Hello,
It would be great if attributes of a user account from an identity source could be available for read-only viewing when accessing the properties of a PAMAccount in the web GUI (and RDM). Some example properties pertaining to Windows local or Active Directory user accounts include:
I imagine that in order to achieve this, when configuring additional Account Properties in an AnyIdentity template there would be an option to make the respective property read-only (or some other way of restricting access to edit values manually on the derivative PAM accounts, as they should mirror the identity source).
These read-only properties could then be retrieved and populated during the account discovery, and additionally refreshed during scheduled/on-demand heartbeat operations.
Please let me know if you would like any additional info.
Thanks
Joe
Hello,
Thank you for your feature request. I don't think we are that far from such a feature. It is already possible to populate that kind of property during the account discovery. We could see what could be possible to do to keep those properties up to date during the heartbeat operation.
Is it something that you would like to use with an AnyIdentity provider that you already have, or would you like such a feature for the Active Directory "built-in" provider?
Best regards,
François Dubois
Hi François Dubois,
This is something I would like to be able to do with AnyIdentity templates, however it would also be very beneficial for the other built in templates.
Currently the builtin template works well for Active Directory providers, but the one for local machine users is not scalable, so I'm having to build an AnyIdentity template for those. In both cases, the source metadata visibility would be a great enhancement.
Please let me know if you would like more info.
Thanks
Joe
Hi Joe,
It is true that it would be beneficial for built in templates as well, but I can see it easily with AnyIdentity Provider. But it is true that we could improve our built-in provider as well.
For the local machines, I don't know if it can help you, but it has been migrated to AnyIdentity and available on GitHub. You could improve it to get more information on the account and have more metadata on your account. I will create a ticket on our side to see what can be done to keep that information up to date on the heartbeat.
Best regards,
François Dubois
Hi François,
Thanks, I have already built an AnyIdentity template that will collect this information, but it doesn't make sense to populate this data into fields that can be edited when opening the PAMAccount in the web GUI. Thus the feature request for a read-only attribute for AnyIdentity Account property fields.
Secondly, the metadata may become out of date fairly quickly, and I'm not sure how to update the properties of an existing PAMAccount during execution of the Heartbeat and/or Discovery Action scripts? Would it work to use the Devolutions PowerShell cmdlet Update-DSPamAccount within an action script? Or is there a better way to achieve this?
Please let me know if you would like additional information.
Joe
Hi Joe,
I totally agree that it makes sense to have read only fields. My point was more that you can get them for now, but you're right, they will not be read only.
For your second request, it also makes sense. We will see how it could be implemented and create an appropriate ticket on our side to build such a feature. You could use the PowerShell module to do an update for now; the cmdlet should allow you to do that. I don't see another way to achieve that, unfortunately.
Best regards,
François Dubois