09/19/2022 10:45 AM
09/21/2022 08:14 AM - edited 09/21/2022 08:19 AM
Hello @vermark,
The Password Sync uses Saviynt APIs to change the user and account password. This should be easy for you to test/validate with Postman on your lower environments.
Please find my response to your questions:
In SavPwFilter.json we have more endpoints for which there is no corresponding application in Saviynt. Will it cause any issue?
avinash: I have not tried this personally but it should fail with an error that it could not find the endpoints in Saviynt.
Is there a way to stop the password sync for selected endpoints? (E.g. we have only three endpoints in Saviynt, so it should create change password tasks for those three endpoints and should not create change password tasks for additional endpoints which are there in SavPwFilter.json.)
avinash: No, a list of comma-separated endpoints needs to be passed for which you need the password changed.
Every time a new application is onboarded, the password sync filter is to be redeployed on all the DCs and all DCs are to be rebooted.
avinash: Yes, the configurations are picked up once at startup; any changes need a restart.
09/22/2022 01:47 PM
Hi Avinash,
We have performed the testing from our end. Below are the test cases that we executed and their outcome:
Test Case 1:
We added three applications dummyapp1, dummyapp2, dummyapp3 in SavPwFilter.json which currently do not exist in Saviynt and restarted the DC.
After the restart we reset the password for one user (user1) who had an account on applications SAP1, SAP2, SAP3, Oracle DB.
Outcome –
2022-09-22T16:42:36ℹ️796: curlInterface-ChangePassword:: Response status code: 412, Error Response:{"Status":"Failure","Error":"Endpoint(s) dummyapp1, dummyapp2, dummyapp3 not found","errorCode":"1","message":"Failure to update password"}
Test Case 2:
We onboarded the applications dummyapp1, dummyapp2, dummyapp3 in Saviynt (while they were already present in SavPwFilter.json) and reset the password for user (user1).
Outcome –
Test Case 3:
We assigned the application dummyapp1 to user user1 and reset the password.
Outcome –
Summary –
If we want to avoid multiple DC restarts, we should follow the below approach. Please let us know if there is any other possibility.
09/22/2022 02:32 PM
With your approach, how will you do a phased password sync implementation?
E.g. if currently SAP1 and SAP2 need the password synced and you put in an application LDAP (for future implementation, which doesn't even exist), along with the two SAP instances, the whole sync process will fail, isn't it? Have you tried this scenario?
I would list out all the applications that need a password sync and have them implemented in phases as and when they are ready, rather than doing one application at a time, since every update needs a DC restart.
09/22/2022 02:55 PM
From a design perspective, Saviynt should have provided some flag to sync the password or a dedicated customproperty to avoid a restart of the DC. This would be easy and manageable on the Saviynt end only 🙂
09/22/2022 09:21 PM
If currently SAP1 and SAP2 need the password synced and you put in an application LDAP (for future implementation, which doesn't even exist), along with the two SAP instances, the whole sync process will fail, isn't it? Have you tried this scenario?
<Rakesh> - Yes, I have tested it as part of use case 2. For the LDAP app there has to be an endpoint in Saviynt (just the template with the same name as in SavPwFilter.json). We can fully set up the same LDAP endpoint in future as per business requirement. This way password sync is working and change password tasks are generating for SAP1 and SAP2. Do you see any challenge with this approach?
I would list out all the applications that need a password sync and have them implemented in phases as and when they are ready, rather than doing one application at a time, since every update needs a DC restart.
<Rakesh> The ask is to push all the changes on the DCs in one go and restart the DCs. Even if we go phase-wise, all apps will be onboarded in, let's say, 5 phases, and we need to restart all DCs 5 times, once after every phase release.
Please let us know what the recommended approach is that we need to follow.
09/23/2022 07:04 AM
@vermark,
I would not suggest creating dummy security systems/endpoints in Saviynt knowing fully that they cannot be deleted (in the future).
If there is a limitation, the best way forward would be to discuss this with the stakeholders and come up with an approach that works best for all.
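For monitoring the failure reported in Test Case 1, the following is an added example (not part of the thread and not Saviynt code) that scans password-filter log text for failed ChangePassword responses and counts which endpoint names were reported as not found. The sample lines are constructed, modelled on the log line quoted in the thread; the plain timestamp prefix and the function name are assumptions.

```python
import json
import re

# Matches the failure line format quoted in Test Case 1 of the thread.
FAILURE_RE = re.compile(
    r"curlInterface-ChangePassword:: Response status code: (\d+), "
    r"Error Response:(\{.*\})"
)
NOT_FOUND_RE = re.compile(r"Endpoint\(s\) (.+) not found")

# Constructed sample lines (timestamp prefix is an assumption).
SAMPLE_LOG = """\
2022-09-22T16:42:36 curlInterface-ChangePassword:: Response status code: 412, Error Response:{"Status":"Failure","Error":"Endpoint(s) dummyapp1, dummyapp2, dummyapp3 not found","errorCode":"1","message":"Failure to update password"}
2022-09-22T16:50:02 curlInterface-ChangePassword:: Response status code: 412, Error Response:{"Status":"Failure","Error":"Endpoint(s) dummyapp2 not found","errorCode":"1","message":"Failure to update password"}
2022-09-22T16:55:10 unrelated line
2022-09-22T16:58:41 curlInterface-ChangePassword:: Response status code: 412, Error Response:{"Status":"Fail}
"""


def missing_endpoints(log_text):
    """Return {endpoint_name: failure_count} for endpoints reported as not found."""
    counts = {}
    for line in log_text.splitlines():
        match = FAILURE_RE.search(line)
        if not match:
            continue
        try:
            body = json.loads(match.group(2))
        except json.JSONDecodeError:
            continue  # truncated or malformed response body
        not_found = NOT_FOUND_RE.search(str(body.get("Error", "")))
        if not not_found:
            continue
        # The error text carries a comma-separated list of endpoint names.
        for name in not_found.group(1).split(","):
            name = name.strip()
            if name:
                counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for endpoint, count in sorted(missing_endpoints(SAMPLE_LOG).items()):
        print(f"{endpoint}: {count} failed sync attempt(s)")
```
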