According to the documentation, the "Group.permissions" parameter of the CLI command "updateGroup" is described as "Array list object of filters, or XML encoded ArrayList of filters. If not set, the filters are cleared."
Is there any sample of the Group.permissions?
The concern is that if this parameter is omitted when calling the command, all the existing filters will be wiped out.
Release : 3.x
Component : PRIVILEGED ACCESS MANAGEMENT
There is no sample for "Group.permissions", but you can use the "addFilter" command to update the Target Group instead.
In the following sample, the <permissions> element does not return any value, so you cannot rely on it to obtain the Group.permissions.
capam_command.bat capam=capam.test.local adminUserID=test adminPassword=******** cmdName=searchGroup Group.name="AWS API Proxy Access Accounts"
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><Group><description>Target accounts that can access the AWS Proxy API</description><dynamic>true</dynamic><filters>[]</filters><name>AWS API Proxy Access Accounts</name><permissions>[]</permissions><type>target</type><readOnly>false</readOnly><hash>WuPVKk/ue4IMHDZu/s68OH0U4SE=</hash><createTime>1591309213000</createTime><createDate>Thu Jun 04 22:20:13 UTC 2020</createDate><updateDate>Thu Jun 04 22:20:13 UTC 2020</updateDate><extensionType></extensionType><createUser>super</createUser><updateTime>1591309213000</updateTime><updateUser>super</updateUser><ID>1000</ID></Group></cr.result><cr.result><Group><description>AWS proxy clients that can retrieve AWS Proxy target accounts.</description><dynamic>true</dynamic><filters>[]</filters><name>AWS API Proxy Clients</name><permissions>[]</permissions><type>requestor</type><readOnly>false</readOnly><hash>a1V2xLhXz2P6ZazrwLk2qnIugOE=</hash><createTime>1591309213000</createTime><createDate>Thu Jun 04 22:20:13 UTC 2020</createDate><updateDate>Thu Jun 04 22:20:13 UTC 2020</updateDate><extensionType></extensionType><createUser>super</createUser><updateTime>1591309213000</updateTime><updateUser>super</updateUser><ID>1001</ID></Group></cr.result></CommandResult>
In this demo, the following is configured.
1. Device
Name | Address | Location | Description | Operating System
Training AD | win01.training.local | (empty) | (empty) | Windows 2016
2. Target Application
Application Name | Application Type | Host Name | Device Name
Training.Local AD | Active Directory | win01.training.local | Training AD
3. Target Accounts
Account Name | Application Name | Application Type | Host Name | Device Name | Account Type | Owner User Name | Verified | Action
Administrator | Training.Local AD | Active Directory | win01.training.local | Training AD | Privileged | (empty) | check | (empty)
winadmin1 | Training.Local AD | Active Directory | win01.training.local | Training AD | Privileged | (empty) | check | (empty)
winadmin2 | Training.Local AD | Active Directory | win01.training.local | Training AD | Privileged | (empty) | check | (empty)
4. Target Group
Name | Type | Description
Training Target Account Group | Static | (empty)
Because a Target Group is required to have at least one filter set, I added the following filters to this Target Group.
First, get the Group ID of this Target Group.
capam_command.bat capam=capam.test.local adminUserID=test adminPassword=******** cmdName=searchGroup Group.name="Training Target Account Group"
The Group ID is "4001".
There are 3 types of filters.
1. Target Servers
2. Target Applications
3. Target Accounts
#1. addFilter for Target Servers
capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter Group.ID=4001 Filter.objectClassId=c.cw.m.ts Filter.attribute=hostName Filter.type=equals Filter.expression=win01.training.local
You can see the Host has been added.
You can confirm this from the "SHOW" button.
#2. addFilter for Target Application
Note! If command parameters are not recognized in a Windows environment, try wrapping each individual parameter in double quotes. This is necessary whenever a value contains a space. If it is not done properly, Filter.expression may be added with a truncated value, which leads to unexpected results.
capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter "Group.ID=4001" "Filter.objectClassId=c.cw.m.tp" "Filter.attribute=name" "Filter.type=equals" "Filter.expression=Training.Local AD"
Bad sample.
Good sample.
#3. addFilter for Target Accounts
capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter Group.ID=4001 Filter.objectClassId=c.cw.m.ac Filter.attribute=userName Filter.type=equals Filter.expression=winadmin2
Sample for a Request Group:
capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter "Group.ID=1001" "Filter.objectClassId=c.cw.m.rs" "Filter.attribute=Attribute.descriptor1" "Filter.type=equals" "Filter.expression=AWS API Proxy Client"
capam_command.bat capam=capam.training.local adminUserId=super adminPassword=****** cmdName=addFilter "Group.ID=1001" "Filter.objectClassId=c.cw.m.sc" "Filter.attribute=name" "Filter.type=equals" "Filter.expression=index.pl" "GKCallback.gkrequest=true"
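The steps above (look up the Group ID from the searchGroup output, then call addFilter once per filter with every parameter kept intact, even when the value contains a space) can be wrapped in a small helper. The following is an added example, not part of this article or of the PAM CLI: it parses a constructed copy of the searchGroup CommandResult shown earlier and builds the addFilter argument list so that "Filter.expression=Training.Local AD" is passed as one argument rather than being split at the space. The credential value and the exact quoting rules of capam_command.bat are assumptions.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample: the searchGroup CommandResult from above, trimmed to the fields used here.
SAMPLE_RESULT = """<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode>
<cr.statusDescription>Success.</cr.statusDescription>
<cr.result><Group><name>AWS API Proxy Access Accounts</name><filters>[]</filters><type>target</type><ID>1000</ID></Group></cr.result>
<cr.result><Group><name>AWS API Proxy Clients</name><filters>[]</filters><type>requestor</type><ID>1001</ID></Group></cr.result>
</CommandResult>"""


def command_succeeded(xml_text):
    """True when cr.statusDescription reports "Success." (the CLI's own success marker)."""
    return ET.fromstring(xml_text).findtext("cr.statusDescription") == "Success."


def parse_groups(xml_text):
    """Map each returned group name to (ID, type, raw <filters> text)."""
    groups = {}
    for grp in ET.fromstring(xml_text).iter("Group"):
        groups[grp.findtext("name")] = (grp.findtext("ID"), grp.findtext("type"), grp.findtext("filters"))
    return groups


def build_add_filter(capam, user, password, group_id, class_id, attribute, expression,
                     match="equals", extra=None):
    """Build argv for one addFilter call. Each key=value pair is a single argv element, so a
    value with spaces reaches the command intact instead of being truncated at the space."""
    argv = ["capam_command.bat", f"capam={capam}", f"adminUserId={user}",
            f"adminPassword={password}", "cmdName=addFilter", f"Group.ID={group_id}",
            f"Filter.objectClassId={class_id}", f"Filter.attribute={attribute}",
            f"Filter.type={match}", f"Filter.expression={expression}"]
    for key, value in (extra or {}).items():      # e.g. GKCallback.gkrequest=true
        argv.append(f"{key}={value}")
    return argv


def windows_command_line(argv):
    """Render argv as the Windows shell would see it: quotes are added only where a value needs them."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    groups = parse_groups(SAMPLE_RESULT)
    gid = groups["AWS API Proxy Clients"][0]       # "1001", taken from the XML rather than typed by hand
    argv = build_add_filter("capam.training.local", "super", "PASSWORD_PLACEHOLDER", gid,
                            "c.cw.m.tp", "name", "Training.Local AD")
    print(windows_command_line(argv))              # Filter.expression stays one quoted argument
```

Pass the returned argv to subprocess.run rather than joining it into a string yourself; that is what keeps a value such as "Training.Local AD" from being cut to "Training.Local".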