
What Delegated Permissions are needed for AD Connections (CPAM)

amyers
New Contributor

For CPAM, in creating an Active Directory connection, what are the delegated permissions required for the "master" account to be able to rotate privileged accounts in Active Directory?

It obviously will need "reset passwords" access to the accounts, and potentially full read/write access, but I want to know exactly what permissions the master account should have to manage a given account. That way we don't give it more permissions than needed.
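As an added worked example (not from this thread or from Saviynt's documentation), here is how the least-privilege delegation asked about above looks when applied with PowerShell: the master account gets only the "Reset Password" control access right plus write access to pwdLastSet and lockoutTime on user objects under one OU, and nothing else. The account name and OU are assumptions; the schema GUIDs are the fixed well-known values every AD forest uses.

```powershell
# Added example: delegate only what a password-rotation service account needs.
# Assumed names: the master account and the OU that holds the managed accounts.
Import-Module ActiveDirectory

$MasterAccount = 'CONTOSO\svc-cpam-master'            # assumed CPAM master account
$TargetOU      = 'OU=Privileged,DC=contoso,DC=com'    # assumed OU of managed accounts

# Well-known schema GUIDs (identical in every AD forest)
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e05f1'  # "Reset Password" control access right
$PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$LockoutTimeGuid   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute

$sid = (New-Object System.Security.Principal.NTAccount($MasterAccount)).
           Translate([System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$TargetOU"

# ACE 1: the Reset Password extended right, scoped to descendant user objects only.
# This is the reset (no old password needed) used by a vault, not "change password".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClassGuid)))

# ACE 2/3: read+write on pwdLastSet (clear or force "must change at next logon")
# and lockoutTime (unlock after a rotation trips a lockout). Still user objects only.
foreach ($attrGuid in $PwdLastSetGuid, $LockoutTimeGuid) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)))
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list exactly the ACEs the master account now holds on the OU.
# Expect three rows: ExtendedRight/Reset Password, and ReadProperty, WriteProperty
# for each of the two attribute GUIDs, all with InheritedObjectType = user class.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $MasterAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Note that none of these ACEs grants GenericAll, WriteDacl or WriteOwner, so a compromise of the master account cannot be turned into takeover of the OU itself; if the product additionally needs account import, the default "Read all properties" that Authenticated Users already hold usually covers it, and anything beyond that should be added as a further attribute-scoped ACE rather than as full control.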

5 REPLIES

NageshK
Saviynt Employee

@amyers Thanks for posting your question. Please follow the doc portal article below to understand how to provide the least amount of privileges based on the use cases.

https://docs.saviyntcloud.com/bundle/AD-v23x/page/Content/Preparing-for-Integration.htm#Managing

Thanks,

Nagesh K

amyers
New Contributor

Hi @NageshK ,

Just to confirm, is the workflow defined in that document the same that will be used for CPAM?

I see that the document references integrating AD with EIC, and I want to make sure that there isn't something different that needs to be done for CPAM.

Reading through the documentation in general, sometimes I find it hard to tell when something is referring to EIC integration or CPAM integration. If I am using both EIC and CPAM, do they share AD integrations?

NageshK
Saviynt Employee

@amyers EIC is the Saviynt Platform containing multiple products/modules like IGA, CPAM, AAG, TPAG and VAM, and Connectors are part of the core framework, which is used by all products/modules.

By default, when you are implementing both IGA and CPAM, the underlying connector will be the same. However, there might be very few cases, based on an Organization's custom requirements, where they can choose to create a new connection. But this will also increase the effort in maintaining those connections.

e.g.: An org has an existing AD Conn (ADConn1) which brings in all AD Accounts during Account import. However, they want to segregate the a- accounts (which are highly privileged) into a new Endpoint. They then create another AD Conn (ADConn2) which will filter and bring in only a- accounts.

While this is good from a segregation point of view, it will bring in additional challenges like educating users that there are two different endpoints to submit access requests, maintaining the additional connection and the import job schedule, etc.

Thanks

Nagesh K

amyers
New Contributor

Hi @NageshK ,

One other thing that is not mentioned in the documentation;

Is there anything specific needed to rotate the password of an account that is a member of a Protected Group in AD? We have some accounts pulled in from AD that are part of Domain Admins. When we try to provision the accounts, we get LDAP error 53.

However, if we remove them from Domain Admins, the same accounts can be provisioned correctly and have their password managed.

Clearly there is something about membership to Domain Admins that is causing the accounts to not be provisioned, and the documentation does not mention this.

Can you assist?
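An added diagnostic (not from this thread or from Saviynt) for the Domain Admins case described above. Members of AD's protected groups are stamped with adminCount=1 and, every 60 minutes by default, the SDProp process overwrites their security descriptor with the one on CN=AdminSDHolder,CN=System and disables inheritance, so an OU-level delegation never reaches them and any ACE added directly to the account is reverted within the hour. The script below shows whether a given account is in that state and compares what the master account holds on the account versus on AdminSDHolder. The account names are assumptions.

```powershell
# Added example: check whether a managed account is AdminSDHolder-protected,
# which explains why OU-scoped delegation does not apply to it.
Import-Module ActiveDirectory

$MasterAccount  = 'CONTOSO\svc-cpam-master'   # assumed CPAM master account
$SamAccountName = 'a-jdoe'                    # assumed Domain Admins member

$user     = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf
$domainDN = (Get-ADDomain).DistinguishedName
$adminSdHolder = "CN=AdminSDHolder,CN=System,$domainDN"

# 1. adminCount=1 means SDProp has already stamped this object from AdminSDHolder.
"{0}: adminCount={1}" -f $user.SamAccountName, $user.adminCount

# 2. Which protected groups is it in? (Domain Admins is the one from the thread.)
$user.memberOf | ForEach-Object { (Get-ADGroup $_).Name } |
    ForEach-Object { "  member of: $_" }

# 3. Protected accounts have inheritance blocked, so OU delegation is invisible here.
$userAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
"Inheritance blocked on account: {0}" -f $userAcl.AreAccessRulesProtected

# 4. Compare the master account's ACEs on the account with those on AdminSDHolder.
#    If it has rights on the OU but nothing on AdminSDHolder, the rotation will
#    fail for this account and succeed for unprotected ones, as observed above.
foreach ($path in $user.DistinguishedName, $adminSdHolder) {
    "--- ACEs for $MasterAccount on $path"
    $aces = (Get-Acl -Path "AD:\$path").Access |
        Where-Object { $_.IdentityReference -eq $MasterAccount } |
        Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
    if ($aces) { $aces | Format-Table -AutoSize | Out-String } else { "  (none)" }
}
```

Two caveats before acting on the output. Granting the master account Reset Password on AdminSDHolder makes it a Tier 0 principal, since that ACE flows to every protected account in the domain, so that decision belongs with whoever owns the domain, not the PAM rollout. Separately, AD refuses unicodePwd writes over an unencrypted LDAP bind, which is why the SSL question in the next reply matters: a password reset that works for unprotected accounts rules that out, but it is the first thing to confirm when the error appears on every account.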

NageshK
Saviynt Employee

@amyers can you share the logs for the time when the change pwd is failing? Also, are you using an SSL connection?

Thanks,

Nagesh K