
Unable to change Account config for PAM enabled account using Bootstrap Job

UVP
New Contributor II

Hi Team,

Q1:

We are trying to switch an existing PAM-enabled account from credential-less to credential using the PAM_Config available in the connection JSON. After running the Bootstrap job, Saviynt is not changing the status of these accounts from credential-less to credential.

Is it possible to update an existing account's PAM config using the Bootstrap Job?

Q2:

We have manually removed/deleted the account config and account type (Firefighter ID) for an existing PAM-enabled account and tried to make this account PAM-enabled using the Bootstrap Job.

In this scenario, when the Bootstrap Job is run, the expected result is that the account becomes PAM-enabled, but the Saviynt Bootstrap Job is not making this account PAM-enabled.

Could you please let us know how we can make this account PAM-enabled?

Thanks,

Umesh


NageshK
Saviynt Employee

@Dheeraj_Reddy @UVP Thanks for posting your question. 

Once an account is PAM Enabled, no further processing will occur on it during subsequent bootstrap of the endpoint unless the existing Account Config is removed. In your scenario you removed it but still the account didn't get picked up. This will need an analysis of the logs. Please share the pamms and ecm logs for when the bootstrap was triggered. 

Thanks,

Nagesh K

UVP
New Contributor II

Hi Nagesh,

Due to some restrictions, we can't update logs here, but we have created fresh desk ticket -1621184 for this issue.

FYI - we tried the steps below and they are not working for us.

1. Delete the account config of the desired account(s) and clear the Account type
2. Change the PAM_CONFIG of the endpoint to reflect which account is being considered as credential
3. Run the bootstrap job again

Observation: After removing account config and account type, we are able to bootstrap account as credential-less but not credentials.

Let us know if you need more information on this.
 
Thanks,
Umesh

NageshK
Saviynt Employee

@UVP Can you elaborate on how you are changing the PAM_CONFIG? In the meantime, you can also simply change the Access Type dropdown from Credentialless to Credential and click save. Once done, refresh the endpoint list page and click on "Select ID". You should be able to see the change then. This approach should work for most of the targets except for Linux. Added the screenshot below for reference.

Note: Please make sure that you do not have any active sessions on this account when you are changing this as it will impact the ongoing sessions. You can check for the active sessions in Control Center -> Manage PAM Sessions  

 

[Screenshot]

 

   

UVP
New Contributor II

Thanks Nagesh.

The approach (screenshot) which you mentioned is a manual approach.

In our case, we are changing PAM_Config at the connection level and trying to make the account PAM enabled using the Bootstrap Job.

Observation: After removing account config and account type, we are able to bootstrap account as credential-less but not credentials.

Thanks,

Umesh

NageshK
Saviynt Employee

@UVP Thanks for the update. As requested, can you elaborate on how you made the changes to PAM_CONFIG?

Thanks,

Nagesh K

UVP
New Contributor II

Hi Nagesh,

We did the steps below:

1. Account 'A' is PAM enabled and set as credential-less
2. We have deleted the account config and account type for this 'A' user account
3. Changed PAM_Config in the connection object and set this account as a credential one
Note: Switched account 'A' from 'IDQueryCredentialless' to 'IDQueryCredentials'
-----
"shareableAccounts": {
    "IDQueryCredentials": "acc.name in ('A' )",
    "IDQueryCredentialless": "acc.name in ('')"
}
-----
4. Ran the Bootstrap Job
5. Account 'A' was not set as PAM enabled and the change password task was not triggered for this account
 
Observation: After removing account config and account type, we are able to bootstrap account as credential-less but not credentials. 

Thanks,

Umesh