
How to implement specific-ID-based privileged access through CPAM

Diwakar
Regular Contributor

We have onboarded a few on-prem Windows servers to CPAM, and currently they are being accessed via the users' own IDs through JIT. We now have a requirement to access the onboarded servers through specific IDs. For example, how do we populate IDs in the Select ID dropdown below so that the end user can access the onboarded servers through other IDs along with their personal IDs?

[Screenshot attached: Diwakar_0-1722269748048.png]

So I request the experts to please guide me on this implementation.

Thanks,

Diwakar.

29 replies

sudeshjaiswal
Saviynt Employee

Hello @Diwakar,

Are you talking about a shareable account, i.e. will that account be shareable across multiple users?
If that's the case, just create the account in the target, add those accounts in the PAM config, and run PAM bootstrap on the security system; the account will get imported and PAM-enabled.

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Yes, Sudesh, we want to use a shareable account. I have a few more queries.

1. So where exactly does that shared account have to be added in the target?

2. Is that shared account to be added in the PAM config of the on-prem connection below?

[Screenshot attached: Diwakar_0-1722415003145.png]

3. If yes, then this PAM config doesn't include specific endpoint settings. If we add that shared account in this config, won't it be bootstrapped for all servers? We want accounts to be bootstrapped for some specific servers only.

Thanks,

Diwakar.

Hello @Diwakar,

"Yes, Sudesh, we want to use a shareable account. I have a few more queries.

1. So where exactly does that shared account have to be added in the target?"

You need to check that with your infra team.

"2. Is that shared account to be added in the PAM config of the on-prem connection below?"

Yes, it has to be added.

[Screenshot attached: sudeshjaiswal_0-1722418025499.png]

"3. If yes, then this PAM config doesn't include specific endpoint settings. If we add that shared account in this config, won't it be bootstrapped for all servers? We want accounts to be bootstrapped for some specific servers only."

Update the EV query where those accounts have been created, so it will pick only those security systems.

Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi @sudeshjaiswal, as suggested I tried to bootstrap with the onboarded Windows server security system after adding the shared account to the on-prem connection's PAM config, but the shared account is still not bootstrapped, and the account is not showing under the Select ID option.

Attaching PAM config for your reference, please suggest next.

Diwakar
Regular Contributor

@sudeshjaiswal /CPAM experts,

Can you please provide an update? We need this use case to be implemented on priority as part of the additional CPAM configuration.

Thanks,

Diwakar.

Hello @Diwakar,

Steps to follow:
• Create the users in the target.
• Add them to the Administrators group.
• Add those users in the IDQUERY of the PAM config under the external connection/connection. (PFA screenshot below)
[Screenshot attached: sudeshjaiswal_0-1723438366275.png]
• Save the connection.
• Run the bootstrap job on the provisioning connection.
[Screenshot attached: sudeshjaiswal_1-1723438432251.png]

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Thanks, Sudesh, I did exactly this and ran the bootstrap job again; however, the shared account is still not showing under the Select ID option. Can we connect quickly for a short session whenever you are available?

Thanks,

Diwakar.

vikasjv
Saviynt Employee

Hi Diwakar,

Could you please share the pamms logs while bootstrapping the instance?

Diwakar
Regular Contributor

Hi Vikas,

I have sent you the logs one-to-one over a message. Please check and advise further.

Thanks,

Diwakar.

Diwakar
Regular Contributor

@vikasjv @sudeshjaiswal Can you please suggest next?

Diwakar
Regular Contributor

@vikasjv @sudeshjaiswal Can you please update on the issue?

Hello @Diwakar,

Has the change password task been created for those accounts?
Are those accounts visible under the endpoints?

Thanks.
If you find the above response useful, Kindly Mark it as "Accept As Solution".

Diwakar
Regular Contributor

@sudeshjaiswal The change password task didn't get created; however, I can see the accounts visible under the endpoint. Please suggest next.

Hello @Diwakar,

Under PAM CONFIG, why is the same account name given everywhere?
Give the account name separately, and whichever entry is not required, you can remove it.
Also, can you confirm which type of account you are trying to bootstrap: is it credential or credentialless?

And also, while running the bootstrap job, only select the security system of this endpoint.

"IDQueryCredentials": "acc.name in ('cadmin-iam-prod')",
"IDQueryCredentialless": "acc.name in ('cadmin-iam-prod')",
"IDQueryCredentiallessViewPwd": "acc.name in ('cadmin-iam-prod')",
"IDQueryDomainCredentialless": "acc.name in('cadmin-iam-prod') ",
"IDQueryDomainCredentials": "acc.name in ('cadmin-iam-prod')"

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Diwakar
Regular Contributor

@sudeshjaiswal We want to use credentialless. In the documentation this PAM config was given, so wherever IDQuery appears I updated acc.name to cadmin-iam-prod (this is the account created for access as a shared account). Please provide the correct syntax that can be used for my requirement.

Diwakar
Regular Contributor

@sudeshjaiswal I tried using the shareable accounts below, but it still didn't work. I am unable to see the shared account below in 'Select ID'.

"shareableAccounts": {
  "IDQueryCredentials": "acc.name in ('cadmin-iam-prod')",
  "IDQueryCredentialless": "acc.name in ('cadmin-iam-prod')",
  "IDQueryCredentiallessViewPwd": "acc.name in ('cadmin-iam-prod')",
  "IDQueryDomainCredentialless": "acc.name in('')",
  "IDQueryDomainCredentials": "acc.name in ('')"
},

Please suggest further.

Hello @Diwakar,

Can you validate the account name during the import? Please go to the admin page, locate the imported account, and ensure that the account name, including its case, matches exactly with the name in the PAM configuration file.

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

@sudeshjaiswal I just validated the account; its name matches the PAM config file.

[Screenshot attached: Diwakar_0-1724146354975.png]

Please suggest next!

Thanks,

Diwakar.

Diwakar
Regular Contributor

@sudeshjaiswal @vikasjv Any further update on the issue? This is impacting our implementation.

vikasjv
Saviynt Employee

Hi Diwakar,

I couldn't find logs.
Could you please share the logs via email?

Diwakar
Regular Contributor

Hi Vikas,

I have sent the logs over email. Please check and let me know the next steps, or can we connect for some time to troubleshoot the issue together?

Thanks.

Diwakar.

Hello @Diwakar,

From the screenshot you shared, I can see that it's an AD account, though you didn’t mention it explicitly in your previous post. Since it’s an AD account, you need to onboard the domain account to the Windows machines by making changes in the "PAM_CONFIG" under the "WINDOWS" section. Currently, "processADAccount" is set to "false"; it should be set to "true".

The domain connection looks good, and in most cases the "sAMAccountName" column will be mapped to "name".
Finally, ensure that you mention the account name only in the "IDQueryDomainCredentialless" section.

"processADAccount": "true",
"sAMAccountNameColumnMapping": "name",
"domainConnections": "Active Directory PAM"

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".
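The checks raised in this thread (account names in the IDQuery strings must match the imported account name exactly, including case; an AD account needs processADAccount set to true, a domain connection, and a listing in one of the IDQueryDomain* queries; at least one query must actually select an account) can be run locally before rebooting the bootstrap job. The following is an added example, not Saviynt's code; it assumes only the field names and the "acc.name in ('...')" query shape shown in the config fragments posted above, and the sample config and imported-account list are constructed for the example.

```python
import re

# Constructed sample of the PAM_CONFIG "WINDOWS" section, shaped like the
# fragments posted in this thread. Values are invented for the example.
SAMPLE_WINDOWS_CONFIG = {
    "shareableAccounts": {
        "IDQueryCredentials": "acc.name in ('cadmin-iam-prod')",
        "IDQueryCredentialless": "acc.name in ('cadmin-iam-prod')",
        "IDQueryCredentiallessViewPwd": "acc.name in ('cadmin-iam-prod')",
        "IDQueryDomainCredentialless": "acc.name in('')",
        "IDQueryDomainCredentials": "acc.name in ('')",
    },
    "processADAccount": "false",
    "sAMAccountNameColumnMapping": "name",
    "domainConnections": "Active Directory PAM",
}

# Constructed list of accounts as the admin page would show them after import.
# "domain" marks an AD account; the name deliberately differs in case.
SAMPLE_IMPORTED_ACCOUNTS = [
    {"name": "CADMIN-IAM-PROD", "domain": True},
    {"name": "localsvc", "domain": False},
]

# Matches the only IDQuery shape used in this thread: acc.name in ('a','b')
IN_LIST_RE = re.compile(r"acc\.name\s+in\s*\((.*?)\)", re.IGNORECASE)


def names_from_idquery(query):
    """Return the quoted account names inside an "acc.name in (...)" query."""
    match = IN_LIST_RE.search(query or "")
    if not match:
        return []
    parts = (p.strip().strip("'\"") for p in match.group(1).split(","))
    return [p for p in parts if p]


def lint_windows_pam_config(config, imported_accounts):
    """Return a list of findings that would keep shared accounts out of
    'Select ID'. An empty list means no problem was found."""
    findings = []
    shareable = config.get("shareableAccounts", {})
    exact = {a["name"] for a in imported_accounts}
    by_lower = {a["name"].lower(): a["name"] for a in imported_accounts}
    domain_names = [a["name"] for a in imported_accounts if a["domain"]]

    selected_any = False
    domain_query_names = set()
    for key, query in shareable.items():
        names = names_from_idquery(query)
        if names:
            selected_any = True
        if key.startswith("IDQueryDomain"):
            domain_query_names.update(n.lower() for n in names)
        for name in names:
            if name in exact:
                continue  # exact match, including case
            if name.lower() in by_lower:
                findings.append(
                    f"{key}: '{name}' differs in case from imported "
                    f"account '{by_lower[name.lower()]}'"
                )
            else:
                findings.append(f"{key}: '{name}' is not an imported account")

    if not selected_any:
        findings.append("no IDQuery selects any account")

    # AD accounts need the domain path: processADAccount, a domain connection
    # and a listing in one of the IDQueryDomain* queries.
    if domain_names:
        if str(config.get("processADAccount", "false")).lower() != "true":
            findings.append("processADAccount must be 'true' for domain accounts")
        if not config.get("domainConnections"):
            findings.append("domainConnections is empty")
        for name in domain_names:
            if name.lower() not in domain_query_names:
                findings.append(
                    f"domain account '{name}' is not listed in any IDQueryDomain* query"
                )
    return findings


if __name__ == "__main__":
    for line in lint_windows_pam_config(SAMPLE_WINDOWS_CONFIG, SAMPLE_IMPORTED_ACCOUNTS):
        print("FINDING:", line)
```

Run against the sample it reports the three case mismatches in the local-account queries, the processADAccount flag still at "false", and the domain account missing from both IDQueryDomain* queries; a config with the domain account named, in matching case, only in IDQueryDomainCredentialless and processADAccount set to "true" produces no findings.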

Hi Sudesh,

Thanks. I tried changing processADAccount to 'true' and then ran the bootstrap job, but again it's not showing. Below is the modified PAM config.

"WINDOWS": {
  "defaultCredentialConnection": {
    "connectionName": "Windows_Master_Connection",
    "changeConnectionCredentials": false,
    "MSConnectorVersion": "WINDOWS/1.0"
  },
  "defaultSecuritySystemDetails": {
    "securitySystemName": "new",
    "workflow": "AOBAutoApproveWF",
    "passwordPolicy": "PAM_Password_Policy"
  },
  "shareableAccounts": {
    "IDQueryCredentials": "acc.name in ('cadmin-iam-prod')",
    "IDQueryCredentialless": "acc.name in ('cadmin-iam-prod')",
    "IDQueryCredentiallessViewPwd": "acc.name in ('cadmin-iam-prod')",
    "IDQueryDomainCredentialless": "acc.name in('')",
    "IDQueryDomainCredentials": "acc.name in ('')"
  },
  "processADAccount": "true",
  "sAMAccountNameColumnMapping": "name",
  "reconciledAccountAction": "NONE",
  "domainConnections": "Active Directory PAM",

Please suggest next.

Thanks,

Diwakar.

Diwakar
Regular Contributor

Hi @vikasjv @sudeshjaiswal, any further suggestion to fix this issue? I also noticed that after changing "processADAccount" from "false" to "true", the endpoint's PAM-enabled option is getting disabled.

Can we connect as per your availability to work on this issue?

Thanks,

Diwakar.

Hello Diwakar,

Can you add those domain accounts in the following:
"IDQueryDomainCredentialless": "acc.name in('')",
"IDQueryDomainCredentials": "acc.name in ('')"

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi @sudeshjaiswal ,

I already tried that previously, as below, but it still didn't work. Any further suggestion, please!

[Screenshot attached: Diwakar_0-1724834452914.png]

Thanks,

Diwakar.

Diwakar
Regular Contributor

@sudeshjaiswal Any further suggestion? Let me know the next step please.

Thanks,

Diwakar.

Diwakar
Regular Contributor

@sudeshjaiswal Any further updates please?

Thanks,

Diwakar.

Hello @Diwakar,

Please log a support ticket for further troubleshooting.

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".