Use the Account Discovery Rule dialog to define the search criteria to be used to discover directory accounts.
You can dynamically tag an account from Active Directory. In addition, you can add a dynamic account group based on membership in an Active Directory group or if the account is in a organizational unit (OU) in Active Directory.
NOTE: For Unix, all search terms return exact matches. A user name search for ADM only returns ADM, not AADMM or 1ADM2. To find all names that contain ADM, you must include ".*" in the search term; like this: .*ADM.*.
For Windows and Directory, the search terms is contained in the result. A user name search for ADM returns ADM, AADMM, and 1ADM2.
All search terms are case sensitive. On Windows platforms (which are case insensitive), to find all accounts that start with adm, regardless of case, you must enter [Aa][Dd][Mm].*.
To add an Account Discovery rule
- Navigate to Asset Management > Discovery > Accounts.
- Select an existing account discovery job, and click View Details.
- On the Account Discovery Rules tab, click Edit.
- Click Add to open the New Account Discovery Rule dialog.
- Name: Enter a unique name for the account discovery rule. Limit: 50 characters.
-
Find By: Select one of the types of search below.
If the Discovery Type on the previous Account Discovery dialog is Windows, Unix, or Role Based; you can search by Constraints or Find All. The search options Name, Group, and LDAP Filter are only available if the Discovery Type is Directory.
- Name: Select this option to search by account name.
- For a regular search (not directory), in Contains enter the characters to search.
- If you are searching a directory:
- Select Start With or Contains and enter the characters used to search subset within the forest. When using Active Directory for a search, you can use a full ambiguous name resolution (ANR) search. Type a full or partial account name. You can only enter a single string (full or partial account name) at a time. For example, entering "t" will return all account names that begin with the letter "t": Timothy, Tom, Ted, and so on. But entering "Tim, Tom, Ted" will return no results.
- Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
- Select Include objects from sub containers to include sub containers in the search.
- Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
- Group: Select this option to search by group name.
- Click Add to launch the Group dialog.
-
Starts withor Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.
- Filter Search Location. Click Browse to select a container to search within the directory.
- Include objects from sub containers: Select this check box to include child objects.
- Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.
- Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
-
Constraints: Select this option to search for accounts based on an account's property. All are limited to 255 numeric characters.
IMPORTANT: Some Property Constraint selections may give slow results. Using Group is especially discouraged.
NOTE: Not all constraints will be available for all platforms. For example, while both MySql and Oracle are Role Based discovery types, MySql only supports searching on Permissions while Oracle supports both Roles and Permissions.
-
Selections:
-
RID (ranges): Applies to Windows and Directory (Windows Active Directory). Enter one or more Relative Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 1000 followed by a space, then type in 5000-7000.
-
GID (ranges): Applies to Windows, Directory (Windows Active Directory), and Unix. Enter one or more Group Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 8 followed by a space, then type in 10-12.
-
UID (ranges): Applies to Windows, Directory (Windows Active Directory), and Unix. Enter one or more User Identifier numbers. To enter multiple IDs or ID ranges, you must enter each element of the list separated by a space. For example, type in 1 followed by a space, then type in 5-7.
-
Name (RegEx): Applies to Windows, Directory (Windows Active Directory and LDAP), Unix, and Role Based (MySQL, Postgres, Oracle, SQL Server, Oracle, iDrac, Hp iLO, and HP iLO MP). Using Name (RegEx) is discouraged as it may slow your results. It is recommended you use Name (described earlier) to search by account name.
For an LDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions..
-
Group (RegEx): Applies to Windows, Directory (Windows Active Directory and LDAP), and Unix. Using Group (RegEx) is discouraged as it may slow your results. It is recommended you use Group (described earlier) to search by group name.
For an LDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions..
-
Role (RegEx): Applies to Role Based (Oracle and Postgres). Enter one or more roles. For an LDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions..
-
Permission (RegEx): Applies to Role Based (MySQL, Postgres, Oracle, SQL Server, Oracle, iDrac, Hp iLO, and HP iLO MP). Enter one or more permissions. For an LDAP asset, only substring matching is available (for example, a search term like abc*). Matching is case-insensitive. To use, enter a single regular expression pattern. For more information, see Regular expressions..
-
-
If you are searching a directory:
-
Click Browse to select the container to search within the directory. The location displays in Filter Search Location.
-
To include sub containers in your search, select Include objects from sub containers.
-
Click Preview then verify the search result in the Accounts dialog including Name and Domain Name.
-
-
- Name: Select this option to search by account name.
- Automatically Manage Found Accounts: Select to automatically add the discovered accounts to SPP. When selected, you can select Set default password then enter the password.
- Password Sync Group: Click Browse to select a password sync group to control validation and reset across all associated accounts. You can also use Add to add a new sync group. See: Password sync groups.
- Password Profile: If a profile was not automatically assigned for a sync group (previous step), click Browse to select a password profile to identify the configuration settings for the discovered accounts. You can also use New Profile to add a new password profile. For more information, see Password Profiles tab (partitions)..
-
Set default password: If Set default password is selected, the password you enter is a placeholder for the discovered asset until the password is changed for the first time on the asset. If Set default password is not selected, no password is stored until the password is changed for the first time on the asset. If the account is requested before the password is changed, an error may result. The default password is set in Safeguard for Privileged Passwords but not on the asset.
NOTE: If an Account Discovery Rule is configured to set a password, and a password profile (selected via the Assign to Password Profile option) is also configured to automatically change passwords, the change password schedule takes precedence and the account will have its password changed upon discovery.
- SSH Key Sync Group: Click Browse to select the SSH key sync group. For more information, see SSH Key Sync Groups settings..
- SSH Key Profile: If a profile was not automatically assigned for a sync group, cFor more information, see SSH Key Profiles tab (partitions)..
-
Set default SSH Key: Select to set a default SSH key. On the Import an SSH Key dialog, you can import a private key file for an SSH key that has been generated outside of SPP and assign it to the account. Click Browse to import the key file, enter a Password, then click OK. When importing an SSH key that has already been manually configured for an account on an asset, it is recommended that you first verify that the key has been correctly configured before importing the key. For example, you can run an SSH client program to check that the private key can be used to login to the asset: ssh -i <privatekeyfile> -l <accountname> <assetIp>. Refer to the OpenSSH server documentation for the target platform for more details on how to configure an authorized key.
NOTE:SPP does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by SPP.
-
Enable Password Request: This check box is selected by default, indicating that password release requests are enabled for this account. Clear this option to prevent someone from requesting the password for this account. By default, a user can request the password for any account in the scope of the entitlements in which they are an authorized user.
- Enable Session Request: This check box is selected by default, indicating that session access requests are enabled for this account. Clear this option to prevent someone from requesting session access using this account. By default, a user can make an access request for any account in the scope of the entitlements in which they are an authorized user.
- Enable SSH Key Request: This check box is selected by default, indicating that SSH key release requests are enabled for this account. Clear this option to prevent someone from requesting the SSH key for this account. By default, a user can request the SSH key for any account in the scope of the entitlements in which they are an authorized user.
-
Enable API Key Request: This check box is selected by default, indicating that API key release requests are enabled for this account. Clear this option to prevent someone from requesting the API key for this account. By default, a user can request the API key for any account in the scope of the entitlements in which they are an authorized user.
- (For directory accounts only) Available for use across all partitions (Global Access): When selected, any partition can use this account and the password is given to other administrators. For example, this account can be used as a dependent account or a service account for other assets. Potentially, you may have assets that are running services as the account, and you can update those assets when the service account changes. If not selected, partition owners and other partitions will not know the account exists. Although archive servers are not bound by partitions, this option must be selected for the directory account for the archive server to be configured with the directory account.
- Tags: This tab allows you to select tags or add new tags with rules.
- Click Apply.
- Click OK to save the Account Discovery job.