04/17/2023 07:43 AM
Hello Everyone,
If you have configured a CPAM setup with Azure, could you please provide/share the "PAM config" JSON? Any reference links or process steps would be appreciated. Thanks in advance.
Thanks, Anitha Mavurapu
04/24/2023 06:24 AM
@AnithaMavurapu Thanks for posting your question. As of today, automated bootstrapping (onboarding Azure workloads using the bootstrap job) is not supported. However, they can be onboarded as on-prem workloads using the on-prem onboarding approach. In this case users will find the workloads under New Privileged Access -> Onprem Tile instead of the Azure tile. Here is the article that explains the process for on-prem onboarding:
https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/E-Onboard-Target-Endpoint/On...
Thanks,
Nagesh K
04/24/2023 08:30 PM
Hi Nagesh, thanks for your reply. Could you please elaborate on the on-premise procedure to connect to Azure? How can I make the target endpoint Azure through the on-premise (Windows) approach?
Thanks in advance.
09/26/2023 09:54 AM
Hi Nagesh,
There is a customer requirement to onboard the Azure workload using CPAM. Please confirm if this functionality is available through the design console.
04/27/2023 07:23 AM
@AnithaMavurapu In this approach, you do not need to connect to the Azure platform. Azure workloads will be considered as on-prem workloads, so the only details required to onboard them are the details present in the master-unix and master-windows connections.
Once you create the on-prem connection, security system and endpoint and configure them, you are good to trigger the bootstrap using the CSV file.
Thanks,
Nagesh K
05/08/2023 06:55 AM
Hi Nagesh, Thanks for your reply.
05/25/2023 11:22 AM
Hi Nagesh,
As discussed in today's CPAM office hours, here are the questions we need your help with. Could you please look into the questions below and provide us the detailed information?
Thanks
Anitha Mavurapu
05/26/2023 01:29 PM
@AnithaMavurapu please find below responses inline
Thanks,
Nagesh K
05/30/2023 09:09 AM
Hi Nagesh,
Anitha is OOO today, so I thought I would provide some clarity on the items you had questions on. Please see below for our questions and provide your answers as soon as possible. If needed, please call me today for further clarity (see email signature for number).
4. Is it correct for Local Machines, e.g. 3 VMs, that 1 account is created and the account password is rotated for each VM? And if so, how does the Local Machine process differ from, or is it the same as, the Domain Joined setup? i.e. what do Local Machines and Domain Joined need in order to be set up for CPAM (accounts, access, etc.)?
4a. Please explain/provide clarity on how the passwords are rotated for Local Machines and Domain Joined.
4b. What accounts are needed to set up the VMs, and how are those accounts set up?
Thank you,
Nora Meehan
06/26/2023 06:56 AM
Hi Nagesh,
I am not sure and confused about how we are getting or communicating between the VM and the Azure App.
Could you please help me understand how VMs get workloads from Azure Apps? Is there any additional configuration that needs to be done on the VMs?
Thanks
Anitha Mavurapu
06/26/2023 09:11 AM
@AnithaMavurapu As discussed in the SME office hours call, the use case here is to onboard VMs hosted in Azure and not the Azure Apps. Once you have the prerequisites available, you should be able to start onboarding them using the CSV method outlined in the on-prem onboarding article.
Thanks,
Nagesh K
06/27/2023 06:06 AM
Thanks for the response Nagesh.
06/28/2023 06:19 AM
Hi Nagesh,
What kind of accounts need to be created for shareable accounts? Could you please be more specific on the available/desired shareable accounts? I am assuming they should be domain accounts; what kind of permissions should they have? Thanks in advance.
"shareableAccounts": {
"IDQueryCredentials": "acc.name in ('winadmin')",
"IDQueryCredentialless": "acc.name in ('maintadmin','cpamadmin')",
"IDQueryDomainCredentialless": "acc.name in ('ADuser1','ADuser2')",
"IDQueryDomainCredentials": "acc.name in ('ADSharedUser5','ADSharedUser22')"
},
Thanks
Anitha Mavurapu
06/28/2023 07:04 AM
06/29/2023 07:09 AM
Hi Nagesh,
Here are the questions from our customer:
Thanks
Anitha Mavurapu
06/30/2023 08:03 AM
Hi Nagesh,
Below is the "PAM_Config" from the on-premise connection to onboard the Windows Azure workloads to Saviynt.
1. Could you please support us with the JSON items shown in bold? Are they required or not in this use case (on-prem Windows Azure workload onboarding)?
2. Is it okay if we take care of password rotation of the master account as a separate use case and do it later ["changeConnectionCredentials": false]?
3. As discussed in the CPAM SME call yesterday, I updated the shareable accounts section to blank due to the JIT access requirement.
PAM_Config:
{
"Connection": "On-Premise",
"encryptionMechanism": "ENCRYPTED",
"EVQuery": "",
"WINDOWS": {
"defaultCredentialConnection": {
"connectionName": "Windows_Master_Connection_Azure",
"changeConnectionCredentials": false,
"MSConnectorVersion": "WINDOWS/1.0"
},
"defaultSecuritySystemDetails": {
"securitySystemName": " On-Premise_Azure",
"workflow": "AOBAutoApproveWF",
"passwordPolicy": ""
},
"shareableAccounts": {
"IDQueryCredentials": "",
"IDQueryCredentialless": "",
"IDQueryDomainCredentialless": " ",
"IDQueryDomainCredentials": ""
},
"processADAccount": false,
"sAMAccountNameColumnMapping": "",
"reconciledAccountAction": "NONE",
"domainConnections": "",
"maxCredSessionRequestTime": "36000",
"maxCredlessSessionRequestTime": "36000",
"maxIDRequestableTime": "2592000",
"endpointAttributeMappings": [
{
"column": "accessquery",
"value": "where users.USERNAME is not null",
"feature": "endpointAccessQuery"
},
{
"column": "allowChangePassword_sqlquery",
"value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
"feature": "allowChangepasswordquery"
},
{
"column": "customproperty43",
"value": "PAMDefaultUserAccountAccessControl",
"feature": "accountVisibilityControl"
}
],
"endpointPamConfig": {
"maxConcurrentSession": "50"
},
"accountVisibilityConfig": {
"accountCustomProperty": "customproperty55",
"accountMappingConfig": [
{
"accountPattern": "cpamuser*",
"mappingData": "roletest1",
"override": "false"
},
{
"accountPattern": "cpamuser1,cpamuser2",
"mappingData": "roletest2",
"override": "false"
}
]
}
}
}
Thanks in Advance
Anitha Mavurapu
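The thread later found that stray spaces in a connection name broke the master connection (see the 07/06 update), and the JSON above carries a leading space in "securitySystemName" and a lone space in "IDQueryDomainCredentialless". As an added example (not Saviynt's code or any part of the original post), here is a small pre-flight lint for a PAM_Config document: it flags whitespace-padded string values, a disabled master credential rotation, and an empty password policy. The embedded config is a constructed abbreviation of the one posted above; the severity wording and the choice of checks are my assumptions.

```python
import json

# Constructed sample: an abbreviated PAM_Config in the shape posted in this
# thread, keeping the whitespace-padded values from the original post.
SAMPLE_PAM_CONFIG = json.loads("""
{
  "Connection": "On-Premise",
  "encryptionMechanism": "ENCRYPTED",
  "WINDOWS": {
    "defaultCredentialConnection": {
      "connectionName": "Windows_Master_Connection_Azure",
      "changeConnectionCredentials": false,
      "MSConnectorVersion": "WINDOWS/1.0"
    },
    "defaultSecuritySystemDetails": {
      "securitySystemName": " On-Premise_Azure",
      "workflow": "AOBAutoApproveWF",
      "passwordPolicy": ""
    },
    "shareableAccounts": {
      "IDQueryCredentials": "",
      "IDQueryDomainCredentialless": " "
    },
    "processADAccount": false
  }
}
""")


def lint_pam_config(cfg):
    """Return a list of (json_path, message) findings for a PAM_Config dict."""
    findings = []

    def walk(node, path):
        # Recursively visit every string value and report padding whitespace,
        # which the forum thread identified as a cause of connection failures.
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, str) and node != node.strip():
            findings.append(("/".join(path), "leading/trailing whitespace in value"))

    walk(cfg, [])
    win = cfg.get("WINDOWS", {})
    if win.get("defaultCredentialConnection", {}).get("changeConnectionCredentials") is False:
        findings.append(("WINDOWS/defaultCredentialConnection/changeConnectionCredentials",
                         "master credential rotation disabled; track as a follow-up item"))
    if not win.get("defaultSecuritySystemDetails", {}).get("passwordPolicy"):
        findings.append(("WINDOWS/defaultSecuritySystemDetails/passwordPolicy",
                         "passwordPolicy is empty"))
    return findings
```

Run `lint_pam_config(json.load(open("pam_config.json")))` against the real file before triggering the bootstrap job; an empty list means none of these checks fired.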
07/06/2023 11:11 AM
Hi Nagesh,
Could you please explain once again the items in the PAM_Config JSON above that are shown in bold?
Thanks
Anitha
07/03/2023 06:57 AM
Hi Nagesh,
During our working session with the customer we attempted to complete the on-prem Windows server/VM bootstrapping process. Our CPAM master connection for on-prem Windows was failing with a "500 internal error" first, and after a few changes it failed with a 401 error. 401 implies an unauthorized error; could you please support with setting up the right permissions and making a successful connection?
The error says empty password in the log, but the password was actually provided before making a test connection.
Thanks
Anitha Mavurapu
07/03/2023 07:22 AM - edited 07/03/2023 07:23 AM
Please find the below error screenshot:
07/05/2023 12:26 PM
Did you select the credential vault connection, and did you also check Save in Vault while storing the password initially?
07/05/2023 12:49 PM
Yes Saathvik, I did select 'Credential Vault Connection' and did check 'Save In Vault' option initially.
Thanks,
Anitha
07/05/2023 01:13 PM
@AnithaMavurapu Please verify the following:
Thanks
Nagesh K
07/06/2023 11:04 AM
Hi Nagesh,
As discussed and updated in today's CPAM SME call, I created a new Windows master connection, which is successful now (FYI, I did try changing the name in the old connection to remove the spaces, but it still failed, so I created a new connection).
Thanks
Anitha
07/10/2023 09:31 AM
Hi Nagesh,
Thanks
Anitha
07/10/2023 09:45 AM
Hi Nagesh,
As requested in today's CPAM SME call and the last call, could you please provide more details on the bold section below from the PAM_Config JSON? Thanks in advance.
PAM_Config:
{
"Connection": "On-Premise",
"encryptionMechanism": "ENCRYPTED",
"EVQuery": "",
"WINDOWS": {
"defaultCredentialConnection": {
"connectionName": "CPAM-MasterConnection-ActiveDirectory",
"changeConnectionCredentials": false,
"MSConnectorVersion": "WINDOWS/1.0"
},
"defaultSecuritySystemDetails": {
"securitySystemName": " On-Premise_Azure",
"workflow": "AOBAutoApproveWF",
"passwordPolicy": ""
},
"shareableAccounts": {
"IDQueryCredentials": "",
"IDQueryCredentialless": "",
"IDQueryDomainCredentialless": " ",
"IDQueryDomainCredentials": ""
},
"processADAccount": false,
"sAMAccountNameColumnMapping": "",
"reconciledAccountAction": "NONE",
"domainConnections": "",
"maxCredSessionRequestTime": "36000",
"maxCredlessSessionRequestTime": "36000",
"maxIDRequestableTime": "2592000",
"endpointAttributeMappings": [
{
"column": "accessquery",
"value": "where users.USERNAME is not null",
"feature": "endpointAccessQuery"
},
{
"column": "allowChangePassword_sqlquery",
"value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
"feature": "allowChangepasswordquery"
},
{
"column": "customproperty43",
"value": "PAMDefaultUserAccountAccessControl",
"feature": "accountVisibilityControl"
}
],
"endpointPamConfig": {
"maxConcurrentSession": "50"
},
"accountVisibilityConfig": {
"accountCustomProperty": "customproperty55",
"accountMappingConfig": [
{
"accountPattern": "cpamuser*",
"mappingData": "roletest1",
"override": "false"
},
{
"accountPattern": "cpamuser1,cpamuser2",
"mappingData": "roletest2",
"override": "false"
}
]
}
}
}
Thanks
Anitha
07/11/2023 05:03 AM - edited 07/11/2023 05:14 AM
Hi Nagesh,
Could you please provide the details of the JSON below (part of PAM_JSON)? To which accounts does this password policy apply?
"defaultSecuritySystemDetails": {
"securitySystemName": "Onpremise-Windows-CPAM",
"workflow": "AOBAutoApproveWF_CPAM",
"passwordPolicy": "AOBApplicationPasswordPolicy-CPAM"
},
Thanks
Anitha
07/11/2023 07:30 AM
This password policy gets applied to any account that is available on that particular endpoint.
07/11/2023 09:22 AM
Thanks for the response Saathvik.
07/11/2023 05:45 AM
Hi Nagesh,
Are there any differences between Windows versions in how they interact/behave with Saviynt for bootstrapping? i.e. are there any differences in the bootstrapping process for Windows version 10 vs. Windows version 2022? And in the format below, what are osversion and osname?
ipv4 | dns_name | port | os | osversion | osname |
***.**.*.** | ************* | **** | WINDOWS | ? | ? |
Thanks
Anitha
07/11/2023 01:17 PM
Hi @AnithaMavurapu
For the details on the PAM_CONFIG parameters for Windows, please see the table in the section "Configuring 'PAM_Config' for Windows Workloads" of the article https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/E-Onboard-Target-Endpoint/Co.... The table explains all the parameters that you see in the PAM_CONFIG for Windows.
Regarding the Windows servers, EIC supports only Windows Server 2012 and above, and the bootstrapping process is the same for all such Windows servers.
Windows 10 is not supported.
For the values to be populated, please see the screenshot below. This is available in the on-prem onboarding article of the doc portal: https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/E-Onboard-Target-Endpoint/Di...
Thanks
Nagesh K
07/13/2023 04:27 AM
Thanks for your response Nagesh.
Thanks
Anitha