Assigning or re-assigning owners for alternative accounts

After Privileged Access Service discovers the alternative accounts that match your defined username filter, the discovered accounts are listed on the Discovered Accounts page. The accounts on this page have not been added to, and are not being managed by, Privileged Access Service. They need to be committed before they are added. See Committing alternative accounts. You need to review the proposed owners that we have associated with the accounts. Proposed owners are the user accounts that we have found based on the username filter you defined when you created the profile. The “Remark” column shows the username filters we used for matching the accounts to the proposed owners, and indicates when no match or multiple matches are found.

It is important that you review the accounts with multiple matches (shown in the Remark column as “More than one match”). Accounts with multiple matches are grouped into the “Weakly Matched” filter category. Accounts with no matches are grouped into the “Not Matched” category. Accounts with one match are grouped into the “Strongly Matched” category. You can assign owners to the accounts that do not have proposed owners, or re-assign owners. Details on each category:

  • Not Matched – Privileged Access Service could not find an owner to associate with the alternative account. You can manually assign an owner to that account.
  • Strongly Matched – Privileged Access Service found only one owner associated with the alternative account. For example, you have the following accounts in Active Directory: john01, john01-a, and admin-john01-a

    The username filter defined in the profile contains two patterns: {owner}-a|admin-{owner}-a

    The john01-a alternative account is matched with only one owner, john01. The admin-john01-a alternative account is also matched with only one owner, john01. These matches represent 2 strong matches.

  • Weakly Matched – Privileged Access Service found more than one owner associated with the alternative account based on your defined username filter. For example, you have the following accounts in Active Directory: john01@company.com, john01-a@test.com, and john01@test.com

    The defined username filter in the profile is: {owner}-a

    The alternative account john01-a@test.com has two matches: john01@test.com and john01@company.com.

    The discovery will automatically pick john01@test.com as the owner because it has the same domain as the alternative account. However, because there are two matches, this discovery is considered weakly matched.

    Privileged Access Service assigns the owner of weakly matched accounts using the following prioritization methods:

    1. Assign the owner from the same domain as the alternative account.
    2. Assign the owner from the same forest.
    3. Sort the log-in name by alphabetical order and assign the first owner in the list.

Note:   Accounts in the “Weakly Matched” category must be committed manually. See Committing alternative accounts for information on committing accounts.
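The categories and the owner prioritization described above can be reproduced offline to pre-review a directory export before committing. The following is an added example, not Privileged Access Service code: the function names and the `forest_of` domain-to-forest map are assumptions, login names are compared case-insensitively, and the alphabetical rule is applied as the final tie-break.

```python
import re

def split_login(login):
    """Split 'name@domain' into lowercase (name, domain); domain is '' if absent."""
    name, _, domain = login.lower().partition("@")
    return name, domain

def owner_stems(alt_name, username_filter):
    """Return the {owner} values that make any '|'-separated pattern equal alt_name."""
    stems = set()
    for pattern in username_filter.lower().split("|"):
        head, _, tail = pattern.partition("{owner}")
        m = re.fullmatch(re.escape(head) + "(.+)" + re.escape(tail), alt_name)
        if m:
            stems.add(m.group(1))
    return stems

def propose_owner(alt, accounts, username_filter, forest_of=None):
    """Return (category, proposed_owner) for one alternative account."""
    forest_of = forest_of or {}  # hypothetical domain -> forest map
    alt_name, alt_domain = split_login(alt)
    stems = owner_stems(alt_name, username_filter)
    matches = [a for a in accounts
               if a.lower() != alt.lower() and split_login(a)[0] in stems]
    if not matches:
        return "Not Matched", None
    if len(matches) == 1:
        return "Strongly Matched", matches[0]

    def rank(login):
        # Priority: same domain, then same forest, then alphabetical login name.
        _, domain = split_login(login)
        same_domain = domain == alt_domain
        same_forest = (forest_of.get(domain, domain)
                       == forest_of.get(alt_domain, alt_domain))
        return (not same_domain, not same_forest, login.lower())

    return "Weakly Matched", min(matches, key=rank)

# Constructed sample directories, taken from the examples above.
AD_STRONG = ["john01", "john01-a", "admin-john01-a"]
AD_WEAK = ["john01@company.com", "john01-a@test.com", "john01@test.com"]

if __name__ == "__main__":
    for alt in ("john01-a", "admin-john01-a"):
        print(alt, propose_owner(alt, AD_STRONG, "{owner}-a|admin-{owner}-a"))
    print(propose_owner("john01-a@test.com", AD_WEAK, "{owner}-a"))
```

Any account this returns as “Weakly Matched” is one where the proposed owner was chosen by tie-break rather than by a unique match, so it is the list to check by hand before committing.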

To assign or re-assign owners:

  1. Click Discovery > Discovered Accounts.
  2. Select the check box associated with the account for which you want to assign or re-assign an owner.
  3. Click Actions > Assign Owner.
  4. Start typing the relevant account name into the text box.
  5. Click the correct account name from the list and click Select.

    The proposed owner is updated and the Remark column shows “Explicitly set by user...” to record that you manually assigned the owner.

When you are satisfied with the owner association, you are ready to commit