Adding many hosts to PAM

For those of you with many hosts in PAM, how did you add them all? Did you automate it through the REST API or did you add them all manually? We have a few to add and I'd rather not add them all manually. I can already add the host to the vault with the corresponding credential but don't know how to add the corresponding command control rule yet.

    Is the privileged account name the same for these hosts (e.g. root)? If so, you could create a Host Group in Command Control Console with a list of all the Resource Names in the Vault (usually hostname) and configure a single rule that would authorize access to a group of servers for a specific credential 'Run User'.

    If there are unique privileged account names for each Resource/server, then an authorizing rule would need to be created for that as far as I understand. And yes, it's possible to create rules automatically by leveraging the REST API in PAM. More details can be found in the "/pam" console of PAM 3.5 or 3.6 by selecting "REST API" from the user details in the top right. A nice API Explorer will be available there.

    If this is PAM 3.2, sorry, I don't know what the call might have been.

    If you mean registering a PAM Agent as a host in the framework, there are typically deployment tools that are used to install / manage software or some custom script made unique for the environments. Examples of registration scripts can be found in TID 7024174.
