
CPAM setup with Azure

AnithaMavurapu
New Contributor III

Hello Everyone,

If you have configured CPAM setup with Azure, could you please provide/share "PAM config" JSON and any reference links or process steps would be appreciated. Thanks in advance....

Thanks,
Anitha Mavurapu


NageshK
Saviynt Employee

@AnithaMavurapu Thanks for posting your question. As of today, automated bootstrapping (onboarding Azure workloads using the bootstrap job) is not supported. However, they can be onboarded as on-prem workloads using the on-prem onboarding approach. In this case users will find the workloads under New Privileged Access -> Onprem Tile instead of the Azure tile. Here is the article that explains the process for on-prem onboarding:

https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/E-Onboard-Target-Endpoint/On...

 Thanks,

Nagesh K

Hi Nagesh, thanks for your reply. Could you please elaborate on the on-premise procedure to connect to Azure: how can I make the target endpoint Azure through the on-premise (Windows) approach?

Thanks in advance.

Hi Nagesh,

There is a customer requirement to onboard the Azure workload using CPAM. Please confirm if this functionality is available through the design console.

NageshK
Saviynt Employee

@AnithaMavurapu In this approach, you do not need to connect to the Azure platform. Azure workloads will be considered as on-prem workloads, so the only details required to onboard them are the details present in the master-unix and master-windows connections.

Once you create the on-prem connection, security system and endpoint and configure them, you are good to trigger the bootstrap using the CSV file.

Thanks,

Nagesh K

Hi Nagesh, Thanks for your reply.

AnithaMavurapu
New Contributor III

Hi Nagesh,

As discussed in today's CPAM office hours, here are the questions we need your help with. Could you please look into the questions below and provide us the detailed information.

  • Is the CSV file a standard format? The upload process will read the info and make Saviynt API calls to create a connector and start using the SC2.0 client to move forward from there. Could you please confirm.
  • If credentials fail, bootstrap fails. The error message should indicate the cause of failure. Troubleshooting would be to update credentials in the connector and retry.
  • The import process saves credentials in the vault. Master credentials are rotated and the new credentials are saved in the vault. A local account or domain-joined account should work.
  • For an LM account, e.g. 3 VMs, 1 account, the account password is rotated for each VM; so it appears a local machine account is created. For a domain-joined account, the process may be different.
  • Help us untangle the passwords question; provide clarification and guidance.
  • Provide clarification on what accounts we need and what is required.
  • How is rotation scheduled by a configurable setting? PWD requirements and scheduling for this?
  • What are Azure-aware VMs?

Thanks

Anitha Mavurapu

NageshK
Saviynt Employee

@AnithaMavurapu please find below responses inline.

  1. Is the CSV file a standard format? The upload process will read the info and make Saviynt API calls to create a connector and start using the SC2.0 client to move forward from there. Could you please confirm.
    1. [NK] Yes, as mentioned in the SME call, the CSV file has a specific format, and a sample file along with a screenshot is given in the documentation here: Discovering and Onboarding On-Premises Workloads
  2. If credentials fail, bootstrap fails. The error message should indicate the cause of failure. Troubleshooting would be to update credentials in the connector and retry.
    1. [NK] Yes, as mentioned in the SME call, bootstrap errors are captured in the "Error Description" field of the "PAM Attributes" tab of an Endpoint. We also have an out-of-the-box analytic control "Bootstrap failed endpoints", which can be modified to include the column "PAM_ERROR_DESCRIPTION" from the table endpoints_properties. That will give you the list of failed endpoints along with the error description.
  3. The import process saves credentials in the vault. Master credentials are rotated and the new credentials are saved in the vault. A local account or domain-joined account should work.
    1. [NK] As mentioned in the SME call, for Windows you can use either a local or a domain account as the master account. However, for Linux only local accounts are supported. And yes, at the end of the bootstrap process, the master credentials (you can also call them connection credentials) will get rotated and vaulted.
  4. For an LM account, e.g. 3 VMs, 1 account, the account password is rotated for each VM; so it appears a local machine account is created. For a domain-joined account, the process may be different.
    1. [NK] This question is not clear. Please elaborate.
  5. Help us untangle the passwords question; provide clarification and guidance.
    1. [NK] What is the question for which you need clarification?
  6. Provide clarification on what accounts we need and what is required.
    1. [NK] Again, no context and no details about what the question is.
  7. How is rotation scheduled by a configurable setting? PWD requirements and scheduling for this?
    1. [NK] Periodic password rotation is achieved via an external jar job. Please go through this article for details: https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/G-Password-Management/Period...
  8. What are Azure-aware VMs?
    1. [NK] Are you referring to Azure Aware plug-ins?

Thanks,

Nagesh K

Meehan
New Contributor

Hi Nagesh, 

Anitha is OOO today, so I thought I would provide some clarity on the items you had questions on. Please see below for our questions and provide your answers as soon as possible. If needed, please call me today for further clarity (see email signature for number).

4. Is it correct for local machines, e.g. 3 VMs, that 1 account is created and the account password is rotated for each VM? And if so, how does the local machine process then differ from, or is it the same as, the domain-joined setup? i.e. what do local machines and domain-joined machines need in order to be set up for CPAM: accounts, access, etc.?

4a. Please explain/provide clarity on how the passwords are rotated for local machines and domain-joined machines.

4b. What accounts are needed to set up the VMs, and how is that account (or accounts) set up?


Thank you, 

Nora Meehan 

AnithaMavurapu
New Contributor III

Hi Nagesh,

I am not sure, and confused about, how we are getting or communicating between the VM and the Azure app.
Could you please help me understand how VMs get workloads from Azure apps? Is there any additional configuration that needs to be done on the VMs?

Thanks

Anitha Mavurapu

NageshK
Saviynt Employee

@AnithaMavurapu As discussed in the SME office hours call, the use case here is to onboard VMs hosted in Azure and not the Azure apps. Once you have the prerequisites available, you should be able to start onboarding them using the CSV method outlined in the on-prem onboarding article.

Thanks,

Nagesh K

Thanks for the response Nagesh....

AnithaMavurapu
New Contributor III

Hi Nagesh,

What kind of accounts need to be created for shareable accounts? Could you please be more specific on the available/desired shareable accounts? I am assuming they should be domain accounts; what kind of permissions should they have? Thanks in advance….

    "shareableAccounts": {
      "IDQueryCredentials": "acc.name in ('winadmin')",
      "IDQueryCredentialless": "acc.name in ('maintadmin','cpamadmin')",
      "IDQueryDomainCredentialless": "acc.name in ('ADuser1','ADuser2')",
      "IDQueryDomainCredentials": "acc.name in ('ADSharedUser5','ADSharedUser22')"
    },

Thanks

Anitha Mavurapu

NageshK
Saviynt Employee

@AnithaMavurapu 

The first two entries (IDQueryCredentials, IDQueryCredentialless) represent the local accounts on the servers, and the next two entries (IDQueryDomainCredentials, IDQueryDomainCredentialless) represent the domain accounts associated with the Windows servers. The permissions that these accounts should have will be defined by the customer as per the requirement.
When end users use the shared accounts to access the Windows VMs, do they need admin access to the server, power user access or some custom access? This has to be defined by the customer as per their requirement.
Thanks,
Nagesh K

AnithaMavurapu
New Contributor III

Hi Nagesh,

Here are the questions from our customer:

  1. Saviynt, in the process of connecting to this specific virtual machine, will rotate the password on the virtual machine and update the vault.
  2. We would like to go through the process and document the process of adding credentials to the vault.
  3. The shareable accounts will provide the new sessions for these virtual machines.
  4. A user logs into the Saviynt portal and asks to log in to this virtual machine; when they do that, are they logging in to the machine with a shareable account, and not a new session being created?
  5. I have to provide you with shareable accounts to log in to servers (that is, to create the sessions). As an example, the server that's being deployed out in Azure belongs to the Azure ecosystem; it does not belong to our Active Directory. I am surprised that I need to go build the accounts in Azure to provide for user session login. I do not have approval at this time to build Active Directory accounts for the server that we are talking about today. Will this limit the users from getting on their devices?
  6. Let's put it this way: that particular shareable option is something we could periodically open up to all organization users, so I have to give you thousands of new unique shareable accounts? So that users don't share sessions when they get into the boxes?

Thanks

Anitha Mavurapu

Hi Nagesh,

Below is the "PAM_Config" from the on-premise connection to onboard the Windows Azure workloads to Saviynt.

1. Could you please support us with the JSON entries which are shown in bold. Are they required or not in this use case (on-prem Windows Azure workloads onboarding)?

2. Is it okay if we take care of password rotation of the master account as a separate use case and do it later ["changeConnectionCredentials": false]?

3. As discussed in the CPAM SME call yesterday, I updated the shareable accounts section to blank due to the JIT access requirement.

PAM_Config:

{
  "Connection": "On-Premise",
  "encryptionMechanism": "ENCRYPTED",
  "EVQuery": "",
  "WINDOWS": {
    "defaultCredentialConnection": {
      "connectionName": "Windows_Master_Connection_Azure",
      "changeConnectionCredentials": false,
      "MSConnectorVersion": "WINDOWS/1.0"
    },
    "defaultSecuritySystemDetails": {
      "securitySystemName": " On-Premise_Azure",
      "workflow": "AOBAutoApproveWF",
      "passwordPolicy": ""
    },
    "shareableAccounts": {
      "IDQueryCredentials": "",
      "IDQueryCredentialless": "",
      "IDQueryDomainCredentialless": " ",
      "IDQueryDomainCredentials": ""
    },
    "processADAccount": false,
    "sAMAccountNameColumnMapping": "",
    "reconciledAccountAction": "NONE",
    "domainConnections": "",
    "maxCredSessionRequestTime": "36000",
    "maxCredlessSessionRequestTime": "36000",
    "maxIDRequestableTime": "2592000",
    "endpointAttributeMappings": [
      {
        "column": "accessquery",
        "value": "where users.USERNAME is not null",
        "feature": "endpointAccessQuery"
      },
      {
        "column": "allowChangePassword_sqlquery",
        "value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
        "feature": "allowChangepasswordquery"
      },
      {
        "column": "customproperty43",
        "value": "PAMDefaultUserAccountAccessControl",
        "feature": "accountVisibilityControl"
      }
    ],
    "endpointPamConfig": {
      "maxConcurrentSession": "50"
    },
    "accountVisibilityConfig": {
      "accountCustomProperty": "customproperty55",
      "accountMappingConfig": [
        {
          "accountPattern": "cpamuser*",
          "mappingData": "roletest1",
          "override": "false"
        },
        {
          "accountPattern": "cpamuser1,cpamuser2",
          "mappingData": "roletest2",
          "override": "false"
        }
      ]
    }
  }
}

Thanks in Advance

Anitha Mavurapu

Hi Nagesh,

Could you please explain once again above PAM_Config JSON which are shown in bold.

Thanks

Anitha

AnithaMavurapu
New Contributor III

Hi Nagesh,

During our working session with the customer we attempted to complete the on-prem Windows server/VM bootstrapping process. Our CPAM master connection for on-prem Windows was failing with a "500 internal error" first, and after making a few changes it failed with a 401 error. 401 implies an unauthorized error; could you please support us with setting up the right permissions to make a successful connection.

Error says empty password in the log, but password was actually provided before making a test connection.

Thanks

Anitha Mavurapu

Please find the error screenshot below:

[Screenshot: AnithaMavurapu_0-1688394118958.png]

Did you select the credential vault connection, and did you also check save in vault while storing the password initially?

Regards,
Saathvik

AnithaMavurapu
New Contributor III

Yes Saathvik, I did select 'Credential Vault Connection' and did check 'Save In Vault' option initially.

Thanks,

Anitha

NageshK
Saviynt Employee

@AnithaMavurapu Please verify the following:

  1. The master Windows connection name should not have any spaces. Use underscores or dashes instead of spaces. If this is the issue, fix it and, after fixing, un-select the vault dropdown and reselect it. This will help reflect the new connection name in the Vault Config part of the connection.
  2. When the password is provided in the master connection and you are about to click on "save and test", please make sure the check box for "save in vault" is selected.
  3. Make sure that you select the vault dropdown only after providing a proper name to the connection.

Thanks

Nagesh K

Hi Nagesh,

As discussed and updated in today's CPAM SME call, I created a new Windows master connection, which is successful now (FYI - I did try changing the name in the old connection to have no spaces, but it still failed, so I created a new connection).

Thanks

Anitha

AnithaMavurapu
New Contributor III

Hi Nagesh,

The master connection is successful selecting "Select Connector Version: Name :: version"; the master connection failed selecting "Select Connector Version: WINDOWS::1.0", where "Select Connector Version: WINDOWS::1.0" is one of the mandatory parameters as mentioned below in the Saviynt document. Could you please let us know how we can make this master connection successful selecting "WINDOWS::1.0". Thanks in advance.....

[Screenshot: AnithaMavurapu_0-1689006227697.jpeg]

[Screenshot: AnithaMavurapu_3-1689006303258.png]

Thanks

Anitha

AnithaMavurapu
New Contributor III

Hi Nagesh,

As requested in today's CPAM SME call and the last call, could you please provide more details of the bold section below from the PAM_Config JSON. Thanks in advance...

PAM_Config:

{
  "Connection": "On-Premise",
  "encryptionMechanism": "ENCRYPTED",
  "EVQuery": "",
  "WINDOWS": {
    "defaultCredentialConnection": {
      "connectionName": "CPAM-MasterConnection-ActiveDirectory",
      "changeConnectionCredentials": false,
      "MSConnectorVersion": "WINDOWS/1.0"
    },
    "defaultSecuritySystemDetails": {
      "securitySystemName": " On-Premise_Azure",
      "workflow": "AOBAutoApproveWF",
      "passwordPolicy": ""
    },
    "shareableAccounts": {
      "IDQueryCredentials": "",
      "IDQueryCredentialless": "",
      "IDQueryDomainCredentialless": " ",
      "IDQueryDomainCredentials": ""
    },
    "processADAccount": false,
    "sAMAccountNameColumnMapping": "",
    "reconciledAccountAction": "NONE",
    "domainConnections": "",
    "maxCredSessionRequestTime": "36000",
    "maxCredlessSessionRequestTime": "36000",
    "maxIDRequestableTime": "2592000",
    "endpointAttributeMappings": [
      {
        "column": "accessquery",
        "value": "where users.USERNAME is not null",
        "feature": "endpointAccessQuery"
      },
      {
        "column": "allowChangePassword_sqlquery",
        "value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
        "feature": "allowChangepasswordquery"
      },
      {
        "column": "customproperty43",
        "value": "PAMDefaultUserAccountAccessControl",
        "feature": "accountVisibilityControl"
      }
    ],
    "endpointPamConfig": {
      "maxConcurrentSession": "50"
    },
    "accountVisibilityConfig": {
      "accountCustomProperty": "customproperty55",
      "accountMappingConfig": [
        {
          "accountPattern": "cpamuser*",
          "mappingData": "roletest1",
          "override": "false"
        },
        {
          "accountPattern": "cpamuser1,cpamuser2",
          "mappingData": "roletest2",
          "override": "false"
        }
      ]
    }
  }
}

Thanks

Anitha
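The two PAM_Config documents posted in this thread, the shareable-account queries posted earlier (one of which was missing a closing quote), and Nagesh's advice that the master connection name must not contain spaces are all things that can be checked before a bootstrap run. The following is an added example written for this page; it is not Saviynt's code and not taken from the documentation links above. It lints a PAM_Config JSON document for exactly those issues. The key names come from the posted configs; the rules it applies (which WINDOWS keys are required, that connection and security-system names carry no whitespace, that the max* timing values are numeric strings, that every non-blank acc.name query has balanced quotes, that override is "true" or "false") are this example's own assumptions about a sane config, not Saviynt's validation rules.

```python
# Added example (not Saviynt code): lint a CPAM PAM_Config JSON document for the
# problems seen in this thread before handing it to the bootstrap job.
# Key names come from the posted configs; the acceptance rules are assumptions.
import json
import re

# Keys present in the posted WINDOWS section, treated here as required (assumption).
WINDOWS_KEYS = (
    "defaultCredentialConnection", "defaultSecuritySystemDetails",
    "shareableAccounts", "endpointAttributeMappings",
    "maxCredSessionRequestTime", "maxCredlessSessionRequestTime",
    "maxIDRequestableTime",
)
NUMERIC_KEYS = WINDOWS_KEYS[4:]
# A non-blank shareable-account query is expected to be an IN list over acc.name
# with every literal quoted on both sides (assumption based on the posted queries).
IDQUERY_RE = re.compile(r"^acc\.name in \((\s*'[^']*'\s*,?)+\)$")


def lint_pam_config(text: str) -> list[str]:
    """Return findings as strings; an empty list means the document passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    win = cfg.get("WINDOWS")
    if not isinstance(win, dict):
        return ["missing WINDOWS section"]
    findings = [f"WINDOWS.{k} is missing" for k in WINDOWS_KEYS if k not in win]

    # Names with any whitespace (including the leading space in the posted
    # securitySystemName) are flagged, following the connection-name advice above.
    names = (
        ("connectionName",
         win.get("defaultCredentialConnection", {}).get("connectionName", "")),
        ("securitySystemName",
         win.get("defaultSecuritySystemDetails", {}).get("securitySystemName", "")),
    )
    for label, name in names:
        if not name:
            findings.append(f"{label} is empty")
        elif re.search(r"\s", name):
            findings.append(f"{label} contains whitespace: {name!r}")

    for key in NUMERIC_KEYS:
        if key in win and not str(win[key]).isdigit():
            findings.append(f"{key} should be a numeric string, got {win[key]!r}")

    for key, query in win.get("shareableAccounts", {}).items():
        q = str(query).strip()
        if q and not IDQUERY_RE.match(q):
            findings.append(
                f"shareableAccounts.{key} is not a well-formed acc.name query: {query!r}")

    for entry in win.get("accountVisibilityConfig", {}).get("accountMappingConfig", []):
        if entry.get("override") not in ("true", "false"):
            findings.append(
                f"override must be 'true' or 'false' for {entry.get('accountPattern')!r}")
    return findings


# Constructed sample mirroring the posted config, with two defects planted:
# the leading space in securitySystemName and an unbalanced quote in a query.
SAMPLE_CONFIG = """{
  "Connection": "On-Premise",
  "encryptionMechanism": "ENCRYPTED",
  "EVQuery": "",
  "WINDOWS": {
    "defaultCredentialConnection": {
      "connectionName": "Windows_Master_Connection_Azure",
      "changeConnectionCredentials": false,
      "MSConnectorVersion": "WINDOWS/1.0"
    },
    "defaultSecuritySystemDetails": {
      "securitySystemName": " On-Premise_Azure",
      "workflow": "AOBAutoApproveWF",
      "passwordPolicy": ""
    },
    "shareableAccounts": {
      "IDQueryCredentials": "acc.name in ('winadmin')",
      "IDQueryDomainCredentials": "acc.name in ('ADSharedUser5','ADSharedUser22)"
    },
    "maxCredSessionRequestTime": "36000",
    "maxCredlessSessionRequestTime": "36000",
    "maxIDRequestableTime": "2592000",
    "endpointAttributeMappings": [],
    "accountVisibilityConfig": {
      "accountMappingConfig": [
        {"accountPattern": "cpamuser*", "mappingData": "roletest1", "override": "false"}
      ]
    }
  }
}"""

if __name__ == "__main__":
    for finding in lint_pam_config(SAMPLE_CONFIG):
        print(finding)
```

Run it as a script to see the two planted findings; point lint_pam_config at the text of your own PAM_Config before pasting it into the connection. The regex is deliberately strict about quoting because a query with an unbalanced quote is still valid JSON and so is not caught by the JSON parser alone.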


AnithaMavurapu
New Contributor III

Hi Nagesh,

Could you please provide the details of the JSON below (part of PAM_JSON). To which accounts does this password policy apply?

    "defaultSecuritySystemDetails": {
      "securitySystemName": "Onpremise-Windows-CPAM",
      "workflow": "AOBAutoApproveWF_CPAM",
      "passwordPolicy": "AOBApplicationPasswordPolicy-CPAM"
    },

Thanks

Anitha

This password policy gets applied to any account that is available on that particular endpoint.

Regards,
Saathvik

AnithaMavurapu
New Contributor III

Thanks for the response Saathvik.

AnithaMavurapu
New Contributor III

Hi Nagesh,

Are there any differences between Windows versions in how they interact/behave with Saviynt for bootstrapping? i.e. any differences in the bootstrapping process with Windows version 10 vs. Windows version 2022? And from the format below, what are osversion and osname?

ipv4         dns_name     port      os        osversion   osname
(masked)     (masked)     (masked)  WINDOWS   ?           ?

Thanks

Anitha

NageshK
Saviynt Employee

Hi @AnithaMavurapu 

For the details on the PAM_CONFIG parameters for Windows, please see the table in the section "Configuring 'PAM_Config' for Windows Workloads" of the article https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/E-Onboard-Target-Endpoint/Co.... The table explains all the parameters that you see in the PAM_CONFIG for Windows.

Regarding the Windows servers, EIC supports only Windows Server 2012 and above, and the bootstrapping process is the same for all such Windows servers.
Windows 10 is not supported.

For the values to be populated, please see the screenshot below. This is available in the on-prem onboarding article of the doc portal: https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/E-Onboard-Target-Endpoint/Di...

[Screenshot: NageshK_0-1689106564987.png]

Thanks

Nagesh K
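The bootstrap CSV columns shown in the question above (ipv4, dns_name, port, os, osversion, osname) are the kind of input where a bad row fails silently until the bootstrap error description surfaces it. The following is an added example, not Saviynt's code and not the sample file from the documentation, that pre-checks such a CSV before upload. The column names are the ones from this thread; everything else is an assumption of this example: that ipv4 must parse as an IPv4 address, that port must be within 1-65535, that os must read exactly WINDOWS, that duplicate ipv4 rows are an error, and that no column may be blank. The sample rows (hostnames, addresses and the port number) are constructed.

```python
# Added example (not Saviynt code, not the documentation's sample file): a
# pre-flight check for the on-prem bootstrap CSV. Column names are the ones
# shown in the thread; the acceptance rules and sample rows are assumptions.
import csv
import io
import ipaddress

EXPECTED_COLUMNS = ["ipv4", "dns_name", "port", "os", "osversion", "osname"]


def check_bootstrap_csv(text: str) -> list[str]:
    """Return one finding per problem, each prefixed with the CSV line number."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        return [f"header mismatch: expected {EXPECTED_COLUMNS}, got {reader.fieldnames}"]
    findings, seen_ips = [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        ip = (row["ipv4"] or "").strip()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            findings.append(f"line {line_no}: invalid ipv4 {ip!r}")
        else:
            # Two rows for one address would bootstrap the same host twice.
            if ip in seen_ips:
                findings.append(f"line {line_no}: duplicate ipv4 {ip}")
            seen_ips.add(ip)
        port = (row["port"] or "").strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"line {line_no}: port out of range {port!r}")
        os_value = (row["os"] or "").strip()
        if os_value != "WINDOWS":
            findings.append(f"line {line_no}: os must be WINDOWS, got {os_value!r}")
        for col in ("dns_name", "osversion", "osname"):
            if not (row[col] or "").strip():
                findings.append(f"line {line_no}: {col} is empty")
    return findings


# Constructed sample: one clean row and three rows with planted defects.
SAMPLE_CSV = (
    "ipv4,dns_name,port,os,osversion,osname\n"
    "10.0.0.5,vm01.example.internal,5985,WINDOWS,2019,Windows Server 2019\n"    # clean
    "10.0.0.6,vm02.example.internal,5985,windows,2022,Windows Server 2022\n"    # os not WINDOWS
    "10.0.0.300,vm03.example.internal,5985,WINDOWS,2019,Windows Server 2019\n"  # bad address
    "10.0.0.5,vm04.example.internal,70000,WINDOWS,2016,Windows Server 2016\n"   # duplicate ip, bad port
)

if __name__ == "__main__":
    for finding in check_bootstrap_csv(SAMPLE_CSV):
        print(finding)
```

Run it against the CSV you intend to upload; an empty result means the file passed these checks. Line numbers in the findings match the line numbers in the file, so a failed row can be corrected in place before the bootstrap job is triggered.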

AnithaMavurapu
New Contributor III

Thanks for your response, Nagesh.

Thanks

Anitha