07/15/2023 06:32 PM
Hi,
Is there a way we can fine-tune the account visibility on the endpoint using a role? For example, I have 10 accounts in an AD endpoint; is there a way I can make a selected set of accounts visible to a selected set of individuals?
Also, what does the below configuration in the PAM_Config affect? I had searched the documents and did not find any viable information:
"endpointPamConfig": {
    "maxConcurrentSession": "50"
},
"accountVisibilityConfig": {
    "accountCustomProperty": "customproperty55",
    "accountMappingConfig": [
        {
            "accountPattern": "cpamuser*",
            "mappingData": "roletest1",
            "override": "false"
        },
        {
            "accountPattern": "cpamuser1,cpamuser2",
            "mappingData": "roletest2",
            "override": "false"
        }
    ]
}
07/17/2023 03:11 AM
Hi @lionelrl,
Thanks for posting your question.
Please refer to the below article for managing account visibility.
https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/L-Manage-Accounts/Account-Vi...
Please let us know if you have any queries.
07/17/2023 07:31 AM
Hi @lionelrl,
Thanks for reaching out.
Regarding the configuration information in the PAM_Config that you had posted, please find the details:
endpointAccessQuery: It provides the endpoint visibility for requesting privileged access. It is based on a user-defined query or any entitlements and roles.
allowChangepasswordquery: It ensures the change of password or password rotation for an account.
accountVisibilityControl: It helps in determining the accounts that must be displayed for users when requesting privileged access. The analytical control PAMDefaultUserAccountAccessControl includes the query for this feature, and it is added to the custom property of an endpoint. This analytical control is available by default and can be easily added to an endpoint.
The account visibility is based on roles or entitlements assigned to users and it is added to the custom property of an endpoint. For example, users in the finance department cannot view any accounts that are available to human resources (HR), as the account visibility is mapped to the user's role within the organization.
Thanks,
Anitha.
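The account-to-role mapping in the question's accountVisibilityConfig can be reviewed offline before it is applied. The following is an added example, not part of the thread and not Saviynt code: it assumes that `*` in accountPattern is a glob wildcard and that commas separate account names (the thread does not document the matching rules), and it uses constructed account names. It reports accounts matched by more than one entry, where the result depends on override and ordering, and accounts matched by none.

```python
import json
from fnmatch import fnmatchcase

# The fragment from the question, wrapped in braces so it parses as JSON.
PAM_CONFIG = json.loads("""
{
  "accountVisibilityConfig": {
    "accountCustomProperty": "customproperty55",
    "accountMappingConfig": [
      {"accountPattern": "cpamuser*", "mappingData": "roletest1", "override": "false"},
      {"accountPattern": "cpamuser1,cpamuser2", "mappingData": "roletest2", "override": "false"}
    ]
  }
}
""")

# Constructed account names for illustration; not from a real endpoint.
SAMPLE_ACCOUNTS = ["cpamuser1", "cpamuser2", "cpamuser7", "svc_backup"]


def roles_for(account, config):
    """Return every mappingData value whose accountPattern matches the account.
    Assumption: comma-separated names, '*' treated as a glob wildcard."""
    roles = []
    for entry in config["accountVisibilityConfig"]["accountMappingConfig"]:
        patterns = [p.strip() for p in entry["accountPattern"].split(",")]
        if any(fnmatchcase(account, p) for p in patterns):
            roles.append(entry["mappingData"])
    return roles


def audit(accounts, config):
    """Split accounts into mapped, ambiguous (several entries match) and unmapped."""
    report = {"mapped": {}, "ambiguous": {}, "unmapped": []}
    for account in accounts:
        roles = roles_for(account, config)
        if not roles:
            report["unmapped"].append(account)
        elif len(roles) == 1:
            report["mapped"][account] = roles[0]
        else:
            report["ambiguous"][account] = roles
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACCOUNTS, PAM_CONFIG), indent=2))
```

With the posted patterns, cpamuser1 and cpamuser2 match both entries, so which role ends up in customproperty55 for them is worth confirming against the product documentation before relying on it.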
07/25/2023 08:34 AM
@lionelrl As discussed in the SME hours call, please share the updated query that worked for you. It will help others looking for similar information.
Thanks,
Nagesh K
10/07/2023 03:32 PM