We are collecting from a source that has service accounts that are coming up under the Orphans tab. How do we flag these accounts during the collection so that they do not appear as orphans?
See the following post for additional information - How to bring in service account into IMG?
The only way for an account not to be an orphan is to map it to an identity.
There are a few ways of approaching this scenario, Paul.
The "Is Service Account" attribute is a yes-no managed attribute. So you would manually edit the account and mark it as a service account.
This would be difficult to make a collected attribute, because the format of the data could differ markedly between sources, i.e. a database app may have "True", AD an attribute number, a different database app "1". If an app doesn't provide an attribute to mark service accounts, then you would have to manually edit the G&L database to reflect it correctly.
You could also create a "Service Account" identity and map all service accounts to that user; that will remove them from orphan accounts. The drawback of this approach is that no one is technically owning the account. Who would do access reviews of the accounts? How can you show who has access to log on using the accounts? If a user with access leaves, do you need to change the password of service accounts that they have access to? etc. etc.
The answers to the questions above may give you some directions on the process that is right for your organisation.
What version are you using?
You are logged in with AveksaAdmin, right? If not, try to see if the behavior is the same with AveksaAdmin.
In the top of the pop up window you have the following message: "Edit Operation is disabled since there are no editable attributes configured for this Account"
My local environment (v7.0.1 P2) has managed attributes and the Edit button is enabled.
If you have a test environment, maybe you can try adding a custom managed attribute to the account object and check if it helps?
From RSA directly
Concerning this, you have to have at least one editable attribute on the account so you can edit the 'Is Service Account' value (to unlock the edit button as well). If you did not create any attributes before, you will need to create an attribute in order to set it as 'Editable', and the edit button unlocks afterwards.
This can be done by heading to Admin > Attributes > Account and adding an attribute (make sure that the 'Data Source' column value is managed and not collected, so the 'Editable' checkbox shows up and you can check it). After you do the above, you can head to the Accounts tab in the directory / application and pick an account like the screenshot you attached in the description, and you will find that the edit button is now clickable and you can therefore change the 'Is Service Account' value of the account to No or Yes.
From RSA directly