Starling Governance Access Certification Hosted - Integration Guide

Account data

CAUTION: Make sure you save a copy of the original Safeguard for Privileged Passwords CSV files before making edits to the files or uploading them to Access Certification. This is in case an edit to a CSV file leads to an unintended recommended change within Safeguard for Privileged Passwords. The unedited file can be compared to a newer version in order to identify where the data was changed and if it needs to be corrected.

When you upload account data from Safeguard for Privileged Passwords, the information comes from the local identity provider (Active Directory) for which Safeguard for Privileged Passwords is the authority. It does not include data for disabled Safeguard for Privileged Passwords users.

The following are descriptions of the fields within the accounts CSV file:

  • authority: The authority for the account. This is the system of origin for the account. This column is used to specify whether the account is a local account or external account. The authority value consists of an authority type and the authority realmId separated by a colon.
  • id: An immutable identifier for the account. Some authorities may use the same value for id and userName, but this might also be an integer value or GUID value.
  • userName: The user's account name.
  • owner: Set to the anchor value from a corresponding row in the identities CSV file. This attribute correlates a row of the accounts CSV file with a row in the identities CSV file, designating which identity the account belongs to. To correlate an account with an owner, set the owner value to the anchor value of the account owner's identity.

Group data


The group data being used is that which corresponds with the groupings of Safeguard for Privileged Passwords users for the purpose of assigning entitlements. Because the data is specific to Safeguard for Privileged Passwords and how it manages users, the information might not be mapped to external identity providers.

The following are descriptions of the fields within the groups CSV file:

NOTE: If any additional columns are included in the groups CSV file, they will be created as group attributes in the graph.

NOTE: Rows having the same authority and id are considered duplicates. On import, one will overwrite the other.

  • authority: The authority for the group. This is the system of origin for the group (that is, the system that records the actual group membership). This column is used to specify whether the group is a local group or an external group. The authority value consists of an authority type and the authority realmId separated by a colon.
  • id: An immutable identifier for the group. Some authorities may use the same value for id and groupName, but this might also be an integer value or GUID value.
  • groupName: The system name for the group.
  • displayName: (Optional) The display name for the group.
  • description: (Optional) Description of the group which should summarize the purpose of the group.
  • owner: Set to the anchor value from a corresponding row in the identities CSV file. This attribute correlates a row of the groups CSV file with a row in the identities CSV file, designating which identity owns the group. To specify a group owner, set the owner value to the anchor value of the group owner's identity.

Entitlement data


Entitlements are groupings of Safeguard for Privileged Passwords access policies, and they require that the account data and group data be gathered first, because both accounts (users within Safeguard for Privileged Passwords) and groups can be added to entitlements. Each entitlement may contain zero or more access policies, but an individual access policy may only be part of one entitlement. This restriction ensures that changing one access policy does not unintentionally modify a separate entitlement that the administrator may not realize is related.

The entitlements CSV file is a representation of the following sentence:

<account> has <permission> on <resource> because of <group>

The following are descriptions of the fields within the entitlements CSV file:

  • accountAuthority: See accountId.
  • accountId: Together, accountAuthority and accountId should match a corresponding row in the accounts CSV file.
  • permission: Human readable description of the permission.
  • resource: Human readable identifier for the resource.
  • groupAuthority: See groupId.
  • groupId: Together, groupAuthority and groupId should match a corresponding row in the groups CSV file.

Generating CSV files from Safeguard for Privileged Passwords

Before you can upload data to Access Certification, you must generate CSV files containing that data from Safeguard. For information on the types of data being uploaded, see the Data Imports page.

To generate CSV files from Safeguard for Privileged Passwords


IMPORTANT: Before generating CSV files, review the Additional hardware and software requirements information.

NOTE: It is recommended that you review this diagram before making any edits to the CSV files.

  1. Run PowerShell as an administrator.
  2. For instructions and information on connecting, see One Identity Safeguard PowerShell scripting resources. Use the PowerShell module marked as the current version, which contains the Access Certification cmdlets.

    NOTE: To verify that you are running the correct module version, use Get-InstalledModule.

  3. Once you have connected to the Safeguard Appliance (see the Getting Started instructions on the One Identity Safeguard PowerShell scripting resources page), run the following cmdlet to create all of the required CSV files:

    Get-SafeguardAccessCertificationAll

  4. When prompted, enter your Active Directory credentials.

  5. Once you have finished generating all CSV files, review the files to ensure the data is both complete and accurate. If you find rows that are incomplete and unnecessary, delete those rows.

    NOTE: The cmdlet simplifies CSV file creation: a single cmdlet calls six cmdlets to create the required CSV files. You should still ensure the following columns are correct, since the information contained in them needs to match the other CSV files:

    • Email
    • Anchor
    • Manager
  6. Once you have finished generating and reviewing the CSV files, you'll need to upload them to Access Certification. For more information, see Uploading data.
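The script below is an added example, not part of this guide and not part of One Identity's safeguard-ps module. It performs the review that step 5 asks for, using the cross-references described in the Account data, Group data and Entitlement data sections: every owner and manager value must be an identity anchor, (authority, id) must be unique within a file because a duplicate silently overwrites the other row on import, every entitlement row must match an existing account and group, and authority must have the form type:realmId. It also compares an edited file against the saved original by (authority, id) key, which is the comparison the CAUTION at the top of the Account data section recommends. All sample rows, realm names and SIDs are constructed, and the lowercase email and manager column names on the identities file are an assumption.

```python
import csv
import io

# Constructed sample files (not real Safeguard for Privileged Passwords exports).
# Column names follow the guide; 'email' and 'manager' on the identities file
# are assumed to be lowercase like the other columns.
IDENTITIES_CSV = """anchor,email,manager
alice@example.com,alice@example.com,
bob@example.com,bob@example.com,alice@example.com
carol@example.com,carol@example.com,zed@example.com
"""

ACCOUNTS_CSV = """authority,id,userName,owner
ad:corp.example.com,S-1-5-21-1,alice,alice@example.com
ad:corp.example.com,S-1-5-21-2,bob,bob@example.com
ad:corp.example.com,S-1-5-21-3,svc-backup,nobody@example.com
"""

GROUPS_CSV = """authority,id,groupName,displayName,description,owner
spp:local,7,LinuxAdmins,Linux Admins,Root on Linux hosts,alice@example.com
spp:local,7,LinuxAdmins,Linux Admins (dup),Duplicate row,alice@example.com
spp:local,8,DbaTeam,DBA Team,Database admins,bob@example.com
"""

ENTITLEMENTS_CSV = """accountAuthority,accountId,permission,resource,groupAuthority,groupId
ad:corp.example.com,S-1-5-21-1,Checkout password,root@web01,spp:local,7
ad:corp.example.com,S-1-5-21-9,Checkout password,sa@db01,spp:local,8
ad:corp.example.com,S-1-5-21-2,Checkout password,sa@db01,spp:local,99
"""


def load(text):
    """Parse CSV text into a list of dict rows keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def bad_authority(rows, column="authority"):
    """Rows whose authority is not exactly '<type>:<realmId>'."""
    return [r for r in rows
            if r[column].count(":") != 1 or not all(r[column].split(":"))]


def duplicate_keys(rows, auth="authority", ident="id"):
    """(authority, id) pairs seen more than once: on import one row silently
    overwrites the other, so resolve these before uploading."""
    seen, dups = set(), []
    for r in rows:
        key = (r[auth], r[ident])
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


def dangling_refs(rows, column, anchors):
    """(line_number, value) for rows whose owner/manager column names no
    identity anchor. Empty values are skipped (an identity with no manager)."""
    return [(n, r[column]) for n, r in enumerate(rows, start=2)  # line 1 = header
            if r[column] and r[column] not in anchors]


def dangling_entitlements(entitlements, accounts, groups):
    """(line_number, reason) for entitlement rows whose account or group key
    matches no row in the accounts or groups file."""
    account_keys = {(a["authority"], a["id"]) for a in accounts}
    group_keys = {(g["authority"], g["id"]) for g in groups}
    problems = []
    for n, e in enumerate(entitlements, start=2):
        if (e["accountAuthority"], e["accountId"]) not in account_keys:
            problems.append((n, "unknown account"))
        if (e["groupAuthority"], e["groupId"]) not in group_keys:
            problems.append((n, "unknown group"))
    return problems


def changed_rows(original, edited, auth="authority", ident="id"):
    """Keys whose row differs between the saved original export and an edited
    copy (added, removed or modified), so an unintended edit can be traced."""
    before = {(r[auth], r[ident]): r for r in original}
    after = {(r[auth], r[ident]): r for r in edited}
    return sorted(k for k in before.keys() | after.keys()
                  if before.get(k) != after.get(k))


def run_checks():
    """Run every check over the sample files; each value is empty when clean."""
    identities, accounts = load(IDENTITIES_CSV), load(ACCOUNTS_CSV)
    groups, entitlements = load(GROUPS_CSV), load(ENTITLEMENTS_CSV)
    anchors = {i["anchor"] for i in identities}
    return {
        "bad_authority": bad_authority(accounts) + bad_authority(groups),
        "duplicate_groups": duplicate_keys(groups),
        "account_owners": dangling_refs(accounts, "owner", anchors),
        "group_owners": dangling_refs(groups, "owner", anchors),
        "managers": dangling_refs(identities, "manager", anchors),
        "entitlements": dangling_entitlements(entitlements, accounts, groups),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {findings or 'OK'}")
```

To run it against real exports, replace the four constants with the contents of the generated files and feed the saved original and the edited copy to changed_rows. The checks are language-neutral; the same logic could be written in PowerShell over Import-Csv output if you prefer to stay in the session where Get-SafeguardAccessCertificationAll was run.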