Account Mapping

The account mapping rules allow users to configure how a discovered account is mapped to an identity. The highest priority matching rule determines the identity that an account is mapped to.

To filter the table view, use the checkboxes to enable/disable view options, like

• Default Rules: These are Hydden’s out of the box default rules, they can be viewed, but not edited.
• Custom Rules: These are rules created on your tenant.

Use Search to trim the view down to a specific context.

Creating an Account Mapping Rule

1. Navigate to Configuration | Identify and select the Account Mapping tab.

2. Click + Add Rule.

   

3. Specify the Rule Priority. A lower number specifies a higher priority in the evaluation order. By default, the modal opens with a value of 1 (highest priority).

4. Enter a Name and Description for your rule for organizational clarity.

5. From the Match Accounts Using Property field, select if the mapping should happen via

   • Display Name,
   • Primary Email, or
   • UPN.

6. If required, select whether the mapped account’s alternate name and/or email should be updated when matching.

7. Under the Account Matching Requirements section, specify

   1. The Account Type(optional) can be

      • User Account (default)
      • Service Account
      • Resource Account
      • Computer Account
      • Vaulted Account
      • Federated Account

      If not specified, all types apply.

      Note: If both Account Type and Account Classification are configured, then the rule will apply to an account that matches either the account type or classification.

   2. An Account Classification if configured. This is an optional field.

   3. A RegEx Pattern to be match by the rule.

   4. A RegEx Replacement to be used in the rule.

8. Use Test to verify your rule works as intended.

9. Once you are ready to use the rule in your environment, check the Enable Rule checkbox at the top of the modal. The Actions column indicates if a custom rule is enabled or disabled. It will either have a checkmark for enabled or an x for disabled. You may change the state by clicking the x or checkmark to enable or disable a rule without entering the Edit Custom or View Default Account Mapping Rule modals.

   

   Note: Mapping rules must be enabled on each data source separately to be active.

10. Click Add to save and add the rule to your environment.

Testing a RegEx Rule

RegEx testing is available via the Test button on the add or edit account rule mapping modal. Save the test if you want to keep it associated with the rule.

The regex pattern is used to match the account by selected attribute (name, email, upn). If a match is found, the ‘replace with’ string provides the value that is used to map to an identity. This example:

• matches any account name ending with ‘- admin’, e.g. jane doe - admin
• replaces the matched string with the first capturing group in the regex, ie jane.doe
• uses the resulting string when matching the account to an identity.

Don’t forget to press Save to save any changes you have made to the regex pattern or replacement string.

Previewing a Rule

Run a preview to view the result of applying the rule.

This runs a preview of this rule on all currently unmapped accounts from all datasources, and reports each account that matches.

• For a create rule, it reports all the accounts that that rule could map to a new identity.
• For a match rule, it reports all the accounts that match the rule, and for each account, the identity (if any) to which the rule will map the account

Mapping Migration

Previously (pre 1.3.0) account mapping defaulted to the following rules:

• If matches were found on the primary email and account UPN.

With the advanced Account Mapping Rules, Hydden delivers the following default account mapping and identity creation rules.

NOTE: To use any of these rules, they need to be enabled on the configured Data Sources.