Commander
830 views

Additional session request PAM Users | IDM | RestAPI


Hello All,

Use case: when PAM users require an additional session (on any specific server) with normal or super privileges, they should be able to request it using an IDM workflow.

PAM Command Control user session prerequisites required for the session:

  • Command (RDP or SSH rule)
  • 2 groups
    1. The user group (user name to whom the policy will be assigned)
    2. Session group (what user privileges the session will show to the user)
  • Host group (host IP address)


Issue we are facing:

Whenever users require an additional session, we need to modify 2 things.

  • Session group (additional user name)
  • Host group (additional server IP address)

When we try to modify the group details with the help of the REST API, the details are overwritten.

The old details are deleted.


Ex. Before API request, group details:   IDM/l1admin
                                         IDM/l2admin
    Sending new data:                    IDM/l3admin
    After API request, group:            IDM/l3admin

We are facing the same issue with the host group also.

Kindly provide a solution if there is any way to achieve this use case.

@tdharris 

7 Replies
Micro Focus Expert

Are you trying to implement the automation yourself or are you using the NetIQ Identity Manager driver for PAM?

--
Norbert
Commander

Hi team,

Yes, we are using IDM, but for the PAM workflow integration we are using the REST API.

We have almost achieved it, but there are multiple manual things, so we need advice on achieving this.
Micro Focus Expert

The Modify User Group API (/cmdctrl/Policy/usergroup/{key}) uses the HTTP PUT method.

The PUT method requests that the state of the target resource be created or replaced with the state defined by the representation enclosed in the request message payload.

So if you want to add a member, you need to retrieve the group's current state, update it and then send the whole object back.


--
Norbert
Commander

I already tried group sync and the part you mentioned earlier, but it is not working.

1. Group sync: we have to create a separate group for every user; it's working, but I require some other option.

2. It was not working; at a time only one request is working, GET or PUT.

Is it possible I share the SR number for this so you can support this part?

Micro Focus Expert

Regarding the SR, please work with the Support Engineer and feel free to try for escalation as necessary or ask them to run it by me if they are able.
It's unusual to have to create a single cmdctrl rule for authorization for each and every specific user. Usually, there is some pattern for accessing privilege based on similar group membership such as "Database Administrators," or something along those lines. The idea behind governing privilege this way is that the effort of managing is reduced by creating rules/policies based on roles rather than the weight of governing user-by-user.
In mapping the external group, you can also use a syntax to point directly to the user and then you don't need to create or manage the group in the external LDAP directory. For example, instead of the FDN context of the LDAP group, you could simply put the DOMAIN\User directly in that field which should also authorize.
Commander

I worked with Support; I feel that they are not able to resolve this issue, so they mailed me to contact the Micro Focus PS team (which is paid).

Micro Focus Expert

@klasen is right here. I went through and tried the REST API myself using the REST API Explorer we have just to verify the behavior ("/rest_api" or navigate to it by selecting the top-right > Rest API). I'll walk through what I did in case you find it helpful.

I created a new "test" group and made a GET "/rest/cmdctrl/Policies" to find the "key" of this newly created user group, which I found to be "6" in my environment. I added a couple of users to that group (user1, user2) in the PAM Administration Command Control Console just so there was some state there already.

I fetched the current state of this group using GET "/rest/cmdctrl/Policy/usergroup/{key}" where "{key}" was "6", and I could verify not only the expected format to use in my PUT, but also the current state, or list of users, already in that group.

I then added another user, "user3", to that list and updated it using PUT "/rest/cmdctrl/Policy/usergroup/{key}" with the following body data:

Note: I am keeping the retrieved "UserList" state from my GET above and simply appending a "user3" value into that list.

{
    "UserGroup": {
        "UserList": {
            "User": [
                { "value": "user1" },
                { "value": "user2" },
                { "value": "user3" }
            ]
        }
    }
}

The above seemed to work fine for me; I was able to add a user to the Command Control User Group using the REST API.
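The read-modify-write flow from the two replies above, as an added Python example (not code from this thread or from the PAM product): the endpoint path and the JSON shape are the ones shown in the reply; the server URL, the authentication headers, the injectable `opener`, and the assumption that a UserGroup may carry other fields are mine. It also shows why a body holding only the new member wipes the group.

```python
import json
import urllib.request

# Constructed sample: the group state the reply above fetched with
# GET /rest/cmdctrl/Policy/usergroup/{key} before adding "user3".
CURRENT_STATE = {
    "UserGroup": {"UserList": {"User": [{"value": "user1"}, {"value": "user2"}]}}
}

def members(group):
    """List the member values in a UserGroup representation."""
    return [u["value"] for u in group.get("UserGroup", {}).get("UserList", {}).get("User", [])]

def replace_only(user):
    """The body that loses members: PUT replaces the whole resource, so a
    body holding only the new member leaves only that member behind."""
    return {"UserGroup": {"UserList": {"User": [{"value": user}]}}}

def merge_member(group, user):
    """Return a copy of the fetched state with `user` appended to UserList.User.
    Existing members and any other UserGroup fields (assumed possible) are
    carried over unchanged; a member already present is not added twice."""
    merged = json.loads(json.dumps(group))  # deep copy; never mutate the GET result
    users = merged.setdefault("UserGroup", {}).setdefault("UserList", {}).setdefault("User", [])
    if all(u.get("value") != user for u in users):
        users.append({"value": user})
    return merged

def add_member(base_url, key, user, headers, opener=urllib.request.urlopen):
    """GET the current state, merge, then PUT the complete object back.
    base_url and headers (authentication) are placeholders for your environment;
    `opener` is injectable so the flow can be exercised without a live server."""
    url = f"{base_url}/rest/cmdctrl/Policy/usergroup/{key}"
    hdrs = {"Accept": "application/json", "Content-Type": "application/json", **headers}
    with opener(urllib.request.Request(url, headers=hdrs)) as resp:
        current = json.loads(resp.read())
    merged = merge_member(current, user)
    body = json.dumps(merged).encode()
    with opener(urllib.request.Request(url, data=body, headers=hdrs, method="PUT")) as resp:
        return resp.status, members(merged)

if __name__ == "__main__":
    print(members(replace_only("user3")))                 # the overwrite: only user3 survives
    print(members(merge_member(CURRENT_STATE, "user3")))  # user1, user2 and user3 kept
```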
