
Hi All

I am facing an issue mapping dedicated accounts for IDs on local DMZ servers. The admin ID and the user's standard ID do not match. In such a case, how should I use the dedicated account mapping functionality?

Below is the data setup:

1. Admin ID on the managed system is PAO12345

2. Standard ID of this user in the user group is MSS12345

Now, since the admin ID is local, I cannot use a directory attribute. In the mapping Smart Rule, I think we cannot use the "map dedicated account to" action with the dedicated account filter.

Kindly help me with how I can write the smart rule to map the dedicated IDs. I don't want to use one-to-one mapping, as it will require writing a lot of smart rules and a lot of user groups.

Please help.

Hi Immi,

Did you try the ExtensionAttribute1…15 or mail out?

It could be a possible way to map dedicated accounts.
 

Regards

Arno


Hi Arno

Since it is a local account, the mail attribute is also not available.


@immi563 I don't think there is a way to create a single dedicated smart rule in your scenario, because no criteria match between the standard user account and the local admin account.


Hi Prudhivi 

Thanks for the reply. I also think the same, that it is possible.

However, this is very much a valid use case. I wonder if the product should have done something to make it happen.


@immi563 

Try like this, as long as your username is 12345.

You can set the "does not equal" to anything, like B_.

Any account that has 12345, no matter the suffix, shall be dedicated:

PAO12345 and MSS12345 and TS12345

Just like that.


Hi @Paulo144

Thanks for the valuable inputs.

Let me try to implement the same in my lab and get back. Have you used, under the action, the "map dedicated account to" user group condition?

Are you sure that with the condition you have used, PAO12345 will be mapped to MSS12345? I mean, MSS12345 should have requestor access to PAO12345. When MSS12345 logs in, PA012345 should be visible only to him and no one else.

 



 


I now understand why it worked for me. I had in mind that the user would be “12345”, so as long as just the prefix changes, the dedication works just fine. But after seeing your note I was able to understand the problem: since BT uses the name of the account as the main point of dedication, when your account starts with MSS we already won’t be able to dedicate the PAO account to him.

I am trying to think of a solution, but in this case you would need to create local groups, and a smart rule with only the PAO account of that user and only the specific user in them.

The local group and the account you can set with the API, but the smart rules you would need to create manually.




 


Hi Paulo,

 

Thanks for the response. Yes, with the data setup we have, we won't be able to map it.

I have created the local account using the API. I even created smart rules using the API. It saved a lot of my time.

Thanks

 

Imran
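
The per-user group and smart rule approach the thread settles on needs a reliable list of account-to-owner pairs before anything is created through the API. The following is an added example, not code from any participant or from the vendor: it builds that list offline and holds back any admin account whose owner is missing or ambiguous. The ID pattern (letter prefix plus numeric ID), the sample names and the `DED_` naming scheme are assumptions, and no product API is called.

```python
import re
from collections import defaultdict

# Constructed sample inventories; ID formats follow the thread (PAO12345 / MSS12345).
ADMIN_ACCOUNTS = ["PAO12345", "PAO67890", "PAO55555", "svc_backup"]
STANDARD_USERS = ["MSS12345", "MSS67890", "TS67890", "MSS99999"]

ID_RE = re.compile(r"^([A-Za-z]+)(\d+)$")  # assumed convention: prefix + numeric ID


def numeric_key(name):
    """Return the numeric part of an ID, or None if the name does not fit."""
    m = ID_RE.match(name)
    return m.group(2) if m else None


def build_plan(admin_accounts, standard_users):
    """Pair each admin account with exactly one standard user by numeric ID."""
    users_by_key = defaultdict(list)
    for user in standard_users:
        key = numeric_key(user)
        if key:
            users_by_key[key].append(user)

    plan, review = [], []
    for account in admin_accounts:
        key = numeric_key(account)
        owners = users_by_key.get(key, []) if key else []
        if len(owners) == 1:
            plan.append({
                "account": account,
                "user": owners[0],
                "group": f"DED_{key}",                # hypothetical naming scheme
                "smart_rule": f"DED_{key}_accounts",  # hypothetical naming scheme
            })
        else:
            # No owner or several candidates: do not grant access automatically,
            # or a privileged account becomes visible to the wrong person.
            reason = "no matching user" if not owners else "ambiguous owner"
            review.append((account, reason, owners))
    return plan, review


if __name__ == "__main__":
    plan, review = build_plan(ADMIN_ACCOUNTS, STANDARD_USERS)
    print(*plan, sep="\n")
    print(*(("REVIEW",) + item for item in review), sep="\n")
```

Each row of `plan` corresponds to one local group containing only that user and one smart rule containing only that account; everything in `review` needs a manual decision.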

