How to extract the PIDs onboarded for each application in CPAM

NaveenBattini
New Contributor

Hi All,

Could someone please suggest how to extract the PIDs onboarded for each application in CPAM?


NageshK
Saviynt Employee

@NaveenBattini Thanks for posting your question. Can you clarify on what PID you are referring to? Are you referring to the Endpoint Key that is assigned for each endpoint (application) getting created on Saviynt side? Or is it some metadata that exists on the target and gets imported to Saviynt during Account/Access Import?

Thanks,

Nagesh K

Hi Nagesh, 

Thank you for responding to my query.

To provide more clarity, we have 2 things to be noted:

1. Once we onboard endpoints on to CPAM, accounts will be bootstrapped on to CPAM, where we need a query to pull the accounts which are enabled and used by the application teams and Infra teams, excluding the default accounts/IDs which are created at the time of server provisioning.

2. Customer is requesting to pull the accounts/IDs used by the internal application teams.

Please let us know whether this is feasible in CPAM, to pull the reports for the above 2 points. It would be great if you could customize the query and share it with us to pull the reports.

Thanks,

Naveen B.

You might have defined in your PAM_CONFIG what IDs are to be bootstrapped, right? What is the condition you have used? Can you please share it? Especially these two parameters:

"IDQueryCredentials": "acc.name in ('')",

"IDQueryCredentialless": "acc.name in ('')"


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Hi Saathvik,

As suggested by the product team, we have updated dummy values for this attribute under pam_config, as bulk uploading does not progress if we leave this field empty; moreover, since the customer environment has 1000+ endpoints, it wasn't feasible to update individual endpoints at the time of onboarding.

"IDQueryCredentials": "acc.name in ('cpamuser1')",
"IDQueryCredentialless": "acc.name in ('cpamuser2')"

Now the environment is already live and supporting 1000+ endpoints. Hence, we are looking to extract the report for accounts/IDs which are enabled and used by application teams and other teams (excluding the default ones).

Thanks,

Naveen B.

If you are using the below config, then only the cpamuser1 & cpamuser2 IDs will be PAM_ENABLED in all respective endpoints.

"IDQueryCredentials": "acc.name in ('cpamuser1')",
"IDQueryCredentialless": "acc.name in ('cpamuser2')"


Anyway, you can use the below query to identify the accounts that are enabled for PAM:

SELECT a.ACCOUNTKEY,
       a.NAME AS ACCOUNTNAME,
       a.ACCOUNTCONFIG,
       e.ENDPOINTNAME,
       ua.USERKEY,
       u.USERNAME,
       u.SYSTEMUSERNAME,
       u.EMAIL
FROM ACCOUNTS a
INNER JOIN ENDPOINTS e ON a.ENDPOINTKEY = e.ENDPOINTKEY
INNER JOIN endpoints_properties AS ep ON e.ENDPOINTKEY = ep.ENDPOINTKEY
    AND ep.PAM_STATE = 'ENABLED'
    AND a.ACCOUNTCONFIG LIKE '%"pamState":"ENABLED"%'
    AND (a.STATUS = '1'
         OR a.STATUS = 'Manually Provisioned')
LEFT JOIN USER_ACCOUNTS ua ON a.ACCOUNTKEY = ua.ACCOUNTKEY
LEFT JOIN USERS u ON ua.USERKEY = u.USERKEY;


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Hi Saathvik,

Since we had 1000+ endpoints in the client environment, we were unable to change the PAM config for every individual application/target endpoint as recommended by the Saviynt team.

We have tried the above query, and the report shows only 450+ endpoints as per the query, but we have onboarded 1000+, which includes Unix, Windows, Database, SaaS applications, AWS EC2 instances and NW devices. Could you please share with us the customized query to get the complete asset list and the IDs which are configured for the respective endpoints?

Please let us know if you need any other information.

Thanks,
Naveen B.

NageshK
Saviynt Employee

@NaveenBattini You have two analytic controls out of the box to get this information:

1. PAM controlled Endpoints: This will give you the list of all PAM Enabled Endpoints.

2. PAMEnabledAndPlatformServiceAccount: This will give you the list of all PAM Enabled accounts, including platform service accounts that are not PAM enabled. But once you generate the report and download the Excel/CSV, you can easily filter out platform service accounts using the account type column.

Please try these and let us know how it goes. 

Thanks,

Nagesh K

NageshK
Saviynt Employee

@NaveenBattini actually, this control "PAMEnabledAndPlatformServiceAccount" will list only those accounts for which password rotation is enabled. For some endpoints you may have added the rotatKey property as false to indicate that the password should not get rotated for accounts of such endpoints.

If you have not used the generic credential vault feature so far, you will be fine using the control. Either way, I will provide you with another query to use, which will consider every PAM enabled account. Also, do you need JIT accounts to be included in your report as well?

Thanks,

Nagesh K

NageshK
Saviynt Employee

@NaveenBattini please try the below query for fetching the list of all privileged accounts (excludes JIT accounts):

SELECT ac.ACCOUNTKEY AS ID,
       ac.accountid AS 'accountid',
       ac.NAME AS 'Account Name',
       ac.accounttype AS 'Account Type',
       ep.ENDPOINTNAME AS 'EndpointName',
       ep.DISPLAYNAME AS 'Endpoint Display Name',
       epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
    AND ep.status = 1
    AND ac.status IN (1, 'Manually Provisioned')
    AND ((ac.accounttype IS NOT NULL AND ac.accounttype != '')
         AND ac.ACCOUNTCONFIG LIKE '%"pamState":"ENABLED"%')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%')
INNER JOIN endpoints_properties epp ON ep.ENDPOINTKEY = epp.ENDPOINTKEY;

Thanks

Nagesh K
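An added example, not code from this thread or from Saviynt: it rebuilds the final query above over a constructed SQLite stand-in for the accounts, endpoints and endpoints_properties tables, and adds the two exclusions Naveen asked for, the dummy bootstrap IDs from PAM_CONFIG (cpamuser1, cpamuser2) and an account type used to mark platform service accounts. The column subsets, the sample rows and the "platform" account type value are assumptions for this example only.

```python
import sqlite3

# Constructed, minimal stand-ins for the Saviynt tables used in the thread
# (the real schemas carry many more columns). Assumed for this example only.
SCHEMA = """
CREATE TABLE accounts (ACCOUNTKEY INTEGER, accountid TEXT, NAME TEXT,
    accounttype TEXT, ENDPOINTKEY INTEGER, status TEXT, ACCOUNTCONFIG TEXT);
CREATE TABLE endpoints (ENDPOINTKEY INTEGER, ENDPOINTNAME TEXT, DISPLAYNAME TEXT, status INTEGER);
CREATE TABLE endpoints_properties (ENDPOINTKEY INTEGER, PAM_STATE TEXT, PLATFORM_TYPE TEXT);
"""
# Constructed sample rows: bootstrap dummy IDs, a real app ID, a platform
# service account (assumed type "platform"), a JIT account and a disabled one.
ENDPOINTS = [(1, "unix-app01", "Unix App 01", 1), (2, "win-db01", "Windows DB 01", 1)]
PROPERTIES = [(1, "ENABLED", "UNIX"), (2, "ENABLED", "WINDOWS")]
ACCOUNTS = [
    (10, "cpamuser1", "cpamuser1", "privileged", 1, "1", '{"pamState":"ENABLED"}'),
    (11, "appsvc", "appsvc", "privileged", 1, "1", '{"pamState":"ENABLED"}'),
    (12, "root", "root", "platform", 1, "Manually Provisioned", '{"pamState":"ENABLED"}'),
    (13, "jit_user", "jit_user", "privileged", 2, "1", '{"pamState":"ENABLED","justInTime":"true"}'),
    (14, "cpamuser2", "cpamuser2", "privileged", 2, "1", '{"pamState":"ENABLED"}'),
    (15, "dbadmin", "dbadmin", "privileged", 2, "1", '{"pamState":"DISABLED"}'),
]
BOOTSTRAP_IDS = ("cpamuser1", "cpamuser2")  # dummy IDs from the thread's PAM_CONFIG


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO endpoints VALUES (?,?,?,?)", ENDPOINTS)
    conn.executemany("INSERT INTO endpoints_properties VALUES (?,?,?)", PROPERTIES)
    conn.executemany("INSERT INTO accounts VALUES (?,?,?,?,?,?,?)", ACCOUNTS)
    return conn


def pam_enabled_accounts(conn, exclude_ids=(), exclude_types=()):
    """PAM-enabled, non-JIT accounts on enabled endpoints, minus the named
    bootstrap IDs and account types. Exclusions are bound as parameters."""
    id_marks = ",".join("?" * len(exclude_ids)) or "''"
    type_marks = ",".join("?" * len(exclude_types)) or "''"
    sql = f"""
    SELECT ac.ACCOUNTKEY, ac.NAME, ac.accounttype, ep.ENDPOINTNAME, epp.PLATFORM_TYPE
    FROM accounts ac
    INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY AND ep.status = 1
    INNER JOIN endpoints_properties epp ON ep.ENDPOINTKEY = epp.ENDPOINTKEY
        AND epp.PAM_STATE = 'ENABLED'
    WHERE ac.status IN ('1', 'Manually Provisioned')
      AND ac.accounttype IS NOT NULL AND ac.accounttype != ''
      AND ac.ACCOUNTCONFIG LIKE '%"pamState":"ENABLED"%'
      AND ac.ACCOUNTCONFIG NOT LIKE '%"justInTime":"true"%'
      AND ac.NAME NOT IN ({id_marks}) AND ac.accounttype NOT IN ({type_marks})
    ORDER BY ac.ACCOUNTKEY"""
    return conn.execute(sql, (*exclude_ids, *exclude_types)).fetchall()
```

Calling pam_enabled_accounts(build_demo_db(), BOOTSTRAP_IDS, ("platform",)) leaves only the appsvc row; with no exclusions the bootstrap IDs and the platform account come back as well, which is the gap Naveen describes.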