Managing Machine Account Requests
You can configure machine account requests to better track and govern your organization’s machine accounts and identities.
Managing Machine Account Creation Requests
You can enable machine account creation to allow users to submit requests for new machine accounts. Administrators can configure the creation form that users will complete as well as define the approval process that these requests will follow. Account creation requests are configured through machine account subtypes.
Important
When submitting a machine account creation request, a user can select entitlements to be granted to the account and its correlated machine identity.
To disable this option, go to Admin > System Settings. In the Feature Settings section, select Access Requests and disable the Enable Machine Identity Access Requests toggle. When this feature is disabled, users can still submit requests for machine accounts, but they will not have the option to select entitlements during the account creation process.
To configure machine account creation requests:
- Go to Admin > Connections > Sources.
- Select the source you want to configure.
- In the left panel, go to the Machine Accounts section and select Account Subtypes.
- Create or edit a machine account subtype.
- On the Details page, enter or update the details about the machine account subtype. Select Save to save this information.
- In the left panel, go to the Account Creation section and select Creation Form.
- On the Account Creation page, select Start Setup and complete the following:
  - In the Account Request Form field, select the form that users will complete to request new machine accounts. Alternatively, select Create Form to create a form using the form builder. After you’ve created the form, return to the Account Request Form page and select the form from the Account Request Form field.
  - Select Save to save these settings.
Important
SailPoint recommends enabling machine account creation after you have configured settings for account creation and approval policies.
- From the Account Creation section, select Attribute Mappings and complete the following:
  - For each attribute, select a mapping type and the related attribute. By default, all connector-required attributes are included.
    - Generator - Generators compute a value for the account attribute, usually based on a pattern you specify. Select the name of a generator that will create the value for the attribute during provisioning.
    - Static - Enter a simple text value or build a value for the attribute using an Apache Velocity script template. Static values use the same Velocity syntax as Static Transforms.
      Notes
      - Form variables can be referenced in static values by using the syntax $userInput.{technical key}.
      - If a static value starts with $userInput.{technical key}, the mapping will change to use the Form mapping type. For these cases, you can use an inline variable ${attribute name} to continue using a static value.
    - Form - Select this option to map the attribute to a specific field from the account request form.
    - Disabled - Select this option to omit the attribute when creating a new account.
  - Select Add Mapping to create a new attribute, or add an existing attribute, as a new mapping. This attribute is only added to the provisioning policy and not to the account schema.
  - Select Save to save these mappings.
    Note
    Machine accounts created through machine account requests ignore the mappings defined during machine account setup.
From the Account Creation section, select Password Settings to configure the password policy defined by the connector. When a machine account is provisioned, the system will automatically generate a password for the account based on these settings.
-
Review the connector guide to determine the required password settings:
- Select Set password to existing attribute to map the value to an existing attribute. Select an attribute from the Attribute dropdown list.
- Select Set password to new attribute to map the value to a new attribute. Enter the name of the attribute in the New Attribute field.
- Select Do not set password if no password is required.
Once generated, these passwords are saved in Parameter Storage. Account owners can copy or reveal these passwords as needed by selecting Actions
> Reveal Password for the machine account on their My Ownership page. -
Select Save to save these settings.
-
- From the left panel, select Approval Settings and configure the approval policy:
  - In the Machine Account Creation Requests panel, ensure the Requires Approval option is enabled.
  - In the Approvers section, choose whether the request will be reviewed by a single approver or multiple approvers:
    - Single Approver
      - Select Single from the Approval Type field.
      - Select the type of reviewer from the Reviewer Category field. You can select from the following options:
        - Requester's Manager - The manager of the user who submitted the request reviews the request.
        - Source Owner - The source owner reviews the request. This is the default reviewer.
        - Governance Group - The selected governance group reviews the request. Only one identity in the governance group is required to approve the request.
    - Multiple Approvers
      - Select Multi-Step from the Approval Type field.
      - In the Reviewers section, select Add Reviewer.
      - Configure the approval policy by taking the following actions:
        - Select the types of reviewers from the Reviewer Category field. You can select from the following options:
          - Requester's Manager - The manager of the user who submitted the request reviews the request.
          - Source Owner - The source owner reviews the request. This is the default reviewer.
          - Governance Group - The selected governance group reviews the request. Only one identity in the governance group is required to approve the request.
        - Add additional reviewers by selecting Add Approver.
        - Remove reviewers by selecting the Delete icon.
        - Move a reviewer’s tile to change the order in which the approvers will review the request.
        Note
        All reviewers must approve the request for the account to be created. If one reviewer denies the user’s request, the request is denied.
      - Select Save to save the approval process.
        If the approval process requires changes, select Edit Approvers. You can add or remove approvers and rearrange the order in which they will review the request.
  - Choose whether comments are required when reviewers approve or deny account deletion requests.
  - Select Save to save these approval settings.
- From the left panel, select Review to review the configurations for the machine account subtype.
- If the configurations appear correct, select Creation Form from the left panel.
- Select the Enable Account Creation toggle to allow users to submit requests for new machine accounts. Select Save to enable machine account creation.
Important
The system automatically creates an entitlement named Create Machine Account — {Source Display Name} / {Subtype Display Name}. All users must request access to this entitlement to view the Create Machine Account option and submit requests for machine accounts. The user who enables machine account creation becomes the entitlement owner and must make the entitlement requestable before users can request access. Administrators can also add the entitlement to roles and access profiles.
Note
If the machine account subtype is deleted, this entitlement is revoked from identities. Any pending requests for the entitlement are automatically canceled. Users will also no longer be able to submit requests for the entitlement.
Managing Machine Account Deletion Requests
As an administrator, you can set approval processes for machine account deletion requests to mitigate possible risks.
Setting Approval Process Per Source
You can define the approval process for the deletion of machine accounts at the source level. By default, approval settings are enabled, and the source owner is the designated reviewer.
- Go to Admin > Connections > Sources.
- Select the source you want to configure.
- In the left panel, go to the Machine Accounts section and select Approval Settings.
- In the Machine Account Deletion Requests panel, ensure the Requires Approval option is enabled.
- In the Approvers section, choose whether the request will be reviewed by a single approver or multiple approvers:
  - Single Approver
    - Select Single from the Approval Type field.
    - Select the type of reviewer from the Reviewer Category field. You can select from the following options:
      - Account Owner - The owner of the machine account reviews the request.
      - Requester's Manager - The manager of the user who submitted the request reviews the request.
      - Source Owner - The source owner reviews the request. This is the default reviewer.
      - Governance Group - The selected governance group reviews the request. Only one identity in the governance group is required to approve the request.
  - Multiple Approvers
    - Select Multi-Step from the Approval Type field.
    - In the Reviewers section, select Add Reviewer.
    - Configure the approval policy by taking the following actions:
      - Select the types of reviewers from the Reviewer Category field. You can select from the following options:
        - Account Owner - The owner of the machine account reviews the request.
        - Requester's Manager - The manager of the user who submitted the request reviews the request.
        - Source Owner - The source owner reviews the request. This is the default reviewer.
        - Governance Group - The selected governance group reviews the request. Only one identity in the governance group is required to approve the request.
      - Add additional reviewers by selecting Add Approver.
      - Remove reviewers by selecting the Delete icon.
      - Move a reviewer’s tile to change the order in which the approvers will review the request.
    - Select Save to save the approval process.
      Note
      All reviewers must approve the request for the deletion to be approved. If one reviewer denies the user’s request, the request is denied.
      If the approval process requires changes, select Edit Approvers. You can add or remove approvers and rearrange the order in which they will review the request.
- Choose whether comments are required when reviewers approve or deny account deletion requests.
- Select Save to save these approval settings.
Setting Approval Process Per Account Subtype
Machine account subtypes automatically inherit the approval process defined for the machine accounts on their source. However, if you require a stricter approval policy for some machine accounts, you can configure an approval process for their account subtype.
Note
The machine account subtype maintains this approval policy when the source’s approval settings are updated. Selecting Reset to source approval settings resets the approval policy to use the default policy defined at the source level.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to configure.
- In the left panel, go to the Machine Accounts section and select Account Subtypes.
- Select the account subtype you want to set up an approval process for.
- From the left panel, select Approval Settings.
- In the Machine Account Deletion Requests section, ensure the Requires Approval option is enabled. If approvals are required at the source level, this option will already be enabled.
- In the Approvers section, choose whether the request will be reviewed by a single approver or multiple approvers:
  - Single Approver
    - Select Single from the Approval Type field.
    - Select the type of reviewer from the Reviewer Category field. You can select from the following options:
      - Account Owner - The owner of the machine account reviews the request.
      - Requester's Manager - The manager of the user who submitted the request reviews the request.
      - Source Owner - The source owner reviews the request. This is the default reviewer.
      - Governance Group - The selected governance group reviews the request. Only one identity in the governance group is required to approve the request.
  - Multiple Approvers
    - Select Multi-Step from the Approval Type field.
    - In the Reviewers section, select Add Reviewer.
    - Configure the approval policy by taking the following actions:
      - Select the types of reviewers from the Reviewer Category field. You can select from the following options:
        - Account Owner - The owner of the machine account reviews the request.
        - Requester's Manager - The manager of the user who submitted the request reviews the request.
        - Source Owner - The source owner reviews the request. This is the default reviewer.
        - Governance Group - The selected governance group reviews the request. Only one identity in the governance group is required to approve the request.
      - Add additional reviewers by selecting Add Approver.
      - Remove reviewers by selecting the Delete icon.
      - Move a reviewer’s tile to change the order in which the approvers will review the request.
    - Select Save to save the approval process.
      Note
      All reviewers must approve the request for the deletion to be approved. If one reviewer denies the user’s request, the request is denied.
      If the approval process requires changes, select Edit Approvers. You can add or remove approvers and rearrange the order in which they will review the request.
- Choose whether comments are required when reviewers approve or deny account deletion requests.
- Select Save to save these approval settings.
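The approval rules that the creation and deletion sections above share (Single versus Multi-Step approval types, reviewers acting in tile order, a governance group needing only one member to act, every reviewer having to approve, one denial rejecting the request, and the optional comment requirement) are modelled here as an added Python example. This is not SailPoint code; the Reviewer and Decision classes, the evaluate function and the sample identities are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model of the approval policy described on this page
# (illustration only, not the product's implementation).

@dataclass(frozen=True)
class Reviewer:
    category: str       # e.g. "Source Owner", "Governance Group"
    members: frozenset  # identities allowed to act for this reviewer tile

@dataclass(frozen=True)
class Decision:
    identity: str
    approved: bool
    comment: str = ""

def evaluate(reviewers, decisions, requires_approval=True, comments_required=False):
    """Return 'approved', 'denied' or 'pending' for one request.

    reviewers: ordered reviewer tiles (one for Single, several for Multi-Step).
    decisions: decisions recorded so far, in the order they were made.
    """
    if not requires_approval:
        return "approved"   # Requires Approval toggle off: no review happens
    if comments_required and any(not d.comment.strip() for d in decisions):
        raise ValueError("a comment is required on every approve/deny decision")
    unused = list(decisions)
    for step in reviewers:  # Multi-Step reviews proceed in tile order
        # One member of a governance group (or the single identity behind the
        # other categories) acting on the request satisfies this step.
        acted = next((d for d in unused if d.identity in step.members), None)
        if acted is None:
            return "pending"   # this reviewer has not acted yet
        if not acted.approved:
            return "denied"    # a single denial rejects the whole request
        unused.remove(acted)
    return "approved"          # every reviewer approved
```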