
Account Visibility Feature

mgra
New Contributor III

We have a requirement to Grant access to authorized users and restrict access to unauthorized users. 

So I have created two Enterprise Roles: ITSecurity_PAMUsers and PAM_TEST_ROLE

The goal is that the ITSecurity_PAMUsers should only be the one who has access to a specific credential shareable account. While the PAM_TEST_ROLE users will only have access to credentialless accounts.

But upon testing, even if the user is not added to any of the roles, the accounts are still visible and requestable on their side. 

Any idea what type of Roles is required or what configuration that's missing to meet this requirement? 

{
    "endpointPamConfig": {
        "maxConcurrentSession": "50"
    },
    "accountVisibilityConfig": {
        "accountCustomProperty": "customproperty55",
        "accountMappingConfig": [
            {
                "accountPattern": "wintest01",
                "mappingData": "ITSecurity_PAMUsers",
                "override": "false"
            },
            {
                "accountPattern": "wintest02",
                "mappingData": "PAM_TEST_ROLE",
                "override": "false"
            }
        ]
    }
}


arpit_b
Saviynt Employee

Hi @mgra ,

To achieve this you will have to use the account visibility control; the following steps can help you achieve your use case:

1. Navigate to Analytics and create a runtime analytics. You can also create a copy of the control named PAMDefaultUserAccountAccessControl (the control has to be a runtime analytics).

2. In the new control use the query below; in place of <ROLE_NAME> put the role for credential accounts in the first block and the role for credentialless accounts in the second block. (This query takes the logged-in user and the endpoint you are requesting as variables; they are resolved by the system at runtime, so you don't have to put in values for those.)

select acc.accountkey as 'id', acc.name as 'name'
from role_user_account rua, roles r, users u, user_accounts ua, accounts acc
where rua.USERKEY = u.userkey and r.rolekey = rua.ROLEKEY
  and ua.userkey = u.userkey and ua.accountkey = acc.accountkey
  and acc.endpointkey = ${endpointkey}
  and acc.accountconfig like '%\"pamState\"%ENABLED%'
  and acc.accountconfig like '%\"pamType\"%CREDENTIAL%'
  and acc.accountkey = IF('null'=${accountkey}, acc.accountkey, ${accountkey})
  and r.role_name='<ROLE_NAME>' and u.username = ${username}
union
select acc.accountkey as 'id', acc.name as 'name'
from role_user_account rua, roles r, users u, user_accounts ua, accounts acc
where rua.USERKEY = u.userkey and r.rolekey = rua.ROLEKEY
  and ua.userkey = u.userkey and ua.accountkey = acc.accountkey
  and acc.endpointkey = ${endpointkey}
  and acc.accountconfig like '%\"pamState\"%ENABLED%'
  and acc.accountconfig like '%\"pamType\"%CREDENTIALLESS%'
  and acc.accountkey = IF('null'=${accountkey}, acc.accountkey, ${accountkey})
  and r.role_name='<ROLE_NAME>' and u.username = ${username};

3. Update the name of the control in the endpoint's customproperty43 (if you are using the default setting; this can be found in the PAMCONFIG of the connection, where the property is called "endpointAttributeMappings").

4. Run the Delta Sync job to sync the endpoint properties to Elastic.

Let me know if this works or not.

Thanks

BrandonLucas_BF
Regular Contributor III

There were some errors in your SQL, which I adjusted to the following:

select acc.accountkey as 'id', acc.name as 'name'
from role_user_account rua, roles r, users u, user_accounts ua, accounts acc
where rua.USERKEY = u.userkey and r.rolekey = rua.ROLEKEY
  and ua.userkey = u.userkey and ua.accountkey = acc.accountkey
  and acc.endpointkey = ${endpointkey}
  and acc.accountconfig like '%pamState%ENABLED%'
  and acc.accountconfig like '%pamType%CREDENTIAL%'
  and acc.accountkey = IF('null'=${accountkey}, acc.accountkey, ${accountkey})
  and r.role_name='ActiveDirectory_Admins' and u.username = ${username}
union
select acc.accountkey as 'id', acc.name as 'name'
from role_user_account rua, roles r, users u, user_accounts ua, accounts acc
where rua.USERKEY = u.userkey and r.rolekey = rua.ROLEKEY
  and ua.userkey = u.userkey and ua.accountkey = acc.accountkey
  and acc.endpointkey = ${endpointkey}
  and acc.accountconfig like '%pamState%ENABLED%'
  and acc.accountconfig like '%pamType%CREDENTIALLESS%'
  and acc.accountkey = IF('null'=${accountkey}, acc.accountkey, ${accountkey})
  and r.role_name='ActiveDirectory_Admins' and u.username = ${username};

I set up the CP43 value and ran delta sync. Now I get the following error when accessing the PAM request:

[screenshot of the error message attached]

I cannot find any more detailed errors in the log for this.

Did you try to run the query in Data Analyzer, replacing the variables with their respective values? Do you see the expected output? If so, how much time is it taking? This error generally happens when the analytics is taking a longer time to return results or has some issue with the analytics.


Regards,
Saathvik
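The control query in arpit_b's step 2 and Saathvik's suggestion to run it with the variables replaced by real values both come down to the same check: does the query return only the accounts a given user's role entitles them to, and nothing for a user who holds neither role? The harness below is an added example, not code from the thread or from Saviynt. It models only the columns the query touches in an in-memory SQLite database with constructed rows, inlines `${endpointkey}`, `${accountkey}` and `${username}` the way the platform is assumed to at request time (the string `'null'` when no single account is requested), and swaps MySQL's `IF()` for a portable `CASE`. It also exercises one caveat of the page's patterns: `LIKE '%pamType%CREDENTIAL%'` is a substring match, so it also matches `CREDENTIALLESS` and the first block would expose credentialless accounts to the credential role; the `strict` option quotes the value so the two types stay separate (this assumes accountconfig stores the value as a quoted JSON string).

```python
import sqlite3

# Constructed stand-in for the tables the control query joins (assumption:
# only the columns the query touches are modelled).
SCHEMA = """
create table users (userkey integer primary key, username text);
create table roles (rolekey integer primary key, role_name text);
create table role_user_account (rolekey integer, userkey integer);
create table accounts (accountkey integer primary key, name text,
                       endpointkey integer, accountconfig text);
create table user_accounts (userkey integer, accountkey integer);
"""

# Constructed sample rows: alice holds ITSecurity_PAMUsers, bob holds
# PAM_TEST_ROLE, carol holds neither; endpoint 7 has one credential, one
# credentialless and one disabled account, and every user is mapped to all
# three in user_accounts so the role is the only discriminator.
SAMPLE_ROWS = {
    "users": [(1, "alice"), (2, "bob"), (3, "carol")],
    "roles": [(1, "ITSecurity_PAMUsers"), (2, "PAM_TEST_ROLE")],
    "role_user_account": [(1, 1), (2, 2)],
    "accounts": [
        (10, "wintest01", 7, '{"pamState":"ENABLED","pamType":"CREDENTIAL"}'),
        (11, "wintest02", 7, '{"pamState":"ENABLED","pamType":"CREDENTIALLESS"}'),
        (12, "wintest03", 7, '{"pamState":"DISABLED","pamType":"CREDENTIAL"}'),
    ],
    "user_accounts": [(u, a) for u in (1, 2, 3) for a in (10, 11, 12)],
}

# One block of the control query; __PAMTYPE__ and __ROLE__ are filled in per block.
ONE_BLOCK = """select acc.accountkey as id, acc.name as name
from role_user_account rua, roles r, users u, user_accounts ua, accounts acc
where rua.userkey = u.userkey and r.rolekey = rua.rolekey
  and ua.userkey = u.userkey and ua.accountkey = acc.accountkey
  and acc.endpointkey = ${endpointkey}
  and acc.accountconfig like '%"pamState"%ENABLED%'
  and acc.accountconfig like '__PAMTYPE__'
  and acc.accountkey = case when 'null' = ${accountkey}
                            then acc.accountkey else ${accountkey} end
  and r.role_name = '__ROLE__' and u.username = ${username}"""


def control_query(strict=True):
    """Build the two-block control query. strict=True quotes the pamType value
    so CREDENTIAL cannot also match CREDENTIALLESS; strict=False keeps the
    looser '%CREDENTIAL%' substring pattern from the thread for comparison."""
    quote = '"' if strict else ""
    cred = '%"pamType"%' + quote + "CREDENTIAL" + quote + "%"
    credless = '%"pamType"%' + quote + "CREDENTIALLESS" + quote + "%"
    first = ONE_BLOCK.replace("__PAMTYPE__", cred).replace("__ROLE__", "ITSecurity_PAMUsers")
    second = ONE_BLOCK.replace("__PAMTYPE__", credless).replace("__ROLE__", "PAM_TEST_ROLE")
    return first + "\nunion\n" + second


def render(query, endpointkey, accountkey, username):
    """Inline the runtime variables as SQL literals. Assumption: the platform
    substitutes the requesting user's name and the endpoint key at request
    time and passes the string 'null' when no single account was requested."""
    def lit(value):
        if value is None:
            return "'null'"
        if isinstance(value, int):
            return str(value)
        return "'" + str(value).replace("'", "''") + "'"
    return (query.replace("${endpointkey}", lit(endpointkey))
                 .replace("${accountkey}", lit(accountkey))
                 .replace("${username}", lit(username)))


def build_db():
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"insert into {table} values ({marks})", rows)
    return con


def visible_accounts(con, username, endpointkey=7, accountkey=None, strict=True):
    """Account names the control would expose to `username` for this request."""
    sql = render(control_query(strict), endpointkey, accountkey, username)
    return sorted(name for _, name in con.execute(sql).fetchall())


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):
        print(user, "strict:", visible_accounts(db, user),
              "loose:", visible_accounts(db, user, strict=False))
```

Running it shows alice seeing only wintest01 with the quoted pattern but both wintest01 and wintest02 with the substring pattern, bob seeing only wintest02 either way, and carol seeing nothing; requesting a specific `accountkey` narrows the result to that account or to nothing if the role does not cover it.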