Example: Configure import rules to onboard, update and offboard systems and accounts

By default, import rules do not affect systems and accounts managed through self service management. However, import rules can be used to configure resource attributes generally set through self service management to onboard, update and offboard systems and accounts.

The following resource attributes can be set by managed systems import rules:

  • Attributes of a resource

    • Resource Team

The following resource attributes can be set by managed accounts import rules:

  • Personal privileged owner

    • Privileged access owner

  • Password Reset/Randomization

    • Allow override

    • Allow randomization

  • PAM Account Disclosure Attributes

    • Direct connection

    • Copy password

    • Download file

    • View password

  • Attributes for the PAM OTP accounts

    • Teams to be permitted to view PAM OTP Account

    • OTP Accounts

  • Attributes of a resource

    • Resource Team

  • PAM Account Sessmon Attributes

    • Clipboard

    • Keystroke

    • Screenshot

Sample import rules

Sample rules are available to be installed as components:

  • Scenario.pam_sample_import_rules

  • Data.pam_importrule_acct_onboard_admin

  • Data.pam_importrule_set_policy

  • Data.pam_importrule_sys_onboard_winnt

  • Data.pam_importrule_tgt_import_non_critical

They can be found in the <instance>\samples\idmlib\component\ directory.

RefBuild.pam_team_management must be installed before installing samples.

Once installed, the following rules are available:

  • Target systems: IMPORT_NON_CRITICAL – enabled by default and imports non-critical systems

  • Managed systems:

    • ONBOARD_WINNT – enabled by default and manages all Windows NT systems listed from the demo.local domain

    • OFFBOARD_OFFLINE_SYS – enabled by default and offboards systems that cannot be contacted for 40 days or more

  • Managed accounts:

    • MANAGE_ADMINS – disabled by default, but when enabled will manage all "admin" accounts

    • OFFBOARD_OFFLINE_ACCT – enabled by default and offboards accounts on systems that cannot be contacted for 30 days or more

By default, the sample rules are configured with dummy data to:

  • run against demo.local

  • assign team_winnt as the resource team

  • enable session recording

  • disclose a direct connection (remote desktop) upon check-out

Update the import rules as required.

Configure import rules to set resource attributes

To use import rules to set management resource attributes:

  1. Create and configure import rules.

  2. Select an import rule.

  3. Under the General tab, set resource attribute values to be assigned upon match.

  4. Run the import rule, either manually or through discovery.

    By default, import rules do not overwrite resource attribute values that have already been set.

Configure import rules to update resource attributes

Resource attributes that have already been set through self service management pre-defined requests are not updated by import rules by default. To allow import rules to overwrite set values, enable IMPORT ACCOUNT RESATTR OVERWRITE and/or IMPORT SYSTEM RESATTR OVERWRITE for managed accounts and systems respectively. These system variables are found at Manage the system > Maintenance > System variables.