Subscriber notification

The subscriber notification component, Functional.pam_subscriber_notification_plugin, allows Bravura Security Fabric to notify relevant subscribers, such as services, that an associated password is changing. Primarily this component is used for updating service account passwords on their respective service before or after performing the password change.

Subscribers to an account are automatically determined based on data gathered during auto discovery, and relevant information associated with the subscribers is populated into a table in the SQLite External Data Store. Once the subscriber data has been populated, the record must be reviewed before subscriber orchestration will be enabled for that account. This process can be done by humans, or can be automated depending on the requirements of the Bravura Security Fabric deployment.

Subscriber orchestration will only take place if all servers that house subscribers can be contacted when the randomization takes place. If any of the servers are unreachable, the password will not be randomized. This ensures that no services are left in an unusable state by Bravura Security Fabric.

The following plugin points, scripts, and tables control the logic that powers the subscriber notification component, and are automatically configured when the component is installed:

  • Calculation Logic

    • PAMSA SUBSCRIBER NOTIFICATION – calls a plugin to give notifications of imminent service account password randomization to subscribers and receive orchestration information.

    • PSUPDATE POST – the psupdate_post.psl script is called by psupdate at the end of auto discovery after all other tasks are complete.

  • SQL Table – A table in the SQLite External Data Store called Subscribers contains the data that is used to determine which subscribers to notify of upcoming password randomization.

This component is usually installed with the subscriber scenario component, part of the Bravura Privilege Pattern. See Example: Onboard a Windows server with subscribers for details.

Subscriber notification plugin

You use a plugin or PSLang script to determine which discovered objects that use a managed account's credential should be updated when the managed account's password has been randomized. This allows you to control which objects on a discovered managed system have their credentials updated, so that unauthorized services, scheduled tasks, DCOM objects and IIS objects do not obtain the new password. If the plugin is empty, password randomization occurs without any subscribers being notified.

To control what objects to update after a password randomization:

  1. Click Manage the system > Privileged access > Options > Password randomization.

  2. Type the name of the plugin in the PAMSA SUBSCRIBER NOTIFICATION field.

  3. Click Update.

If the Bravura Privilege Pattern is used, the plugin_subscriber_notification.py plugin is installed with it.

Requirements

See Writing plugins for general requirements.

Execution points

The plugin is run as part of the password change orchestration process, which occurs whenever a managed account password has been randomized by the Bravura Security Fabric instance. This includes product administrators randomizing passwords, the scheduled password randomizations, and password check-ins.

Input - local accounts

The plugin has access to the following KVGroup input for local accounts:

"orchestrationid" "<orchestration id>" = {
    "target" "<target id>" = {
        "ead_computer_attributes" "" = { # attributes discovered through auto discovery process
            "sv_attributes" "" = {
                "<attribute key>" = "<attribute value>"
                ...
            }
            "mv_attributes" "" = {
                "<attribute key 1>" = "<attribute value 1>"
                "<attribute key 1>" = "<attribute value 2>"
                "<attribute key 2>" = "<attribute value 3>"
                ...
            }
        }
        "ead_computer_attributes" "" = { # attributes listed
            "<attribute key>" = "<attribute value>"
            ...
        }
    }
    "account" "<account longid>" = {
        "account" "" = {
            "account" "" = {
                "userid" = "<user id>"
                "hostid" = "<target system id>" # Target system the account is on
                "longid" = "<longid>"
                "shortid" = "<shortid>"
                "helpdesk" = "<TRUE|FALSE>"
                "list" = "TRUE|FALSE"
                "user" = "TRUE|FALSE"
                "associated" = "TRUE|FALSE"
                "invalid" = "TRUE|FALSE"
            }
        }
    }
    "subscribers" "" = {
        "<target system id>" "" = { # ID of target system where the subscriber is on
            "HostID" = "<target system id>"
            "accountDomain" = ""
            "description" = "<target system description>"
            "ead_computer_attributes" "" = {
                "sv_attributes" "" = {
                    "<attribute key 1>" = "<attribute value>"
                    ...
                }
                "mv_attributes" "" = {
                    "<attribute key 1>" = "<attribute value 1>"
                    "<attribute key 1>" = "<attribute value 2>"
                    "<attribute key 2>" = "<attribute value 3>"
                    ...
                }
            }
            "<subscriber 1 address>" "Service|Task|IIS|DCOM" = {
                "rawaccount" = "<account id>" # Account ID as it appears on the subscriber
                "attribute" "" = {
                    "<attribute>" = "<value>"
                    ...
                }
            }
            ...
            "<subscriber N address>" "Service|Task|IIS|DCOM" = {
                "rawaccount" = "<account id>" # Account ID as it appears on the subscriber
                "attribute" "" = {
                    "<attribute>" = "<value>"
                    ...
                }
            }
        }
    }
    "sessionid" = "<session id>"
} 

Input - Domain accounts

The plugin has access to the following KVGroup input for domain accounts:

"orchestrationid" "<orchestration id>" = {
    "target" "<domain target id>" = {
        "ead_computer_attributes" "" = { # attributes discovered through auto discovery process
            "sv_attributes" "" = {
                "<attribute key>" = "<attribute value>"
                ...
            }
            "mv_attributes" "" = {
                "<attribute key 1>" = "<attribute value 1>"
                "<attribute key 1>" = "<attribute value 2>"
                "<attribute key 2>" = "<attribute value 3>"
                ...
            }
        }
        "ead_computer_attributes" "" = { # attributes listed
            "<attribute key>" = "<attribute value>"
            ...
        }
    }
    "account" "<account longid>" = {
        "account" "" = {
            "account" "" = {
                "userid" = "<user id>"
                "hostid" = "<target system id>" # Target system the account is on
                "longid" = "<longid>"
                "shortid" = "<shortid>"
                "helpdesk" = "<TRUE|FALSE>"
                "list" = "TRUE|FALSE"
                "user" = "TRUE|FALSE"
                "associated" = "TRUE|FALSE"
                "invalid" = "TRUE|FALSE"
            }
        }
    }

    "subscribers" "" = {
        "<target system 1 id>" "" = { # ID of target system where the subscriber is on
            "HostID" = "<target system id>"
            "accountDomain" = "<domain of account>" # Format dependent on how it was targeted
            "description" = "<target system description>"
            "ead_computer_attributes" "" = {
                "sv_attributes" "" = {
                    "<attribute key 1>" = "<attribute value>"
                    ...
                }
                "mv_attributes" "" = {
                    "<attribute key 1>" = "<attribute value 1>"
                    "<attribute key 1>" = "<attribute value 2>"
                    "<attribute key 2>" = "<attribute value 3>"
                    ...
                }
            }
            "<subscriber 1 address>" "Service|Task|IIS|DCOM" = {
                "rawaccount" = "<account id>" # Account ID as it appears on the subscriber
                "attribute" "" = {
                    "<attribute>" = "<value>"
                    ...
                }
            }
            ...
            "<subscriber N address>" "Service|Task|IIS|DCOM" = {
                "rawaccount" = "<account id>" # Account ID as it appears on the subscriber
                "attribute" "" = {
                    "<attribute>" = "<value>"
                    ...
                }
            }
        }
        ... # Repeat for each system that has a subscriber use the domain account
        "<target system N id>" "" = { # ID of target system where the subscriber is on
            ...
        }
    }
    "sessionid" = "<session id>"
} 

Output

The plugin expects the following return value:

"output" "plugin_subscribernotification" = {
    "orchestrationid" "<orchestration id>" = {
        "changePassword" = "<true|false>"
        "infomsg" = "<message>"
        "warnmsg" = "<message>"
        "operations" "<operation id>" = { # Used for dependencies
            "operation" "<SERI|UPRS|ACHG>" = {
                "attributes" "" = {
                    "restart" = "<true|false>"
                    "position" = "<pre|post>"
                }
                "resourcetype" = "<up_scmpass|up_taskpass|up_iispass|up_compass|up_cuspass>"
                "resourceaddress" = "<subscriber address>" # Matches subscriber Id on managed system
                "rawaccount" = "<raw account id>" # Matches how account is set in subscriber
                "accountTarget" = "<target system id>" # Where the account exists on (used for domain accounts)
                "accountID" = "<account id>"
            }
            "depends" "" = {
                "dependency" = "<orchestration id>" # Empty KVG signifies no dependency
            }
            "target" = "<target system id>" # Where the subscriber is
        }
        ...
    }
    "retval" = "0"
} 
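The following is an added worked example, not Bravura Security Fabric's own plugin_subscriber_notification.py, showing how a plugin can walk the input structure documented above and build the documented output: one operation per subscriber whose stored account actually resolves to the managed account, with everything else (objects of a kind the deployment does not allow, or objects that merely resemble the account) reported in warnmsg and left untouched. It assumes the KVGroup text has already been parsed into nested Python dicts where a two-part header such as `"subscribers" ""` becomes the tuple key `("subscribers", "")`; the mapping of subscriber kinds to resourcetype values, the operation code "UPRS" and the host and account names in the sample input are assumptions constructed for the example.

```python
"""Added example: decide which subscribers are updated and build the output.

Illustrative code for this page, not the product's plugin. Assumptions:
KVGroup input is pre-parsed into nested dicts (two-part headers become tuple
keys), RESOURCE_TYPES maps subscriber kinds to resourcetype values, "UPRS"
is the operation code, and all sample names are constructed.
"""

# Assumed mapping from the subscriber kind in the input header to the
# resourcetype values listed in the documented output.
RESOURCE_TYPES = {"Service": "up_scmpass", "Task": "up_taskpass",
                  "IIS": "up_iispass", "DCOM": "up_compass"}


def rawaccount_matches(rawaccount, shortid, hostid, account_domain=""):
    """True only if the account stored on the subscriber is the managed account.

    Local accounts may be stored as "svc", ".\\svc" or "HOST\\svc"; domain
    accounts as "DOMAIN\\svc". Anything else never receives the new password.
    """
    domain, _, user = rawaccount.rpartition("\\")
    if user.lower() != shortid.lower():
        return False
    accepted = {account_domain.lower()} if account_domain else {"", ".", hostid.lower()}
    return domain.lower() in accepted


def build_output(kv_input, allowed_types=frozenset(RESOURCE_TYPES)):
    """Build the documented return value for the single orchestration in kv_input."""
    (orch_key, orch), = kv_input.items()          # exactly one orchestration id
    orch_id = orch_key[1]
    acct_key = next(k for k in orch if isinstance(k, tuple) and k[0] == "account")
    acct = orch[acct_key][("account", "")][("account", "")]
    shortid, hostid = acct["shortid"], acct["hostid"]

    operations, skipped = {}, []
    for host in orch[("subscribers", "")].values():
        host_id, account_domain = host["HostID"], host.get("accountDomain", "")
        for key, sub in host.items():
            if not isinstance(key, tuple) or key == ("ead_computer_attributes", ""):
                continue                          # scalars and discovery attributes
            address, kind = key
            raw = sub.get("rawaccount", "")
            if kind not in allowed_types or not rawaccount_matches(raw, shortid, hostid, account_domain):
                skipped.append(f"{host_id}/{address} ({kind}, {raw})")
                continue
            operations[("operations", f"{orch_id}-{host_id}-{address}")] = {
                ("operation", "UPRS"): {          # operation code: assumption
                    ("attributes", ""): {
                        "restart": "true" if kind == "Service" else "false",
                        "position": "post",       # update after the password changes
                    },
                    "resourcetype": RESOURCE_TYPES[kind],
                    "resourceaddress": address,
                    "rawaccount": raw,
                    "accountTarget": hostid,
                    "accountID": acct["userid"],
                },
                ("depends", ""): {},              # empty group: no dependency
                "target": host_id,
            }
    body = {"changePassword": "true",
            "infomsg": f"{len(operations)} subscriber(s) will be updated",
            "warnmsg": "skipped: " + "; ".join(skipped) if skipped else ""}
    body.update(operations)
    return {("output", "plugin_subscribernotification"): {
        ("orchestrationid", orch_id): body, "retval": "0"}}


def to_kvgroup(group, indent=0):
    """Render nested dicts in the KVGroup notation used on this page."""
    pad, lines = "    " * indent, []
    for key, value in group.items():
        if isinstance(key, tuple):
            lines.append(f'{pad}"{key[0]}" "{key[1]}" = {{')
            if value:
                lines.append(to_kvgroup(value, indent + 1))
            lines.append(f"{pad}}}")
        else:
            lines.append(f'{pad}"{key}" = "{value}"')
    return "\n".join(lines)


# Constructed sample input: one local service account, four subscribers on one host.
SAMPLE_INPUT = {("orchestrationid", "orch-42"): {
    ("target", "WIN-APP01"): {},
    ("account", "WIN-APP01\\svc_batch"): {("account", ""): {("account", ""): {
        "userid": "svc_batch", "hostid": "WIN-APP01",
        "longid": "WIN-APP01\\svc_batch", "shortid": "svc_batch"}}},
    ("subscribers", ""): {("WIN-APP01", ""): {
        "HostID": "WIN-APP01", "accountDomain": "", "description": "batch server",
        ("BatchSvc", "Service"): {"rawaccount": ".\\svc_batch", ("attribute", ""): {}},
        ("NightlyReport", "Task"): {"rawaccount": "WIN-APP01\\svc_batch", ("attribute", ""): {}},
        ("LegacyApp", "DCOM"): {"rawaccount": ".\\svc_batch", ("attribute", ""): {}},
        # Same user name on another host: must never receive this password.
        ("Lookalike", "Service"): {"rawaccount": "OTHERHOST\\svc_batch", ("attribute", ""): {}},
    }},
    "sessionid": "sess-1"}}

if __name__ == "__main__":
    # Deployment policy for this run: update services and scheduled tasks only.
    print(to_kvgroup(build_output(SAMPLE_INPUT, allowed_types={"Service", "Task"})))
```

Running the block prints the output in the documented notation, with two operations (the service with restart set and the task without) and a warnmsg naming the DCOM object and the look-alike service that were skipped. The rawaccount comparison is the security-relevant part: the plugin is the only place where an object that looks like a legitimate subscriber can be kept from receiving the new password, so it compares the domain part explicitly rather than matching on user name alone.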

Decommissioning subscribers

When tasks, services and other already-discovered subscribers are removed from their targets, disable subscriber notification in Manage external data store > pam_pwd_randomization_subscriber, so that orchestration can complete successfully for the affected service account randomizations. Do not delete the subscriber record, as it will be restored after the next discovery, even if it is not listed.