OTP API users
Users with the OTP Trustees privilege can create OTP API users, who have permission to retrieve managed account passwords from the Bravura Security Fabric vault and use them to execute scripts and command-line programs through runwithpass/pamutil.
OTP trustees have access to the PAMUtil: Create OTP API User pre-defined request.
Before an OTP API user can be created, at least one account must be onboarded by an account trustee, or a vault account must be created by a vault trustee.
See Application accounts for more information about runwithpass/pamutil.
Create an OTP API user
1. Log in to Front-end (PSF) as a user from an OTP API Trustee group.
2. Click the PAMUtil: Create OTP API User PDR.
3. Select a team.
4. Click Next.
5. Enter a PAM OTP Account Description.
6. Select one or more managed accounts.
7. Click Submit.
   Bravura Security Fabric notifies authorizers to review the request if required.
8. Click the View request link at the top of the page to view the status of the request.

Once the OTP API user is created, OTP trustees can request access to the OTP API user account.
See Example: Create an OTP API user for a detailed example.
API automation for creating an OTP API user
Once the API has been configured (see "SOAP API" in Bravura Security Fabric Remote API (api.pdf)) and your script has been authenticated to the API (Login or LoginEx API calls), the WF API calls can be used to create an API request.
Use the WFPDRSubmit function to create a workflow request and submit the request for publishing.
When submitting a request, use "CREATE_PAMUTIL_API_USER" as the PDR ID. At a minimum, the request requires the following attributes:
| attrkey | value |
|---|---|
| MS_TEAM | The team the OTP API user account will be assigned to. |
| OTP_ACCOUNT_DESCRIPTION | The description of the OTP API user account. |
| SELECT_MULTI_MA | The GUID(s) of the managed account(s) the OTP API user will have access to. |
| MS_ID | This is an arbitrary value attribute. |
| MS_NAME | This is an arbitrary value attribute. |
The MS_NAME and MS_ID attributes are required, but their values are not significant. In future versions of the product, these attributes will not be required.
CREATE_PAMUTIL_API_USER batch request sample:

```
"MS_TEAM","OTP_ACCOUNT_DESCRIPTION","SELECT_MULTI_MA","MS_ID","MS_NAME"
"TEAM-000000","sample otp api user","AA3AC9A7-6CAB-48A2-B1B7-1B804A256539,30F91A85-6C36-4C6F-90A1-81C60D692575","x","x"
```
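The following Python script is an added example, not Bravura Security Fabric code or part of its Remote API: it builds the attribute set for a CREATE_PAMUTIL_API_USER request, checks the required attributes before anything is submitted, and serializes one or more requests in the batch layout shown above. It assumes the managed account identifiers follow the 8-4-4-4-12 hexadecimal GUID form of the sample, and it fills MS_ID and MS_NAME with the placeholder "x" as the sample does. The team ID and GUIDs in the usage block are the sample values from this page; the function names are this example's own. Passing the resulting mapping to WFPDRSubmit is left to the caller, since the SOAP call's exact shape is documented in api.pdf rather than here.

```python
import csv
import io
import re

# PDR ID and required attribute keys as listed on the page.
PDR_ID = "CREATE_PAMUTIL_API_USER"
REQUIRED_ATTRS = ("MS_TEAM", "OTP_ACCOUNT_DESCRIPTION", "SELECT_MULTI_MA", "MS_ID", "MS_NAME")

# Assumed GUID format (8-4-4-4-12 hex), matching the managed account IDs in the sample.
_GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def build_request_attrs(team, description, managed_account_guids):
    """Return the attrkey -> value mapping for one CREATE_PAMUTIL_API_USER request.

    Rejects empty team/description and malformed GUIDs up front, so a bad request
    never reaches the workflow engine. MS_ID and MS_NAME get the placeholder "x",
    as in the page's sample, because their values are not significant.
    """
    if not team or not description:
        raise ValueError("MS_TEAM and OTP_ACCOUNT_DESCRIPTION must be non-empty")
    guids = [g.strip() for g in managed_account_guids]
    if not guids:
        raise ValueError("at least one managed account GUID is required")
    bad = [g for g in guids if not _GUID_RE.match(g)]
    if bad:
        raise ValueError("malformed managed account GUID(s): %s" % ", ".join(bad))
    return {
        "MS_TEAM": team,
        "OTP_ACCOUNT_DESCRIPTION": description,
        # Several managed accounts go into one comma-separated SELECT_MULTI_MA value.
        "SELECT_MULTI_MA": ",".join(guids),
        "MS_ID": "x",
        "MS_NAME": "x",
    }


def to_batch_csv(requests):
    """Serialize attribute mappings as a batch file: a quoted header row followed by
    one quoted row per request, columns in REQUIRED_ATTRS order."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(REQUIRED_ATTRS)
    for attrs in requests:
        missing = [k for k in REQUIRED_ATTRS if k not in attrs]
        if missing:
            raise ValueError("request is missing required attribute(s): %s" % ", ".join(missing))
        writer.writerow([attrs[k] for k in REQUIRED_ATTRS])
    return buf.getvalue()


def parse_batch_csv(text):
    """Parse a batch file back into attribute mappings, verifying the header row and
    splitting SELECT_MULTI_MA into a list of GUIDs (useful for reviewing a batch
    before submission)."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or tuple(rows[0]) != REQUIRED_ATTRS:
        raise ValueError("unexpected header row: %r" % (rows[0] if rows else None))
    parsed = []
    for row in rows[1:]:
        attrs = dict(zip(REQUIRED_ATTRS, row))
        attrs["SELECT_MULTI_MA"] = attrs["SELECT_MULTI_MA"].split(",")
        parsed.append(attrs)
    return parsed


if __name__ == "__main__":
    # Sample values taken from the page's batch request sample.
    req = build_request_attrs(
        "TEAM-000000",
        "sample otp api user",
        ["AA3AC9A7-6CAB-48A2-B1B7-1B804A256539", "30F91A85-6C36-4C6F-90A1-81C60D692575"],
    )
    print(to_batch_csv([req]))
```

Validating the GUID list before submission matters because SELECT_MULTI_MA decides which managed account passwords the new OTP API user can retrieve; a typo there silently grants or withholds access rather than failing loudly.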