
How to notify users that their privileged account credentials have been rotated

sk
All-Star

Team,

We have a use case where users will request database privileged accounts in Saviynt. As part of account creation, we are populating a CP value which we use to identify the accounts that need to be bootstrapped/vaulted.

Once vaulted, we are also rotating the password at regular intervals automatically, based on the password policy. Now, once account credentials are rotated, we want to notify the user.

To achieve this, we tried to use the task completion email with the action set to Change Password.

But the problem we are noticing is that these change password tasks don't have user data exposed, unlike regular change password tasks. Instead, by default we always see the default admin user's details when we use the ${user.xx} variable to get user details.

Now, how can we notify users that their account credentials have been rotated?

Below are the variables that are exposed to the email template, with their respective data, when the change password task is generated through the PAM process (bootstrap or automatic rotation):

tasktype = Change Password
manager = null
accountOwners = []
randompassword = xxxxx
entitlement = []
users = systemadmin
requestor = systemadmin
out = java.io.PrintWriter@51bece8d
account_password = xxxxx
task = com.saviynt.ecm.task.ArsTasks : xxx
accountname = dpsxkxxx Updated Password - xxxxx
requestid = AutoGenerated
endpointDisplayName = Test-PostgresDB-xxxxx
account_name = dpsxkxxx
baseUrlForEmail = https://release-n-xxxxx/ECM
user = systemadmin
taskaction = Change Password
account = dpsxkxxx

Below are the variables that are exposed to the email template, with their respective data, when the change password task is generated through the regular change password process (UI):

tasktype = Change Password
manager = E9005xxx
accountOwners = []
randompassword = xxxxx
entitlement = []
users = E900xxxx
requestor = E9xxxxxx
out = java.io.PrintWriter@68d2fdfe
account_password = xxxxx
task = com.saviynt.ecm.task.ArsTasks : xxxx
accountname = dpsxkxxx Updated Password - xxxxxx
requestid = AutoGenerated
endpointDisplayName = Test-PostgresDB-xxxxx
account_name = dpsxkxxx
requestormanager = E900xxxx
baseUrlForEmail = https://release-n-xxxxxx/ECM
user = E900xxxx
taskaction = Change Password
account = dpsxkxxxx

Below are the variables that are exposed to the email template, with their respective data, when the change password task is generated through the regular change password process (API):

tasktype = Change Password
manager = E9005xxx
accountOwners = []
randompassword = xxxx
entitlement = []
users = E900xxxx
requestor = xxxx
out = java.io.PrintWriter@502e2c23
account_password = xxxxx
task = com.saviynt.ecm.task.ArsTasks : xxxx
accountname = dpsxkxxx Updated Password - xxxxx
requestid = AutoGenerated
endpointDisplayName = Test-PostgresDB-xxxxx
account_name = dpsxkxxx
requestormanager = E900xxx
baseUrlForEmail = https://release-n-xxxx/ECM
user = E900xxxx
taskaction = Change Password
account = dpsxkxxx

If you look at the data coming from the different paths (PAM process, Change Password from UI, and Change Password from API), only the PAM process is not giving the user details.

Note: We know we can use analytics as a workaround to identify any changes that happened after the last run date and notify. But we want to avoid that because the task completion email is a default feature which should work, and it works fine with regular change passwords; the only issue is with the PAM process. So we are trying to understand whether this is a bug or there is a different way to implement this.

 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
7 REPLIES

NageshK
Saviynt Employee

@sk Thanks for posting the question. When you say PAM Process, are you referring to the extension jar used for periodic password rotation? If yes, this will require an update on the jar and in the analytic control as well if we are not fetching user name in the existing one. 

Thanks,

Nagesh K

@NageshK: Thanks for responding. If I understand correctly, it requires an enhancement to achieve this, right?


Regards,
Saathvik

UVP
New Contributor II

Are you able to resolve this?

@Dheeraj_Reddy 

No, based on the response it looks like an enhancement, but we are waiting for confirmation from @NageshK.

For now, we are thinking of using analytics to notify as a workaround.


Regards,
Saathvik

UVP
New Contributor II

Hi Nagesh,

Do we have any Saviynt document/link for periodic password rotation?

If yes, please share that. Thanks,

 

@Dheeraj_Reddy 

Here is the link for the periodic password rotation process: https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v2022x/page/Content/G-Password-Management/Peri...


Regards,
Saathvik

sk
All-Star

We got confirmation from our FD ticket that this is not currently supported, and hence we opened an IDEA# https://ideas.saviynt.com/ideas/EIC-I-4366.

@UVP, @Dheeraj_Reddy: If you guys are also in the same boat, please upvote the IDEA.


Regards,
Saathvik