Troubleshooting
Problem
If service accounts such as 'root' are owned within ISIM and "Correct non-compliance" is enabled for the related services, those accounts may be altered or deleted when the related provisioning policies change.
Symptom
Exposure of critical system accounts to inadvertent changes by ITIM
Cause
Resolving The Problem
Recommendations:
1. Identify service accounts for all end-points.
2. Do not adopt service accounts. Auto-provisioning actions will never apply to orphan accounts.
3. If you do allow service accounts to be adopted, ensure that the provisioning policy granting the entitlement remains tightly managed.
4. Be wary of enabling "Correct non-compliance" for a service if you have not yet addressed its service accounts.
5. Configure ISIM to exclude service accounts on the end-point(s) from reconciliation. Review the topic "Excluding accounts from reconciliations" in ISIM's documentation. This procedure lets you specify, per service profile type, the accounts that are to be excluded from reconciliations. This is the safest technique for protecting these accounts, because an account that is never reconciled is never owned by ISIM and therefore never subject to policy enforcement.
For example, the following sample LDIF statements will exclude a series of TAM service accounts from being reconciled (LDIF requires a blank line between the two entries, and each erAccountID value may appear only once per entry):
# Container that holds the exclusion entries
dn: ou=excludeAccounts, ou=itim, ou=IBM, dc=com
ou: excludeAccounts
objectClass: top
objectClass: organizationalUnit

# One erIdentityExclusion entry per service profile; every erAccountID
# value listed here is skipped when that profile's services are reconciled
dn: cn=TAM4Profile, ou=excludeAccounts, ou=ITIM, ou=IBM, dc=com
erObjectProfileName: TAM4Profile
objectClass: top
objectClass: erIdentityExclusion
cn: TAM4Profile
erAccountID: sec_master
erAccountID: ivmgrd/master
erAccountID: default-webseald/hctunx86
erAccountID: default-webseald/hctunx87
erAccountID: amwpm/hctunx83.us.tgr.net
erAccountID: amwpm/hctunx82.us.tgr.net
erAccountID: default-webseald/hctunx88
erAccountID: default-webseald/hctunx89
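As an added example (not from the IBM technote or the ISIM product), the script below generates erIdentityExclusion entries in the format shown above, drops repeated erAccountID values that would make the LDAP add fail, and reports which service accounts seen on an end-point are still not covered by an exclusion entry. The ITIM_BASE suffix and the SAMPLE mapping are assumptions; the account IDs are the ones from the technote.

```python
# Added example, not from the IBM technote: build ISIM erIdentityExclusion LDIF
# entries (the "exclude accounts from reconciliation" feature) and check which
# service accounts a reconciliation would still pull in. ITIM_BASE is assumed.
ITIM_BASE = "ou=itim, ou=IBM, dc=com"   # assumed ISIM LDAP suffix

def exclusion_entry(profile, account_ids):
    """One LDIF entry excluding account_ids for a service profile. Repeated
    values are dropped (a duplicate attribute value makes ldapadd fail)."""
    unique = list(dict.fromkeys(account_ids))      # dedupe, keep order
    lines = [f"dn: cn={profile}, ou=excludeAccounts, {ITIM_BASE}",
             f"erObjectProfileName: {profile}",
             "objectClass: top",
             "objectClass: erIdentityExclusion",
             f"cn: {profile}"]
    lines += [f"erAccountID: {acct}" for acct in unique]
    return "\n".join(lines) + "\n"

def exclusion_ldif(exclusions):
    """Container entry plus one exclusion entry per profile, blank-line separated."""
    container = (f"dn: ou=excludeAccounts, {ITIM_BASE}\nou: excludeAccounts\n"
                 "objectClass: top\nobjectClass: organizationalUnit\n")
    entries = [exclusion_entry(p, ids) for p, ids in exclusions.items()]
    return "\n".join([container] + entries)

def parse_exclusions(ldif_text):
    """Map erObjectProfileName -> set of erAccountID values found in the LDIF."""
    result = {}
    for block in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                attrs.setdefault(key.strip(), []).append(value.strip())
        if "erIdentityExclusion" in attrs.get("objectClass", []):
            result[attrs["erObjectProfileName"][0]] = set(attrs.get("erAccountID", []))
    return result

def unprotected_service_accounts(ldif_text, profile, reconciled, service_accounts):
    """Service accounts seen on the endpoint that are NOT excluded, i.e. that
    reconciliation would bring under ISIM ownership and policy enforcement."""
    excluded = parse_exclusions(ldif_text).get(profile, set())
    return sorted(a for a in reconciled if a in service_accounts and a not in excluded)

# Constructed sample using the TAM account IDs from the technote; ivmgrd/master
# is listed twice on purpose to show the dedupe.
SAMPLE = {"TAM4Profile": ["sec_master", "ivmgrd/master", "ivmgrd/master",
                          "default-webseald/hctunx86"]}
```

Run unprotected_service_accounts against the account list returned by a reconciliation to confirm that every service account you identified in step 1 is actually covered before enabling "Correct non-compliance".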
Product Synonym
isim itim
Document Information
Modified date:
16 June 2018
UID
swg21214530