Configuring Machine Accounts
To get started, you'll set classification criteria to identify the machine accounts on a source. You can then map attributes to correlate machine accounts to a machine identity and identify the user responsible for the accounts.
Note: Classification criteria and mappings should only be configured during initial setup or when configurations require updates.
Classifying Machine Accounts
You can configure machine accounts for sources and classify them by attributes and account type. For example, if a source only contains machine accounts, you can classify all accounts as machine accounts. For sources with human and machine accounts, you can define the criteria that will classify machine accounts.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to configure.
- In the Machine Accounts section, select Classification.
- Ensure Enable Classification is enabled.
- Under Classification Settings, choose how to classify accounts on this source:
  - Select Classify all accounts if the source only contains machine accounts.
  - Select Customize classification if the source contains human and machine accounts. This option allows you to set specific criteria to classify machine accounts.
- If you chose to customize classification, define the logic used to classify machine accounts. If a classified machine account no longer meets the defined criteria, it is reclassified as a human or uncorrelated account.
- Select Save to save the configuration.
You can now map the account attributes for the machine accounts on this source.
Mapping Machine Account Attributes
After configuring classification criteria for machine accounts, choose attributes and transforms to correlate the machine accounts to a machine identity. You can also map the account owner responsible for the machine accounts.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to configure.
- In the Machine Accounts section, select Mappings.
- In the Machine Account Owner tile, choose how to identify the human identity who will own machine accounts on this source.
  - Select Account to Identity to map an account attribute to a human identity attribute. The matching human identity is set as the account owner. If multiple human identities match the value, no identity will be assigned as the account owner.
  - Select Account to Account to map an account attribute to another account. The following logic applies:
    - If the values match a single human account, the account's correlated identity is set as the account owner.
    - If the values match multiple human accounts that are correlated to the same identity, the correlated identity is set as the account owner.
    - If the values match multiple human accounts correlated to multiple identities, no identity will be assigned as the account owner.
  Note: If the Machine Account Owner field is not mapped, no account owner will be assigned.
- In the Machine Identity tile, select an account attribute to correlate the machine accounts to a machine identity.
  For organizations that don't maintain application data, SailPoint recommends leaving the Machine Identity field unmapped. This creates a partial machine identity during classification. A partial machine identity is a single-account identity created when the mapping is left unmapped or results in no matches. Identity Security Cloud creates a partial machine identity for each machine account on the source.
  Additional Information on Partial Machine Identities
  A partial machine identity is automatically assigned the following attributes:
    - Name: The partial machine identity takes on the name of its correlated machine account:
      - If the machine account is named, the identity will use the same name.
      - If the machine account is not named, the identity will use the name of the account's native identity.
    - BusinessApplication: BusinessApplication-<unique number>
    - Description: The partial machine identity will not have a description.
  If multiple partial machine identities were created for the same application, you can create a single machine identity to represent the application. You can then correlate the accounts tied to the partial machine identities to the new machine identity.
  If your organization stores application data and has created a machine identity, select the account attribute used for the business application value. For example, if the application value is stored in the application_id attribute, that attribute should be selected. The machine accounts will correlate to the corresponding machine identity. If an account is missing a value for the attribute, a partial machine identity is created.
- In the Environment tile, select the attribute indicating the machine account's environment, like staging or production.
- In the Description field, select the attribute that describes the purpose or function of the accounts.
- Select Save to save your configurations.
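The owner-mapping and machine-identity correlation rules above, modelled as an added Python example (not SailPoint code) so you can check what a given mapping will produce before processing classification. All identity and account records are constructed sample data, and attribute names such as ownerEmail and ownerDept are assumptions.

```python
from itertools import count
# Constructed sample records (not real tenant data); attribute names are assumptions.
IDENTITIES = [{"id": "alice", "email": "alice@example.com"},
              {"id": "bob", "email": "bob@example.com"},
              {"id": "carol", "email": "shared@example.com"},
              {"id": "dan", "email": "shared@example.com"}]
HUMAN_ACCOUNTS = [{"nativeIdentity": "alice.ad", "identity": "alice", "department": "payments"},
                  {"nativeIdentity": "alice.ldap", "identity": "alice", "department": "payments"},
                  {"nativeIdentity": "bob.ad", "identity": "bob", "department": "ops"},
                  {"nativeIdentity": "dan.ad", "identity": "dan", "department": "ops"}]
MACHINE_IDENTITIES = [{"id": "mi-billing", "businessApplication": "billing"}]
SVC_BILLING = {"name": "svc_billing", "nativeIdentity": "CN=svc_billing",
               "ownerEmail": "alice@example.com", "ownerDept": "payments",
               "application_id": "billing"}
SVC_SHARED = {"name": "", "nativeIdentity": "CN=svc_shared",
              "ownerEmail": "shared@example.com", "ownerDept": "ops",
              "application_id": ""}

_seq = count(1)  # stands in for the product's unique number suffix

def owner_account_to_identity(acct, acct_attr, identity_attr):
    """Account to Identity: owner only if exactly one human identity matches."""
    hits = [i for i in IDENTITIES if i.get(identity_attr) == acct.get(acct_attr)]
    return hits[0]["id"] if len(hits) == 1 else None

def owner_account_to_account(acct, acct_attr, human_attr):
    """Account to Account: matching human accounts must all correlate to one identity."""
    hits = [h for h in HUMAN_ACCOUNTS if h.get(human_attr) == acct.get(acct_attr)]
    owners = {h["identity"] for h in hits}
    return owners.pop() if len(owners) == 1 else None

def correlate_machine_identity(acct, app_attr=None):
    """Returns (identity, is_partial). Unmapped attribute, empty value or no
    match creates a partial identity named after the account (or its native
    identity when the account has no name), with a generated BusinessApplication."""
    if app_attr and acct.get(app_attr):
        for mi in MACHINE_IDENTITIES:
            if mi["businessApplication"] == acct[app_attr]:
                return mi, False
    partial = {"name": acct.get("name") or acct["nativeIdentity"],
               "businessApplication": f"BusinessApplication-{next(_seq)}",
               "description": None}
    return partial, True

if __name__ == "__main__":
    for acct in (SVC_BILLING, SVC_SHARED):
        print(acct["nativeIdentity"], owner_account_to_identity(acct, "ownerEmail", "email"),
              owner_account_to_account(acct, "ownerDept", "department"),
              correlate_machine_identity(acct, "application_id"))
```

Running it shows svc_shared ending up with no owner under either mapping (its email matches two identities, its department matches accounts of two identities) and a partial machine identity named after its native identity, which is the kind of gap worth catching before you rely on owners for review or certification.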
Processing Classification
- In the Machine Accounts section, select Classification.
- Select Process Classification to process your classification and mapping configurations. You can return to this page to view the status of the classification. To cancel the classification, select Cancel Classification. Accounts processed before the cancellation are classified and mapped.
After processing has completed, you can go to Admin > Identity Management > Accounts to view the results. From the left panel, select Machine Accounts to view the accounts classified as machine accounts. Select an account to review its mapped attributes.
If you need to make changes, you can modify and reprocess the classification.
For future aggregations, accounts will automatically be classified based on the classification criteria and mappings.