nimitdave
Saviynt Employee

Use Case

For security reasons, sensitive data such as passwords should not appear in plain text in the Import/Provisioning JSON. JSONs that contain sensitive data may also be displayed in logs, job summaries, and similar places. This article describes how to store sensitive data in encrypted form when configuring the REST connector.

Pre-requisites

The target REST APIs should work when called from the Postman tool.

The Import JSONs should work with the desired credential attributes hardcoded in the JSONs.

Applicable Version(s)

ALL

Solution

  • Storing sensitive or user-defined data in the ConnectionJSON of the REST connector addresses this scenario, because the Connection JSON is encrypted/hashed once the JSON is updated and the connection is saved.
  • The password (here “importPassword”) and the user-defined attributes (here serverName, assetName, randKey1, randKey2, randKey3) can be declared in the Connection JSON as shown below.
  • This password declaration was used for the Exchange over REST connector, where the client did not want the password displayed in the Import JSONs:
Sample Connection JSON:

{
  "authentications": {
    "acctAuth": {
      "authType": "Basic",
      "url": "SAMPLEURL",
      "httpMethod": "POST",
      "httpParams": {},
      "httpHeaders": {},
      "httpContentType": "text/html",
      "properties": {
        "userName": "test.testing@saviynt.com",
        "password": "Hello@123"
      },
      "expiryError": "ExpiredAuthenticationToken",
      "authError": [
        "InvalidAuthenticationToken",
        "AuthenticationFailed"
      ],
      "timeOutError": "Read timed out",
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "tokenType": "Basic",
      "accessToken": "Basic bmlzaGFyLmJhYnVAc2",
      "importPassword": "$@v!ynt@2020",
      "serverName": "xkbbkk12345",
      "assetName": "BMEP@testserv",
      "randKey1": "123456qweqwe",
      "randKey2": "12asdasd3456",
      "randKey3": "123asfasfasfa"
    }
  }
}

  • The variables defined above can be used in any Provisioning/Import JSON, as shown below, using the format
    ${connection.<attributename>}

Sample Update Account JSON:

{
  "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
  "responseColsToPropsMap": {
    "displayName": "call1.message.user.name~#~char"
  },
  "call": [
    {
      "name": "Role",
      "connection": "acctAuth",
      "url": "SAMPLEURL/data/${account.accountID}",
      "httpMethod": "PUT",
      "httpParams": "{\"user\": {\"name\": \"${connection.importPassword}\"},{\"server\": \"${connection.serverName}\"},{\"name\": \"${connection.assetName}\"},{\"keyval\": \"${connection.randKey1}\"}}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201
        ]
      }
    }
  ]
}

 

Sample ImportAccountEntJSON For Exchange Over REST:

{
  "globalSettings": {
    "dateFormat": "yyyy-MM-dd HH:mm:ss"
  },
  "accountParams": {
    "createUsers": false,
    "adminName": "admin",
    "processingType": "SequentialAndIterative",
    "statusAndThresholdConfig": {
      "accountNotInImportAction": "Suspend",
      "accountThresholdValue": 100
    },
    "connection": "acctAuth",
    "call": {
      "call1": {
        "callOrder": 0,
        "stageNumber": 0,
        "http": {
          "url": "<<SAMPLEURL>>",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpContentType": "application/x-www-form-urlencoded",
          "httpMethod": "POST",
          "httpParams": {
            "Script": "\\$pass=convertto-securestring ${connection.importPassword} -asplaintext -force; \\$mycred=new-object -typename System.Management.Automation.PSCredential -argumentlist 'xxxxxx\\\\mrsaviyntdev',\\$pass; \\$Session=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://SAMPLE/PowerShell/ -Authentication Kerberos -Credential \\$mycred; \\$ses=Import-PSSession \\$Session -DisableNameChecking -AllowClobber; Get-RemoteMailbox -identity 'TEST' |Select ExchangeGuid,SamAccountName,UserPrincipalName,WhenMailboxCreated,AddressListMembership,Alias,DisplayName,PrimarySmtpAddress,RecipientType,RecipientTypeDetails,WindowsEmailAddress,GrantSendOnBehalfTo,Name,DistinguishedName,Guid,EmailAddressPolicyEnabled,AccountDisabled"
          }
        },
        "listField": "",
        "keyField": "name",
        "statusConfig": {
          "active": "False",
          "inactive": "True"
        },
        "colsToPropsMap": {
          "name": "SamAccountName~#~char",
          "created_on": "WhenMailboxCreated~#~datetime",
          "displayname": "DisplayName~#~char",
          "accountID": "UserPrincipalName~#~char",
          "accounttype": "RecipientType~#~char",
          "description": "Name~#~char",
          "status": "AccountDisabled~#~char",
          "comments": "DistinguishedName~#~char",
          "customproperty1": "UserPrincipalName~#~char",
          "customproperty2": "AddressListMembership~#~char",
          "customproperty3": "RecipientTypeDetails~#~char",
          "customproperty4": "WindowsEmailAddress~#~char",
          "customproperty5": "GrantSendOnBehalfTo~#~char",
          "customproperty6": "Alias~#~char",
          "customproperty7": "Guid~#~char",
          "customproperty8": "ExchangeGuid~#~char",
          "customproperty9": "WhenMailboxCreated~#~char",
          "customproperty10": "EmailAddressPolicyEnabled~#~char",
          "customproperty11": "PrimarySmtpAddress~#~char"
        }
      }
    }
  }
}
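
A pre-deployment check for the pattern above, as an added example (not Saviynt code and not part of the original article): it walks an Import/Provisioning JSON, reports ${connection.<attributename>} references that are not defined under the named connection in the Connection JSON, and reports places where a secret's literal value is still hardcoded. The function names, the sample JSON and all values in it are constructed for illustration.

```python
import json
import re

# Matches the article's reference format: ${connection.<attributename>}
PLACEHOLDER = re.compile(r"\$\{connection\.(\w+)\}")

def iter_strings(node, path="$"):
    """Yield (json_path, text) for every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def lint(connection_json, task_json, connection_name, secret_names):
    """Return (undefined, hardcoded) as lists of (json_path, attribute_name).

    Only attribute names and locations are reported, never secret values,
    so the output is safe to paste into a ticket or a CI log.
    """
    attrs = json.loads(connection_json)["authentications"][connection_name]
    undefined, hardcoded = [], []
    for path, text in iter_strings(json.loads(task_json)):
        for name in PLACEHOLDER.findall(text):
            if name not in attrs:
                undefined.append((path, name))
        for name in secret_names:
            value = attrs.get(name)
            if isinstance(value, str) and value and value in text:
                hardcoded.append((path, name))
    return undefined, hardcoded

# Constructed sample data (hypothetical values, not from a real tenant).
CONNECTION = json.dumps({"authentications": {"acctAuth": {
    "authType": "Basic",
    "importPassword": "Constructed-Pw-1",
    "serverName": "srv-example-01"}}})
TASK = json.dumps({"call": [
    {"name": "Good", "connection": "acctAuth",
     "httpParams": '{"user": {"name": "${connection.importPassword}"}}'},
    {"name": "Typo", "connection": "acctAuth",
     "httpParams": '{"server": "${connection.serverNmae}"}'},
    {"name": "Leak", "connection": "acctAuth",
     "httpParams": '{"user": {"name": "Constructed-Pw-1"}}'}]})

if __name__ == "__main__":
    print(lint(CONNECTION, TASK, "acctAuth", ["importPassword"]))
```

The check compares decoded string values, so it also catches secrets embedded in escaped httpParams strings like the one in the Update Account sample.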

References

https://docs.saviyntcloud.com/bundle/REST-v55x/page/Content/Developers-Handbook.htm

 

Version history
Last update: 04/03/2024 01:49 PM