ITSM: How to manage and keep track of local DB accounts

Max Lin
Tera Contributor

Hi All! 

We have a use-case. 
Most of our accounts are AD controlled. So when a resignee resigns, we just lock the account and all related application/Windows/server logins are disabled.

However, we have some local 'privileged accounts' which are not controlled by AD. They could be local accounts created for SQL/DB access for emergency repairs or such. They are assigned to an 'IT User'.

We realized we soon lost track of 'what local accounts does this resignee have'. And normally, in the HR resignation form, the resignee does not remember all the local DB accounts he has, especially those not accessed for a long time.

Many times, when a new local account was requested, there was no centralised area to store this information. The sysadmin of the DB server can once in a while do a UAR (User Access Review) list and link the accounts back to the users, or spot if any new accounts have been created. But we have something like 100 DBs, so it will be hard to keep this list updated with each local account linked to its owner's name.

Our objective is to ensure that we are able to list all local accounts this user has, so when they resign, we can properly close these local accounts. We also need to find a way for new applications to be recorded.


We are thinking of using SNOW to centrally manage this database (I know automation to each DB to get their local accounts could be hard; I'm okay to start off with a manual export of local accounts and then reconcile with the centralized records).

I did some googling, but didn't have good results. A lot of the results were to purchase another IAM service. We are only using "ServiceNow® IT Service Management Standard". We don't have the SNOW HR module.

Please share how you managed this, or if anyone has an idea how we can implement an easy flow for this.

Thank you so much in advance for sharing. 


Ravi9
ServiceNow Employee

While there could be multiple ways to do this, one way you could do it is to create an M2M table with the actual user and service account as a mapping. You can populate this data automatically whenever you provision a new service account via request mgmt. That way you can easily build a "related list" which shows the data all the time and is easy to maintain. Let me know if this makes sense.

M2M doc site link
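The reconciliation the original poster describes (manual export of a DB server's local accounts checked against the central user-to-account mapping) and the leaver lookup the reply's M2M table enables, as an added example that is not part of this thread. It is plain JavaScript with constructed sample rows; in ServiceNow the mapping rows would instead be read from the M2M table with GlideRecord.

```javascript
// Added example (not from the thread): reconcile a DB server's local-account
// export against a user <-> service-account mapping, entirely offline.

// Constructed sample of the M2M mapping table: who owns which local account.
const MAPPING = [
  { user: 'jdoe',   db: 'sql-prod-01', account: 'svc_billing_fix' },
  { user: 'jdoe',   db: 'sql-hr-02',   account: 'jdoe_local' },
  { user: 'asmith', db: 'sql-prod-01', account: 'svc_report' },
  { user: 'asmith', db: 'sql-prod-01', account: 'svc_old' },
];

// Constructed sample export from one DB server (what a manual UAR pull returns).
const EXPORT_SQL_PROD_01 = ['svc_billing_fix', 'svc_report', 'svc_unknown'];

// Every account a leaver owns, as "db/account", so each one can be closed
// at offboarding without relying on the leaver's memory.
function accountsForUser(mapping, user) {
  return mapping
    .filter(row => row.user === user)
    .map(row => `${row.db}/${row.account}`)
    .sort();
}

// Compare one DB's export with the mapping:
//   unmapped = accounts on the server with no recorded owner (new or unrecorded)
//   missing  = accounts in the records that no longer exist on the server (stale)
function reconcile(mapping, db, exported) {
  const recorded = new Set(mapping.filter(r => r.db === db).map(r => r.account));
  const seen = new Set(exported);
  return {
    unmapped: exported.filter(a => !recorded.has(a)).sort(),
    missing: [...recorded].filter(a => !seen.has(a)).sort(),
  };
}
```

Each unmapped account is a candidate for a new mapping row (or removal), and each missing account is a mapping row to retire, so the central records converge on what is actually on the servers.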