08/23/2022 07:27 AM
We already integrated one database successfully and tested IGA use cases, but we are looking for some guidance on how to enable the mentioned PAM features for the same database. We tried to follow the documentation: https://saviynt.freshdesk.com/support/solutions/articles/43000608745-configuring-pam-for-on-premises. The use case doesn't match entirely, but we tried to make the config changes that are applicable to our use case. However, we have not been successful in achieving it.
To enable the PAM use case we did the following steps
After doing all this we don't see that the database endpoint is enabled for PAM, and the respective accounts under it with a matching condition as per IDQueryCredentials are not being vaulted.
Can anyone assist us?
08/29/2022 01:12 AM
Hi @Saathvik
Thank you for reaching out to us.
In your PAM config you are missing the "EVQuery": "" value. This is where you mark the entitlement that has to be imported and bootstrapped.
To bootstrap a target workload here's the flow:
1. Platform to connect to (On-Prem)
2. Create your Master Connection
3. Import entitlements (each entitlement is an On-Prem server)
4. Mark the entitlement that needs to be bootstrapped/onboarded: customproperty40 has a value like "PAM_Bootstrap" (e.g. "EVQuery":"ev.customproperty40='PAM_Bootstrap'", )
5. Create a Job with Import Type as Pambootstrap. This is the step where your marked entitlements are converted into an Endpoint and the accounts of that server are imported into the newly created endpoint (new endpoint creation is defined in the PAM Config).
6. Once all the accounts are imported into Saviynt in the newly created endpoint, the accounts that are listed under the "shareableAccounts" block in the PAM config will be vaulted.
08/29/2022 06:28 AM
Belwyn,
Thanks for your response, but the problem here is that the databases we are trying to integrate are not an entitlement type, because we already integrated them as per the IGA integration (creation of SS, Endpoint, Connection etc., configured accordingly to achieve the IGA use cases). So in this case we cannot use EVQuery to bootstrap them.
I already opened an FD ticket for this use case and I got a response, which I am currently validating. Once I am done with it I will post the solution here.
08/31/2022 11:28 PM - edited 08/31/2022 11:32 PM
In that case I would suggest you follow the On-Prem infra onboarding flow below:
Step: 1 Prerequisites Ref: https://saviynt.freshdesk.com/en/support/solutions/articles/43000646445-onboarding-on-premise-worklo... under -> "Configuring an On-Premise Connection"
Step: 2 Run the below API with server details.
curl --location -g --request POST '{{host}}/ECM/api/v5/pamBootstrap' \
--data-raw '{
  "customproperty2": "ab::cd::de::fg",
  "customproperty3": "SAMPLEDOMAIN",
  "customproperty4": "35.223.220.167",
  "customproperty12": "35.223.220.167",
  "customproperty14": "unix",
  "customproperty15": "14.0",
  "customproperty16": "Ubuntu",
  "customproperty35": "22",
  "entitlement_value": "devqaunixmachine",
  "entitlementID": "6432555066648041605",
  "securitySystemName": "ON_PREM_LOCAL",
  "endpointName": "ON_PREM_LOCAL",
  "entitlementName": "Instance",
  "connectionType": "On-Premise",
  "customproperty40": "pam-onprem",
  "endpointBootstrap": true
}'
Ref: https://documenter.getpostman.com/view/6171505/U16bvotf#bdffa19d-18c2-4ccd-9ed6-ce196fa0df58
Step: 3 Have the shareable accounts configured in PAM_Config, under PAM_Config in the connection created in step 1.
Note: if you already have an SS, endpoint and connections created, make sure that all the other configuration, such as entitlement type creation, is done for the existing setup.
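As an added example (not the thread's or Saviynt's own code), the following Python script assembles the pamBootstrap request from step 2 for each server in a small inventory, refuses to send a record with a missing field, and reports the outcome per server so a half-configured endpoint is noticed rather than created silently. The host, token, the Bearer-token Authorization header, the RecordingOpener dry-run transport and the sample inventory are all assumptions made for this example; the field names and constant values come from the request shown in the thread.

```python
"""Added example: build and send /ECM/api/v5/pamBootstrap requests.

Assumptions (not from the thread): Bearer-token auth, any HTTP 2xx means the
request was accepted, and the host/token/inventory values are placeholders.
"""
import json
import urllib.request
import urllib.error

# Per-server fields carried by the thread's sample payload (constant
# connection/endpoint values are added by build_bootstrap_payload).
REQUIRED_SERVER_FIELDS = (
    "customproperty2",    # identifier ("ab::cd::de::fg" in the thread)
    "customproperty3",    # domain
    "customproperty4",    # host address
    "customproperty12",   # host address, repeated in the sample payload
    "customproperty14",   # platform, e.g. "unix"
    "customproperty15",   # platform version
    "customproperty16",   # OS name
    "customproperty35",   # port ("22" in the sample)
    "entitlement_value",  # server / entitlement name
    "entitlementID",
)


def build_bootstrap_payload(server: dict, marker: str = "pam-onprem") -> dict:
    """Return the JSON body for pamBootstrap; raise ValueError naming empty fields."""
    missing = [f for f in REQUIRED_SERVER_FIELDS if not str(server.get(f, "")).strip()]
    if missing:
        raise ValueError("server record incomplete, missing: " + ", ".join(missing))
    payload = {f: server[f] for f in REQUIRED_SERVER_FIELDS}
    payload.update({
        "securitySystemName": "ON_PREM_LOCAL",
        "endpointName": "ON_PREM_LOCAL",
        "entitlementName": "Instance",
        "connectionType": "On-Premise",
        "customproperty40": marker,  # the marker the PAM config's EVQuery selects on
        "endpointBootstrap": True,
    })
    return payload


class _CannedResponse:
    """Minimal stand-in for an HTTP response used by the dry-run transport."""
    def __init__(self, status=200, body=b'{"errorCode":"0","msg":"success"}'):
        self.status, self._body = status, body
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class RecordingOpener:
    """Dry-run transport (assumed helper): records requests instead of sending."""
    def __init__(self, status=200):
        self.requests, self.status = [], status
    def __call__(self, req):
        self.requests.append(req)
        return _CannedResponse(self.status)


def post_bootstrap(host, token, payload, opener=None):
    """POST one payload; return (status, body). Default transport is urllib."""
    req = urllib.request.Request(
        f"{host}/ECM/api/v5/pamBootstrap",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},  # assumed auth scheme
        method="POST",
    )
    open_fn = opener or urllib.request.urlopen
    try:
        with open_fn(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def bootstrap_all(host, token, servers, opener=None):
    """Bootstrap every complete record; return {name: (outcome, detail)}."""
    report = {}
    for server in servers:
        name = server.get("entitlement_value") or "<unnamed>"
        try:
            payload = build_bootstrap_payload(server)
        except ValueError as err:
            report[name] = ("skipped", str(err))
            continue
        status, body = post_bootstrap(host, token, payload, opener)
        report[name] = ("accepted" if 200 <= status < 300 else "failed", body)
    return report


# Constructed inventory: one complete record, one missing its host address.
SAMPLE_SERVERS = [
    {"customproperty2": "ab::cd::de::fg", "customproperty3": "SAMPLEDOMAIN",
     "customproperty4": "192.0.2.10", "customproperty12": "192.0.2.10",
     "customproperty14": "unix", "customproperty15": "14.0",
     "customproperty16": "Ubuntu", "customproperty35": "22",
     "entitlement_value": "devqaunixmachine", "entitlementID": "6432555066648041605"},
    {"customproperty2": "gh::ij::kl::mn", "customproperty3": "SAMPLEDOMAIN",
     "customproperty4": "", "customproperty12": "192.0.2.11",
     "customproperty14": "unix", "customproperty15": "14.0",
     "customproperty16": "Ubuntu", "customproperty35": "22",
     "entitlement_value": "brokenrecord", "entitlementID": "6432555066648041606"},
]

if __name__ == "__main__":
    dry_run = RecordingOpener()  # replace with opener=None to really send
    for name, result in bootstrap_all("https://example.invalid", "PLACEHOLDER_TOKEN",
                                      SAMPLE_SERVERS, opener=dry_run).items():
        print(name, result)
```

Running it with the dry-run transport shows one request recorded for devqaunixmachine and the second record skipped with the missing field named; pass `opener=None` and a real host and token to send the requests.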
11/18/2022 03:11 PM
Just to update the ticket: the approach we took is fine, but there was an issue in our environment related to the bootstrap process. The support team had to restart the PAMMS pods to resolve our issue. They also pointed out that the service account password policy was missing during creation of the endpoint, which was also causing the issue.