How to configure just-in-time-privileges in Active Roles and Safeguard?

Hi,

I want to configure just-in-time-privileges so that when I check out an AD-account in Safeguard SPP this account will be enabled and configured as a member of a group in AD, i.e. Domain Admins. I find several videos and demos describing this, but where can I find detailed documentation on how to configure this?

What I need is the documentation on how to configure the setup shown in this video: https://www.oneidentity.com/video/active-roles-justintime-provisioning-with-safeguard-implementation/

Br, 

Thor-Egil 

  • Hi Thor,

    The video, along with the instructions posted on the One Identity GitHub page (https://github.com/OneIdentity/ActiveRoles-Safeguard-JIT-Access), should have all the information necessary to complete the setup. The 3 scripts required for creating the objects within the Active Roles configuration (the Virtual Attribute, the Access Template and the AD service account) can also be obtained from the same GitHub repository.

    Feel free to let us know in case you get stuck! Thanks,

    Ook

  • Hi,

    The latest release on the GitHub repo is v6.9.0 (May 2021), which states it matches the SPP version numbering.

    I have been testing the scripts in the One Identity hosted lab before running them in my production environment. Scripts 1 and 2 ran successfully:
    - 1-Create-ARSGJIT-VA.ps1 ✅
    - 2-Create-ARSGJIT-AT.ps1 ✅

    However, script 3 (3-Create-ARSGJIT-User.ps1) produced the following error during the Active Roles connection stage:

    'InvalidOperation: You cannot call a method on a null-valued expression'

    The script appeared to fail when calling $ARConnection.ManagedDomains, suggesting the AR connection object was null.

    My questions:
    1. Is ARSGJitAccess v6.9.0 compatible with the latest Active Roles and SPP?
    2. Is there a newer version of the JIT connector available that supports AR 8.x / SPP 7.x, perhaps via the support portal?
    3. Is the error in script 3 a known issue, and is there a workaround?

    Any guidance would be greatly appreciated.

    Thank you

  • Hi, do you have multiple ADs available for management in your ARS environment? I'm not aware of any bugs in the script (and I also believe it should work with all SG versions from 7 and up), but perhaps the script can't determine in which AD to create the account?

  • Thanks for the quick response. I will double check it and get back to you if something is not working.
