000036325 - What access should be granted to the service account used by RSA Identity Governance & Lifecycle to fully support Active Directory collection and Access Fulfilment Express (AFX) fulfillment?

Document created by RSA Customer Support Employee on Jun 28, 2019
Version 1

Article Content

Article Number: 000036325
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: All
 
Issue

The RSA Identity Governance & Lifecycle Microsoft Active Directory Application Guide does not explicitly state what access needs to be granted or delegated to the service account used by RSA Identity Governance & Lifecycle to fully support Active Directory collection and Access Fulfilment Express (AFX) fulfillment to Active Directory.

Find all of the Collector and Connector datasheets (aka Application Guides) on RSA Link.

Resolution

The RSA Identity Governance & Lifecycle Active Directory Application Guide does not spell this out explicitly; however, it says to use an administrator's account in several places:
 
"Domain Account Name: Admin account name to use for the collection and provisioning activities

Login Distinguished Name: Administrator login-id with write permission on required tree scope

Bind DN: Distinguished Name of the user on AD permitted to search the directory within the defined search base. E.g. Domain\Administrator

To configure RSA Identity Governance and Lifecycle ADC to collect data from Domain2 using the Domain1 administrator:"


Hence, the account needs to be an administrator's account, which by default has all the privileges needed to fully support Active Directory collection and AFX fulfillment to Active Directory.
