Support custom attributes in PAM import

Hello,
When importing PAM accounts, a pre-defined and limited set of attributes are imported from the domain provider. Would it be possible to release either "import templates" or perhaps a way to edit what is included in the standard import of PAM accounts?

Regards,
Simon


All Comments (17)

Hello,

This may be possible with some enhancements to the AnyIdentity template capabilities, as described in https://forum.devolutions.net/topics/40093/anyidentity-source-metadata-retrieval

Thanks
Joe

Hello Simon,

Thank you for your suggestion. I assume here that you would like to have more attributes for the Active Directory Provider. Am I right? The attributes that you would like to import, would you like them in a read-only mode or would you like to be able to edit them? If it can help, as mentioned by another user in a previous message, you can get more attributes with the AnyIdentity provider. They are not updated for now, we have to work on that, but you can get all the attributes that you want. I'm taking note of your feedback and will see what could be done.

Best regards,

François Dubois

Hello,
Yes. We would like to import the attribute otherPager as read-only. I understand that this attribute is not very interesting for most customers, that's why specifying custom ones would do.

Regards,
Simon

Hello Simon,

Thank you for your answer. I understand your need, we will see what could be done.

Best regards,

François Dubois

Hello again,
In addition to this, it would be nice to have the option to exclude disabled accounts from being imported into the PAM vaults.

Regards,
Simon

Hello Simon,

Thank you for your suggestion. I'm taking note of your last request, we will see what could be done.

Best regards,

François Dubois

Thank you. I understand that this might only be an issue in deployments with large batch imports of accounts. Another related function that might be considered more useful would be if Check sync status and Reset password would tell the user if the account was disabled. Today they throw an ambiguous error and the account becomes out of sync. Thanks!

Hello Simon,

Thank you for your feedback. Just to be sure, what you would like is to improve the error message to inform the user that it failed because the account is disabled, or you would like to see in the account list if an account is disabled on the provider? Improving the message should be something possible, we could investigate if we could catch that situation and improve it.

Best regards,

François Dubois

Hello,
Well, both, since the features aren't mutually exclusive imo. First off, it would be nice to have the option to exclude disabled accounts during scan. Since I suspect this feature might be in low demand from customers and require GUI changes, it might not get much attention. Improving the error message would be another way to "catch" this issue, but not as good since it isn't preventive. This speaks perhaps to a broader customer base since accounts can be disabled post-import, and this doesn't require any changes in the GUI.

I hope my English makes sense.

Best Regards.
Simon

Hi Simon,

Other customers want us to ENABLE/DISABLE the accounts as part of the checkout process, I'd prefer to properly manage the situation and say that password validation cannot be performed.

For sure, we'd prefer for the PAM to be considered the Single Source Of Truth, and maybe we have a skew to design features that way. We will for sure work in that area. We cannot have a kind of backdoor attack where a malicious actor creates a disabled account and it's completely ignored by our tools.

Maurice

Hi,
Ok fair enough. I've talked this over with my team and reached the following understanding. The feature to skip disabled accounts during scan, import or when we set permissions isn't really critical for us. We can build our own mechanism to skip these with a scripted approach, as long as they can be identified in the scan results.

Which brings me to the next point, which is that the ms-DS-User-Account-Disabled attribute is not included in the scan results. What we would also like, going back to the original request, is being able to define at least one custom attribute (e.g. otherPager, in our case) that could also be included in the scan results.

Regards,
Simon

Hi,
Is this something that could be included in a future release? :)

Regards,
Simon

Hello,

Yes, but we've been unable to deliver an important PAM feature for our coming release, and it's added to what seemed an already full plan for the release after.

I will see what can be done to address this.

Best regards,

Maurice

@Maurice Côté
Hello Maurice, just wanted to check if this has moved in any direction? We are using a pretty complicated workaround now to get hold of account attributes that we are missing from the import.

Hello Simon,

Unfortunately, we have not made progress on that. It is still in our backlog, though.

Best regards,

François Dubois

Hi Simon,

I will submit the request again to the portfolio committee. Accounts are now full-fledged RDM Entities and support hundreds of fields.

Our objective would be to keep this request as simple as possible. We use the "rocks / pebbles / sand" system at that level, so if we can keep it "pebble" size, it would help greatly in getting it done.

We could offer to map a named field like you want, but to our CUSTOM_FIELD_X attributes. Would it be sufficient?

e.g. CUSTOM_FIELD_1 : otherPager

My concern is WHERE you want to consume that information: in the PAM discovery dashboard, or simply in RDM. The latter would be easier.

Please let me know

Maurice

@Maurice Côté
Hello,
This would be consumed by a PS script running locally on the DVLS host, accessing the ScanResults.

Regards,
Simon