02/01/2024 02:47 AM
Hi all,
I attempted to connect to a Linux server via JIT.
Upon approval, my task is stuck at pending.
I went in to check the logs. However, it seems that the previous UnixDeprovisioningService is not doing its job after the JIT session ended. This results in the error below, where it found an account that exists on the Linux system, which results in the pending task.
2024-02-01T18:25:11+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-5-DEBUG-Accounts exists and is active accountname - CXXXX
2024-02-01T18:25:11+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-5-ERROR-Error while creating account - CXXXX removing tasks from the list
2024-02-01T18:25:11+08:00-ecm-worker-services.ArsTaskService-quartzScheduler_Worker-5-DEBUG-accTaskMap - [CXXXX:[]]
2024-02-01T18:25:07+08:00-ecm-worker-services.ArsTaskService-quartzScheduler_Worker-5-DEBUG-accTasksMap [CXXXX:[com.saviynt.ecm.task.ArsTasks : 164862]]
2024-02-01T18:25:07+08:00-ecm-worker-pam.PamService-quartzScheduler_Worker-5-DEBUG-account: CXXXX is JIT - true
2024-02-01T18:25:07+08:00-ecm-worker-pam.PamService-quartzScheduler_Worker-5-DEBUG-After PAMJITAccountTasks Filtering:: pamJITAccTaskMap - [C108272:[com.saviynt.ecm.task.ArsTasks : 164862]] #### accTaskMap - [:]
2024-02-01T18:25:07+08:00-ecm-worker-services.ArsTaskService-quartzScheduler_Worker-5-DEBUG-Calling createAccountUnix with Sec System - ON-PREMISE-UNIX-OBW and tasklist - [CXXXX:[com.saviynt.ecm.task.ArsTasks : 164862]]
2024-02-01T18:25:03+08:00-ecm-worker-firefighter.FirefighterService-quartzScheduler_Worker-4-DEBUG-Account - CXXXX is PAM Enabled, using Service Account Password Policy
Is there any way I can trigger such a deprovision task to remove the JIT account from the connected Linux system without going into the Linux host directly?
Please advise.
Thanks a million.
02/05/2024 12:45 AM
Hi @lonetlove,
We are checking on your request and we will keep you posted.
02/05/2024 03:27 AM - edited 02/05/2024 03:27 AM
Hi @lonetlove,
We kindly request additional details regarding your use case and the rationale behind the removal of the account.
Understanding the context and purpose behind this action will allow us to better address your needs.
Your insights into the specific circumstances surrounding this request will greatly assist us in providing the most appropriate and efficient solution.
02/05/2024 05:27 AM - edited 02/05/2024 05:30 AM
Hi @DixshantValecha,
Thanks for helping out.
Correct me if I am wrong in my understanding of JIT.
A just-in-time account is created on the fly, where it uses the Saviynt ID (username) to create using the PROVISION_ACCOUNT_COMMAND JSON and revoke using the DEPROVISION_ACCOUNT_COMMAND JSON.
I saw tasks are created, such as with "Task Type: Emergency Access Instance Grant Access" and "Task Type: Emergency Access Instance Revoke Access".
It is always stuck in the pending state.
Apologies, I am new to this and trying to fix the JIT process. My team actually went in and manually removed the JIT account (Saviynt username); this then allowed the JIT account to be successfully created. However, the revocation of the account is not performed by the deprovision task, which affects the next JIT account to be created.
Can you advise on what I can try, or correct me if my understanding is wrong?
Will the task owner matter to execute the task?
02/18/2024 10:05 PM
Hi @lonetlove,
Please ensure that the task is not in an ERROR state before proceeding. In the event that it is, you may initiate the WSretry job for the security system. This action will re-trigger all tasks within the specified security system, including the de-provision task.
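An added example, not part of the original thread and not Saviynt code: a small Python check that scans worker logs in the layout quoted in the question and lists JIT accounts whose provisioning failed because the account was still active on the target, which is the symptom of a revoke task that never ran. The function name, the line layout inferred from the excerpt, and the sample account names are assumptions.

```python
import re
from collections import defaultdict

# Line layout assumed from the excerpt in the thread:
# <ISO timestamp>-ecm-worker-<logger>-<thread>-<LEVEL>-<message>
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:]{8}[+-]\d{2}:\d{2})-ecm-worker-"
    r"(?P<logger>[\w.]+)-(?P<thread>\w+-\d+)-(?P<level>[A-Z]+)-(?P<msg>.*)$"
)
# Message patterns copied from the log lines quoted in the thread.
EVENTS = {
    "jit": re.compile(r"account: (\S+) is JIT - true"),
    "exists": re.compile(r"Accounts exists and is active accountname - (\S+)"),
    "create_failed": re.compile(r"Error while creating account - (\S+) removing tasks"),
}

def find_stale_jit_accounts(log_text):
    """Return {account: timestamp of failed create} for JIT accounts that were
    still active on the target when the next session tried to provision them."""
    seen = defaultdict(dict)  # account -> {event name: timestamp}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a worker log line in the assumed layout
        for name, pattern in EVENTS.items():
            hit = pattern.search(m["msg"])
            if hit:
                seen[hit.group(1)][name] = m["ts"]
    # All three events must be present; line order (newest first) is irrelevant.
    required = {"jit", "exists", "create_failed"}
    return {acct: ev["create_failed"] for acct, ev in seen.items()
            if required <= set(ev)}

# Constructed sample with placeholder account names, newest line first.
SAMPLE = """\
2024-02-01T18:25:11+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-5-DEBUG-Accounts exists and is active accountname - JITUSER01
2024-02-01T18:25:11+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-5-ERROR-Error while creating account - JITUSER01 removing tasks from the list
2024-02-01T18:25:07+08:00-ecm-worker-pam.PamService-quartzScheduler_Worker-5-DEBUG-account: JITUSER01 is JIT - true
2024-02-01T18:20:02+08:00-ecm-worker-pam.PamService-quartzScheduler_Worker-4-DEBUG-account: JITUSER02 is JIT - true
2024-02-01T18:10:30+08:00-ecm-worker-provisoning.UnixProvisioningService-quartzScheduler_Worker-3-ERROR-Error while creating account - SVCUSER03 removing tasks from the list
"""

if __name__ == "__main__":
    print(find_stale_jit_accounts(SAMPLE))
```

Accounts it reports are the ones whose revoke tasks are worth checking for a pending or ERROR state before re-triggering tasks for the security system.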