Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

How to integrate DBs to enable both IGA and PAM use cases

Saathvik
All-Star
All-Star
Team,
 
We are trying to do integration with databases for both IGA and PAM uses which are listed below
 
IGA Use Cases:
  • Request new account(human/service account) on databases which will be created locally on database
  • Deprovision of account(human/service account) on certain conditions
  • Request entitlement access
  • Revoke Entitlement access
  • Change password functionality of database account
  • Reconcile existing accounts (human/service account) and entitlements from Database
PAM Use Cases:
  • Vault the credentials of new database accounts(human/service account) that are created through Saviynt
  • Vault the credentials of any existing database accounts(human/service account) that are available before integrating with Saviynt
  • Automatic rotation of database accounts password on periodic basis based on password policy
  • Able to check out the password

We already did integrate one database successfully and tested IGA use cases. But looking for some guidance on how to enable mentioned PAM features for the same database. We tried to follow documentation: https://saviynt.freshdesk.com/support/solutions/articles/43000608745-configuring-pam-for-on-premises though the use case doesn't match entirely but we tried to make config changes that are applicable for our use case. But we are not successful in achieving it.

To enable PAM use case we did following steps

  1. Created an On-Prem type Connection, Security System & Endpoint
  2. Created a Master connection for respective type of DB
  3. Configured PAM_Config on  On-Prem type connection and below is the config we used
  4. PAM_Config: {
      "Connection": "On-Premise",
      "encryptionMechanism": "ENCRYPTED",
      "EVQuery": "",
      "DB": {
        "defaultCredentialConnection": {
          "connectionNameByDbTypes": {
            "mysql": "",
            "PostGres": "Test-Master-Connection",
            "oracle": "",
            "sqlserver": ""
          },
          "changeConnectionCredentials": false
        },
        "defaultSecuritySystemDetails": {
          "securitySystemName": "new",
          "workflow": "AutoApproval",
          "passwordPolicy": "PasswordPolicy"
        },
        "shareableAccounts": {
          "IDQueryCredentials": "acc.name like ('dp%')",
          "IDQueryCredentialless": "acc.name in ('')"
        },
        "maxCredSessionRequestTime": "10",
        "maxCredlessSessionRequestTime": "10",
        "maxIDRequestableTime": "100",
        "skipOpenPorts": "true",
        "endpointAttributeMappings": [
          {
            "column": "accessquery",
            "value": "",
            "feature": "endpointAccessQuery"
          },
          {
            "column": "allowChangePassword_sqlquery",
            "value": "",
            "feature": "allowChangepasswordquery"
          },
          {
            "column": "customproperty43",
            "value": "PAMDefaultUserAccountAccessControl",
            "feature": "accountVisibilityControl"
          }
        ],
        "endpointPamConfig": {
          "maxConcurrentSession": "10"
        },
        "accountVisibilityConfig": {
          "accountCustomProperty": "customproperty55",
          "accountMappingConfig": [
            {
              "accountPattern": "*",
              "mappingData": "",
              "override": "false"
            }
          ]
        }
      }
    }
  5. Updated already created Database security system Connection to use On-Prem Connection
  6. Ran PAM bootstrap process on database security system

After doing all this we don't see that database endpoint is enabled for PAM and respective accounts under it with matching condition as per IDQueryCredentials are being vaulted.

Can anyone able to assist us?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
4 REPLIES 4

Belwyn
Saviynt Employee
Saviynt Employee

Hi @Saathvik 

 

Thank you for reach out to us, 

In your PAM config you are missing "EVQuery": "", valueThis is where you mark the entitlement that has to be imported and bootstrapped. 

To bootstrap a target workload here's the flow:

1. Platform to connect to (On-Prem)

2. Create your Master Connection

3. Import entitlements (Each entitlements are a On-Prem server)

4. Mark the entitlement that needs to be bootstrapped/Onboarded in customerproper40 have the value like "PAM_Bootstrap" (Eg: "EVQuery":"ev.customproperty40='PAM_Bootstrap'", )

5. Create a Job with Import Type as Pambootstrap: -> Now here's in this step where you will have your marked entitlements converted into an Endpoint and account of that server will be imported into the newly created endpoint(new endpoint creation are defined in the PAM Config). 

6. Once all the accounts are imported to Saviynt in the new endpoint created. Accounts that have been mentioned under the "shareableAccounts" block in PAM config will be vaulted. 

 

Let us know if this helps,
Thanks & Regards, 
Belwyn.

Belwyn,

Thanks for your response but problem here is Databases we are trying to integrate are not an entitlement type because we already integrated them as per IGA integration(Like creation of SS, Endpoint, Connection etc and configured them accordingly to achieve IGA use cases). So in this case we cannot use EVQuery to bootstrap them.

I already opened an FD ticket for this use case and I got some response from which I am currently validating once I am done with it. I will post the solution here

 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Belwyn
Saviynt Employee
Saviynt Employee

In that case i would suggest you to follow the below On-Prem infra onboarding flow: 

Step: 1 Prerequisites Ref: https://saviynt.freshdesk.com/en/support/solutions/articles/43000646445-onboarding-on-premise-worklo... under -> "Configuring an On-Premise Connection"

Step: 2 Run the below API with server details. 

curl --location -g --request POST '{{host}}/ECM/api/v5/pamBootstrap' \
--data-raw '{
    "customproperty2": "ab::cd::de::fg",
    "customproperty3": "SAMPLEDOMAIN",
    "customproperty4": "35.223.220.167",
    "customproperty12": "35.223.220.167",
    "customproperty14": "unix",
    "customproperty15": "14.0",
    "customproperty16": "Ubuntu",
    "customproperty35": "22",
    "entitlement_value": "devqaunixmachine",
    "entitlementID": "6432555066648041605",
    "securitySystemName": "ON_PREM_LOCAL",
    "endpointName": "ON_PREM_LOCAL",
    "entitlementName": "Instance",
    "connectionType": "On-Premise",
    "customproperty40": "pam-onprem",
    "endpointBootstrap" : true
}'

Ref: https://documenter.getpostman.com/view/6171505/U16bvotf#bdffa19d-18c2-4ccd-9ed6-ce196fa0df58 

Step:3 Have the shareable accounts configured in PAM_Config, under PAM_Config in connection created in step 1.

Note: if you already have a SS, endpoint and connections created make sure that all the other configuration such as entitlement type creation are done for the existing setup. 

 
Let us know if this helps,
Regards, 
Belwyn.

Just to update the ticket approach we took is fine but there was some issue in our environment related to bootstrap process. Support team has to restart PAMMS pods to resolve our issue also they pointed out that service account password policy is missing while creation of endpoint which was also causing the issue.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.