigned.
- In the Machine Identity tile, select an account attribute to correlate the machine accounts to an application identity.
  For organizations that don't maintain application data, SailPoint recommends leaving the Machine Identity field unmapped. An uncorrelated application identity is a single-account identity created during classification when the mapping is left unmapped or produces no match; in that case Identity Security Cloud creates one uncorrelated application identity for each machine account on the source.
  Additional Information on Uncorrelated Application Identities
  An uncorrelated application identity is automatically assigned the following attributes:
  - Name: The uncorrelated application identity takes the name of its correlated machine account:
    - If the machine account is named, the identity uses the same name.
    - If the machine account is not named, the identity uses the account's native identity as its name.
  - BusinessApplication: BusinessApplication-<unique number>
  - Description: The uncorrelated application identity has no description.
  If multiple uncorrelated application identities were created for the same program or service, you can create a single application identity to represent the program or service and then correlate the accounts tied to the uncorrelated application identities to the new identity.
  If your organization stores application data and has created an application identity, select the account attribute that holds the business application value. For example, if the application value is stored in the application_id attribute, select that attribute. The machine accounts will correlate to the corresponding application identity. If an account is missing a value for the attribute, an uncorrelated application identity is created for it.
- In the Account Subtype tile, select the attribute that stores the value indicating the account's subtype. The stored value should match the value configured for the subtype's Technical Name.
  Note
  If no matches are found, the account's subtype value is null.
- In the Environment tile, select the attribute indicating the machine account's environment, like staging or production.
- In the Description field, select the attribute that describes the purpose or function of the accounts.
- Select Save to save your configurations.
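The decision rules in the Classifying Machine Accounts and Mapping Machine Account Attributes sections can be exercised offline against an account export before you select Process Classification on a live source. The script below is an added example written for this page; it is not SailPoint code and calls no Identity Security Cloud API. The sample accounts, the attribute names (accountType, ownerEmployeeId, subtype, application_id, env), the AND-combination of several criteria and the exact-match comparison of subtype values against Technical Names are assumptions. It walks through the edge cases the page calls out: a case-insensitive criterion match, an owner lookup that lands on two different identities (no owner assigned), a missing application value (uncorrelated application identity), an account without a name (identity named after the native identity), and a subtype value with no matching Technical Name (null).

```python
"""Offline dry-run of the machine account classification and mapping rules
described on this page. Added illustration only: not SailPoint code and not
an Identity Security Cloud API call. Sample data, attribute names and the
AND-combination of criteria are assumptions made for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed human accounts on the source with their correlated identities.
# E300 is deliberately shared by two people to trigger the ambiguous-owner rule.
HUMAN_ACCOUNTS = [
    {"name": "alice",       "employeeId": "E100", "identity": "id-alice"},
    {"name": "alice.admin", "employeeId": "E100", "identity": "id-alice"},
    {"name": "bob",         "employeeId": "E200", "identity": "id-bob"},
    {"name": "carol",       "employeeId": "E300", "identity": "id-carol"},
    {"name": "dave",        "employeeId": "E300", "identity": "id-dave"},
]
SUBTYPE_TECHNICAL_NAMES = {"svc", "bot"}          # created under Account Subtypes
APPLICATION_IDENTITIES = {"APP-100": "Payroll"}   # existing application identities


@dataclass
class Account:
    native_identity: str
    name: Optional[str]
    attrs: dict


@dataclass
class Criterion:
    attribute: str
    value: str
    case_sensitive: bool = False   # the Value field defaults to case insensitive


def matches(acct: Account, crit: Criterion) -> bool:
    actual = acct.attrs.get(crit.attribute)
    if actual is None:
        return False
    if crit.case_sensitive:
        return actual == crit.value
    return actual.casefold() == crit.value.casefold()


def is_machine(acct: Account, criteria: list, classify_all: bool = False) -> bool:
    """Classify all accounts ignores criteria; otherwise every criterion must
    hold (assumed AND). An empty criteria list classifies nothing."""
    if classify_all:
        return True
    if not criteria:
        return False
    return all(matches(acct, c) for c in criteria)


def resolve_owner(acct: Account, attribute: str) -> Optional[str]:
    """Account to Account mapping: the machine account's attribute is matched
    against the human accounts' employeeId. Exactly one distinct correlated
    identity becomes the owner; none or several means no owner."""
    value = acct.attrs.get(attribute)
    identities = {h["identity"] for h in HUMAN_ACCOUNTS if h["employeeId"] == value}
    return identities.pop() if len(identities) == 1 else None


def resolve_machine_identity(acct: Account, attribute: Optional[str]) -> str:
    """Machine Identity mapping: unmapped or unmatched values yield an
    uncorrelated application identity named after the account, falling back
    to the native identity when the account has no name."""
    value = acct.attrs.get(attribute) if attribute else None
    if value in APPLICATION_IDENTITIES:
        return APPLICATION_IDENTITIES[value]
    return "uncorrelated:" + (acct.name or acct.native_identity)


def resolve_subtype(acct: Account, attribute: str) -> Optional[str]:
    # Stored value must equal a subtype Technical Name; no match -> null.
    value = acct.attrs.get(attribute)
    return value if value in SUBTYPE_TECHNICAL_NAMES else None


def classify_and_map(accounts, criteria, owner_attr="ownerEmployeeId",
                     identity_attr="application_id", subtype_attr="subtype"):
    results = {}
    for acct in accounts:
        key = acct.name or acct.native_identity
        if not is_machine(acct, criteria):
            results[key] = {"machine": False}   # remains a human/uncorrelated account
            continue
        results[key] = {
            "machine": True,
            "owner": resolve_owner(acct, owner_attr),
            "identity": resolve_machine_identity(acct, identity_attr),
            "subtype": resolve_subtype(acct, subtype_attr),
            "environment": acct.attrs.get("env"),
        }
    return results


# Constructed source export used by the dry run.
SAMPLE_ACCOUNTS = [
    Account("svc_payroll", "svc_payroll",
            {"accountType": "Service", "ownerEmployeeId": "E100",
             "subtype": "svc", "application_id": "APP-100", "env": "production"}),
    Account("ci-runner-01", "ci-runner-01",
            {"accountType": "service", "ownerEmployeeId": "E300",
             "subtype": "robot", "env": "staging"}),           # no application_id
    Account("CN=svc_backup,OU=Services", None,
            {"accountType": "SERVICE", "ownerEmployeeId": "E200", "subtype": "bot"}),
    Account("jdoe", "jdoe", {"accountType": "User", "ownerEmployeeId": "E200"}),
]
CRITERIA = [Criterion("accountType", "service")]

if __name__ == "__main__":
    for name, result in classify_and_map(SAMPLE_ACCOUNTS, CRITERIA).items():
        print(name, result)
```

Running the dry run on a real export is a cheap way to catch an owner attribute that resolves to several identities, or a subtype attribute whose values do not match the Technical Names you created, before those mistakes are written to every machine account on the source and have to be undone with Declassify All Machine Accounts.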
Processing Classification
After you have set a classification policy and mapped the machine account attributes, you can process your configurations to classify the machine accounts on the source.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to configure.
- In the Machine Accounts section, select Classification.
- Select Process Classification to process your classification and mapping configurations. You can return to this page to view the status of the classification.
To cancel the classification, select Cancel Classification. Accounts processed before the cancellation are classified and mapped.
After processing has completed, you can go to Admin > Identity Management > Accounts to view the results. From the left panel, select Machine Accounts to view the accounts classified as machine accounts. Select an account to review its mapped attributes.
If you need to make changes, you can modify and reprocess the classification.
For future aggregations, accounts will automatically be classified based on the classification criteria and mappings.
Declassifying Machine Accounts
After classification has been processed, you may find that the logic used to classify machine accounts was not configured correctly. In this case, you can declassify all the machine accounts on this source and return them to their original account type and correlation.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to configure.
- In the Machine Accounts section, select Classification.
- Ensure the Enable Classification toggle is disabled.
- Select Save to save this change.
- Select the Declassify All Machine Accounts button.
- Select Declassify Accounts to confirm the declassification and return the accounts to their original classification and correlation.
Note
Upon confirmation, the machine account attribute data will be deleted from Identity Security Cloud.
You can now reconfigure the logic for classifying the machine accounts on this source.