Click HERE to see how Saviynt Intelligence is transforming the industry. |
04/19/2023 11:08 AM
Hi Team,
Q1 :
We are trying to switch existing PAM enabled account from credential-less to credential using PAM_Config available in connection json. After running Bootstrap job, Saviynt is not changing these account status from credential-less to credential.
Is it possible to update existing account PAM config using Bootstrap Job?
Q2:
We have manually removed/deleted account config and account type(Firefighter ID) for existing PAM enabled account and tried to make this account as PAM-enabled using Bootstrap Job.
In this scenario when bootstrap job is run the expected result is to make that account as PAM enabled but Saviynt Bootstrap Job is not making this account as PAM enabled.
Could you please let us know how we can make this account as PAM enabled?
Thanks,
Umesh
04/21/2023 03:15 PM
@Dheeraj_Reddy @UVP Thanks for posting your question.
Once an account is PAM Enabled, no further processing will occur on it during subsequent bootstrap of the endpoint unless the existing Account Config is removed. In your scenario you removed it but still the account didn't get picked up. This will need an analysis of the logs. Please share the pamms and ecm logs for when the bootstrap was triggered.
Thanks,
Nagesh K
05/02/2023 12:54 PM
Hi Nagesh,
Due to some restriction, we can't update logs here but we have created fresh desk ticket -1621184 for this issue.
05/02/2023 02:38 PM - edited 05/02/2023 02:44 PM
@UVP Can you elaborate on how you are changing the PAM_CONFIG? In the meanwhile, you can also simply change the Access Type dropdown from Credentialless to Credential and click save. Once done, refresh the endpoint list page and click on "Select ID". You should be able to see the change then. And this approach should work for most of the targets except for Linux. Added the screenshot below for reference
Note: Please make sure that you do not have any active sessions on this account when you are changing this as it will impact the ongoing sessions. You can check for the active sessions in Control Center -> Manage PAM Sessions
05/03/2023 09:49 AM - edited 05/03/2023 09:50 AM
Thanks Nagesh.
The approach (Screenshot) which you mentioned is an Manual approach.
In our case we are changing PAM_Config at connection level and trying to make account as PAM enabled using Bootstrap Job
Observation: After removing account config and account type, we are able to bootstrap account as credential-less but not credentials.
Thanks,
Umesh
05/03/2023 10:09 AM
@UVP Thanks for the update. As requested, can you elaborate on how you made the changes to PAM_CONFIG?
Thanks,
Nagesh K
05/03/2023 10:40 AM
Hi Nagesh,
We did below steps :
Thanks,
Umesh