
JIT in Linux not working

lonetlove
New Contributor

Hi all,

I attempted to connect to a Linux server via JIT.

Upon approval, my task is stuck at pending.

I went in to check the logs. However, it seems that the previous UnixDeprovisioningService is not doing its job after the JIT session ended. This results in the error below, where it finds that the account already exists on the Linux server, which results in the pending task.

2024-02-01T18:25:11+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-5-DEBUG-Accounts exists and is active accountname - CXXXX
2024-02-01T18:25:11+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-5-ERROR-Error while creating account - CXXXX removing tasks from the list
2024-02-01T18:25:11+08:00-ecm-worker-services.ArsTaskService-quartzScheduler_Worker-5-DEBUG-accTaskMap - [CXXXX:[]]
2024-02-01T18:25:07+08:00-ecm-worker-services.ArsTaskService-quartzScheduler_Worker-5-DEBUG-accTasksMap [CXXXX:[com.saviynt.ecm.task.ArsTasks : 164862]]
2024-02-01T18:25:07+08:00-ecm-worker-pam.PamService-quartzScheduler_Worker-5-DEBUG-account: CXXXX is JIT - true
2024-02-01T18:25:07+08:00-ecm-worker-pam.PamService-quartzScheduler_Worker-5-DEBUG-After PAMJITAccountTasks Filtering:: pamJITAccTaskMap - [C108272:[com.saviynt.ecm.task.ArsTasks : 164862]] #### accTaskMap - [:]
2024-02-01T18:25:07+08:00-ecm-worker-services.ArsTaskService-quartzScheduler_Worker-5-DEBUG-Calling createAccountUnix with Sec System - ON-PREMISE-UNIX-OBW and tasklist - [CXXXX:[com.saviynt.ecm.task.ArsTasks : 164862]]
2024-02-01T18:25:03+08:00-ecm-worker-firefighter.FirefighterService-quartzScheduler_Worker-4-DEBUG-Account - CXXXX is PAM Enabled, using Service Account Password Policy

Is there any way I can trigger such a deprovision task to remove the JIT account from the connected Linux system without going into the Linux host directly?

Please advise.

Thanks a million.
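Added example, not part of the original post and not Saviynt code: a small triage script that correlates the three messages quoted in the post above (account flagged as JIT, account already active on the host, create error) to list JIT accounts left behind by a missed deprovisioning. The line layout regex is inferred from the quoted lines, and the `DEMO01` sample line is constructed.

```python
import re

# Line layout inferred from the lines quoted in the post (an assumption):
# <ISO timestamp>-ecm-worker-<logger>-<thread>-<LEVEL>-<message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"
    r"-ecm-worker-(?P<logger>[\w.]+)-(?P<thread>\S+?)"
    r"-(?P<level>DEBUG|INFO|WARN|ERROR)-(?P<msg>.*)$"
)

# The three messages from the post that together indicate a leftover JIT account.
EVENTS = {
    "jit": re.compile(r"account: (\S+) is JIT - true"),
    "exists": re.compile(r"Accounts exists and is active accountname - (\S+)"),
    "create_error": re.compile(r"Error while creating account - (\S+)"),
}

# First three lines are quoted from the post; the DEMO01 line is constructed.
SAMPLE_LOG = """\
2024-02-01T18:25:11+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-5-DEBUG-Accounts exists and is active accountname - CXXXX
2024-02-01T18:25:11+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-5-ERROR-Error while creating account - CXXXX removing tasks from the list
2024-02-01T18:25:07+08:00-ecm-worker-pam.PamService-quartzScheduler_Worker-5-DEBUG-account: CXXXX is JIT - true
2024-02-01T18:30:00+08:00-ecm-worker-pam.PamService-quartzScheduler_Worker-5-DEBUG-account: DEMO01 is JIT - true
"""


def find_leftover_jit_accounts(lines):
    """Return {account: timestamp of the create error} for JIT accounts whose
    provisioning failed because the account was still active on the host."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the inferred layout
        for name, pattern in EVENTS.items():
            hit = pattern.search(m["msg"])
            if hit:
                seen.setdefault(hit.group(1), {})[name] = m["ts"]
    # Order-independent on purpose: the post lists its lines newest first.
    return {acct: ev["create_error"] for acct, ev in seen.items()
            if EVENTS.keys() <= ev.keys()}


if __name__ == "__main__":
    for acct, ts in find_leftover_jit_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"{ts} leftover JIT account blocks provisioning: {acct}")
```

An account reported here is one where the revoke step did not remove the account from the target host, so the next grant task cannot create it.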


DixshantValecha
Saviynt Employee

Hi @lonetlove,

We are checking on your request and we will keep you posted.

DixshantValecha
Saviynt Employee

Hi @lonetlove,

We kindly request additional details regarding your use case and the rationale behind the removal of the account.

Understanding the context and purpose behind this action will allow us to better address your needs.

Your insights into the specific circumstances surrounding this request will greatly assist us in providing the most appropriate and efficient solution.

lonetlove
New Contributor

Hi @DixshantValecha,

Thanks for helping out.

Correct me if I am wrong in my understanding of JIT.

A just-in-time account is created on the fly, where it uses the Saviynt ID (username) to create the account using the PROVISION_ACCOUNT_COMMAND JSON and revoke it using the DEPROVISION_ACCOUNT_COMMAND JSON.

I saw that tasks are created, like "Task Type: Emergency Access Instance Grant Access" and "Task Type: Emergency Access Instance Revoke Access".

They are always stuck in a pending state.

Apologies, I am new to this and trying to fix the JIT process. My team actually went in and manually removed the JIT account (Saviynt username), which then allows the JIT account to be created successfully. However, the revocation of the account is not performed by the deprovision task, which affects the next JIT account to be created.

Please advise on what I can try, or correct me if my understanding is wrong.

Will the task owner matter to execute the task?

DixshantValecha
Saviynt Employee

Hi @lonetlove,

Please ensure that the task is not in an ERROR state before proceeding. In the event that it is, you may initiate the WSretry job for the security system. This action will re-trigger all tasks within the specified security system, including the de-provision task.