ConductorOne docs

Managing accounts

Accounts give you visibility into what users, service accounts, and principals exist within an application.

What are accounts?

An application’s Accounts tab shows you a list of all the accounts inside the application, the status of each account, its type (user, service, system, etc.), the account owner, and the date when the account was last logged into (if usage data is available for the app).

A screenshot of a Slack application's Accounts tab in ConductorOne.

Account owner mappings

When accounts are ingested into ConductorOne, we will automatically attempt to match them to your ConductorOne Users (the humans in your organization). These mappings are shown in the Account Owner column.

Auto-matching accounts

ConductorOne uses various identifiers to match accounts to users, including email and username. This is called Narrow mapping. If Narrow mapping leaves too many accounts unmatched, you can use Broad mapping instead. To change to Broad mapping:

  1. Navigate to the application
  2. In the upper right corner of the page, click the (more actions) menu and select Account mapping settings.
  3. Select the type of mapping you want to use:
    • Narrow: (Default) Accounts are mapped using email addresses.
    • Broad: Accounts are first mapped using email addresses, but if these cannot be found or matched, accounts are then mapped using the user’s first and last name.
  4. Click Save

ConductorOne will immediately begin re-mapping the app’s accounts.
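
A simplified model of the Narrow and Broad modes described above, added here as an illustration and not ConductorOne's own code. The sample users and accounts are constructed, and leaving an account unmapped when several users share its name is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed sample data (not from ConductorOne).
USERS = [
    {"id": "u1", "email": "ana.diaz@example.com", "first": "Ana", "last": "Diaz"},
    {"id": "u2", "email": "sam.lee@example.com", "first": "Sam", "last": "Lee"},
    {"id": "u3", "email": "s.lee@example.com", "first": "Sam", "last": "Lee"},
    {"id": "u4", "email": "kai.ito@example.com", "first": "Kai", "last": "Ito"},
]
ACCOUNTS = [
    {"name": "ana", "email": "Ana.Diaz@example.com", "first": "Ana", "last": "Diaz"},
    {"name": "kito", "email": "kai@personal.example", "first": "Kai", "last": "Ito"},
    {"name": "slee", "email": None, "first": "Sam", "last": "Lee"},
    {"name": "svc-backup", "email": None, "first": None, "last": None},
]

def _norm(value):
    """Case- and whitespace-insensitive comparison key; None stays None."""
    return value.strip().lower() if value else None

def map_owners(accounts, users, mode="narrow"):
    """Return {account name: (owner id or None, how the match was made)}."""
    by_email = {_norm(u["email"]): u["id"] for u in users}
    by_name = defaultdict(list)
    for u in users:
        by_name[(_norm(u["first"]), _norm(u["last"]))].append(u["id"])
    result = {}
    for a in accounts:
        owner = by_email.get(_norm(a["email"]))
        if owner:  # both modes try the email address first
            result[a["name"]] = (owner, "email")
            continue
        key = (_norm(a["first"]), _norm(a["last"]))
        # Only Broad mode falls back to first and last name.
        candidates = by_name.get(key, []) if mode == "broad" and all(key) else []
        if len(candidates) == 1:
            result[a["name"]] = (candidates[0], "name")  # weaker evidence than email
        elif len(candidates) > 1:
            # Assumption of this sketch: a shared name is left for manual review.
            result[a["name"]] = (None, "ambiguous-name")
        else:
            result[a["name"]] = (None, "unmatched")
    return result

if __name__ == "__main__":
    for mode in ("narrow", "broad"):
        print(mode, map_owners(ACCOUNTS, USERS, mode))
```

Owners assigned by name rather than email are the ones worth checking by hand before an access review campaign relies on them.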

Manage account owners

If automatic matching can’t be performed, or if there is minor clean-up required, you can set the account owner manually:

  1. Navigate to the application
  2. On the application, click the Accounts tab
  3. Find the account that needs an account owner change
  4. Click the (more actions) menu
  5. Select Set account owner
  6. Choose the correct ConductorOne user from the dropdown and click Set account owner.

If you’ve manually changed the account owner and want to set it back to the matched value, you can reset the account owner mapping.

  1. Click the (more actions) menu
  2. Select Reset account owner
  3. Choose the correct ConductorOne user from the dropdown and click Set account owner.

If you want to remove the account owner completely:

  1. Click the (more actions) menu
  2. Select Clear account owner

Set account types

Accounts are set to User by default. Use the Account type control to designate service accounts and system accounts, which can then be included in or excluded from your access review campaigns as needed.

  1. Navigate to the application
  2. On the application, click the Accounts tab
  3. Find the account that you want to change the type for
  4. Click the (more actions) menu
  5. Select Set account type.
  6. Choose Service account or System account and click Update account type.

The updated account type is now shown in the Account type column.

Account detail

Click any account name on the Accounts tab to view that account’s details page. On this page you’ll find a list of the entitlements in this application that this account has access to, as well as the account’s profile attributes, which are automatically ingested from the connector.

A screenshot of a Slack application account's details page in ConductorOne.

Manually revoke an account’s access to an entitlement

A user with the Super Administrator role in ConductorOne, the application owner, the entitlement owner, or the direct manager of the account owner can perform this task. Anyone who does not have the Super Administrator role or one of these relationships with the account will see an error if they attempt to revoke access this way.

  1. In the navigation panel, click Applications.

  2. On the Managed apps tab, navigate to an entitlement:

    • Click the application’s name
    • Click the Entitlements tab
    • Locate the entitlement and click its name
  3. Click Grants to view the accounts that currently have access to this entitlement.

  4. To remove an account’s access to the entitlement, click Revoke. A Revoke access modal opens.

  5. Enter your reason for revoking the access and click Revoke.

    Will the access be removed immediately? Maybe. Depending on the revocation policy governing the entitlement, the revocation might require review and approval before the entitlement is removed from the account.

The revocation task is created. Once any required review and approval steps have been completed, the access will be removed from the account using the deprovisioning strategy set on the entitlement.