Non-human accounts with human owners

In some organizations, if there is no privileged access management system, it may be desirable to use Password Manager to manage non-human accounts. Where this is the case:

  1. Create a user profile for each non-human account.
  2. Set the manager of the non-human user profile to the user profile of its human owner.
  3. Configure access rights so that the human owner can reset passwords for the accounts in the non-human profile.
  4. Consider using Hitachi ID Identity Manager to periodically recertify ownership of non-human profiles and the continued need for the accounts they contain.

Linking accounts to user profiles

In most organizations, users are assigned consistent login IDs on different systems and applications. Where this is the case, map accounts to user profiles using the login ID.

Where accounts have non-standard login IDs:

  1. If account attributes suitable for ID mapping are both reliable and widely populated, link accounts to user profiles by matching employee numbers or other unambiguous IDs.
  2. Do not map accounts to profiles using user names. Multiple people may share the same name; different administrators may have set up accounts for the same user with variations of that name; and people sometimes change their name without the change being reflected on every system and application.
  3. On systems or applications where mapping data is neither well populated nor reliable, invite users to attach accounts to their own profiles using the self-service mechanism provided in Password Manager.

Do not ask support staff to map accounts to user profiles as an alternative to self-service enrollment. This approach is both costly and unreliable (and therefore insecure), because it relies on data of dubious quality.
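The mapping policy above, as an added reconciliation example that is not part of the original page or of Password Manager itself: accounts are linked by login ID first, then by a configurable list of unambiguous ID attributes (employee number here), and any account whose key matches no profile or more than one profile is never linked automatically but reported for self-service enrollment or data clean-up. Name fields are deliberately never used as a join key. The profile and account records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data for this example; not taken from any real directory.
PROFILES = [
    {"profile_id": "p1", "login_id": "jsmith", "employee_no": "E1001", "name": "John Smith"},
    {"profile_id": "p2", "login_id": "jsmith2", "employee_no": "E1002", "name": "John Smith"},
    {"profile_id": "p3", "login_id": "alee", "employee_no": "E2000", "name": "Anna Lee"},
    # Same employee number on two profiles: a data-quality defect the linker must not guess through.
    {"profile_id": "p4", "login_id": "alee2", "employee_no": "E2000", "name": "Anna Lee"},
]
ACCOUNTS = [
    {"system": "hr", "login_id": "jsmith", "attrs": {}},
    {"system": "erp", "login_id": "smithj", "attrs": {"employee_no": "E1002"}},
    {"system": "crm", "login_id": "john.smith", "attrs": {"display_name": "John Smith"}},
    {"system": "erp", "login_id": "x42", "attrs": {"employee_no": "E9999"}},
    {"system": "fin", "login_id": "a.lee", "attrs": {"employee_no": "E2000"}},
]


def _index(profiles, key):
    """Map one attribute's values to the profile IDs carrying them; blank values are skipped."""
    idx = defaultdict(list)
    for p in profiles:
        if p.get(key):
            idx[p[key]].append(p["profile_id"])
    return idx


def link_accounts(profiles, accounts, id_attrs=("employee_no",)):
    """Try the login ID first, then each unambiguous ID attribute in order.
    An account is linked only when exactly one profile matches. A key shared by
    several profiles is reported as ambiguous; an account with no usable key is
    queued for self-service enrollment. Name fields are never consulted."""
    by_login = _index(profiles, "login_id")
    by_attr = {a: _index(profiles, a) for a in id_attrs}
    result = {"linked": {}, "ambiguous": [], "self_service": []}
    for acct in accounts:
        ref = (acct["system"], acct["login_id"])
        lookups = [(by_login, acct["login_id"])]
        lookups += [(by_attr[a], acct["attrs"].get(a)) for a in id_attrs]
        candidates = next((idx[v] for idx, v in lookups if v and v in idx), [])
        if len(candidates) == 1:
            result["linked"][ref] = candidates[0]
        elif candidates:
            result["ambiguous"].append((ref, sorted(candidates)))
        else:
            result["self_service"].append(ref)
    return result


if __name__ == "__main__":
    for bucket, items in link_accounts(PROFILES, ACCOUNTS).items():
        print(bucket, items)
```

The "ambiguous" bucket is worth reviewing separately from "self_service": it points at duplicate identifiers in the profile data rather than at accounts that simply lack mapping attributes.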
