Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CPAM JIT Access permission segregation based on entitlement

RMJ
New Contributor III
New Contributor III

‎05/17/2023 04:17 AM

We have a scenario where set of users required admin access and other set of users not required admin access through JIT for the same  AWS Linux Instances.

Is there a solution where we can achieve this use case to provide the admin access to set of users based on entitlement to the AWS linux instances where other set users not required a admin access using JIT to the same linux instances.

0 Kudos
4 REPLIES 4

NageshK
Saviynt Employee
Saviynt Employee

‎05/17/2023 08:12 AM

@RMJ Thanks for posting your question. Yes, there is a way to do this. Please find below an example which check if user has a particular entitlement in GCP and assigns non-admin/admin permissions according to the entitlement user has. You can update the query to fit your requirement. 


{"unix":{"command":"if [[ "${queryParam?.get(0)?.entitlement_value}" == *"view"* ]];then sudo useradd -m -s /bin/bash ${accountName} ;else sudo useradd -m -s /bin/bash ${accountName} -g google-sudoers;fi","queryParam": "SELECT IFNULL((select distinct ev3.entitlement_value from users u inner join arstasks arst on u.USERKEY=arst.USERKEY inner join endpoints ep on arst.endpoint=ep.endpointkey inner join entitlement_values ev on ev.ENTITLEMENTID=ep.CUSTOMPROPERTY17 Inner Join entitlement_types et on ev.entitlementtypekey = et.entitlementtypekey and et.Entitlementname = 'Project' inner join entitlement_values ev1 on ev.ENTITLEMENT_VALUE=SUBSTRING_INDEX(ev1.ENTITLEMENT_VALUE,'~',1) inner join entitlement_types et1 on ev1.entitlementtypekey=et1.entitlementtypekey and et1.Entitlementname = 'Project_Roles' inner join entitlement_values ev2 on ev2.ENTITLEMENT_VALUE=SUBSTRING_INDEX(ev1.ENTITLEMENT_VALUE,'~',-1) inner join entitlement_types et2 on ev2.entitlementtypekey=et2.entitlementtypekey and et2.Entitlementname = 'Role' inner join entitlements2 e2 on e2.ENTITLEMENT_VALUE1KEY=ev2.ENTITLEMENT_VALUEKEY inner join entitlement_values ev3 on e2.ENTITLEMENT_VALUE2KEY=ev3.ENTITLEMENT_VALUEKEY inner join entitlement_types et3 on ev3.entitlementtypekey=et3.entitlementtypekey and et3.Entitlementname = 'RolePermission' and ev3.ENTITLEMENT_VALUE in ('compute.instances.osAdminLogin') inner join user_accounts ua on arst.userkey=ua.userkey inner join accounts ac on ac.ACCOUNTKEY=ua.ACCOUNTKEY inner join account_entitlements1 ae1 on ae1.ACCOUNTKEY=ac.ACCOUNTKEY inner join entitlement_values ev4 on ev4.entitlement_valuekey=ae1.entitlement_valuekey Inner Join entitlement_types et4 on ev4.entitlementtypekey = et4.entitlementtypekey and et4.Entitlementname = 'Project_Roles' and ev4.ENTITLEMENT_VALUEKEY=ev1.ENTITLEMENT_VALUEKEY and arst.tasktype=3 and arst.STATUS=1 and u.username='${user.username}' and arst.TASKKEY=${tasks.id} limit 1), 'view') as 'entitlement_value'"}}

Thanks

Nagesh K

0 Kudos

Shravan
New Contributor
New Contributor
In response to NageshK

‎05/19/2023 12:19 PM

Hi Nagesh,

We tried to use below provision command, but it is failing with following error while launching session.
Error Message: 'Error while creating Account'

Command:

{"unix":{"command":"if [[ "${queryParam?.get(0)?.entitlement_value}" == *"view"* ]];then sudo useradd -m -s /bin/bash ${username};else sudo useradd -m -s /bin/bash '${username}' -c '${user?.lastname}.${user?.firstname}/${user?.email}' -g users && echo  ${username}:${password} | sudo chpasswd && sudo usermod -G cpamgrp ${username}-sudoers;fi","queryParam": "SELECT IFNULL((select tbl.entitlement_value from (select 'CPAM_PlatformAdmins' entitlement_value from dual) tbl), 'view') as 'entitlement_value'"}}

Regards,
Shravan

0 Kudos

Shravan
New Contributor
New Contributor

‎05/24/2023 11:15 AM

 

Hi Nagesh,
 
As we discussed we have used Taskid and username in Provision command.
We tried to use below provision command, but it is failing with following error while launching session.
Error Message: 'Error while creating Account'
Shravan_0-1684952091400.png
below is the command:

 

{"unix":
                {"command":"if [[ "${queryParam?.get(0)?.entitlement_value}" == *"view"* ]];
                               then sudo useradd -m -s /bin/bash '${username}' ;
else sudo useradd -m -s /bin/bash '${username}' -c '${user?.lastname}.${user?.firstname}/${user?.email}' -g users && echo  ${username}:${password} | sudo chpasswd && sudo usermod -G cpamgrp ${username}-sudoers;fi"
,"queryParam": "SELECT IFNULL((select distinct ev3.entitlement_value from users u inner join arstasks arst on u.USERKEY=arst.USERKEY inner join endpoints ep on arst.endpoint=ep.endpointkey inner join entitlement_values ev on ev.ENTITLEMENTID=ep.CUSTOMPROPERTY17 Inner Join entitlement_types et on ev.entitlementtypekey = et.entitlementtypekey and et.Entitlementname = 'Project' inner join entitlement_values ev1 on ev.ENTITLEMENT_VALUE=SUBSTRING_INDEX(ev1.ENTITLEMENT_VALUE,'~',1) inner join entitlement_types et1 on ev1.entitlementtypekey=et1.entitlementtypekey and et1.Entitlementname = 'Project_Roles' inner join entitlement_values ev2 on ev2.ENTITLEMENT_VALUE=SUBSTRING_INDEX(ev1.ENTITLEMENT_VALUE,'~',-1) inner join entitlement_types et2 on ev2.entitlementtypekey=et2.entitlementtypekey and et2.Entitlementname = 'Role' inner join entitlements2 e2 on e2.ENTITLEMENT_VALUE1KEY=ev2.ENTITLEMENT_VALUEKEY inner join entitlement_values ev3 on e2.ENTITLEMENT_VALUE2KEY=ev3.ENTITLEMENT_VALUEKEY inner join entitlement_types et3 on ev3.entitlementtypekey=et3.entitlementtypekey and et3.Entitlementname = 'RolePermission' and ev3.ENTITLEMENT_VALUE in ('compute.instances.osAdminLogin') inner join user_accounts ua on arst.userkey=ua.userkey inner join accounts ac on ac.ACCOUNTKEY=ua.ACCOUNTKEY inner join account_entitlements1 ae1 on ae1.ACCOUNTKEY=ac.ACCOUNTKEY inner join entitlement_values ev4 on ev4.entitlement_valuekey=ae1.entitlement_valuekey Inner Join entitlement_types et4 on ev4.entitlementtypekey = et4.entitlementtypekey and et4.Entitlementname = 'Project_Roles' and ev4.ENTITLEMENT_VALUEKEY=ev1.ENTITLEMENT_VALUEKEY and arst.tasktype=3 and arst.STATUS=1 and u.username='${user.username}' and arst.TASKKEY='${tasks.id}' limit 1), 'view') as 'entitlement_value'"
                }
}
 
Regards,
Shravan
0 Kudos

NageshK
Saviynt Employee
Saviynt Employee

‎05/25/2023 06:23 AM

@Shravan The error you are seeing is due to the double quotes not being escaped. I referred to the documentation and it was indeed escaped rightly there. Earlier versions of the product allowed the query to run without escaping but the later versions need it. 

Also, the task type and status values should be changed as we are not creating a "new account" task anymore when we submit JIT request. I'm following up internally on this and will get back. In the meanwhile can you try the below option and see if that works?

1. Navigate to Global Config -> select Tasks in the left dropdown and in the text field for "Instant Provisioning Tasks" remove the option Emergency Access Instance Grant Access

2. In the above query, add the escape for quotes as given in the second sample query in this article : Configuring Quick Access. And change the tasktype and status conditions as below
   and arst.tasktype=34 and arst.STATUS=3 

3. Also the above query is an example for checking if user has a specific GCP project role. Is that what you are trying to check in your environment? If not, you should modify the query accordingly

4. Now submit the JIT request, let the Enterprise Role job run and create a task. Then run wsretry and see if the provisioning works fine.

Thanks,

Nagesh K

0 Kudos
Copyright © 2024 Khoros, LLC