Connector versions and features
AWS IAM (formerly AWS IAM S3) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.
AWS IAM connectors are available for use with One Identity Safeguard for Privileged Passwords.
For more information about configuring AWS IAM connector with One Identity Manager, see Configuring AWS IAM connector to support entitlements for User and Group.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector Name
- Client Id of the cloud account
-
Client Secret of the cloud account
-
Region of the cloud account
-
SCIM URL (Cloud application's REST API's base URL)
-
Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).
Supported objects and operations
Users
Table 41: Supported operations and objects for Users
Create |
POST |
Update |
PUT |
Delete |
DELETE |
Get all users |
GET |
Get (Id) |
GET |
Pagination |
GET |
Groups
Table 42: Supported operations and objects for Groups
Create |
POST |
Update |
PUT |
Delete |
DELETE |
Get all groups |
GET |
Get (Id) |
GET |
NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.
Profiles
Table 43: Supported operations for Profiles
Get All Profiles |
GET |
Get Profile |
GET |
Roles
Table 44: Supported operations for Roles
Get Role |
GET |
Get All Roles |
GET |
Mandatory fields
Users
- User Name
- Password - This is applicable only for the Create operation.
Groups
Mappings
The user and group mappings are listed in the tables below.
Table 45: User mapping
Id |
UserName |
UserName |
UserName |
Password |
password |
DisplayName |
Arn |
Active |
(true) |
Groups |
(ListGroupsForUserResult)Group |
Entitlements |
(ListAttachedUserPoliciesResult)AttachedPolicies |
Created |
CreateDate |
LastModified |
PasswordLastUsed |
Table 46: Group mapping
Id |
GroupName |
displayName |
UserName |
Entitlements |
(ListAttachedGroupPoliciesResult)AttachedPolicies |
Members |
(GetGroupResult)Users |
Created |
CreateDate |
LastModified |
PasswordLastUsed |
Table 47: Profile mapping
Id |
Arn |
displayName |
PolicyName |
Created |
CreateDate |
LastModified |
UpdateDate |
Table 48: Roles mapping
Id |
RoleName |
Name |
RoleName |
Entitlements |
(ListAttachedGroupPoliciesResult)AttachedPolicies |
description |
Description |
Created |
CreateDate |
Table 49: Mappings for v2.0
Id |
Base64encoded(id) |
targetId |
id |
NOTE:Applicable for all object types.
Connector limitations
-
Signature generation is embedded within a data process. Hence, the performance of the application is affected.
-
The Last Modified date is not available. Hence, the field contains the value of the recently used Password.
-
While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.
-
The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.
-
Roles has no assignment relations with Users and Groups object types. Entitlements is the only object type associated with Roles.
The following subsections describe the different connector version(s) and features available with them.
Features available exclusively in AWS IAM v.2.0
Following are the features that are available exclusively in AWS IAM v.2.0:
- All the endpoints return one new attribute “targetId”.
- The "id" in the SCIM response will be base64 encoded in all the endpoints.
AWS IAM connector for Safeguard for Privileged Passwords
-
If manually adding an account to an AWS asset, the username to enter is the simple account username (not the ARN).
-
Users must have a manually set password in AWS prior to management by Safeguard for Privileged Passwords. You cannot call "ChangePassword" on an account that has never had a password set.
-
Safeguard for Privileged Password "Roles" are used for account discovery map to AWS Policies (not AWS "Roles").
-
When a "Roles" filter is used in account discovery it only captures accounts for which a matching policy is directly assigned to the user (not policies it inherits through a group).
AWS IAM connector for Safeguard for Privileged Passwords
AWS IAM (formerly AWS IAM S3) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.
AWS IAM connectors are available for use with One Identity Safeguard for Privileged Passwords.
For more information about configuring AWS IAM connector with One Identity Manager, see Configuring AWS IAM connector to support entitlements for User and Group.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector Name
- Client Id of the cloud account
-
Client Secret of the cloud account
-
Region of the cloud account
-
SCIM URL (Cloud application's REST API's base URL)
-
Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).
Supported objects and operations
Users
Table 41: Supported operations and objects for Users
Create |
POST |
Update |
PUT |
Delete |
DELETE |
Get all users |
GET |
Get (Id) |
GET |
Pagination |
GET |
Groups
Table 42: Supported operations and objects for Groups
Create |
POST |
Update |
PUT |
Delete |
DELETE |
Get all groups |
GET |
Get (Id) |
GET |
NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.
Profiles
Table 43: Supported operations for Profiles
Get All Profiles |
GET |
Get Profile |
GET |
Roles
Table 44: Supported operations for Roles
Get Role |
GET |
Get All Roles |
GET |
Mandatory fields
Users
- User Name
- Password - This is applicable only for the Create operation.
Groups
Mappings
The user and group mappings are listed in the tables below.
Table 45: User mapping
Id |
UserName |
UserName |
UserName |
Password |
password |
DisplayName |
Arn |
Active |
(true) |
Groups |
(ListGroupsForUserResult)Group |
Entitlements |
(ListAttachedUserPoliciesResult)AttachedPolicies |
Created |
CreateDate |
LastModified |
PasswordLastUsed |
Table 46: Group mapping
Id |
GroupName |
displayName |
UserName |
Entitlements |
(ListAttachedGroupPoliciesResult)AttachedPolicies |
Members |
(GetGroupResult)Users |
Created |
CreateDate |
LastModified |
PasswordLastUsed |
Table 47: Profile mapping
Id |
Arn |
displayName |
PolicyName |
Created |
CreateDate |
LastModified |
UpdateDate |
Table 48: Roles mapping
Id |
RoleName |
Name |
RoleName |
Entitlements |
(ListAttachedGroupPoliciesResult)AttachedPolicies |
description |
Description |
Created |
CreateDate |
Table 49: Mappings for v2.0
Id |
Base64encoded(id) |
targetId |
id |
NOTE:Applicable for all object types.
Connector limitations
-
Signature generation is embedded within a data process. Hence, the performance of the application is affected.
-
The Last Modified date is not available. Hence, the field contains the value of the recently used Password.
-
While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.
-
The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.
-
Roles has no assignment relations with Users and Groups object types. Entitlements is the only object type associated with Roles.
Connector versions and features
The following subsections describe the different connector version(s) and features available with them.
Features available exclusively in AWS IAM v.2.0
Following are the features that are available exclusively in AWS IAM v.2.0:
- All the endpoints return one new attribute “targetId”.
- The "id" in the SCIM response will be base64 encoded in all the endpoints.
-
If manually adding an account to an AWS asset, the username to enter is the simple account username (not the ARN).
-
Users must have a manually set password in AWS prior to management by Safeguard for Privileged Passwords. You cannot call "ChangePassword" on an account that has never had a password set.
-
Safeguard for Privileged Password "Roles" are used for account discovery map to AWS Policies (not AWS "Roles").
-
When a "Roles" filter is used in account discovery it only captures accounts for which a matching policy is directly assigned to the user (not policies it inherits through a group).
ServiceNow
ServiceNow is a service management platform that can be used for many different business units, including IT, human resources, facilities, and field services.
ServiceNow connectors are available for use with One Identity Safeguard for Privileged Passwords.
Supervisor configuration parameters for ServiceNow v.1.0
To configure the connector, following parameters are required:
-
Connector name
-
Username for the cloud account
-
Password for the cloud account
-
Custom Properties (List of custom properties, if any, to be mapped)
For more information, see Configuring custom attributes for ServiceNow v.1.0.
-
SCIM URL (Cloud application's REST API's base URL)
Configuring custom attributes for ServiceNow v.1.0
You can configure custom attributes for the ServiceNow v.1.0 connector when you configure the connector in Starling Connect by adding the custom attributes in the Custom Properties field in the defined format.
Supervisor configuration parameters for ServiceNow v.2.0
To configure the connector, following parameters are required:
-
Connector name
-
Username for the cloud account
-
Password for the cloud account
-
SCIM URL (Cloud application's REST API's base URL)
Configuring custom attributes for ServiceNow v.2.0
You can configure custom attributes for the ServiceNow v.2.0 SCIM connector in Starling Connect for Users, Groups and Roles in the Custom Attributes section in Schema Configuration.
NOTE:
- For more information about how to configure custom attributes in ServiceNowv.2.0, see Configuring custom attributes in connectors.
- As the ServiceNow target system does not support disabling of attributes, the ServiceNow connector is enhanced only to support the configuration of custom attributes in the SCIM connector.
-
If a custom attribute is a complex attribute, then you must enter it in the following format in Starling Connect:
<custom_attribute>$$<nested_attribute>.
For example,
"parent": {
"link": "https://dev60043.service-now.com/api/now/table/sys_user_group/b85d44954a3623120004689b2d5dd60a",
"value": "b85d44954a3623120004689b2d5dd60a"
}
you must enter as parent$$value in Starling Connect.
-
The connector supports single level of navigation only.
Supported objects and operations
Users
Table 50: Supported operations for Users
Create |
POST |
Update |
PUT |
Delete |
DELETE |
Get all users |
GET |
Get (Id) |
GET |
Pagination |
GET |
Groups
Table 51: Supported operations for Groups
Create |
POST |
Update |
PUT |
Delete |
DELETE |
Get all groups |
GET |
Get (id) |
GET |
Get |
GET |
Pagination |
GET |
Roles
Table 52: Supported operations for Roles
Get All Roles |
GET |
Get Role (Id) |
GET |
Mandatory fields
Users
Groups
User and Group mapping
The user and group mapping is listed in the table below.
Table 53: User mapping
userName |
user_name |
name.familyName |
last_name |
name.givenName |
first_name |
name.middleName |
middle_name |
displayName |
name |
emails[0].value |
email |
addresses[0].streetAddress |
street |
addresses[0].locality |
city |
addresses[0].region |
state |
addresses[0].postalCode |
zip |
addresses[0].country |
country |
phoneNumbers[0].value(type=work) |
phone |
title |
title |
preferredLanguage |
preferred_language |
timeZone |
time_zone |
active |
active |
password |
user_password |
roles.value |
{resource}.role.value |
extension.organization |
company |
extension.department |
department |
extension.manager.value |
manager.value |
extension.employeeNumber |
employee_number |
id |
sys_id |
groups.value |
{resource}.group.value |
extension.lastLogon |
last_login_time |
PhoneNumbers[0].value(type=mobile) |
mobile_phone |
Table 54: Group mapping
id |
sys_id |
displayName |
name |
members.value |
{resource}.user.value |
extension.description |
description |
extension.email |
email |
extension.groupType |
type |
extension.manager.value |
manager.value |
Connector versions and features
The following subsections describe the different connector version(s) and features available with them.
Supported Versions
The supported versions of ServiceNow connector are:
Connector limitations
-
ServiceProviderAuthority contains only the Id field with the value being same as the instance id of the ServiceNow instance, as there are no APIs to fetch the tenant details in ServiceNow.
-
If the department name and organization name is provided during user create or update operations, the user gets assigned to the department and organization if the department and organization with the same name exists in ServiceNow cloud application.
-
If the invalid manager id is used for user's manager fields while performing user create or update operations, ServiceNow does not display any error. Instead, it invalid id is returned as the manager id.
- In the request, if there are invalid values for timezone, language, and so on, ServiceNow does not display any error. Instead, the fields with invalid values would be blank.
-
GET Roles operation might not fetch all the roles. Some roles must be retrieved based on ServiceNow Access Control List (ACL).
- If an invalid role id is used for user create or update operation, no error is displayed. Instead, the same invalid id in the role list is returned.
-
If an invalid member id is used for group create or update, no error is displayed. Instead, the same invalid id as the member id is returned.
-
Create User operation with existing user details shows the status code as 403 instead 409. The status code and the status message cannot be interpreted.
Supervisor configuration parameters for ServiceNow v.1.0
ServiceNow is a service management platform that can be used for many different business units, including IT, human resources, facilities, and field services.
ServiceNow connectors are available for use with One Identity Safeguard for Privileged Passwords.
To configure the connector, following parameters are required:
-
Connector name
-
Username for the cloud account
-
Password for the cloud account
-
Custom Properties (List of custom properties, if any, to be mapped)
For more information, see Configuring custom attributes for ServiceNow v.1.0.
-
SCIM URL (Cloud application's REST API's base URL)
Configuring custom attributes for ServiceNow v.1.0
You can configure custom attributes for the ServiceNow v.1.0 connector when you configure the connector in Starling Connect by adding the custom attributes in the Custom Properties field in the defined format.
Supervisor configuration parameters for ServiceNow v.2.0
To configure the connector, following parameters are required:
-
Connector name
-
Username for the cloud account
-
Password for the cloud account
-
SCIM URL (Cloud application's REST API's base URL)
Configuring custom attributes for ServiceNow v.2.0
You can configure custom attributes for the ServiceNow v.2.0 SCIM connector in Starling Connect for Users, Groups and Roles in the Custom Attributes section in Schema Configuration.
NOTE:
- For more information about how to configure custom attributes in ServiceNowv.2.0, see Configuring custom attributes in connectors.
- As the ServiceNow target system does not support disabling of attributes, the ServiceNow connector is enhanced only to support the configuration of custom attributes in the SCIM connector.
-
If a custom attribute is a complex attribute, then you must enter it in the following format in Starling Connect:
<custom_attribute>$$<nested_attribute>.
For example,
"parent": {
"link": "https://dev60043.service-now.com/api/now/table/sys_user_group/b85d44954a3623120004689b2d5dd60a",
"value": "b85d44954a3623120004689b2d5dd60a"
}
you must enter as parent$$value in Starling Connect.
-
The connector supports single level of navigation only.
Supported objects and operations
Users
Table 50: Supported operations for Users
Create |
POST |
Update |
PUT |
Delete |
DELETE |
Get all users |
GET |
Get (Id) |
GET |
Pagination |
GET |
Groups
Table 51: Supported operations for Groups
Create |
POST |
Update |
PUT |
Delete |
DELETE |
Get all groups |
GET |
Get (id) |
GET |
Get |
GET |
Pagination |
GET |
Roles
Table 52: Supported operations for Roles
Get All Roles |
GET |
Get Role (Id) |
GET |
Mandatory fields
Users
Groups
User and Group mapping
The user and group mapping is listed in the table below.
Table 53: User mapping
userName |
user_name |
name.familyName |
last_name |
name.givenName |
first_name |
name.middleName |
middle_name |
displayName |
name |
emails[0].value |
email |
addresses[0].streetAddress |
street |
addresses[0].locality |
city |
addresses[0].region |
state |
addresses[0].postalCode |
zip |
addresses[0].country |
country |
phoneNumbers[0].value(type=work) |
phone |
title |
title |
preferredLanguage |
preferred_language |
timeZone |
time_zone |
active |
active |
password |
user_password |
roles.value |
{resource}.role.value |
extension.organization |
company |
extension.department |
department |
extension.manager.value |
manager.value |
extension.employeeNumber |
employee_number |
id |
sys_id |
groups.value |
{resource}.group.value |
extension.lastLogon |
last_login_time |
PhoneNumbers[0].value(type=mobile) |
mobile_phone |
Table 54: Group mapping
id |
sys_id |
displayName |
name |
members.value |
{resource}.user.value |
extension.description |
description |
extension.email |
email |
extension.groupType |
type |
extension.manager.value |
manager.value |
Connector versions and features
The following subsections describe the different connector version(s) and features available with them.
Supported Versions
The supported versions of ServiceNow connector are:
Connector limitations
-
ServiceProviderAuthority contains only the Id field with the value being same as the instance id of the ServiceNow instance, as there are no APIs to fetch the tenant details in ServiceNow.
-
If the department name and organization name is provided during user create or update operations, the user gets assigned to the department and organization if the department and organization with the same name exists in ServiceNow cloud application.
-
If the invalid manager id is used for user's manager fields while performing user create or update operations, ServiceNow does not display any error. Instead, it invalid id is returned as the manager id.
- In the request, if there are invalid values for timezone, language, and so on, ServiceNow does not display any error. Instead, the fields with invalid values would be blank.
-
GET Roles operation might not fetch all the roles. Some roles must be retrieved based on ServiceNow Access Control List (ACL).
- If an invalid role id is used for user create or update operation, no error is displayed. Instead, the same invalid id in the role list is returned.
-
If an invalid member id is used for group create or update, no error is displayed. Instead, the same invalid id as the member id is returned.
-
Create User operation with existing user details shows the status code as 403 instead 409. The status code and the status message cannot be interpreted.