[PAM] Format of the "Group.permissions" parameter for the CLI command "updateGroup"

Article ID: 196526

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

According to the documentation, the "Group.permissions" parameter of the CLI command "updateGroup" is an "Array list object of filters, or XML encoded ArrayList of filters. If not set, the filters are cleared."

Is there any sample of the Group.permissions?
The concern is that if this parameter is omitted when calling the command, all the existing filters will be wiped out.

Environment

Release : 3.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

There is no sample for "Group.permissions", but you can use the "addFilter" command to add filters to a Target Group instead. addFilter does not go through updateGroup, so the group's existing filters are not cleared.

In the sample below, the <permissions> element of the searchGroup output is returned empty ("[]"), so you cannot read a group's current Group.permissions from searchGroup and pass it back to updateGroup.

capam_command.bat capam=capam.test.local adminUserID=test adminPassword=******** cmdName=searchGroup Group.name="AWS API Proxy Access Accounts"


<CommandResult>
  <cr.itemNumber>0</cr.itemNumber>
  <cr.statusCode>400</cr.statusCode>
  <cr.statusDescription>Success.</cr.statusDescription>
  <cr.result>
    <Group>
      <description>Target accounts that can access the AWS Proxy API</description>
      <dynamic>true</dynamic>
      <filters>[]</filters>
      <name>AWS API Proxy Access Accounts</name>
      <permissions>[]</permissions>
      <type>target</type>
      <readOnly>false</readOnly>
      <hash>WuPVKk/ue4IMHDZu/s68OH0U4SE=</hash>
      <createTime>1591309213000</createTime>
      <createDate>Thu Jun 04 22:20:13 UTC 2020</createDate>
      <updateDate>Thu Jun 04 22:20:13 UTC 2020</updateDate>
      <extensionType></extensionType>
      <createUser>super</createUser>
      <updateTime>1591309213000</updateTime>
      <updateUser>super</updateUser>
      <ID>1000</ID>
    </Group>
  </cr.result>
  <cr.result>
    <Group>
      <description>AWS proxy clients that can retrieve AWS Proxy target accounts.</description>
      <dynamic>true</dynamic>
      <filters>[]</filters>
      <name>AWS API Proxy Clients</name>
      <permissions>[]</permissions>
      <type>requestor</type>
      <readOnly>false</readOnly>
      <hash>a1V2xLhXz2P6ZazrwLk2qnIugOE=</hash>
      <createTime>1591309213000</createTime>
      <createDate>Thu Jun 04 22:20:13 UTC 2020</createDate>
      <updateDate>Thu Jun 04 22:20:13 UTC 2020</updateDate>
      <extensionType></extensionType>
      <createUser>super</createUser>
      <updateTime>1591309213000</updateTime>
      <updateUser>super</updateUser>
      <ID>1001</ID>
    </Group>
  </cr.result>
</CommandResult>

Note that the CLI reports cr.statusCode 400 together with "Success." for a successful command; check both fields rather than assuming 400 is an error.

In this demo, the following is configured.

1. Device

Name: Training AD
Address: win01.training.local
Location: (blank)
Description: (blank)
Operating System: Windows 2016

2. Target Application

Application Name: Training.Local AD
Application Type: Active Directory
Host Name: win01.training.local
Device Name: Training AD

3. Target Accounts

Account Name   Application Name    Application Type   Host Name             Device Name   Account Type   Owner User Name   Verified
Administrator  Training.Local AD   Active Directory   win01.training.local  Training AD   Privileged     (blank)           yes
winadmin1      Training.Local AD   Active Directory   win01.training.local  Training AD   Privileged     (blank)           yes
winadmin2      Training.Local AD   Active Directory   win01.training.local  Training AD   Privileged     (blank)           yes

(The Action column of the UI table holds only buttons and is omitted here.)

4. Target Group

Name: Training Target Account Group
Type: Static
Description: (blank)

A Target Group must have at least one filter, so this group already has a filter set (the screenshot of the group's filter list is not reproduced here).

First, get the Group ID of this Target Group.

capam_command.bat capam=capam.test.local adminUserID=test adminPassword=******** cmdName=searchGroup Group.name="Training Target Account Group"

The Group ID is "4001" (the <ID> element of the <Group> in the result).

There are three types of filter, each with its own Filter.objectClassId:

1. Target Servers (c.cw.m.ts)

2. Target Applications (c.cw.m.tp)

3. Target Accounts (c.cw.m.ac)

#1. addFilter for Target Servers

capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter Group.ID=4001 Filter.objectClassId=c.cw.m.ts Filter.attribute=hostName Filter.type=equals Filter.expression=win01.training.local

The host now appears in the group's filters; you can confirm this with the "SHOW" button (screenshot not reproduced).

#2. addFilter for Target Application

Note! If command parameters are not recognised in a Windows environment, wrap each parameter in double quotes. This is necessary whenever a value contains a space, as "Training.Local AD" does here. Without the quotes the shell splits the value at the space and Filter.expression is stored with a truncated value, so the filter matches something other than what was intended. Check the stored expression (for example with the "SHOW" button) after each addFilter call.

capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter "Group.ID=4001" "Filter.objectClassId=c.cw.m.tp" "Filter.attribute=name" "Filter.type=equals" "Filter.expression=Training.Local AD"

Bad sample (unquoted parameters, truncated expression; screenshot not reproduced).

Good sample (quoted parameters; screenshot not reproduced).


#3. addFilter for Target Accounts

capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter Group.ID=4001 Filter.objectClassId=c.cw.m.ac Filter.attribute=userName Filter.type=equals Filter.expression=winadmin2

Sample for a Requestor Group (Group ID 1001, "AWS API Proxy Clients", type "requestor" in the searchGroup output above):

capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter  "Group.ID=1001" "Filter.objectClassId=c.cw.m.rs" "Filter.attribute=Attribute.descriptor1" "Filter.type=equals" "Filter.expression=AWS API Proxy Client"


capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter "Group.ID=1001" "Filter.objectClassId=c.cw.m.sc" "Filter.attribute=name" "Filter.type=equals" "Filter.expression=index.pl" "GKCallback.gkrequest=true"
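The following Python script is an added example and is not part of this article or of the PAM product. It parses the <CommandResult> XML that capam_command returns (using a trimmed copy of the searchGroup output above as constructed sample input), looks up a Group ID by exact name, builds addFilter invocations with one key=value per argument so that values containing spaces such as "Training.Local AD" are passed whole, renders the double-quoted Windows command line described in the note for step #2, and refuses to build an updateGroup call that omits Group.permissions. The host name, credentials and all helper names are this example's own assumptions; the Filter.objectClassId values and the status code 400 with "Success." are taken from the commands and output shown on this page.

```python
"""Added example: parse capam_command XML output and build addFilter calls.
Not part of the article or of CA PAM; helper names below are this example's own."""
import subprocess
import xml.etree.ElementTree as ET

# capam_command reports cr.statusCode 400 together with "Success." when a
# command succeeds, as the searchGroup output in the article shows.
PAM_SUCCESS_CODE = "400"

# Filter.objectClassId values used with addFilter in the article.
OBJECT_CLASS = {
    "target_server": "c.cw.m.ts",
    "target_application": "c.cw.m.tp",
    "target_account": "c.cw.m.ac",
}

# Constructed sample input: a trimmed copy of the article's searchGroup output.
SAMPLE_SEARCH_GROUP = """<CommandResult><cr.itemNumber>0</cr.itemNumber>
<cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription>
<cr.result><Group><dynamic>true</dynamic><filters>[]</filters>
<name>AWS API Proxy Access Accounts</name><permissions>[]</permissions>
<type>target</type><ID>1000</ID></Group></cr.result>
<cr.result><Group><dynamic>true</dynamic><filters>[]</filters>
<name>AWS API Proxy Clients</name><permissions>[]</permissions>
<type>requestor</type><ID>1001</ID></Group></cr.result></CommandResult>"""


def _child_text(elem, tag):
    """Text of the first direct child named tag. Tags such as cr.statusCode
    contain dots, so plain child iteration is used rather than an XPath."""
    for child in elem:
        if child.tag == tag:
            return child.text or ""
    return None


def parse_command_result(xml_text):
    """Return (ok, groups) for a <CommandResult> document. Each group keeps ID,
    name, type, filters and permissions verbatim, which shows that
    <permissions> comes back as "[]" and is no use as a Group.permissions value."""
    root = ET.fromstring(xml_text)
    ok = (_child_text(root, "cr.statusCode") == PAM_SUCCESS_CODE
          and _child_text(root, "cr.statusDescription") == "Success.")
    groups = []
    for result in root:
        if result.tag != "cr.result":
            continue
        for group in result.iter("Group"):
            groups.append({key: _child_text(group, key)
                           for key in ("ID", "name", "type", "filters", "permissions")})
    return ok, groups


def group_id_by_name(xml_text, name):
    """Exact-name lookup; searchGroup can return several groups, so refuse to
    guess when the name is missing or ambiguous."""
    ok, groups = parse_command_result(xml_text)
    if not ok:
        raise RuntimeError("searchGroup did not report success")
    matches = [g for g in groups if g["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected one group named {name!r}, found {len(matches)}")
    return matches[0]["ID"]


def add_filter_argv(capam, admin_user, admin_password, group_id, object_class_id,
                    attribute, expression, filter_type="equals", extra=None):
    """argv for one addFilter call: one key=value per element, so an expression
    such as "Training.Local AD" reaches the CLI whole instead of being split."""
    argv = [
        "capam_command.bat",
        f"capam={capam}",
        f"adminUserID={admin_user}",
        f"adminPassword={admin_password}",
        "cmdName=addFilter",
        f"Group.ID={group_id}",
        f"Filter.objectClassId={object_class_id}",
        f"Filter.attribute={attribute}",
        f"Filter.type={filter_type}",
        f"Filter.expression={expression}",
    ]
    for key, value in (extra or {}).items():  # e.g. {"GKCallback.gkrequest": "true"}
        argv.append(f"{key}={value}")
    return argv


def windows_command_line(argv):
    """Render argv as cmd.exe expects it: elements containing spaces are wrapped
    in double quotes, which is the article's "good sample" form."""
    return subprocess.list2cmdline(argv)


def guard_update_group(argv):
    """Reject an updateGroup call that omits Group.permissions: per the
    documentation quoted above, the group's filters are cleared in that case."""
    if "cmdName=updateGroup" in argv and not any(
            a.startswith("Group.permissions=") for a in argv):
        raise ValueError("updateGroup without Group.permissions clears the group's filters")
    return argv
```

To run a call for real, pass the argv list to subprocess.run and feed its stdout to parse_command_result; passing the list rather than a joined string is what keeps a spaced Filter.expression intact on Windows.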