Highlighted
Trusted Contributor.
Trusted Contributor.
273 views

Additional session request PAM Users | IDM | RestAPI

 

Hello All,.

 

Use case:-  PAM Users When Required any additional session (any specific server ) with normal or Super privileges they should able to request for this by using IDM workflow.

 

 

PAM command control User session prerequisite required for the session :-

 

  • Command (RDP or ssh rule)     
  • 2 groups
  1. The user group  (user name whom the policy will assign)
  2. Session group (what are the user privileges session will show to the user)
  •   Host group ( Host IP address )

 

Issue what we facing:-

Whenever users required additional session we need to modify 2 things.

  • Session Group (Additional User name )
  • Host group (additional servers Ip address)

With the help of Rest API when we trying to modify the group details is overwatering.

Old details are deleting.

 

Ex. Before API request group details       IDM/l1admin

                                                                        IDM/l2admin

    Sending new data                                    IDM/l3admin

           After api request group                  IDM/l3admin

 

Same issue we are facing host group also.

Kindly provide a solution if any way to achieve this use case.

@tdharris 

6 Replies
Highlighted
Micro Focus Expert
Micro Focus Expert

Are you trying to implement the automation yourself or are you using the NetIQ Identity Manager driver for PAM?

--
Norbert
0 Likes
Highlighted
Trusted Contributor.
Trusted Contributor.

Hi team,

Yes, we are using IDM but for PAM Workflow integration we are using RestAPI.

we almost achieve but there are multiple manuals things so need advice for achieving this.
Highlighted
Micro Focus Expert
Micro Focus Expert

The Modify User Group API (/cmdctrl/Policy/usergroup/{key}) uses the HTTP PUT method.

The PUT method requests that the state of the target resource be created or replaced with the state defined by the representation enclosed in the request message payload.

So if you want to add a member, you need to retrieve the group's current state, update it and then send the whole object back.

 

--
Norbert
0 Likes
Highlighted
Trusted Contributor.
Trusted Contributor.

I already tried group synk and this part what u are mention earlier but not working.

 

1 group synk := we have to create a separate group for every user it's working but I required some other option.

second, it was not working at a time only one request is working get or put.

 

is it possible I Shire SR no for this so u support for this part.

0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

Regarding the SR, please work with the Support Engineer and feel free to try for escalation as necessary or ask them to run it by me if they are able.
It's unusual to have to create a single cmdctrl rule for authorization for each and every specific user. Usually, there is some pattern for accessing privilege based on similar group membership such as "Database Administrators," or something along those lines. The idea behind governing privilege this way is that the effort of managing is reduced by creating rules/policies based on roles rather than the weight of governing user-by-user.
In mapping the external group, you can also use a syntax to point directly to the user and then you don't need to create or manage the group in the external LDAP directory. For example, instead of the FDN context of the LDAP group, you could simply put the DOMAIN\User directly in that field which should also authorize.
0 Likes
Highlighted
Trusted Contributor.
Trusted Contributor.

I work with the support I feel that they are not able to resolve this issue so they mail me that to contact with Microfocus PS team (which is paid ).

 

 

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.