Andrea,
In the past I have developed PowerShell scripts that would automatically onboard Active Directory and local administrator accounts in PAM using the PAM APIs... they aren't trivial scripts, but if you are good with PowerShell then it's not overly difficult. PowerShell is ideal here simply because there are a lot of powerful tools specifically for working with Windows servers and AD; the PAM APIs are language agnostic.
PAM has native abilities to add devices (and groups), users (and groups), and policies via a CSV import. However, importing target applications and target accounts is not possible via the UI. To do this you would need to use the CLI, either by using the clitools package, or by directly interacting with the Credential Management API that it uses (the CM API is not documented as an API, but it's easily translated from the CLI documentation).
Below are a couple of simple PowerShell scripts that demonstrate how to interact with the PAM API and CLI. With this as a foundation, you can develop some really powerful stuff.
# Script 1: export users, devices and policies from the PAM REST API to CSV files.
$pamServer = "your.Pam.url.here"
# TrustEverything makes this process accept any server certificate (handy for a lab appliance
# with a self-signed certificate). It disables TLS validation entirely, so leave it out once
# the appliance presents a trusted certificate.
if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
    Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TrustEverything
{
    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; }
    public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
    public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}
[TrustEverything]::SetCallback()
# The API key is prompted for as a credential so it is never hard-coded in the script.
if (-not $apikey) { $apikey = Get-Credential -Message "Enter your API key" }
# The endpoint URIs were truncated in the original post; the <...> paths below are placeholders
# to be filled in from the PAM REST API documentation, and passing the key with -Credential is
# an assumption about how the API expects it.
$results = Invoke-RestMethod -Uri "https://$pamServer/<USERS ENDPOINT PATH>" -Credential $apikey
$results.users | Export-Csv "$PSScriptRoot\users.csv" -NoTypeInformation -Force
$results = Invoke-RestMethod -Uri "https://$pamServer/<DEVICES ENDPOINT PATH>" -Credential $apikey
$results.devices | Export-Csv "$PSScriptRoot\devices.csv" -NoTypeInformation -Force
$results = Invoke-RestMethod -Uri "https://$pamServer/<POLICIES ENDPOINT PATH>" -Credential $apikey
$results.policyAssociationInfos | Export-Csv "$PSScriptRoot\policies.csv" -NoTypeInformation -Force
# Fetch each policy individually; nested collections are flattened to compact JSON so they fit in one CSV cell.
$policyDetails = @()
foreach ($policyId in $results.policyAssociationInfos.Array.associationID) {
    $policyDetail = Invoke-RestMethod -Uri "https://$pamServer/<POLICY DETAIL ENDPOINT PATH>/$policyId" -Credential $apikey
    $policyDetail.accessMethods  = $policyDetail.accessMethods  | ConvertTo-Json -Compress
    $policyDetail.services       = $policyDetail.services       | ConvertTo-Json -Compress
    $policyDetail.vpnServices    = $policyDetail.vpnServices    | ConvertTo-Json -Compress
    $policyDetail.targetAccounts = $policyDetail.targetAccounts | ConvertTo-Json -Compress
    $policyDetails += $policyDetail
}
$policyDetails | Export-Csv "$PSScriptRoot\policyDetails.csv" -NoTypeInformation -Force
# Script 2: query the Credential Management (CLI) API for a target account.
$pamServer = "your.Pam.url.here"
# Same certificate-validation bypass as in script 1; see the note there.
if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
    Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TrustEverything
{
    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; }
    public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
    public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}
[TrustEverything]::SetCallback()
# The CLI takes a PAM admin user (not the REST API key) plus the CLI command name and its parameters.
$request = @{
    "adminUserID"            = '<PAM USER NAME NOT API KEY>'
    "adminPassword"          = '<PASSWORD>'
    "authentication"         = "CSPM"
    "cmdName"                = "searchTargetAccount"
    "TargetAccount.userName" = "<USERNAME TO SEARCH FOR>"
}
# With -Method Get, Invoke-RestMethod appends the hashtable as query-string parameters.
# The CLI endpoint path was truncated in the original post and is left as a placeholder.
$results = Invoke-RestMethod -Method Get -Uri "https://$pamServer/<CLI ENDPOINT PATH>" -Body $request
# The CLI reply wraps its payload in a CDATA section; pull it out as text.
$xml = $results.'cw.appMessage'.content.'#cdata-section'
$xml
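Added example (my own, not code from the post above): a reusable wrapper around the CLI call in the second script that takes the admin user as a PSCredential instead of a literal password, merges the command parameters, and parses the CDATA payload. It assumes $pamServer and the TrustEverything class from the post are already loaded, that the CLI endpoint path (truncated in the post) is filled in, and that the CDATA section carries XML.

```powershell
# Assumption: the CLI endpoint path is not in the post, so it is a placeholder here.
$cliPath = "<CLI ENDPOINT PATH>"

function Invoke-PamCli {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $AdminCredential,   # PAM admin user, not the REST API key
        [Parameter(Mandatory)] [string] $CmdName,                  # e.g. searchTargetAccount
        [hashtable] $Parameters = @{}                              # command-specific keys such as TargetAccount.userName
    )
    # Build the query from the credential object rather than a clear-text password in the script.
    $query = @{
        adminUserID    = $AdminCredential.UserName
        adminPassword  = $AdminCredential.GetNetworkCredential().Password
        authentication = "CSPM"
        cmdName        = $CmdName
    }
    foreach ($key in $Parameters.Keys) { $query[$key] = $Parameters[$key] }
    try {
        # With -Method Get the hashtable is sent as query-string parameters, as in the post.
        $raw = Invoke-RestMethod -Method Get -Uri "https://$Server/$cliPath" -Body $query
    }
    finally {
        $query.adminPassword = $null   # drop the clear-text copy as soon as the call is done
    }
    $payload = $raw.'cw.appMessage'.content.'#cdata-section'
    if ([string]::IsNullOrWhiteSpace($payload)) {
        throw "PAM CLI command '$CmdName' returned an empty response"
    }
    # Assumption: the CDATA section holds an XML document; return navigable nodes,
    # or the raw text if it turns out not to be XML.
    try { return ([xml]$payload).DocumentElement } catch { return $payload }
}

# Usage: the same target-account search as the post's second script.
$adminCred = Get-Credential -Message "PAM admin user (not API key)"
Invoke-PamCli -Server $pamServer -AdminCredential $adminCred -CmdName "searchTargetAccount" `
    -Parameters @{ "TargetAccount.userName" = "<USERNAME TO SEARCH FOR>" }
```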
Original Message:
Sent: 10-11-2019 08:28 AM
From: Andrea Gimmelli
Subject: PAM - Onboarding and Bulk load integration of accounts
Good day,
I have a request from a client who wants to automate the onboarding flow of the accounts in PAM.
The first request is focused on the automatic onboarding of accounts after a scheduled discovery.
As far as I know, PAM does not support automatic onboarding after a discovery and I can't find any evidence of this configuration in the manual, but I would like to be sure about that.
The second request is focused on the import of accounts (+ credentials) via a bulk job.
For this request, I'm pretty sure (but I would like confirmation) that PAM does not have a scheduled bulk load available and that it is not possible to import account credentials via file.
A possible solution is to use the CLI remote tools or the API. Am I right?
To summarize:
- Can the PAM solution automatically onboard the accounts (particularly Windows local Administrator accounts) after the discovery process for multiple domains?
- Does the PAM solution have any Bulk Account/Password Upload capability? If not, do you think it could be possible to use the CLI remote tools or the API to import account credentials?
Thanks for your advice.
Regards,
Andrea Gimmelli