
Adding many hosts to PAM

For those of you with many hosts in PAM, how did you add them all? Did you automate it through the REST API or did you add them all manually? We have a few to add and I'd rather not add them all manually. I can already add the host to the vault with the corresponding credential but don't know how to add the corresponding command control rule yet.


    Is the privileged account name the same for these hosts (e.g. root)? If so, you could create a Host Group in the Command Control Console with a list of all the Resource Names in the Vault (usually the hostname) and configure a single rule that would authorize access to a group of servers for a specific credential 'Run User'.

    If there are unique privileged account names for each Resource/server, then an authorizing rule would need to be created for each, as far as I understand. And yes, it's possible to create rules automatically by leveraging the REST API in PAM. More details can be found in the "/pam" console of PAM 3.5 or 3.6 by selecting "REST API" from the user details in the top right. A nice API Explorer is available there.

    If this is PAM 3.2, sorry, I don't know what the call might have been.

    If you mean registering a PAM Agent as a host in the framework, there are typically deployment tools that are used to install / manage software or some custom script made unique for the environments. Examples of registration scripts can be found in TID 7024174.
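The grouping the answer above describes (one Host Group and one rule per distinct privileged account, rather than one rule per host) is easy to script before touching the API at all. The following is an added example, not NetIQ/Micro Focus code and not taken from the PAM API Explorer: it reads a constructed CSV inventory, groups resources by run user, and emits the ordered requests a bulk-provisioning run would make. The REST paths (`/rest/cmdctrl/hostgroups`, `/rest/cmdctrl/rules`), the JSON field names in the payloads, the `submit_user_group` parameter and bearer-token authentication are all assumptions; replace them with the endpoints and schema shown in the console's REST API explorer before running with `dry_run=False`.

```python
"""Plan PAM Command Control authorizations for a batch of hosts.

Added example, not NetIQ/Micro Focus code. Hosts sharing a privileged
account go into one Host Group behind one rule; a host with a unique
account gets its own one-member group and rule. The REST paths, payload
field names and bearer-token auth below are ASSUMPTIONS, not verified
against the PAM 3.5/3.6 API Explorer; adjust them to your console.
"""
import csv
import io
import json
import urllib.request
from collections import defaultdict

# Constructed sample inventory: hostname, privileged account ('run user'),
# credential vault resource name (usually the hostname).
SAMPLE_INVENTORY = """hostname,run_user,resource
web01.example.com,root,web01.example.com
web02.example.com,root,web02.example.com
db01.example.com,root,db01.example.com
app01.example.com,svc_app,app01.example.com
"""

# Placeholder endpoint paths (assumed, not taken from the PAM API Explorer).
HOSTGROUP_PATH = "/rest/cmdctrl/hostgroups"
RULE_PATH = "/rest/cmdctrl/rules"


def load_inventory(text):
    """Parse the CSV inventory; reject rows missing a required column."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for col in ("hostname", "run_user", "resource"):
            if not row.get(col):
                raise ValueError(f"row {row} is missing {col}")
    return rows


def plan_rules(rows):
    """Group resources by run_user: one Host Group + one rule per account.

    Returns {run_user: sorted list of resource names}. A run_user seen on
    only one host still gets its own group, so the rule count is
    'one per account', never 'one per host'.
    """
    groups = defaultdict(set)
    for row in rows:
        groups[row["run_user"]].add(row["resource"])
    return {user: sorted(res) for user, res in sorted(groups.items())}


def build_requests(plan, submit_user_group):
    """Turn the plan into an ordered list of (method, path, payload).

    Each Host Group is created before the rule that references it.
    submit_user_group is the PAM user group allowed to run as run_user
    (an assumed field name; match it to your console's rule schema).
    """
    reqs = []
    for run_user, resources in plan.items():
        group_name = f"hg_{run_user}"
        reqs.append(("POST", HOSTGROUP_PATH,
                     {"name": group_name, "hosts": resources}))
        reqs.append(("POST", RULE_PATH,
                     {"name": f"allow_{submit_user_group}_as_{run_user}",
                      "hostGroup": group_name,
                      "runUser": run_user,
                      "submitUserGroup": submit_user_group,
                      "authorize": True}))
    return reqs


def push(reqs, base_url, token, dry_run=True):
    """Send the requests in order; with dry_run=True only report them."""
    sent = []
    for method, path, payload in reqs:
        url = base_url + path
        if dry_run:
            sent.append((method, url, payload))
            continue
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode(), method=method,
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"})  # assumed auth scheme
        with urllib.request.urlopen(req, timeout=30) as resp:
            sent.append((method, url, resp.status))
    return sent


if __name__ == "__main__":
    plan = plan_rules(load_inventory(SAMPLE_INVENTORY))
    for method, url, payload in push(build_requests(plan, "unix-admins"),
                                     "https://pam.example.com", "TOKEN"):
        print(method, url, json.dumps(payload))
```

Run it as-is to see the four requests the sample inventory produces (two groups, two rules) without contacting anything; only once the paths and payloads match what the API Explorer shows should the dry run be switched off.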



    Thanks. The privileged account name is the same. At the moment, we are creating unique authorization rules for every server (only difference is Account Domain/Credentials/Run Host). I'll try to collapse this into one rule.

    Does every host need to be a resource in the credential vault? I have a long list of hosts that need to use the same local credential but cannot figure out how to get the SSH relay to work without adding each host and credential to the credential vault. I have created a host group, but if I try to use one credential, SSH connects to the hostname set in the resource.