Symantec Privileged Access Management

  • 1.  PAM - Onboarding and Bulk load integration of accounts

    Posted Oct 11, 2019 08:52 AM
    Good day,
    I have a request from a client who wants to automate the onboarding flow of the accounts in PAM.

    The first request is focused on the automatic onboarding of accounts after a scheduled discovery.
    As far as I know, PAM does not support automatic onboarding after a discovery, and I can't find any evidence of this configuration in the manual, but I would like to be sure about that.

    The second request is focused on the import of accounts (+ credentials) via Bulk job.
    For this request, I'm pretty sure (but I would like a confirmation) that PAM does not have a scheduled bulk load available and that it is not possible to import account credentials via file.
    A possible solution is to use CLI remote tools or use API. Am I right?

    To summarize:

    - Can the PAM solution automatically onboard the accounts (particularly Windows local Administrator accounts) after the discovery process for multiple domains?

    - Does the PAM solution have any Bulk Account/Password Upload capability? If not, do you think it could be possible to use the CLI remote or API to import account credentials?

    Thanks for your advice.

    Regards,
    Andrea Gimmelli



  • 2.  RE: PAM - Onboarding and Bulk load integration of accounts
    Best Answer

    Broadcom Employee
    Posted Oct 14, 2019 07:18 PM
    The user accounts you are referring to, are they PAM Users (for logging on to PAM GUI) or Target Accounts?

    In case of PAM Users, if you have configured the LDAP Group, at the specified interval PAM will check for changes and import new users or update users or delete users.

    For target accounts, they can be discovered but need to be added to managed users manually, as this involves how many licenses you have. If this automatically adds target accounts and exceeds your license limit, then the standard users will not be able to log on to PAM.

    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------



  • 3.  RE: PAM - Onboarding and Bulk load integration of accounts

    Posted Nov 05, 2019 10:13 AM
    Hi Sung,

    I have a query here. From your statement below, it looks like PAM has a user-based license. Please correct me if I am wrong.

    For target accounts, they can be discovered but need to be added to managed users manually, as this involves how many licenses you have. If this automatically adds target accounts and exceeds your license limit, then the standard users will not be able to log on to PAM.


  • 4.  RE: PAM - Onboarding and Bulk load integration of accounts

    Broadcom Employee
    Posted Nov 13, 2019 05:46 PM
    Pankaj, PAM does not have user-based licenses. Licenses are device-based. Checking the Password Management flag for one device requires one Credential Management license. It doesn't matter how many target accounts you define for that device.


  • 5.  RE: PAM - Onboarding and Bulk load integration of accounts

    Broadcom Employee
    Posted Oct 15, 2019 01:20 PM
    Andrea,

    In the past I have developed PowerShell scripts that would automatically onboard Active Directory and local administrator accounts in PAM using the PAM APIs... they aren't trivial scripts, but if you are good with PowerShell then it's not overly difficult.  PowerShell is ideal here simply because there are a lot of powerful tools specifically for working with Windows servers and AD; the PAM APIs are language agnostic.

    PAM has native abilities to add devices (and groups), users (and groups), and policies via a CSV import.  However, importing target applications and target accounts is not possible via the UI.  To do this you would need to use the CLI, either by using the clitools package or by directly interacting with the Credential Management API that it uses (the CM API is not documented as an API, but it's easily translated from the CLI documentation).

    Below are a couple of simple PowerShell scripts that demonstrate how to interact with the PAM API and CLI.  With this as a foundation, you can develop some really powerful stuff.
    # This is a simple demo of the PAM API
    # The script will prompt you for your api key, and will write out all users, devices, policies, and policy details to csv files.
    
    $pamServer = "your.Pam.url.here"  # either FQDN or IP address
    
    # This section is to prevent errors when connecting to a PAM system that uses a self signed certificate.
    # Note: it disables TLS certificate validation for the whole session until UnsetCallback() is called.
    # It applies to Windows PowerShell 5.1; PowerShell 7's Invoke-RestMethod ignores ServicePointManager
    # and uses the -SkipCertificateCheck switch instead.
    if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
        Add-Type -TypeDefinition  @"
        using System.Net.Security;
        using System.Security.Cryptography.X509Certificates;
        public static class TrustEverything
        {
            private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
                SslPolicyErrors sslPolicyErrors) { return true; }
            public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
            public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
        }
    "@
    }
    # A statement may not follow the closing brace of an if block on the same line, so this goes on its own line.
    [TrustEverything]::SetCallback()
    
    
    # prompt for an API key (entered as a credential so it is not stored in plain text in the script)
    if (-not $apikey) {$apikey = Get-Credential -Message "Enter your API key"}
    
    # run an API call to get all users
    $results = Invoke-RestMethod -Uri "https://$pamServer/api.php/v1/users.json?limit=0&fields=*" -Method Get -Credential $apikey
    $results.users | Export-Csv "$PSScriptRoot\users.csv" -NoTypeInformation -Force
    
    # run an API call to get all devices
    $results = Invoke-RestMethod -Uri "https://$pamServer/api.php/v1/devices.json?limit=0&fields=*" -Method Get -Credential $apikey
    $results.devices | Export-Csv "$PSScriptRoot\devices.csv" -NoTypeInformation -Force
    
    # run an API call to get all policies
    $results = Invoke-RestMethod -Uri "https://$pamServer/api.php/v1/policies.json?limit=0&fields=*" -Method Get -Credential $apikey
    $results.policyAssociationInfos | Export-Csv "$PSScriptRoot\policies.csv" -NoTypeInformation -Force
    
    # run an API call to get detailed policy info
    $policyDetails = @()
    foreach ($policyId in $results.policyAssociationInfos.Array.associationID) {
        # get the detailed policy
        $policyDetail = Invoke-RestMethod -Uri "https://$pamServer/api.php/v1/policies.json/$policyId" -Method Get -Credential $apikey
        
        # flatten the nested arrays to JSON strings so they fit in a single CSV column
        $policyDetail.accessMethods = $policyDetail.accessMethods | ConvertTo-Json -Compress
        $policyDetail.services = $policyDetail.services | ConvertTo-Json -Compress
        $policyDetail.vpnServices = $policyDetail.vpnServices | ConvertTo-Json -Compress
        $policyDetail.targetAccounts = $policyDetail.targetAccounts | ConvertTo-Json -Compress
    
        # write the policyDetail to the $policyDetails array
        $policyDetails += $policyDetail
    }
    $policyDetails | Export-Csv "$PSScriptRoot\policyDetails.csv" -NoTypeInformation -Force
    
    # restore normal certificate validation for the rest of the session
    [TrustEverything]::UnsetCallback()

    # This is a simple demo of the PAM CLI
    
    $pamServer = "your.Pam.url.here"  # either FQDN or IP address
    
    # This section is to prevent errors when connecting to a PAM system that uses a self signed certificate.
    # See the note in the API demo above: this disables TLS certificate validation until UnsetCallback() is called.
    if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
        Add-Type -TypeDefinition  @"
        using System.Net.Security;
        using System.Security.Cryptography.X509Certificates;
        public static class TrustEverything
        {
            private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
                SslPolicyErrors sslPolicyErrors) { return true; }
            public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
            public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
        }
    "@
    }
    [TrustEverything]::SetCallback()
    
    
    # Create a request (the CLI authenticates with a PAM user and password, not an API key)
    $request = @{
        "adminUserID" = '<PAM USER NAME NOT API KEY>'
        "adminPassword" = '<PASSWORD>'
        "authentication" = "CSPM"
        "cmdName" = "searchTargetAccount"    #see CLI documentation for a description of this command
        "TargetAccount.userName" = "<USERNAME TO SEARCH FOR>"   #this is an example of a parameter
    }
    
    #Run the api call (with -Method Get the hashtable is sent as the query string)
    $results = Invoke-RestMethod -Method Get -Uri "https://$pamServer/cspm/servlet/adminCLI" -Body $request -TimeoutSec 30
    
    #Parse the xml content from the results
    $xml = $results.'cw.appMessage'.content.'#cdata-section'
    
    #output the xml
    $xml
    
    # restore normal certificate validation for the rest of the session
    [TrustEverything]::UnsetCallback()
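As an added example that is not part of the original post, the CSV-driven bulk load the thread asks about, built on the same adminCLI call as the demo above: the PAM host name, the CSV layout, the addTargetAccount command and the TargetServer/TargetApplication parameter names are assumptions to check against the CLI reference for your release (only searchTargetAccount and TargetAccount.userName appear in the thread), and it assumes the appliance certificate is trusted by the client (otherwise reuse the callback block from the demos).

```powershell
# Added example, not from the original post: bulk-load target accounts from a CSV
# through the PAM adminCLI servlet. addTargetAccount and all parameter names other
# than TargetAccount.userName are ASSUMED; verify them in your release's CLI reference.
$pamServer = "your.Pam.url.here"
$csvPath   = "$PSScriptRoot\accounts.csv"   # constructed layout: hostName,applicationName,userName,password
                                            # the file holds plaintext secrets; remove it once the run succeeds

# Prompt for the PAM admin user (not an API key) instead of hard-coding it.
$admin = Get-Credential -Message "PAM admin user"

function Invoke-PamCli {
    # Runs one CLI command and returns the XML text carried in the CDATA section.
    param([hashtable] $Params)
    $body = @{
        adminUserID    = $admin.UserName
        adminPassword  = $admin.GetNetworkCredential().Password
        authentication = "CSPM"
    } + $Params
    # POST keeps the admin password out of the URL/query string and web-server logs;
    # fall back to -Method Get, as the demo above does, if your build rejects POST (assumption).
    $resp = Invoke-RestMethod -Method Post -Uri "https://$pamServer/cspm/servlet/adminCLI" -Body $body -TimeoutSec 30
    return [string] $resp.'cw.appMessage'.content.'#cdata-section'
}

$report = foreach ($row in Import-Csv $csvPath) {
    # Idempotency check scoped to host + user, so the same local Administrator on many
    # hosts is not mistaken for one already-known account (TargetServer.hostName assumed).
    $found = Invoke-PamCli @{
        cmdName                  = "searchTargetAccount"
        "TargetServer.hostName"  = $row.hostName
        "TargetAccount.userName" = $row.userName
    }
    if ($found -match "\b$([regex]::Escape($row.userName))\b") {
        [pscustomobject]@{ host = $row.hostName; user = $row.userName; status = "exists" }
        continue
    }
    $result = Invoke-PamCli @{
        cmdName                  = "addTargetAccount"     # assumed command name
        "TargetServer.hostName"  = $row.hostName          # assumed parameter names
        "TargetApplication.name" = $row.applicationName
        "TargetAccount.userName" = $row.userName
        "TargetAccount.password" = $row.password
    }
    # Heuristic until you know the response schema: any "error" in the reply counts as a failure.
    $status = if ($result -match 'error') { "failed" } else { "added" }
    [pscustomobject]@{ host = $row.hostName; user = $row.userName; status = $status }
}
# Per-row outcome for review; it deliberately contains no passwords.
$report | Export-Csv "$PSScriptRoot\onboarding-report.csv" -NoTypeInformation -Force
```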