10/13/2023 09:43 AM
Hi Team,
Our customer is experiencing an issue with the rotation of the PAM account password. Although the password rotation job runs properly, the password is not getting rotated. However, we don't see any change password task created after the account expires. Upon reviewing the article, it seems we are also encountering the same problem when running the analytics report, as it is not fetching any data. Could you please suggest a solution for this issue?
10/17/2023 03:24 PM
@sksuresh2k30 : Are you using default analytics or custom analytics to identify password expired accounts?
10/18/2023 04:18 AM
Hi SK,
I'm using the default one below:

SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
    AND ac.status IN (1, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND ((ac.accounttype IS NOT NULL AND ac.accounttype != '' AND ac.accounttype != 'Platform Service Account') AND ac.ACCOUNTCONFIG LIKE '%ENABLED%')
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND epp.PAM_STATE = 'ENABLED'
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
UNION
SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
INNER JOIN account_attributes accatt ON accatt.ACCOUNTKEY = ac.ACCOUNTKEY
    AND accatt.ATTRIBUTE_NAME = 'PRINCIPALSOURCE'
    AND ac.status IN (1, 2, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND ac.accounttype = 'Platform Service Account'
    AND (((ac.ACCOUNTCONFIG NOT LIKE '%ENABLED%' OR ac.ACCOUNTCONFIG IS NULL) AND accatt.ATTRIBUTE_VALUE = 'ActiveDirectory') OR (accatt.ATTRIBUTE_VALUE = 'Local'))
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND epp.PAM_STATE = 'ENABLED'
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
UNION
SELECT DISTINCT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN account_attributes acc_attr ON ac.accountkey = acc_attr.accountkey
    AND acc_attr.attribute_name = 'MEMBER_ENDPOINTKEY'
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.endpointkey
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
WHERE ac.status IN (1, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND (ac.accounttype = 'Platform Service Account' OR ac.ACCOUNTCONFIG LIKE '%ENABLED%');
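The default analytics above is a chain of INNER JOINs, so an account disappears from the report silently if any single predicate fails or if its security system has no service-account policy rule or provisioning connection. The query below is an added diagnostic written for this thread, not Saviynt's own analytics and not part of any post: it takes the first UNION branch (regular shareable accounts), switches the optional joins to LEFT JOIN, and emits each predicate as its own 0/1/NULL column for one account, so the failing criterion is visible at a glance. It assumes the MySQL dialect the original query already uses (`->>`, IF, DATEDIFF) and the same table and column names; the ACCOUNTKEY value 12345 is a placeholder to replace with the account you are troubleshooting.

```sql
-- Added diagnostic (not Saviynt's shipped analytics). One row per account; every
-- *_ok column that is 0 or NULL is a predicate that drops the account from the
-- default "password expired" report. ACCOUNTKEY 12345 is a placeholder.
SELECT
    ac.ACCOUNTKEY,
    ac.NAME,
    ac.ACCOUNTTYPE,
    ac.STATUS,
    ep.ENDPOINTNAME,
    -- account-level predicates from the first UNION branch
    (ac.STATUS IN (1, 'Manually Provisioned'))                                        AS status_ok,
    (ac.ACCOUNTCONFIG NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)  AS not_jit_ok,
    (ac.ACCOUNTTYPE IS NOT NULL AND ac.ACCOUNTTYPE != ''
        AND ac.ACCOUNTTYPE != 'Platform Service Account')                             AS accounttype_ok,
    (ac.ACCOUNTCONFIG LIKE '%ENABLED%')                                               AS account_pam_enabled_ok,
    -- endpoint-level predicates; NULL here means no endpoints_properties row at all
    (epp.ENDPOINTKEY IS NOT NULL)                                                     AS endpoint_props_present,
    (epp.PAM_STATE = 'ENABLED')                                                       AS endpoint_pam_state_ok,
    (epp.PAMCONFIG IS NOT NULL
        AND (epp.PAMCONFIG ->> '$.rotateKey' != 'false'
             OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))                              AS rotate_key_ok,
    -- joins the report requires to exist; INNER JOIN in the report hides a miss
    (pr.POLICYRULEKEY IS NOT NULL)                                                    AS service_account_policy_present,
    (ec.EXTERNALCONNECTIONKEY IS NOT NULL)                                            AS provisioning_connection_present,
    -- the two values the report actually outputs for expiry reasoning
    pr.EXPIREAFTER                                                                    AS expire_after_days,
    IF(ac.LASTPASSWORDCHANGE IS NULL,
       DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)),
       DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE)))                              AS days_since_last_rotation,
    ac.LASTPASSWORDCHANGE
FROM accounts ac
INNER JOIN endpoints ep              ON ep.ENDPOINTKEY = ac.ENDPOINTKEY
LEFT  JOIN endpoints_properties epp  ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
INNER JOIN securitysystems ss        ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
LEFT  JOIN policyrule pr             ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
LEFT  JOIN externalconnection ec     ON ec.EXTERNALCONNECTIONKEY = ss.PROVISIONINGCONNECTION
WHERE ac.ACCOUNTKEY = 12345;   -- placeholder: the account missing from the report
```

Read the row left to right: the first 0 or NULL is the reason the INNER JOIN chain in the default analytics discards the account. Two cases are easy to miss in the original: `endpoint_pam_state_ok` and `rotate_key_ok` are NULL rather than 0 when the endpoint has no endpoints_properties row, and `service_account_policy_present` is 0 when the security system has no Policy Rule for service accounts, which also leaves `expire_after_days` NULL, so there is no expiry threshold to rotate against at all.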
10/18/2023 07:21 AM
@sksuresh2k30 : If this default analytics is not giving any result then I would assume the respective accounts are not matching the criteria. Did you do basic validations like the ones below?
10/20/2023 09:13 AM
Hi SK,
Thank you for your response. I would like to provide some feedback. The password rotation job appears to be working well. The change password task was created and completed successfully, and it seems that the password has been rotated on Saviynt's side. However, the password is not being provisioned to the target (Windows), and there is an issue with the server connection.
{
  "Connection": "AD",
  "encryptionMechanism": "Encrypted",
  "CONSOLE": {
    "shareableAccounts": {
      "IDQueryCredentials": "acc.name in ('NOTINUSE')",
      "IDQueryCredentialless": "acc.name in ('ADUCAdmin01','ADUCAdmin02','ADUCHelpDesk01')"
    },
    "maxCredlessSessionRequestTime": "36000",
    "maxIDRequestableTime": "36000",
    "maxCredSessionRequestTime": "36000",
    "endpointAttributeMappings": [
      {
        "column": "accessquery",
        "value": "where users.USERNAME is not null",
        "feature": "endpointAccessQuery"
      },
      {
        "column": "allowChangePassword_sqlquery",
        "value": "",
        "feature": "allowChangepasswordquery"
      },
      {
        "column": "customproperty43",
        "value": "PAMServiceAccountEnterpriseRoleUAC",
        "feature": "accountVisibilityControl"
      }
    ],
    "endpointPamConfig": {
      "maxConcurrentSession": "50",
      "maxSessionLimitInSec": "",
      "maxSessionWarnPeriodInSec": "",
      "maxInActiveTimeInSec": "",
      "maxInActiveWarnPeriodInSec": "",
      "maxReqExpWarnPeriodInSec": ""
    },
    "accountVisibilityConfig": {
      "accountCustomProperty": "customproperty55",
      "accountMappingConfig": [
        {
          "accountPattern": "app-*",
          "mappingData": "",
          "override": "false"
        },
        {
          "accountPattern": "app_saviynt",
          "mappingData": "role2",
          "override": "false"
        }
      ]
    }
  }
}