
How to restrict account visibility so that a user sees only his own account(s) under the respective endpoint

sk
All-Star

Team,

As part of a Privileged Access Request, when a user tries to get access to an account under an endpoint to which he has visibility, he should only be able to see the accounts that are correlated to him.

Use Case:

  • We have enabled DB integration for both IGA and PAM
  • So when a user requests a new account on a database endpoint, an account gets created on the database (xx-username) and that account's password is vaulted in Saviynt
  • Now, to get the credentials, the user has to go through a Privileged Access Request; when he does, he should only see his own account under the respective endpoint (xx-username), not any other users' accounts

To achieve this I went through the documentation: https://saviynt.freshdesk.com/support/solutions/articles/43000673853-upgrading-to-release-v2021-0-4 where I found the settings below in PAM_Config. Of these, I find accountVisibilityConfig is relevant to my use case, but that logic depends on role / entitlement, and in my use case the user is not part of any entitlement that belongs only to him, so I won't be able to utilize it. I also tried accountVisibilityControl under endpointAttributeMappings by modifying the query in the analytics PAMDefaultUserAccountAccessControl, with no luck. I used the queries below to achieve this:

select acc.accountkey as 'id', acc.name as 'name' from accounts acc inner join user_accounts ua on acc.accountkey=ua.accountkey where acc.endpointkey = ${endpointkey} and acc.accountconfig like '%\"pamState\"%ENABLED%' and ua.userkey=${loggedInUser} -- In this case I got the error "loggedInUser not found"

select acc.accountkey as 'id', acc.name as 'name' from accounts acc inner join user_accounts ua on acc.accountkey=ua.accountkey where acc.endpointkey = ${endpointkey} and acc.accountconfig like '%\"pamState\"%ENABLED%' and ua.userkey=${userkey} -- In this case I got the error "userkey not found"

Basically, when Saviynt internally calls this runtime analytics, I believe it is only passing one variable, which is endpointkey.


"endpointAttributeMappings": [
      {
        "column": "accessquery",
        "value": "where users.USERNAME is not null",
        "feature": "endpointAccessQuery"
      },
      {
        "column": "allowChangePassword_sqlquery",
        "value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
        "feature": "allowChangepasswordquery"
      },
      {
        "column": "customproperty43",
        "value": "PAMDefaultUserAccountAccessControl",
        "feature": "accountVisibilityControl"
      }
    ]

"accountVisibilityConfig": {
      "accountCustomProperty": "customproperty55",
      "accountMappingConfig": [
        {
          "accountPattern": "cpamuser*",
          "mappingData": "role1",
          "override": "false"
        },
        {
          "accountPattern": "cpamuser1,cpamuser2",
          "mappingData": "role2",
          "override": "false"
        }
      ]
    }

Can someone help on how to achieve this?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

sk
All-Star

Team, does anyone have any thoughts on how to achieve the above requirement?


Regards,
Saathvik

I also found another documentation page: https://saviynt.freshdesk.com/support/solutions/articles/43000639314-manage-accounts which talks about using accountAccessQuery in PAM_CONFIG to control the visibility of accounts for a user. But I didn't find details about this config anywhere.

Can someone provide some insight on how to utilize it?


Regards,
Saathvik

NageshK
Saviynt Employee

Please use ua.username = ${username} in your query and it should work.

Thanks Nagesh for the reply. Since the username column is available in the user_accounts table, which is referred to as ua, to get the username column I modified the query to include the users table and used the query below:

select acc.accountkey as 'id', acc.name as 'name' from accounts acc inner join user_accounts ua on acc.accountkey=ua.accountkey inner join users u on ua.userkey=u.userkey where acc.endpointkey = ${endpointkey} and acc.accountconfig like '%\"pamState\"%ENABLED%' and u.username = '${username}';

When I used this query I am not getting any error, but it says no account found, though it is supposed to find one. I ran this query in the data analyzer, replacing the variables, and got the expected output. But when I logged in with the same user and tried to look at the accounts, it says no accounts:

com.saviynt.pam.exception.PAMException: No Accounts Found From Analytics Response

Can you please let me know if there is anything I am missing?

Also, since I am not able to achieve this with the accountVisibilityControl config, I even tried using the config below. After bootstrap I can see that the account I used in accountPattern has CP55 updated with the SAV_ROLE given in mappingData, but the restriction still didn't happen: all users were able to see that particular account.

"accountVisibilityConfig": {
      "accountCustomProperty": "customproperty55",
      "accountMappingConfig": [
        {
          "accountPattern": "<accountname>*",
          "mappingData": "<sav_role>",
          "override": "false"
        }
      ]
    }



Regards,
Saathvik

NageshK
Saviynt Employee

SK,

If the accounts are already associated with users, I don't think accountVisibilityConfig will be needed. Please verify that the endpoint's customproperty43 has the right analytic control you are trying. If not, update the property and run a delta endpoint sync. If the query works in the data analyzer with proper parameters, it should work with the control too.

Yes Nagesh, I can confirm that cp43 of the endpoint has the right analytics control, with the query I listed in the previous comment. In the data analyzer I am getting the right output, but there I had to replace the variables with the actual values I am expecting.


Regards,
Saathvik

NageshK
Saviynt Employee

I see your query has an issue towards the end, where it has single quotes around the variable ${username}. Please remove those and try. Also, if you are creating a new analytic control, it should be of type "Runtime Analytics". You will see this option when you click on "Create New Analytics".

I can try to remove the single quotes around username, but it's a string value, so I am not sure whether it works without quotes. I will try and let you know.

Also, there is currently an issue with creating new Runtime analytics in our environment; I need to open a ticket with support. So for now I am just using the existing analytics instead of creating a new one.


Regards,
Saathvik

Thanks Nagesh, after removing the quotes around the username variable it worked.


Regards,
Saathvik
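The working query and the two failure modes discussed in this exchange (variables such as ${loggedInUser} / ${userkey} that the runtime never passes, and single quotes around ${username}) can be reproduced offline. The following is an added example, not code from this thread or from Saviynt: it builds a constructed in-memory SQLite copy of the three tables the query joins and assumes that the runtime engine replaces each ${var} with a ready-made SQL literal, i.e. that it supplies the quotes for string values itself. The table definitions, sample rows, the substitute() helper and the use of a plain `"` instead of the JSON-escaped `\"` in the LIKE pattern are all simplifying assumptions, not Saviynt's schema or engine.

```python
"""Simulation of the PAM account-visibility runtime analytics query.

Added example, not Saviynt code. Schema, sample rows and the ${var}
substitution behaviour are constructed assumptions for illustration.
"""
import sqlite3

# The working query from the thread, with no quotes around ${username}.
VISIBILITY_QUERY = """
select acc.accountkey as id, acc.name as name
from accounts acc
inner join user_accounts ua on acc.accountkey = ua.accountkey
inner join users u on ua.userkey = u.userkey
where acc.endpointkey = ${endpointkey}
  and acc.accountconfig like '%"pamState"%ENABLED%'
  and u.username = ${username}
"""

# Variant 1: quotes around ${username} (the version that reported no accounts).
QUOTED_USERNAME_QUERY = VISIBILITY_QUERY.replace(
    "u.username = ${username}", "u.username = '${username}'")

# Variant 2: a variable the runtime does not pass (${loggedInUser} / ${userkey}).
UNKNOWN_VARIABLE_QUERY = VISIBILITY_QUERY.replace(
    "u.username = ${username}", "ua.userkey = ${loggedInUser}")


def build_db():
    """Constructed in-memory stand-in for the accounts/user_accounts/users tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table users (userkey integer primary key, username text);
        create table accounts (accountkey integer primary key, name text,
                               endpointkey integer, accountconfig text);
        create table user_accounts (userkey integer, accountkey integer);
    """)
    con.executemany("insert into users values (?, ?)", [(1, "alice"), (2, "bob")])
    con.executemany("insert into accounts values (?, ?, ?, ?)", [
        (10, "db-alice", 100, '{"pamState":"ENABLED"}'),
        (11, "db-bob", 100, '{"pamState":"ENABLED"}'),
        (12, "db-alice-old", 100, '{"pamState":"DISABLED"}'),  # not PAM enabled
        (13, "db-alice", 200, '{"pamState":"ENABLED"}'),       # other endpoint
    ])
    con.executemany("insert into user_accounts values (?, ?)",
                    [(1, 10), (2, 11), (1, 12), (1, 13)])
    return con


def substitute(template, params):
    """Assumed runtime behaviour: ${name} becomes a complete SQL literal.

    Integers are inserted bare; strings are single-quoted with embedded
    quotes doubled. Variables missing from `params` are left untouched,
    which is what makes an unknown variable fail at execution time.
    """
    sql = template
    for name, value in params.items():
        if isinstance(value, int):
            literal = str(value)
        else:
            literal = "'" + str(value).replace("'", "''") + "'"
        sql = sql.replace("${" + name + "}", literal)
    return sql


def run_visibility_query(con, template, endpointkey, username):
    """Return ("ok", [account names]) or ("error", message)."""
    sql = substitute(template, {"endpointkey": endpointkey, "username": username})
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", [name for _id, name in rows])


if __name__ == "__main__":
    con = build_db()
    for who in ("alice", "bob"):
        print(who, "->", run_visibility_query(con, VISIBILITY_QUERY, 100, who))
    print("quoted  ->", run_visibility_query(con, QUOTED_USERNAME_QUERY, 100, "alice"))
    print("unknown ->", run_visibility_query(con, UNKNOWN_VARIABLE_QUERY, 100, "alice"))
```

With the engine supplying the quotes, `'${username}'` expands to `''alice''`, which is no longer one string literal and fails to parse; an unknown variable is left as the raw text `${loggedInUser}` and fails the same way. Under the assumption above, the bare `${username}` form is the only one that yields exactly the requesting user's PAM-enabled account on the requested endpoint; disabled accounts and accounts on other endpoints are filtered out by the other two predicates.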

UVP
New Contributor II

Hi @sk,

Could you please let us know where you used the query below and how you set this up:

select acc.accountkey as 'id', acc.name as 'name' from accounts acc inner join user_accounts ua on acc.accountkey=ua.accountkey inner join users u on ua.userkey=u.userkey where acc.endpointkey = ${endpointkey} and acc.accountconfig like '%\"pamState\"%ENABLED%' and u.username = ${username};


Our requirement: we need to restrict account visibility so that a user sees only his own account(s) under the respective endpoint.

Thanks,

Umesh

You have to use the configuration below in PAM_CONFIG of your respective connection:

"endpointAttributeMappings": [
      {
        "column": "accessquery",
        "value": "where users.USERNAME is not null",
        "feature": "endpointAccessQuery"
      },
      {
        "column": "allowChangePassword_sqlquery",
        "value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
        "feature": "allowChangepasswordquery"
      },
      {
        "column": "customproperty43",
        "value": "PAMDefaultUserAccountAccessControl", -- this is the analytics name which you can use different one where I used the mentioned logic
        "feature": "accountVisibilityControl"
      }
    ]

And on the respective endpoint, populate cp43 with the name of the analytics you created, which should let you control the visibility. For details refer here: https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v2022x/page/Content/L-Manage-Accounts/Account-...


Regards,
Saathvik

UVP
New Contributor II

Thanks @sk, let me try this.

UVP
New Contributor II

Hi Saathvik, @NageshK @Dheeraj_Reddy

We performed the steps below and are getting a 400 error code.

Steps:

1. Created a custom analytical report with the query below:

select acc.accountkey as 'id', acc.name as 'name' from accounts acc inner join user_accounts ua on acc.accountkey=ua.accountkey inner join users u on ua.userkey=u.userkey where acc.endpointkey = ${endpointkey} and acc.accountconfig like '%\"pamState\"%ENABLED%' and u.username = ${username};

Note: we validated this query in Data Analyzer for a user and it works fine.

2. Changed PAM_Config as below:

{
  "Connection": "Okta",
  "encryptionMechanism": "Encrypted",
  "CONSOLE": {
    "shareableAccounts": {
      "IDQueryCredentials": "acc.name in ('')",
      "IDQueryCredentialless": "acc.name like ('adm_%')"
    },
    "endpointAttributeMappings": [
      {
        "column": "accessquery",
        "value": "where users.USERNAME is not null",
        "feature": "endpointAccessQuery"
      },
      {
        "column": "allowChangePassword_sqlquery",
        "value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
        "feature": "allowChangepasswordquery"
      },
      {
        "column": "customproperty43",
        "value": "PrivilegedUserAccountAccess",
        "feature": "accountVisibilityControl"
      }
    ],
    "endpointPamConfig": {
      "maxConcurrentSession": "51",
      "maxSessionLimitInSec": "28801",
      "maxSessionWarnPeriodInSec": "1801",
      "maxInActiveTimeInSec": "181",
      "maxInActiveWarnPeriodInSec": "61",
      "maxReqExpWarnPeriodInSec": "901"
    },
    "maxConcurrentSession": "51",
    "maxSessionLimitInSec": "28801",
    "maxSessionWarnPeriodInSec": "1801",
    "maxInActiveTimeInSec": "1810",
    "maxInActiveWarnPeriodInSec": "61",
    "maxReqExpWarnPeriodInSec": "901",
    "maxIDRequestableTime": "10000",
    "maxCredSessionRequestTime": "100000",
    "maxCredlessSessionRequestTime": "100000"
  }
}


3. After running the PAM Bootstrap job, we see that the endpoint's CP43 got updated with the analytical report name (i.e. PrivilegedUserAccountAccess).

4. Logged in with a user having a privileged account, requested a credential-less access session and got the error below:

{"timestamp":"2023-04-03T22:38:22.983+00:00","status":400,"error":"ACCOUNTS.ANALYTICS.RETRIEVAL.FAILED","exception":"com.saviynt.pam.exception.PAMException","message":"Invalid Request sent to AnalyticsAccountsVisibility."}

[screenshot of the error omitted]

Let us know if you have ever faced this issue or if we are missing any step here.

Thanks,

Umesh

UVP
New Contributor II

Hi SK, @sk, any update on this?

What is the type of analytics you created? Can you share the analytics configuration screenshot?


Regards,
Saathvik

UVP
New Contributor II

Hi Saathvik, @Dheeraj_Reddy

We have created a custom 'Runtime analytical report'; please check the screenshots below:

[two screenshots of the analytics configuration omitted]

Let us know if we are missing anything here.

Thanks,

jezzanuena
Regular Contributor

Hi @sk, may I know how you made the accounts PAM enabled? We've been trying to do this but it didn't work.

What type of accounts are you trying to make PAM enabled, and what version of Saviynt are you using? If you can detail your use case, I can try to address it.


Regards,
Saathvik

sk
All-Star

The configuration of the analytics doesn't look right. It looks like it was created as V2 analytics in the backend.

When you create the analytics, select Runtime and don't select Save Data; only then does it pick the right type of analytics. Also, Execution Type is very important, and that option only appears when you don't select Save Data.

[screenshot of the Runtime analytics settings omitted]



Regards,
Saathvik

UVP
New Contributor II

Hi Saathvik,

This is working now, thanks for your help.

Thanks,

Umesh