Managing Multi-Host Machine Accounts

SailPoint Machine Identity Security helps organizations achieve comprehensive governance, compliance, and security outcomes related to machine accounts.

Machine Identity Security helps you:

  • Discover and classify machine accounts on a source.

  • Correlate machine accounts to a machine identity.

  • Certify machine identities and their access.

  • View and manage machine accounts for all sources.

Multi-host Machine Identity Security enables bulk classification of accounts for sources within a multi-host group.

Configuring Machine Accounts

To get started, you'll set a classification policy to identify the machine accounts for all sources on a multi-host group. You can then map attributes to correlate machine accounts to a machine identity and identify the user responsible for the accounts.

Note

Classification policies and mappings should only be configured during initial setup or when configurations require updates.

Classifying Machine Accounts

You can configure machine accounts for sources within a multi-host group and classify them by attributes and account type. For example, if a source only contains machine accounts, you can classify all accounts as machine accounts. For sources with both human and machine accounts, you can define the criteria that classify machine accounts at the multi-host level, and those criteria are applied to every source within the multi-host group.

  1. Go to Admin > Connections > Multi-Host Sources.

  2. Select Edit to view configuration details about the multi-host group.

  3. In the Machine Accounts section, select Classification.

  4. Ensure Enable Classification is enabled.

  5. Under Classification Settings, choose how to classify accounts on this source:

    • Select Classify all accounts if the source only contains machine accounts.

    • Select Customize classification if the source contains human and machine accounts. This option allows you to set specific criteria to classify machine accounts.

  6. If you choose to customize the criteria for classification, define the logic used to classify machine accounts.

    Note

    By default, the Value field is case insensitive. Select the Case Sensitive checkbox to change this setting.

    If a classified machine account no longer meets the defined criteria, it will be reclassified as a human or uncorrelated account.

  7. Select Save to save the configuration.

You can now map the account attributes for the machine accounts within the multi-host group.

Mapping Machine Account Attributes

After configuring the classification criteria for machine accounts, choose attributes and transforms to correlate the machine accounts to a machine identity. You can also map the account owner responsible for the machine accounts.

  1. Go to Admin > Connections > Multi-Host Sources.

  2. Select Edit to view configuration details about the multi-host group.

  3. In the Machine Accounts section, select Mappings.

  4. In the Machine Account Owner tile, choose how to identify the human identity who will own machine accounts on this source.

    • Select Account to Identity to map an account attribute to a human identity attribute. The matching human identity is set as the account owner. If multiple human identities match the value, no identity will be assigned as the account owner.

    • Select Account to Account to map an account attribute to another account. The following logic applies:

      • If the values match a single human account, the account’s correlated identity is set as the account owner.
      • If the values match multiple human accounts that are correlated to the same identity, the correlated identity is set as the account owner.
      • If the values match multiple human accounts correlated to multiple identities, no identity will be assigned as the account owner.

    Note

    If the Machine Account Owner field is not mapped, no account owner will be assigned.

  5. In the Machine Identity tile, select an account attribute to correlate the machine accounts to a machine identity.

    For organizations that don't maintain application data, SailPoint recommends leaving the Machine Identity field unmapped. This creates an uncorrelated machine identity during classification. An uncorrelated machine identity is a single-account identity created when the Machine Identity field is left unmapped or the mapping results in no matches. Identity Security Cloud creates an uncorrelated machine identity for each machine account on the source.

    Additional Information on Uncorrelated Machine Identities

    An uncorrelated machine identity is automatically assigned the following attributes:

    • Name: The uncorrelated machine identity takes on the name of its correlated machine account:

      • If the machine account is named, the identity will use the same name.

      • If the machine account is not named, the identity will use the name of the account’s native identity.

    • BusinessApplication: BusinessApplication-<unique number>

    • Description: The uncorrelated machine identity will not have a description.

    If multiple uncorrelated machine identities were created for the same application, you can create a single machine identity to represent the application. You can then correlate the accounts tied to the uncorrelated machine identities to the new machine identity.

    If your organization stores application data and has created a machine identity, select the account attribute used for the business application value. For example, if the application value is stored in the application_id attribute, that attribute should be selected. The machine accounts will correlate to the corresponding machine identity. If an account is missing a value for the attribute, an uncorrelated machine identity is created.

  6. In the Environment tile, select the attribute indicating the machine account's environment, like staging or production.

  7. In the Description field, select the attribute that describes the purpose or function of the accounts.

  8. Select Save to save your configurations.
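The classification criteria (including the case-sensitivity default and the reclassification rule), the two owner-mapping modes, and the machine-identity correlation rules above are decision logic that is easier to check against sample data than to reason about from the UI. The following is an added example that models those rules in Python; it is not SailPoint code, does not call Identity Security Cloud, and every attribute name, identity id and account shown (account_type, owner_email, application_id, the alice/bob/carol/dave identities, the svc_* accounts) is constructed for illustration. The unique number on uncorrelated identities is modelled with a simple counter, which is an assumption about how the product numbers them, not documented behaviour.

```python
# Added example: a minimal model of the multi-host classification and mapping
# rules described on this page. Names, attributes and sample data are
# constructed assumptions; this is not SailPoint's code.
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Account:
    native_identity: str                        # the account's login on the source
    attributes: dict                            # raw attributes aggregated from the source
    correlated_identity: Optional[str] = None   # human identity id, if correlated
    name: Optional[str] = None                  # display name, if the source provides one
    account_type: str = "human"                 # "human" or "machine"


@dataclass
class ClassificationPolicy:
    classify_all: bool = False          # the "Classify all accounts" option
    attribute: str = "account_type"     # criteria attribute (constructed name)
    value: str = "service"              # criteria value (constructed)
    case_sensitive: bool = False        # the Value field is case-insensitive by default


def matches(policy: ClassificationPolicy, acct: Account) -> bool:
    """Evaluate the classification criteria against one account."""
    if policy.classify_all:
        return True
    actual = acct.attributes.get(policy.attribute)
    if not isinstance(actual, str):
        return False
    if policy.case_sensitive:
        return actual == policy.value
    return actual.casefold() == policy.value.casefold()


def classify(policy: ClassificationPolicy, accounts: list) -> list:
    """Apply the policy; an account that stops matching reverts to human.
    Returns the native identities now classified as machine accounts."""
    for acct in accounts:
        acct.account_type = "machine" if matches(policy, acct) else "human"
    return [a.native_identity for a in accounts if a.account_type == "machine"]


def owner_account_to_identity(acct, acct_attr, identities, identity_attr):
    """Account to Identity: exactly one matching human identity becomes the owner;
    zero or several matches assign no owner."""
    value = acct.attributes.get(acct_attr)
    hits = [i["id"] for i in identities
            if value is not None and i.get(identity_attr) == value]
    return hits[0] if len(hits) == 1 else None


def owner_account_to_account(acct, acct_attr, human_accounts, human_attr):
    """Account to Account: the matching human accounts must all be correlated
    to one identity; several distinct identities assign no owner."""
    value = acct.attributes.get(acct_attr)
    hits = [h for h in human_accounts
            if value is not None and h.attributes.get(human_attr) == value]
    owners = {h.correlated_identity for h in hits if h.correlated_identity}
    return owners.pop() if len(owners) == 1 else None


_app_seq = count(1)   # assumption: stands in for the product's unique number


def uncorrelated_identity(acct: Account) -> dict:
    """Single-account identity created when the mapping is absent or has no match."""
    return {
        "name": acct.name or acct.native_identity,   # account name, else native identity
        "businessApplication": f"BusinessApplication-{next(_app_seq)}",
        "description": None,                         # no description is assigned
    }


def correlate_machine_identity(acct, app_attr, machine_identities: dict) -> dict:
    """Correlate by the business-application attribute; a missing value or no
    match yields an uncorrelated machine identity."""
    value = acct.attributes.get(app_attr) if app_attr else None
    if value in machine_identities:
        return machine_identities[value]
    return uncorrelated_identity(acct)


# Constructed sample data (not real identities or sources).
HUMAN_IDENTITIES = [
    {"id": "id-alice", "email": "alice@example.com"},
    {"id": "id-bob", "email": "bob@example.com"},
    {"id": "id-carol", "email": "shared@example.com"},
    {"id": "id-dave", "email": "shared@example.com"},
]
HUMAN_ACCOUNTS = [
    Account("alice", {"email": "alice@example.com"}, correlated_identity="id-alice"),
    Account("bob_db", {"email": "bob@example.com"}, correlated_identity="id-bob"),
    Account("bob_app", {"email": "bob@example.com"}, correlated_identity="id-bob"),
    Account("carol", {"email": "shared@example.com"}, correlated_identity="id-carol"),
    Account("dave", {"email": "shared@example.com"}, correlated_identity="id-dave"),
]
MACHINE_IDENTITIES = {"payroll": {"name": "Payroll", "businessApplication": "payroll"}}
ACCOUNTS = [
    Account("svc_payroll", {"account_type": "SERVICE", "owner_email": "alice@example.com",
                            "application_id": "payroll"}),
    Account("svc_report", {"account_type": "service", "owner_email": "bob@example.com"},
            name="Reporting Batch"),
    Account("svc_shared", {"account_type": "Service", "owner_email": "shared@example.com"}),
    Account("jdoe", {"account_type": "user", "owner_email": "alice@example.com"}),
]
```

Running classify with the default (case-insensitive) policy classifies all three svc_* accounts; switching the same policy to case-sensitive demotes svc_payroll and svc_shared back to human, which is the reclassification behaviour the note above describes. The owner helpers show why shared mailbox values are risky: one value matching two identities yields no owner in either mode, so ownership gaps after processing are worth checking against the mapped attribute's uniqueness.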

Processing Classification

After you have set a classification policy and mapped the machine account attributes, you can process your configurations to classify the machine accounts for sources within the multi-host group.

  1. Go to Admin > Connections > Multi-Host Sources.

  2. Select Edit to view configuration details about the multi-host group.

  3. In the Machine Accounts section, select Classification.

  4. Select Process Classification to process your classification and mapping configurations for all sources within the multi-host group. To view the status of the classification process for a source, select a source within the Source List, and select Machine Accounts > Classification.

After processing has completed, you can go to Admin > Identity Management > Accounts to view the results. From the left panel, select Machine Accounts to view the accounts classified as machine accounts. Select an account to review its mapped attributes.

If you need to make changes, you can modify and reprocess the classification.

For future aggregations, accounts will automatically be classified based on the classification criteria and mappings.

Declassifying Machine Accounts

After classification has been processed, you might find that the logic used to classify machine accounts was not configured correctly. In this case, you can declassify all the machine accounts on this source and return them to their original account type and correlation.

  1. Go to Admin > Connections > Multi-Host Sources.

  2. Select Edit to view configuration details about the multi-host group.

  3. In the Machine Accounts section, select Classification.

  4. Ensure the Enable Classification toggle is disabled.

  5. Select Save to save this change.

  6. Select the Declassify All Machine Accounts button.

  7. Select Declassify Accounts to confirm the declassification and return the accounts to their original classification and correlation.

    Note

    Upon confirmation, the machine account attribute data will be deleted from Identity Security Cloud.

You can now reconfigure the logic for classifying the machine accounts on this source.
