Win32 Console Script
| Connector name | |
|---|---|
| Connector type | Executable and PSLang script |
| Type (UI field value) | Win32 Console Script |
| Target system versions supported / tested | Applications that include a Windows console-mode program. |
| Connector status / support | Bravura Security-Verified: This connector has been tested and is fully supported by Bravura Security. |
| Installation / setup | Account management operations are implemented using a PSLang script to provide details for interaction between Bravura Security Fabric and the target application. |
The following Bravura Security Fabric operations are supported by the connector for Win32 console scripts (agtdos):
get server information
user verify password
user change password
administrator reset password
administrator reset+expire password
expire password
unexpire password
administrator verify password
verify+reset password
enable account
disable account
check account enabled
lock account
unlock account
check account lock
expire account
check account expiry
unexpire account
create account
delete account
add user to group
delete user from group
add group to group
remove group from group
create group
delete group
move contexts
rename account
update attributes
run command
list account attributes
update cached credentials
List:
accounts
attributes
groups
groups SID
members
computer objects
service accounts
members of built-in administrators group
For a full list and explanation of each connector operation, see Connector operations.
Preparation
Writing a script
Account management operations are implemented using a PSLang script to provide details for interaction between Bravura Security Fabric and the target application. The connector reads a script file with one or more functions defined in it. The connector refers to functions that you implement in the script by name and executes the appropriate function for each agent operation. You can write custom scripts, which must be added in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory. Official, shipped scripts are included in the agent directory, and use a scripted platform definition file (.con) to call one of the binary agents. The official scripts are designed to work "out of the box", but can be modified to suit your requirements.
See more information on how to create a PSLang script or modify a sample script.
Some sample scripts are provided in the samples directory. If you cannot find the sample file, try re-running setup to modify your installation. Sample files are automatically installed with complete (typical) installations. You can select them in custom installations.
Any sample script should be modified to fit your environment and prevent security exploits. The following Win32 Console scripts are available in the samples directory:
agtdos-simple.psl
agtdos-complete.psl
These scripts can be used with targets that require a list of users or groups to be maintained.
Configuring a target system administrator
In some cases, Bravura Security Fabric uses a designated account (for example, psadmin) on the Win32 console script target system to perform operations.
Ensure that the designated account can log into the application from the Bravura Security Fabric server, and that the account has the necessary privileges to set passwords and manage accounts.
Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.
Otherwise, when a designated account is not required, the administrator credentials can be left blank.
Targeting an application
For each application that uses a Windows console-mode program to manage accounts, add a target (Manage the system >Resources >Target systems):
The Type is Win32 Console Script.
The Address in Bravura Security Fabric is the name of the PSLang script file you created earlier. Ensure that the script is located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.
The Administrator ID and Password are the login ID and password for the target system administrator you configured earlier. If the target does not require administrative credentials, the Administrator ID and Password can be left blank.
The full list of target system parameters is explained here.
You can extend the address wizard by adding address line elements using the addressattrs function, as explained in PSLang Scripts for agtdos agttelnet agtssh. This is useful when creating a scripted target system with a scripted platform definition file.
Creating a template account
Consult the documentation included with your specific application to learn how to create an account to use as a template in Bravura Identity. You can then add account attributes to determine how new accounts should be created based on the template account’s parameters.
Bravura Security Fabric still requires a template account, even though attributes may or may not be copied from the template account, for example, if the configured action for all account attributes is Set.
Creating account attributes
The attributes that define accounts are unique to specific applications; you must therefore create your own set of account attributes. You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Account attributes menu in the Manage the system (PSA) module. See Account attributes for more information.
Managing groups
If group management functions are supported by your application, you can configure Bravura Security Fabric’s workflow engine to manage group membership on your targets. You can also map profile attributes to group attributes on the target so that users can select groups when making a request; however, this method is currently incompatible with group management through Bravura Security Fabric’s workflow configuration. Changes made in one method are not updated in the other.
For more information about account attributes and managed groups, see Groups.
Listing computer objects
In order to load computer objects to the Bravura Security Fabric database, the output from a Win32 console script must be properly formatted. The script will load computers from agtdos-servers.csv. This file is by default shipped with Bravura Security Fabric.
The agtdos-workstations.csv script was also shipped with Connector Pack 4.5 or earlier.
For Bravura Security Fabric 12.0.0 and later, the output must be in SQLite table format. It is written to the <target id>.db file in <instance>\psconfig\ and must include the following:
agtdos discobj table output for computer objects
| stableid | type | longid | shortid | displayid | sd |
|---|---|---|---|---|---|
| <GUID> | COMP | <GUID> | <computer name> | <computer name> | |

agtdos discobjattr table output for computer objects
| stableid | type | attrkey | attrval | seqno |
|---|---|---|---|---|
| <GUID> | COMP | @disabled | 0 | 0 |
| <GUID> | COMP | @deleted | 0 | 0 |
| <GUID> | COMP | ip | <ip address> | 0 |
| <GUID> | COMP | ip | <ip address> | 1 |
| <GUID> | COMP | business_unit | <business name> | 0 |
| <GUID> | COMP | dNSHostName | <full dns name> | 0 |
| <GUID> | COMP | location | <location> | 0 |
| <GUID> | COMP | os | <os name> | 0 |
Listing built-in administrator group members
When listing discovered administrators or groups, agtdos writes output to a file in the <instance>\psconfig\ directory.
For versions 12.0.0 or later, the output must be in SQLite table format. It is written to the <target id>.db file and must include the following:
agtdos discobj table output for administrators or groups
| stableid | type | longid | shortid | displayid | sd |
|---|---|---|---|---|---|
| <GUID> | COMP | <GUID> | <computer name> | <computer name> | |
| SID of user | type | SID of user | <description> | <description> | |

agtdos discobjattr table output for administrators or groups
| stableid | type | attrkey | attrval | seqno |
|---|---|---|---|---|
| SID of user | type | sid-usr | <SID of user> | 0 |
| SID of user | type | sid-grp | <SID of user> | 0 |
| SID of user | type | domain | <Domain ID> | 0 |
| SID of user | type | islocal | <local account 1\|0> | 0 |

agtdos discobjrel table output for administrators or groups
| parent_stableid | parent_type | reltype | child_stableid | child_type | child_name | child_sd |
|---|---|---|---|---|---|---|
| SID of user | parent_type | SUB | <Full user ID>, e.g. <Domain>\<account ID> | ACCT | <child_name> | <child_sd> |
Listing IIS, DCOM, COM+, SCM, task, and custom accounts
When listing discovered account objects, agtdos writes output to files in the <instance>\psconfig\ directory.
For versions 12.0.0 or later, the output must be in SQLite table format. It is written to the <target id>.db file and must include the following:
agtdos discobj table output for account objects
| stableid | type | longid | shortid | displayid | sd |
|---|---|---|---|---|---|
| <GUID> | COMP | <GUID> | <computer name> | <computer name> | |
| SID of user | type | SID of user | <description> | <description> | |

agtdos discobjattr table output for account objects
| stableid | type | attrkey | attrval | seqno |
|---|---|---|---|---|
| SID of user | type | sid | <SID of user> | 0 |
| SID of user | type | domain | <Domain ID> | 0 |
| SID of user | type | islocal | <local account 1\|0> | 0 |
| SID of user | type | ApplicationName | <Scheduled task’s binary> | 0 |
| SID of user | type | DisplayName | <Description of object> | 0 |
| SID of user | type | Comment | <Comment of object> | 0 |

agtdos discobjrel table output for account objects
| parent_stableid | parent_type | reltype | child_stableid | child_type | child_name | child_sd |
|---|---|---|---|---|---|---|
| SID of user | parent_type | SUB | <Full user ID>, e.g. <Domain>\<account ID> | ACCT | <child_name> | <child_sd> |
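The three listing sections above (computer objects, built-in administrator group members, and IIS/DCOM/COM+/SCM/task/custom accounts) all describe the same SQLite layout: a discobj row per discovered object, discobjattr rows keyed by that object's stableid, and discobjrel rows linking a parent object to a member account. The following Python script is an added example, not Bravura Security's code or one of the shipped agtdos scripts: it writes a small <target id>.db with all three tables and then runs the consistency checks a reviewer would want before the connector loads the file (every attribute and relation points at a known object, flag attributes are 0/1, multi-valued attributes have distinct seqno values, child IDs follow the <Domain>\<account ID> form). Column names are taken from the tables on this page; the SQLite column types, the absence of keys, the `GRP` type code, and all host names and SIDs are constructed assumptions.

```python
import sqlite3
import uuid

# Column names follow the discobj / discobjattr / discobjrel tables on this page.
# Column types and the lack of constraints are assumptions; the product's real
# schema may differ.
SCHEMA = """
CREATE TABLE discobj (
    stableid TEXT, type TEXT, longid TEXT, shortid TEXT, displayid TEXT, sd TEXT);
CREATE TABLE discobjattr (
    stableid TEXT, type TEXT, attrkey TEXT, attrval TEXT, seqno INTEGER);
CREATE TABLE discobjrel (
    parent_stableid TEXT, parent_type TEXT, reltype TEXT, child_stableid TEXT,
    child_type TEXT, child_name TEXT, child_sd TEXT);
"""


def open_db(path=":memory:"):
    """Create the three discovery tables; pass '<instance>\\psconfig\\<target id>.db' for real use."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def write_computer(conn, name, ips=(), guid=None, **attrs):
    """Emit the discobj and discobjattr rows for one computer object (type COMP)."""
    guid = guid or str(uuid.uuid4()).upper()
    conn.execute("INSERT INTO discobj VALUES (?,?,?,?,?,?)",
                 (guid, "COMP", guid, name, name, ""))
    rows = [("@disabled", "0", 0), ("@deleted", "0", 0)]
    # A multi-valued attribute (several IPs) repeats attrkey with seqno 0, 1, ...
    rows += [("ip", ip, seq) for seq, ip in enumerate(ips)]
    # Single-valued attributes such as business_unit, dNSHostName, location, os.
    rows += [(key, value, 0) for key, value in attrs.items()]
    conn.executemany("INSERT INTO discobjattr VALUES (?,?,?,?,?)",
                     [(guid, "COMP", k, v, s) for k, v, s in rows])
    return guid


def write_group_with_member(conn, group_sid, obj_type, description, domain,
                            member_id, islocal):
    """Emit the administrators/groups rows: the group object, its attributes and one
    SUB relation to a member account. The page does not name the group's type code,
    so obj_type is supplied by the caller (assumption)."""
    conn.execute("INSERT INTO discobj VALUES (?,?,?,?,?,?)",
                 (group_sid, obj_type, group_sid, description, description, ""))
    conn.executemany("INSERT INTO discobjattr VALUES (?,?,?,?,?)", [
        (group_sid, obj_type, "sid-grp", group_sid, 0),   # sid-usr for a user object
        (group_sid, obj_type, "domain", domain, 0),
        (group_sid, obj_type, "islocal", "1" if islocal else "0", 0),
    ])
    child_stableid = f"{domain}\\{member_id}"            # <Domain>\<account ID>
    conn.execute("INSERT INTO discobjrel VALUES (?,?,?,?,?,?,?)",
                 (group_sid, obj_type, "SUB", child_stableid, "ACCT", member_id, ""))
    conn.commit()
    return child_stableid


def validate(conn):
    """Consistency checks to run before the connector loads the file.
    Returns a list of problem strings; an empty list means the output is well formed."""
    problems = []
    known = {row[0] for row in conn.execute("SELECT stableid FROM discobj")}
    for sid, key, val, _seq in conn.execute(
            "SELECT stableid, attrkey, attrval, seqno FROM discobjattr"):
        if sid not in known:
            problems.append(f"discobjattr {key} refers to unknown object {sid}")
        if key in ("@disabled", "@deleted", "islocal") and val not in ("0", "1"):
            problems.append(f"{key} for {sid} must be 0 or 1, got {val!r}")
    dup = conn.execute("""SELECT stableid, attrkey, seqno, COUNT(*) FROM discobjattr
                          GROUP BY stableid, attrkey, seqno HAVING COUNT(*) > 1""")
    problems += [f"duplicate seqno {s} for {k} on {sid}" for sid, k, s, _ in dup]
    for parent, child in conn.execute(
            "SELECT parent_stableid, child_stableid FROM discobjrel"):
        if parent not in known:
            problems.append(f"discobjrel parent {parent} is not in discobj")
        if "\\" not in child:
            problems.append(f"discobjrel child {child!r} is not <Domain>\\<account ID>")
    return problems


def build_sample(path=":memory:"):
    """Constructed sample data (hosts, domain and member are made up) covering all
    three tables; S-1-5-32-544 is the well-known BUILTIN\\Administrators SID."""
    conn = open_db(path)
    write_computer(conn, "SRV01", ips=["10.0.0.5", "10.0.0.6"],
                   business_unit="Finance", dNSHostName="srv01.corp.example",
                   location="DC1", os="Windows Server")
    write_group_with_member(conn, group_sid="S-1-5-32-544", obj_type="GRP",
                            description="Administrators", domain="CORP",
                            member_id="svc-backup", islocal=True)
    return conn


if __name__ == "__main__":
    db = build_sample()
    print("problems:", validate(db) or "none")
```

Run it as-is to build the sample in memory; pass a real path to `build_sample` to write the file the connector reads. The `validate` function is the part worth keeping in a custom script's test harness: a relation whose parent was never written to discobj, or an islocal value outside 0/1, silently produces an incomplete or misleading inventory of privileged accounts, which is exactly what this listing exists to detect.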