Additional session request PAM Users | IDM | RestAPI - Micro Focus Community

Mishra · ‎2020-09-04

Hello All,.

Use case:- PAM Users When Required any additional session (any specific server ) with normal or Super privileges they should able to request for this by using IDM workflow.

PAM command control User session prerequisite required for the session :-

Command (RDP or ssh rule)
2 groups

The user group (user name whom the policy will assign)
Session group (what are the user privileges session will show to the user)

Host group ( Host IP address )

Issue what we facing:-

Whenever users required additional session we need to modify 2 things.

Session Group (Additional User name )
Host group (additional servers Ip address)

With the help of Rest API when we trying to modify the group details is overwatering.

Old details are deleting.

Ex. Before API request group details IDM/l1admin

IDM/l2admin

Sending new data IDM/l3admin

After api request group IDM/l3admin

Same issue we are facing host group also.

Kindly provide a solution if any way to achieve this use case.

@tdharris

klasen · ‎2020-09-04

Are you trying to implement the automation yourself or are you using the NetIQ Identity Manager driver for PAM?

--
Norbert

Mishra · ‎2020-09-04

Hi team,

Yes, we are using IDM but for PAM Workflow integration we are using RestAPI.

we almost achieve but there are multiple manuals things so need advice for achieving this.

klasen · ‎2020-09-04

The Modify User Group API (/cmdctrl/Policy/usergroup/{key}) uses the HTTP PUT method.

The PUT method requests that the state of the target resource be created or replaced with the state defined by the representation enclosed in the request message payload.

So if you want to add a member, you need to retrieve the group's current state, update it and then send the whole object back.

--
Norbert

Mishra · ‎2020-09-04

I already tried group synk and this part what u are mention earlier but not working.

1 group synk := we have to create a separate group for every user it's working but I required some other option.

second, it was not working at a time only one request is working get or put.

is it possible I Shire SR no for this so u support for this part.

tdharris · ‎2020-09-17

Regarding the SR, please work with the Support Engineer and feel free to try for escalation as necessary or ask them to run it by me if they are able.
It's unusual to have to create a single cmdctrl rule for authorization for each and every specific user. Usually, there is some pattern for accessing privilege based on similar group membership such as "Database Administrators," or something along those lines. The idea behind governing privilege this way is that the effort of managing is reduced by creating rules/policies based on roles rather than the weight of governing user-by-user.
In mapping the external group, you can also use a syntax to point directly to the user and then you don't need to create or manage the group in the external LDAP directory. For example, instead of the FDN context of the LDAP group, you could simply put the DOMAIN\User directly in that field which should also authorize.

Mishra · ‎2020-09-30

I work with the support I feel that they are not able to resolve this issue so they mail me that to contact with Microfocus PS team (which is paid ).

tdharris · ‎2020-10-01

@klasen is right here. I went through and tried the REST API myself using the REST API Explorer we have just to verify the behavior ("/rest_api" or navigate to it by selecting the top-right > Rest API). I'll walk through what I did in case you find it helpful.

I created a new "test" group and I made a GET "/rest/cmdctrl/Policies" to find the "key" or this newly created user group, which I found to be "6" in my environment. I added a couple users to that group (user1, user2) in the PAM Administration Command Control Console just so there was some state there already.

I fetched the current state of this group using GET "/rest/cmdctrl/Policy/usergroup/{key}" where "{key}" was "6" and I could verify from not only the expected format to use in my PUT, but also the current state or list of users in that group already.

I then added another user to that list, "user3" and updated using the PUT "/rest/cmdctrl/Policy/usergroup/{key}" using the following body data:

Note: I am keeping the retrieved "UserList" state from my GET above and simply appending a "user3" value into that list.

{
    "UserGroup": {
        "UserList": {
            "User": [
                { "value": "user1" },
                { "value": "user2" },
                { "value": "user3" }
            ]
        }
    }
}

The above seemed to work for me fine, I was able to add a user to the Command Control User Group using the REST API.