07/14/2023 12:04 AM - edited 07/14/2023 12:06 AM
Hi all,
During the bootstrap process the master account password is changed for the first time, so is it possible to schedule a password change for master accounts on a periodic basis? If so, can you please let me know the process.
07/17/2023 03:38 AM - edited 07/19/2023 03:19 AM
Hi @Pooja,
Thanks for posting your question.
Yes we can rotate the master account password periodically.
Please refer to the below article for the same.
https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/G-Password-Management/Period...
Regards,
Vikas J V
07/24/2023 03:03 AM
Hi
We have tried to run the analytics (PAMEnabledAndPlatformServiceAccount), but it is not showing any master account from the connector; instead it shows only the firefighter IDs (both credential and credential-less) that we configured.
Can you please help with how to make the master account eligible for password rotation?
07/24/2023 03:10 AM
Hi @Pooja ,
Please make sure that "changeConnectionCredentials": true is set in the PAM config, then configure the periodic password rotation jar, and then it will rotate.
Please refer below article for the same.
https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/G-Password-Management/Period...
Regards,
Vikas J V
07/24/2023 05:03 AM - edited 07/24/2023 05:17 AM
Hi @vikasjv
Yes, we have "changeConnectionCredentials": true in the PAM config, and during the initial bootstrap the password is changed; we see that the password change task was generated and completed.
We have uploaded the jar and made the required config of the password rotation job, but the problem is that after running the job, the job was successful yet the password rotation task is not generated for either the master account or the shared accounts.
And when we try to run the analytics PAMEnabledAndPlatformServiceAccount we are able to see only the shared (firefighter ID) accounts, not any master account.
Also, in the connection, Enable_Service_Account_Management was set to TRUE.
07/17/2023 07:15 AM - edited 07/17/2023 07:36 AM
Hi @Pooja ,
Thanks for reaching out. You may also refer to the following article in the documentation portal with all the steps involved regarding Configuring PAM for On-Premises - Configuring PAM for On-Premises Workloads (saviyntcloud.com)
Regards,
Anitha.
07/24/2023 07:46 AM
@Pooja Has the out of the box control PAMEnabledAndPlatformServiceAccount been modified in any way in your environment? Also, when you execute the control, do you see any row where the credentialType value is shown as 'Master'?
Also, please note the "Total_No_DaysLastRotation" and "expire after" values. Change password task will get triggered only for the accounts where "Total_No_DaysLastRotation" is greater than "expire after".
Finally, please share the query you have in the control PAMEnabledAndPlatformServiceAccount.
Thanks,
Nagesh K
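An added example (not from this thread or from Saviynt's product) that reproduces the eligibility logic of the control in Python over constructed rows: the Master/Shareable classification by INSTR on credentialchangeconfig, the Total_No_DaysLastRotation fallback to CREATED_ON, the rotateKey check on PAMCONFIG, and the rule that a task is raised only when Total_No_DaysLastRotation exceeds expire after. Column names follow the query; the sample keys, dates, the JSON shape of credentialchangeconfig and the EXPIREAFTER value are assumptions.

```python
import json
from datetime import date

# Constructed sample data (not real Saviynt rows); column names follow the control.
TODAY = date(2023, 7, 24)
EXPIRE_AFTER = 60  # policyrule.EXPIREAFTER in days (assumed value)
# externalconnection.credentialchangeconfig naming the master account key (assumed format)
CREDENTIAL_CHANGE_CONFIG = '{"accountKey":"101"}'
ACCOUNTS = [
    {"ACCOUNTKEY": 101, "NAME": "root", "CREATED_ON": date(2023, 1, 10),
     "LASTPASSWORDCHANGE": date(2023, 5, 1), "PAMCONFIG": '{"rotateKey":"true"}'},
    {"ACCOUNTKEY": 102, "NAME": "ff_ops", "CREATED_ON": date(2023, 7, 1),
     "LASTPASSWORDCHANGE": None, "PAMCONFIG": '{"pamEnabled":"true"}'},
    {"ACCOUNTKEY": 103, "NAME": "svc_backup", "CREATED_ON": date(2022, 1, 1),
     "LASTPASSWORDCHANGE": date(2023, 1, 1), "PAMCONFIG": '{"rotateKey":"false"}'},
]

def credential_type(account_key, credential_change_config):
    """IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable').
    This is a substring test, so key 10 would also match a config naming key 101."""
    return "Master" if str(account_key) in (credential_change_config or "") else "Shareable"

def days_since_last_rotation(acct, today=TODAY):
    """Total_No_DaysLastRotation: DATEDIFF from LASTPASSWORDCHANGE, or CREATED_ON if NULL."""
    anchor = acct["LASTPASSWORDCHANGE"] or acct["CREATED_ON"]
    return (today - anchor).days

def rotate_key_allowed(pamconfig):
    """PAMCONFIG IS NOT NULL AND (rotateKey != 'false' OR rotateKey absent)."""
    if pamconfig is None:
        return False
    return json.loads(pamconfig).get("rotateKey") != "false"

def rotation_due(acct, expire_after=EXPIRE_AFTER, today=TODAY):
    """A change password task is raised only when days since rotation > expire after."""
    return rotate_key_allowed(acct["PAMCONFIG"]) and days_since_last_rotation(acct, today) > expire_after

def evaluate(accounts=ACCOUNTS, config=CREDENTIAL_CHANGE_CONFIG,
             expire_after=EXPIRE_AFTER, today=TODAY):
    """Return one row per account, as the control would, plus the rotation decision."""
    return [{"NAME": a["NAME"],
             "CredentialType": credential_type(a["ACCOUNTKEY"], config),
             "Total_No_DaysLastRotation": days_since_last_rotation(a, today),
             "EXPIREAFTER": expire_after,
             "due": rotation_due(a, expire_after, today)} for a in accounts]
```

Running evaluate() on the sample data marks only the master account (84 days, above the 60-day expire after) as due; the shareable account with no LASTPASSWORDCHANGE is counted from CREATED_ON, and the endpoint with rotateKey "false" is never eligible.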
07/24/2023 10:44 AM - edited 07/24/2023 10:46 AM
Hi @NageshK, thanks for your response. The out of the box control was not modified, and when I execute the control I don't see any row with credentialtype as Master; only shareable accounts are showing.
SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
    AND ac.status IN (1, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND ((ac.accounttype IS NOT NULL AND ac.accounttype != '' AND ac.accounttype != 'Platform Service Account') AND ac.ACCOUNTCONFIG LIKE '%ENABLED%')
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND epp.PAM_STATE = 'ENABLED'
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
UNION
SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
INNER JOIN account_attributes accatt ON accatt.ACCOUNTKEY = ac.ACCOUNTKEY AND accatt.ATTRIBUTE_NAME = 'PRINCIPALSOURCE'
    AND ac.status IN (1, 2, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND ac.accounttype = 'Platform Service Account'
    AND (((ac.ACCOUNTCONFIG NOT LIKE '%ENABLED%' OR ac.ACCOUNTCONFIG IS NULL) AND accatt.ATTRIBUTE_VALUE = 'ActiveDirectory') OR (accatt.ATTRIBUTE_VALUE = 'Local'))
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND epp.PAM_STATE = 'ENABLED'
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
UNION
SELECT DISTINCT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN account_attributes acc_attr ON ac.accountkey = acc_attr.accountkey AND acc_attr.attribute_name = 'MEMBER_ENDPOINTKEY'
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.endpointkey
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
WHERE ac.status IN (1, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND (ac.accounttype = 'Platform Service Account' OR ac.ACCOUNTCONFIG LIKE '%ENABLED%');
07/24/2023 03:26 PM
@Pooja Thanks for sharing the query. Yes, this is not bringing in the master accounts. We may probably have to use another analytic control for handling master accounts. I will get back with an appropriate query for that.
Thanks,
Nagesh K
07/27/2023 05:17 AM
Hi @NageshK, we tried to modify the query and are getting this error, so we tried to duplicate PAMEnabledAndPlatformServiceAccount, changed the name in the new query and used the existing query from PAMEnabledAndPlatformServiceAccount, but we are still getting the same issue. We are not seeing this in our POC env. Can you please help with this?
07/27/2023 06:03 AM - edited 07/27/2023 06:23 AM
In the POC env (2022.0) we see the options version 1 and version 2, so we were able to create it under version 1. In version 23.7 we are not able to see this option and are also getting the above error; we also have "allow v1 based runtime controls" enabled in global config. Can you please help with how to create this?
07/27/2023 06:57 AM
@Pooja I'm not able to replicate this issue. Do you have an escape character (\) before the $ in your query like below?
epp.PAMCONFIG ->> '\$.rotateKey' != 'false'
Thanks,
Nagesh K
07/27/2023 07:12 AM
@NageshK As discussed, the preview was working fine, but while creating the analytics we are getting this error; same issue even with the OOTB query.
08/01/2023 03:28 PM
08/07/2023 09:22 PM
We are able to create the analytics after replacing epp.PAMCONFIG ->> '\$.rotateKey' != 'false' with epp.PAMCONFIG NOT LIKE '%rotateKey%false'.
08/07/2023 09:27 PM
@NageshK Password rotation is not working: the job was successful but it is not creating any task to change the password, and in the log we see it executing the password rotation job without rotating the passwords of the due accounts.
12/11/2023 01:38 AM
SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
    AND ac.status IN (1, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND ((ac.accounttype IS NOT NULL AND ac.accounttype != '' AND ac.accounttype != 'Platform Service Account'))
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND epp.PAM_STATE = 'ENABLED'
    -- rotateKey check written without the ->> JSON operator, which failed on analytics creation (see the 08/07 reply)
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG NOT LIKE '%rotateKey%false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
UNION
SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
INNER JOIN account_attributes accatt ON accatt.ACCOUNTKEY = ac.ACCOUNTKEY AND accatt.ATTRIBUTE_NAME = 'PRINCIPALSOURCE'
    AND ac.status IN (1, 2, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND ac.accounttype IN ('Platform Service Account', 'Service Account', 'FIREFIGHTERID')
    AND (((ac.ACCOUNTCONFIG NOT LIKE '%ENABLED%' OR ac.ACCOUNTCONFIG IS NULL) AND accatt.ATTRIBUTE_VALUE = 'ActiveDirectory') OR (accatt.ATTRIBUTE_VALUE = 'Local'))
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND epp.PAM_STATE = 'ENABLED'
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG NOT LIKE '%rotateKey%false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
UNION
SELECT DISTINCT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN account_attributes acc_attr ON ac.accountkey = acc_attr.accountkey AND acc_attr.attribute_name = 'MEMBER_ENDPOINTKEY'
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.endpointkey
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG NOT LIKE '%rotateKey%false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
WHERE ac.status IN (1, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND (ac.accounttype IN ('Platform Service Account', 'Service Account', 'FIREFIGHTERID'));