
Saviynt CPAM - Azure Instance

ashok-security
New Contributor

Hi,

I need to build just-in-time access for a privileged account to get added to roles in Azure AD. Can someone provide details on how to set it up, what custom configurations are needed on the Saviynt side, and the ETA to get App Launcher added to my tenant?

Thanks

Ashok


sudeshjaiswal
Saviynt Employee

Hello @ashok-security ,

Please refer to this article: https://forums.saviynt.com/t5/privileged-access-management/looking-for-documentation-steps-to-enable...

Thanks

If you find the above response useful, kindly mark it as "Accept As Solution".

NageshK
Saviynt Employee

@ashok-security Thanks for posting your question. Please find below the doc portal link that talks about the process of setting up Remote App. Make sure that you open a ticket to get the infra created. 

https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v24x/page/Content/A-Overview/Remote-App-Suppor...

As for the onboarding of Azure AD Accounts for PAM, this has to be done manually. Please follow the below steps:

  1. Users who need to access the Azure Console through App Launcher will require a separate account in Azure AD (vs. the standard account that might be used for other app integrations), as the credentials of this account will be vaulted and users will not know the pwd after it is vaulted.

  2. If you already have an Azure AD EP, SS and Conn that you are using for IGA use cases, leave it be and create a new Azure AD EP, SS and Conn for PAM (please note that you need two Conns here: one of type Azure AD for recon and another of type REST for provisioning). Refer to this new endpoint as the PAM Endpoint and the existing one (if you have one) as the IGA Endpoint.

  3. In the Azure AD connection, add the following to PAM_CONFIG. Leave the values as-is. The only value we would be using from here is the EncryptionMechanism:
     {
       "Connection": "Azure",
       "EVQuery": "ev.customproperty40=''",
       "whiteListedIPs": "",
       "encryptionMechanism": "Encrypted",
       "CONSOLE": {
         "shareableAccounts": {
           "IDQueryCredentials": "acc.name in ('')",
           "IDQueryCredentialless": "acc.name in ('')"
         },
         "maxIDRequestableTime": "10000",
         "maxCredSessionRequestTime": "10000",
         "maxCredlessSessionRequestTime": "10000",
         "maxConcurrentSession": "2",
         "endpointAttributeMappings": [
           {
             "column": "accessquery",
             "value": "",
             "feature": "endpointAccessQuery"
           },
           {
             "column": "allowChangePassword_sqlquery",
             "value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
             "feature": "allowChangepasswordquery"
           },
           {
             "column": "customproperty43",
             "value": "PAMDefaultUserAccountAccessControl",
             "feature": "accountVisibilityControl"
           }
         ]
       }
     }
  4. Do not add any user-account correlation rule for the PAM Endpoint. Perform the account and access import on the PAM Endpoint. Once done, manually correlate the privileged accounts (created in step 1) to the Users in EIC.

  5. Manually PAM Enable the Azure AD Endpoint by navigating to the PAM Attributes tab of the endpoint and providing values as follows:
    - Toggle PAM Enabled button to ON
    - Change Resource Type dropdown to "CONSOLE"
    - Add following json in Configuration :  {"maxInActiveTimeInSec":"30","maxReqExpWarnPeriodInSec":"11","maxSessionLimitInSec":"600","maxInActiveWarnPeriodInSec":"10","maxConcurrentSession":"51","maxSessionWarnPeriodInSec":"10"}
    - Click on the update button
  6. Navigate to Admin -> Identity Repo -> Accounts and download the Azure AD privileged accounts to a CSV.

  7. Add an Account Config column to the CSV and populate the required Account Config value. Once done, upload the accounts back to EIC.
    Sample account config:
    {\"defaultrequestabletimeforidinsecs\":\"10000\",\"defaultrequestabletimeinsecs\":\"10000\",\"maxrequestabletimeinsecs\":\"10000\",\"diffbetweenrequests\":\"\",\"authenticationType\":\"\",\"maxrequestabletimeforidinsecs\":\"10000\",\"Saviynt-Status\":{\"pamState\":\"NEW\",\"pamType\":\"CREDENTIAL\",\"errorDetails\":\"\",\"justInTime\":\"\"}}
  8. Depending on the number of privileged accounts, you can either use the UI or trigger a change password task via the API in Postman. If doing it manually, just navigate to the account, click EDIT on the account config and toggle the "PAM Enabled" button. For the API, see the details at the end.

  9. Once the change password is successful, the priv accounts will be PAM Enabled and will start showing up in the UI.

  10. Now create FireFighter Roles for each of the Azure AD roles you want the users to submit access for, and assign the Azure AD Role entitlement to the FireFighter roles.

  11. Once you get the Remote App infra details, update them in Global Config -> PAM and also execute an enhanced query to assign the Azure AD App Launcher to the PAM endpoint.

    Query to be used : select epp.endpoints_properties_key as endpoints_properties__PRIMARYKEY, (select apptypekey from applicationtype where NAME = 'Azure') as endpoints_properties__APPTYPEKEY from endpoints_properties epp where epp.endpointkey = <mention the Azure AD endpointkey value>

  12. Create a custom account visibility control and mention it in the endpoint's CustomProperty43 so that end users will only see their own priv account in the UI while submitting an access request to the Azure Console (App Launcher).

  13. Now, end users will have to submit 2 access requests from the PAM UI as follows:
    - Request time based access to the FireFighter Role 
    - Request App Launcher access by selecting the priv account associated to the user


Create change pwd task for accounts through API:

POST call to: {{base-url}}/ECM/api/v5/createtask with Request body as:

    {
      "username": "admin",
      "accountname": "{{accountName}}",
      "endpointname": "AzureADSaviyntTenant",
      "tasktype": "CHANGEPASSWORD",
      "assignmenttype": "ACCOUNTS",
      "comments": "Change Pwd in Bulk"
    }

You can provide accountName as input through a CSV file.

Thanks

Nagesh K
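A way to drive the bulk change-password step (step 8 and the API body at the end of Nagesh's reply) from the CSV exported in step 6, as an added example that is not part of the original thread or of Saviynt's own tooling; the base URL, the bearer-token header, the sample CSV and the account names are assumptions.

```python
# Bulk CHANGEPASSWORD task creation through the createtask API from a CSV of
# privileged account names (step 8 and the API note in the reply above).
import csv
import io
import json
import urllib.error
import urllib.request

# Constructed sample CSV, standing in for the Accounts export from step 6.
SAMPLE_CSV = """accountname,endpoint
pam-ashok,AzureADSaviyntTenant
pam-jane,AzureADSaviyntTenant
"""

def load_account_names(csv_text, column="accountname"):
    """Non-empty values of the given CSV column, in file order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in reader if (row.get(column) or "").strip()]

def build_task_body(account_name, endpoint_name, username="admin"):
    """Request body in exactly the shape shown in the reply."""
    return {
        "username": username,
        "accountname": account_name,
        "endpointname": endpoint_name,
        "tasktype": "CHANGEPASSWORD",
        "assignmenttype": "ACCOUNTS",
        "comments": "Change Pwd in Bulk",
    }

def build_requests(base_url, token, csv_text, endpoint_name):
    """(accountname, prepared POST) per account. The bearer-token header is an
    assumption, not taken from the reply; adapt it to your tenant's auth."""
    url = base_url.rstrip("/") + "/ECM/api/v5/createtask"
    headers = {"Content-Type": "application/json", "Authorization": "Bearer " + token}
    return [(n, urllib.request.Request(url, method="POST", headers=headers,
             data=json.dumps(build_task_body(n, endpoint_name)).encode()))
            for n in load_account_names(csv_text)]

def send_all(pairs, opener=urllib.request.urlopen):
    """Send each request and record (accountname, HTTP status) so one failing
    account does not silently stop the rest of the batch."""
    results = []
    for name, req in pairs:
        try:
            with opener(req) as resp:
                results.append((name, resp.status))
        except urllib.error.HTTPError as err:
            results.append((name, err.code))
    return results
```

Review the returned (account, status) list before step 9: any account that did not get a success status will not be PAM Enabled and needs a retry or a look at the task in the UI.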