Identifying Service Accounts

Learn how to identify service accounts within your Reltio environment, a critical step in transitioning to client credentials.

You can identify service accounts manually or semi-automatically; this page provides detailed instructions for both methods.

  1. Identify non-SSO Users
    Review your user list to identify users who were manually created in Reltio and are currently non-SSO users.
    • From the UI, see Managing User Accounts to review all your users and identify non-SSO users by looking at the SSO column (SSO=N).
    • From the API, Get Users returns all your users in a single API call, with a JSON definition for each user. Users with the attribute externalUser=false are your non-SSO users.
  2. Review each user to determine if they are service accounts
    Manually review the identified non-SSO users to confirm if they are service accounts.
  3. Track and document service accounts manually
    We recommend adding each identified service account to the group SERVICE_ACCOUNTS, both for tracking and to allow a temporary MFA exemption.
    • From the UI, follow the steps described in Working with Existing User Accounts and assign the user to the group “SERVICE_ACCOUNTS”.
      • If the group does not exist, you can create a new group called SERVICE_ACCOUNTS. Make sure you don’t add any roles to this group. We will use it only as a reference to exclude these service accounts from MFA.
    • From the API:
      • Get the current user definition as described in View User.
      • Identify the groups attribute and add SERVICE_ACCOUNTS to it.
      • Update the user definition with this API endpoint.
  4. Review temporary exemption process
    Note: We plan to enhance our UI to flag service accounts, but this feature is currently under development.
    Note: ROLE_ADMIN_CUSTOMER is required to perform these operations.
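
The manual steps above, applied to a saved Get Users response, as an added example that is not Reltio's code: it filters on externalUser=false, builds updated definitions with SERVICE_ACCOUNTS added to groups for accounts a reviewer confirmed, and lists members of the MFA-exempt group that nobody confirmed. The username field, the list-shaped response, the LOADERS group and the sample accounts are assumptions constructed for illustration; sending each definition is left to the update endpoint the page refers to.

```python
import json

EXEMPT_GROUP = "SERVICE_ACCOUNTS"

# Constructed sample of a Get Users response. Only "externalUser" and "groups"
# come from the page; "username" and the list layout are assumptions.
SAMPLE_USERS = json.loads("""[
  {"username": "data_sync",     "externalUser": false, "groups": ["LOADERS"]},
  {"username": "api_connector", "externalUser": false},
  {"username": "john.doe",      "externalUser": false, "groups": ["SERVICE_ACCOUNTS"]},
  {"username": "jane.smith",    "externalUser": true,  "groups": []}
]""")


def non_sso_users(users):
    """Step 1: externalUser=false marks a non-SSO user."""
    return [u for u in users if u.get("externalUser") is False]


def with_exempt_group(user):
    """Step 3: copy of the definition with SERVICE_ACCOUNTS added to groups."""
    groups = list(user.get("groups") or [])  # the attribute may be absent
    if EXEMPT_GROUP not in groups:
        groups.append(EXEMPT_GROUP)
    return {**user, "groups": groups}


def plan_updates(users, confirmed):
    """Return (definitions to send, names refused).

    `confirmed` holds the usernames a reviewer accepted in step 2. A name that
    belongs to an SSO user or is absent from the export is refused, not exempted.
    """
    candidates = {u["username"]: u for u in non_sso_users(users)}
    updates, refused = [], []
    for name in sorted(confirmed):
        user = candidates.get(name)
        if user is None:
            refused.append(name)
        elif EXEMPT_GROUP not in (user.get("groups") or []):
            updates.append(with_exempt_group(user))  # skip accounts already tagged
    return updates, refused


def unconfirmed_members(users, confirmed):
    """Accounts already in the MFA-exempt group that no reviewer confirmed."""
    return [u["username"] for u in users
            if EXEMPT_GROUP in (u.get("groups") or [])
            and u["username"] not in confirmed]
```

Running `unconfirmed_members` again after the updates are applied shows whether anyone is excluded from MFA without having been reviewed.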

Semi-Automatic Identification

Reltio offers semi-automatic identification of service accounts through behavioral analysis of login patterns. This method classifies users based on their login behavior.

  • Behavioral Analysis: We perform behavioral analysis on login patterns. Users identified as potential service accounts should be assigned to the SERVICE_ACCOUNTS group.
  • Exclusion from MFA: Users in the SERVICE_ACCOUNTS group will be temporarily excluded from the MFA process.
  • Detailed Reporting: If needed, we can provide a report detailing the behavioral analysis. This report classifies users as potentially automation, potentially human, or both.

Behavioral Analysis Report Sample

Below is a sample of what the behavioral analysis report might look like:

| User | Email | SSO | Enabled | First Login Date | Last Login Date | Active Days | Total Logins | Avg Logins Per Day | Human Login Count | SSO Logins | Login Pattern | Criteria |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| data_sync | data_sync@fakecompany.com | FALSE | TRUE | 2024-01-01 | 2024-07-31 | 91 | 142765 | 411.426513 | 0 | 0 | automation | High activity, low/none human logins in 90 days |
| backup_service | backup_service@fakecompany.com | FALSE | TRUE | 2024-02-06 | 2024-07-30 | 62 | 9853 | 108.2747253 | 0 | 0 | automation | High activity, low/none human logins in 90 days |
| api_connector | api_connector@fakecompany.com | FALSE | TRUE | 2024-01-01 | 2024-07-31 | 91 | 17961 | 65.79120879 | 0 | 0 | automation | High activity, low/none human logins in 90 days |
| report_generator | report_generator@fakecompany.com | FALSE | TRUE | 2024-01-01 | 2024-07-31 | 13 | 20 | 1.111111111 | 0 | 0 | unknown | No matching criteria |
| john.doe | john.doe@fakecompany.com | FALSE | TRUE | 2024-02-01 | 2024-06-07 | 5 | 5 | 1 | 5 | 0 | human | At least one human/SSO login, no automation pattern |
| jane.smith | jane.smith@fakecompany.com | TRUE | TRUE | 2024-04-29 | 2024-04-30 | 2 | 2 | 1 | 2 | 2 | human | At least one human/SSO login, no automation pattern |

If you require additional assistance or guidance, please contact us. See the topic Need some help?