Symantec Privileged Access Management

  • 1.  REST API object for target account "owner user name"

    Posted Mar 27, 2020 02:08 PM
    Edited by Chris Scott Mar 27, 2020 02:10 PM
    Hello,

    My intent is to use the REST API to create a target account with an owner user name.

    What I am struggling with is finding the right attribute to set the Target Account Owner User Name (in the Password TAB).  

    My thought is there would be a link with the SCIM user - but I'm just not finding where the link between the SCIM User and Target account is established.

    We do use this property for account governance.

    Thanks

    Chris Scott


  • 2.  RE: REST API object for target account "owner user name"
    Best Answer

    Broadcom Employee
    Posted Mar 27, 2020 08:20 PM

    Chris

     

    You should look at CLI commands instead of APIs to manage accounts and target accounts. The APIs that are available relate to user accounts and not target accounts. That is why you are not seeing the link to SCIM user. See this link to the CLI:

     

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/addtargetaccount.html

     

    While using the CLI you should remember the Target Account Owner User Name can only be set to an existing CA PAM user that already has the Credential Manager rights to manage that Target account.

     

    Joe




  • 3.  RE: REST API object for target account "owner user name"

    Posted Mar 31, 2020 06:56 PM
    Edited by Chris Scott Mar 31, 2020 06:57 PM
    Joe,

    listTargetAccounts gives the output below. There does appear to be XML attributes uoid and uoname, but I cannot seem to find a CLI cmd attribute to change those.

    Any suggestions?
    <cr.result>
      <c.cw.m.tacs>
        <ts.id>1428</ts.id>
        <ta.id>2002</ta.id>
        <bm.id>2002</bm.id>
        <hn>10.0.0.0</hn>
        <dn>Identity Suite C++ Connector Server 1</dn>
        <di>1021</di>
        <na>name</na>
        <ty>Generic</ty>
        <un>admin</un>
        <um>true</um>
        <as>false</as>
        <cat>false</cat>
        <pv>false</pv>
        <cou>0</cou>
        <cid/>
        <autoConnectEnabled>true</autoConnectEnabled>
        <tapcd>null</tapcd>
        <tapma>0</tapma>
        <taped>null</taped>
        <tapcac>false</tapcac>
        <tapcpn>null</tapcpn>
        <uoid>2114001</uoid>
        <uoname>cred_owner</uoname>
        <ag>false</ag>
        <pvp>1000</pvp>
      </c.cw.m.tacs>
    </cr.result>



  • 4.  RE: REST API object for target account "owner user name"

    Broadcom Employee
    Posted Mar 31, 2020 08:44 PM

    Chris

    So the basic command looks like this:

    capam_command
      capam=capamServer
      adminUserID=admin
      cmdName=updateTargetAccount
      TargetAccount.ID=12
      TargetServer.hostName=myhostname.mydomain.com
      TargetApplication.name=myApplication
      TargetAccount.userName=sysop1
      TargetAccount.password='sys0p!@2'
      TargetAccount.cacheBehavior=useServerFirst
      TargetAccount.cacheDuration=17

    I would try with a value something like

      TargetAccount.ownerID=######
      TargetAccount.credentialOwner=XXXXXXXX

    Unfortunately, this level of experience is outside my ability. I have only tested specific commands for errors and troubleshooting, but I would assume if a services engineer sees this they may be able to give you a specific answer.

    Sorry I could not answer this.
    Joe




  • 5.  RE: REST API object for target account "owner user name"

    Broadcom Employee
    Posted Mar 31, 2020 11:48 PM
    Hello Chris, the attribute is TargetAccount.ownerUserId, and this corresponds to the "uoid" that you see in the listTargetAccounts output. A better way to get a user ID may be the "searchUser" command, like
    cmdName=searchUser User.userID=rp123456
    or
    cmdName=searchUser User.firstName=Ralf User.lastName=Prigl

    The output of the searchUser command will include an ID, e.g. "<ID>1025</ID>". To set the target account owner to this user, you would set TargetAccount.ownerUserId=1025.

    Note that the parameter names are case sensitive, e.g. TargetAccount.ownerUserID with a capital D at the end will NOT work.


  • 6.  RE: REST API object for target account "owner user name"

    Posted Apr 01, 2020 02:34 PM
    That did the trick - thanks


  • 7.  RE: REST API object for target account "owner user name"

    Posted Apr 01, 2020 02:56 PM
    ./capam_command.bat capam=pam.company.local UserID=super AdminPassword=xxxxxxxx
    cmdName=addTargetAccount TargetApplication.ID=xxxx TargetAccount.userName=db2xxxxx TargetAccount.password=_generate_pass_
    TargetAccount.ownerUserId=xxxxxxxx Attribute.useOtherAccountToChangePassword=true Attribute.verifyThroughOtherAccount=false
    Attribute.otherAccount=xxxx Attribute.passwordChangeMethod=DO_NOT_USE_SUDO Attribute.protocol=SSH2_PASSWORD_AUTH
    TargetAccount.synchronize=true Attribute.descriptor1="PAM managed credential"

    Getting the correct UserID made the difference.
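The procedure the thread converges on (listTargetAccounts to see uoid/uoname in post 3, searchUser to obtain the user's <ID> in post 5, then TargetAccount.ownerUserId on updateTargetAccount/addTargetAccount in posts 5 and 7), as an added Python example. This is not code from the thread and not Broadcom tooling; it never contacts a PAM appliance. The first listTargetAccounts entry is the XML from post 3 (trimmed), the second entry and the searchUser result are constructed (the thread only confirms that searchUser output contains <ID>), and KNOWN_PARAMS, the rule that an empty or 0 uoid means "no owner", and the adminUserID/UserID names are assumptions taken from the commands quoted above.

```python
"""Added example (not from the thread, not Broadcom code): parse the XML that
capam_command returns for listTargetAccounts / searchUser and assemble an
updateTargetAccount call that sets TargetAccount.ownerUserId.  Nothing here
contacts a PAM appliance; all input is embedded below."""
import shlex
import xml.etree.ElementTree as ET

# First entry: the listTargetAccounts output posted in the thread (trimmed).
# Second entry: constructed, with no owner, so the governance check finds something.
LIST_TARGET_ACCOUNTS_XML = """<cr.result>
<c.cw.m.tacs>
<ts.id>1428</ts.id><ta.id>2002</ta.id><hn>10.0.0.0</hn>
<dn>Identity Suite C++ Connector Server 1</dn><na>name</na><ty>Generic</ty>
<un>admin</un><uoid>2114001</uoid><uoname>cred_owner</uoname>
</c.cw.m.tacs>
<c.cw.m.tacs>
<ts.id>1428</ts.id><ta.id>2003</ta.id><hn>10.0.0.0</hn>
<dn>Identity Suite C++ Connector Server 1</dn><na>name</na><ty>Generic</ty>
<un>svc_backup</un><uoid>0</uoid><uoname/>
</c.cw.m.tacs>
</cr.result>"""

# Constructed searchUser result: the thread only confirms that it carries <ID>;
# the other element names are assumptions.
SEARCH_USER_XML = """<cr.result>
<c.cw.m.users><ID>1025</ID><userID>rp123456</userID></c.cw.m.users>
</cr.result>"""

# Parameter names exactly as they appear in the thread (assumed sufficient for
# this task).  The CLI is case sensitive, so a near miss such as
# TargetAccount.ownerUserID must be rejected, not silently ignored.
KNOWN_PARAMS = {
    "capam", "adminUserID", "UserID", "AdminPassword", "cmdName",
    "TargetAccount.ID", "TargetAccount.userName", "TargetAccount.password",
    "TargetAccount.ownerUserId", "TargetAccount.synchronize",
    "TargetServer.hostName", "TargetApplication.name", "TargetApplication.ID",
    "User.userID", "User.firstName", "User.lastName",
}


def _text(elem, tag):
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_target_accounts(xml_text):
    """One dict per <c.cw.m.tacs>; uoid/uoname are the owner fields seen in post 3."""
    accounts = []
    for tac in ET.fromstring(xml_text).iter("c.cw.m.tacs"):
        uoid = _text(tac, "uoid")
        accounts.append({
            "ta_id": int(_text(tac, "ta.id")),
            "host": _text(tac, "hn"),
            "user": _text(tac, "un"),
            "owner_id": int(uoid) if uoid.isdigit() else 0,
            "owner_name": _text(tac, "uoname"),
        })
    return accounts


def unowned_accounts(accounts):
    """Assumption: a missing, empty or 0 uoid means no owner user is set."""
    return [a for a in accounts if a["owner_id"] == 0]


def parse_user_ids(xml_text):
    """Every numeric <ID> in a searchUser result."""
    return [int(e.text) for e in ET.fromstring(xml_text).iter("ID")
            if e.text and e.text.strip().isdigit()]


def resolve_single_user_id(xml_text):
    """A first/last name search can match several users; refuse to guess."""
    ids = parse_user_ids(xml_text)
    if len(ids) != 1:
        raise ValueError(f"searchUser matched {len(ids)} users; narrow the search "
                         "(e.g. User.userID=...) before assigning ownership")
    return ids[0]


def check_param_names(params):
    """Raise on unknown names; point at the case-correct spelling when there is one."""
    by_lower = {k.lower(): k for k in KNOWN_PARAMS}
    for name in params:
        if name in KNOWN_PARAMS:
            continue
        msg = f"unknown parameter {name!r}"
        if name.lower() in by_lower:
            msg += f"; names are case sensitive, use {by_lower[name.lower()]!r}"
        raise ValueError(msg)


def build_set_owner_argv(capam, admin_user, target_account_id, owner_user_id,
                         exe="capam_command"):
    """argv for an updateTargetAccount that changes only the owner.  AdminPassword
    is left for the caller to append at run time so it is not stored in this list."""
    params = {
        "capam": capam,
        "adminUserID": admin_user,
        "cmdName": "updateTargetAccount",
        "TargetAccount.ID": str(int(target_account_id)),
        "TargetAccount.ownerUserId": str(int(owner_user_id)),
    }
    check_param_names(params)
    return [exe] + [f"{k}={v}" for k, v in params.items()]


def plan_owner_updates(list_xml, search_xml, capam, admin_user):
    """Resolve the owner once, then produce one argv per account that has no owner."""
    owner = resolve_single_user_id(search_xml)
    return [build_set_owner_argv(capam, admin_user, a["ta_id"], owner)
            for a in unowned_accounts(parse_target_accounts(list_xml))]


if __name__ == "__main__":
    for argv in plan_owner_updates(LIST_TARGET_ACCOUNTS_XML, SEARCH_USER_XML,
                                   "pam.company.local", "admin"):
        print(shlex.join(argv))
```

Two caveats a practitioner will want alongside this. First, as post 2 says, the owner must already be a PAM user with Credential Manager rights over the account; nothing offline can verify that, so expect the CLI to reject an ID that merely exists. Second, the commands quoted in posts 4 and 7 put AdminPassword (and a target password) on the command line, where it is visible in process listings and shell history; the example therefore keeps the password out of the argv it builds and leaves supplying it to the caller.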