Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

How to implement specific ID based privilege access through CPAM

Diwakar
Regular Contributor
Regular Contributor

We have onboarded few onprem windows server to CPAM and currently its being accessed via users own ids through JIT. We now have a requirement to access the onboarded servers through specific ids. For example, how to populate ids in below select ID so that end user can access the onboarded servers through other IDs along with their personal ids.

Diwakar_0-1722269748048.png

 

So, request experts to please guide on this implementation.

Thanks,

Diwakar.

 

 

29 REPLIES 29

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @Diwakar,

Are you talking about the shareable accout, will that account be shareable across multiple users,
if thats the case, just create the account in target, Add those accounts in pam config,  run pambootstaps on the securoty system, it will get imported and it will get pam enabled.

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Yes, Sudesh we want to use shareable account. I have some few more queries.

1. So where exactly that shared account has to be added in target?

2. Is that shared account to be added in below PAM config of Onprem connection?

Diwakar_0-1722415003145.png

3. If yes, then this PAM config doesn't include specific endpoint settings, if we add that shared account in this config will that not be bootstrapped for all servers? we want accounts to be bootstrapped for some specific servers only.

Thanks,

Diwakar.

Hello @Diwakar,

Yes, Sudesh we want to use shareable account. I have some few more queries.

1. So where exactly that shared account has to be added in target?
You need to check that from your infra team.

2. Is that shared account to be added in below PAM config of Onprem connection? Yes, it has be added.

sudeshjaiswal_0-1722418025499.png

 

3. If yes, then this PAM config doesn't include specific endpoint settings, if we add that shared account in this config will that not be bootstrapped for all servers? we want accounts to be bootstrapped for some specific servers only.


Update the EV query where those accounts have been created, so it will pick only those security systems.

Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi @sudeshjaiswal as suggested I tried to boot strap the with Onboarded Windows server security system after adding shared account to Onprem connection's PAM config but still shared account is not bootstrapped, and account is not showing under select ID option. 

Attaching PAM config for your reference, please suggest next.

Diwakar
Regular Contributor
Regular Contributor

@sudeshjaiswal /CPAM experts,

Can you please provide an update? We need this used case to be implemented on priority as a part of additional CPAM configuration.

Thanks,

Diwakar.

  1. Hello @Diwakar,

    Steps to Follow: 
  •  Create users in the target,
  • add them to the adminitrator group.
  • add those users in IDQUERY of the pam config under the external connection/connection. (PFA Screenshot below)

  • sudeshjaiswal_0-1723438366275.png
  • Save the connection.
  • Run the bootstarp job  on the provision connection.
    sudeshjaiswal_1-1723438432251.png

    Thanks.

     

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Thanks, Sudesh, I exactly did this and ran the bootstrap job again however shared account is still not showing under select ID option. Can we connect quickly whenever you are available for a short session?

Thanks,

Diwakar.

vikasjv
Saviynt Employee
Saviynt Employee

Hi Diwakar,

Could you please share the pamms logs while bootstrapping the instance?

Diwakar
Regular Contributor
Regular Contributor

Hi Vikas,

Sent to you the logs one to one over the message. Please check and advise further.

Thanks,

Diwakar.

Diwakar
Regular Contributor
Regular Contributor

@vikasjv @sudeshjaiswal Can you please suggest next?

Diwakar
Regular Contributor
Regular Contributor

@vikasjv @sudeshjaiswal Can you please update on the issue?

Hello @Diwakar,

Has the change password created for those accounts ?
Are those accounts visible under the endpoints?

Thanks.
If you find the above response useful, Kindly Mark it as "Accept As Solution".

Diwakar
Regular Contributor
Regular Contributor

@sudeshjaiswal Change password task didn't create however I can see the accounts visible under the endpoint. Please suggest next.

Hello @Diwakar,

Under PAM CONFIG, Why the same account name is given everywhere.
Give the account name seperately and which is not required, you can remove it.
Also can you confirm which type of account you are trying to bootstrap is it credential or credentialless.

and also while running the bootstrap job, only select the security system of this endpoint.

"IDQueryCredentials": "acc.name in ('cadmin-iam-prod')",
      "IDQueryCredentialless": "acc.name in ('cadmin-iam-prod')",
      "IDQueryCredentiallessViewPwd": "acc.name in ('cadmin-iam-prod')",
      "IDQueryDomainCredentialless": "acc.name in('cadmin-iam-prod') ",
      "IDQueryDomainCredentials": "acc.name in ('cadmin-iam-prod')"

Thanks.,

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Diwakar
Regular Contributor
Regular Contributor

@sudeshjaiswal We want to use credential-less, in documentation this was PAM config given so wherever IDQuery is there I updated as the acc.name as cadmin-iam-prod (this is the account created to access as shared account.) Please provide the correct syntax which can be used as in my requirement.

Diwakar
Regular Contributor
Regular Contributor

@sudeshjaiswal I tried using below shareable accounts but still its didn't worked. Unable to see the below shared account in 'Select ID'

"shareableAccounts": {
"IDQueryCredentials": "acc.name in ('cadmin-iam-prod')",
"IDQueryCredentialless": "acc.name in ('cadmin-iam-prod')",
"IDQueryCredentiallessViewPwd": "acc.name in ('cadmin-iam-prod')",
"IDQueryDomainCredentialless": "acc.name in('')",
"IDQueryDomainCredentials": "acc.name in ('')"
},

Please suggest further.

Hellop @Diwakar,

Can you validate the account name during the import? Please go to the admin page, locate the imported account, and ensure that the account name, including its case, matches exactly with the name in the PAM configuration file.

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

@sudeshjaiswal I just validated the account, its matching with name as per PAM config file.

Diwakar_0-1724146354975.png

Please suggest next!

Thanks,

Diwakar.

Diwakar
Regular Contributor
Regular Contributor

@sudeshjaiswal @vikasjv Any further update on the issue? This is impacting our implementation.

vikasjv
Saviynt Employee
Saviynt Employee

Hi Diwakar,

I couldn't find logs.
Could you please share the logs via email?

Diwakar
Regular Contributor
Regular Contributor

Hi Vikas,

I have sent the logs over email, please check and let me know the next steps or can we connect for some time to troubleshoot the issue together?

Thanks.

Diwakar.

Hello @Diwakar,

From the screenshot you shared, I can see that it's an AD account, though you didn’t mention it explicitly in your previous post. Since it’s an AD account, you need to onboard the domain account to the Windows machines by making changes in the "PAM_CONFIG" under the "WINDOWS" section. Currently, "processADAccount" is set to "false"; it should be set to "true".

The domain connections looks good, and in most cases, the "sAMAccountName" column will be mapped to "name".
Finally, ensure that you only mention the account name in the "IDQueryDomainCredentialless" section.

json
"processADAccount": "true",
"sAMAccountNameColumnMapping": "name",
"domainConnections": "Active Directory PAM"

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi Sudesh,

Thanks, I tried changing the process AD account to 'true' and then ran the boot strap job but again its not showing. Below is modified PAM config.

"WINDOWS": {
"defaultCredentialConnection": {
"connectionName": "Windows_Master_Connection",
"changeConnectionCredentials": false,
"MSConnectorVersion": "WINDOWS/1.0"
},
"defaultSecuritySystemDetails": {
"securitySystemName": "new",
"workflow": "AOBAutoApproveWF",
"passwordPolicy": "PAM_Password_Policy"
},
"shareableAccounts": {
"IDQueryCredentials": "acc.name in ('cadmin-iam-prod')",
"IDQueryCredentialless": "acc.name in ('cadmin-iam-prod')",
"IDQueryCredentiallessViewPwd": "acc.name in ('cadmin-iam-prod')",
"IDQueryDomainCredentialless": "acc.name in('')",
"IDQueryDomainCredentials": "acc.name in ('')"
},
"processADAccount": "true",
"sAMAccountNameColumnMapping": "name",
"reconciledAccountAction": "NONE",
"domainConnections": "Active Directory PAM",

Please suggest next.

Thanks,

Diwakar.

Diwakar
Regular Contributor
Regular Contributor

Hi @vikasjv @sudeshjaiswal Any further suggestion to fix this issue? I also noticed after changing "processADAccount": "true", from "false" that endpoint's PAM enabled option is getting disabled.

Can we connect as per your availability to work on this issue?

Thanks,

Diwakar.

Hello Diwakar,

Can you add those domainaccount in the 
"IDQueryDomainCredentialless": "acc.name in('')",
"IDQueryDomainCredentials": "acc.name in ('')"

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi @sudeshjaiswal ,

Previously I already tried as per below, but it still didn't work. Any further suggestion please!

Diwakar_0-1724834452914.png

Thanks,

Diwakar.

Diwakar
Regular Contributor
Regular Contributor

@sudeshjaiswal Any further suggestion? Let me know the next step please.

Thanks,

Diwakar.

Diwakar
Regular Contributor
Regular Contributor

@sudeshjaiswal Any further updates please?

Thanks,

Diwakar.

Hello @Diwakar,

Please log the support ticket for further troubleshooting.

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".