04/13/2023 12:23 PM - edited 04/13/2023 01:03 PM
Hello,
We have an implementation that requires that no shared accounts be used. Is there a way to bootstrap endpoints that doesn't use shared local/domain accounts and only uses unique domain accounts as the privileged access method?
So instead of users using a CPAM shared domain account, the requirement is that the users have unique CPAM-managed domain accounts used to access endpoints.
We need to bring these endpoints under PAM protection and have them accessed through the designated admin accounts.
04/13/2023 01:33 PM
Hi jdfranco, can you please let us know for which endpoints you are trying to achieve this use case. Do you want this domain account for AD endpoints or Windows endpoints?
04/13/2023 01:39 PM
These would be Windows server endpoints.
04/17/2023 03:05 PM
@jdfranco Yes, this is possible. One of the common examples is the usage of a- (a dash) accounts in Active Directory. These are personal accounts unique to each user and are usually assigned to the server admins.
Before looking at how to implement this use case, here is an important aspect to verify:
Having such a naming convention makes it easier to implement this use case.
Here is how it has to be implemented:
The modified query would look like this (modified part in bold):
-- first branch: PAM-enabled accounts stored directly on the endpoint
select acc.accountkey as 'id', acc.name as 'name'
from accounts acc
where acc.endpointkey = ${endpointkey}
  and acc.accountconfig like '%\"pamState\"%ENABLED%'
  and acc.accountkey = IF('null'=${accountkey}, acc.accountkey, ${accountkey})
UNION
-- second branch: domain accounts that are members of the endpoint,
-- restricted to the personal a-<username> account of the requesting user
select acc1.accountkey as 'id', acc1.NAME as 'name'
from accounts acc1
  inner join account_attributes accattrb on acc1.ACCOUNTKEY = accattrb.ACCOUNTKEY
where accattrb.ATTRIBUTE_NAME = 'MEMBER_ENDPOINTKEY'
  and accattrb.ATTRIBUTE_VALUE = ${endpointkey}
  and acc1.accountconfig like '%\"pamState\"%ENABLED%'
  and CONCAT('a-', ${username}) = acc1.name
  and acc1.accountkey = IF('null'=${accountkey}, acc1.accountkey, ${accountkey});
Thanks,
Nagesh K
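To see what the query in the answer above actually grants and denies, here is an added example that is not part of this thread and not the product's own code: it rebuilds the two tables as an in-memory SQLite database with constructed sample rows, renders the posted query in SQLite syntax (CASE instead of MySQL IF(), || instead of CONCAT(), bound parameters instead of the ${...} template tokens, and the acc1 alias throughout the second branch, since the acc alias of the first SELECT is out of scope there), and checks that a user is only ever offered a-<their own username> plus the endpoint's local accounts. The schema, column types and the JSON shape of accountconfig are assumptions. The strict_eligible_accounts function goes one step beyond the posted query: it parses the JSON flag instead of relying on the LIKE pattern, which matches any config containing ENABLED somewhere after the pamState key.

```python
import json
import sqlite3

# Constructed schema approximating the two tables the posted query joins.
# Column names follow the query; the types are assumptions.
SCHEMA = """
CREATE TABLE accounts (
    accountkey    INTEGER PRIMARY KEY,
    name          TEXT    NOT NULL,
    endpointkey   INTEGER NOT NULL,
    accountconfig TEXT    NOT NULL
);
CREATE TABLE account_attributes (
    accountkey      INTEGER NOT NULL REFERENCES accounts(accountkey),
    attribute_name  TEXT    NOT NULL,
    attribute_value TEXT    NOT NULL
);
"""

# Constructed sample data: endpoint 10 is the Windows server, endpoint 20 the AD domain.
ACCOUNTS = [
    (1, "svc-shared-admin", 10, '{"pamState":"ENABLED"}'),   # local account on the server
    (2, "a-jdfranco",       20, '{"pamState":"ENABLED"}'),   # requester's personal admin account
    (3, "a-alice",          20, '{"pamState":"ENABLED"}'),   # another admin's personal account
    (4, "a-bob",            20, '{"pamState":"DISABLED"}'),  # not under PAM management
    (5, "a-carol",          20, '{"pamState":"DISABLED","syncPolicy":"ENABLED"}'),  # LIKE false positive
]
MEMBERSHIP = [  # which domain accounts are members of which endpoint
    (2, "MEMBER_ENDPOINTKEY", "10"), (3, "MEMBER_ENDPOINTKEY", "10"),
    (4, "MEMBER_ENDPOINTKEY", "10"), (5, "MEMBER_ENDPOINTKEY", "10"),
    (2, "MEMBER_ENDPOINTKEY", "11"),
]

# SQLite rendering of the posted query. An absent account selection is passed as NULL
# (the template version compares against the literal string 'null').
QUERY = """
SELECT acc.accountkey AS id, acc.name AS name
FROM accounts acc
WHERE acc.endpointkey = :endpointkey
  AND acc.accountconfig LIKE '%"pamState"%ENABLED%'
  AND acc.accountkey = CASE WHEN :accountkey IS NULL THEN acc.accountkey ELSE :accountkey END
UNION
SELECT acc1.accountkey AS id, acc1.name AS name
FROM accounts acc1
JOIN account_attributes accattrb ON acc1.accountkey = accattrb.accountkey
WHERE accattrb.attribute_name = 'MEMBER_ENDPOINTKEY'
  AND accattrb.attribute_value = :endpointkey_text
  AND acc1.accountconfig LIKE '%"pamState"%ENABLED%'
  AND acc1.name = 'a-' || :username
  AND acc1.accountkey = CASE WHEN :accountkey IS NULL THEN acc1.accountkey ELSE :accountkey END
ORDER BY id
"""


def open_sample_db() -> sqlite3.Connection:
    """Build the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO account_attributes VALUES (?, ?, ?)", MEMBERSHIP)
    return conn


def eligible_accounts(conn, endpointkey, username, accountkey=None):
    """(id, name) pairs the posted query would offer `username` on `endpointkey`."""
    params = {"endpointkey": endpointkey, "endpointkey_text": str(endpointkey),
              "username": username, "accountkey": accountkey}
    return conn.execute(QUERY, params).fetchall()


def pam_enabled(accountconfig: str) -> bool:
    """Strict check of the pamState flag by parsing the JSON config."""
    try:
        return json.loads(accountconfig).get("pamState") == "ENABLED"
    except (ValueError, AttributeError):
        return False


def strict_eligible_accounts(conn, endpointkey, username, accountkey=None):
    """Same selection, but each candidate's pamState is verified from parsed JSON."""
    kept = []
    for acc_id, name in eligible_accounts(conn, endpointkey, username, accountkey):
        (config,) = conn.execute(
            "SELECT accountconfig FROM accounts WHERE accountkey = ?", (acc_id,)).fetchone()
        if pam_enabled(config):
            kept.append((acc_id, name))
    return kept


if __name__ == "__main__":
    db = open_sample_db()
    for user in ("jdfranco", "alice", "bob", "carol"):
        print(user, eligible_accounts(db, 10, user), strict_eligible_accounts(db, 10, user))
```

The check worth keeping from this model is the one with an explicit accountkey: a request for someone else's a- account by key returns nothing, because the name comparison, not the key filter, is what pins the second branch to the requesting user.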