swagger

I am following this KB:

Error when updating service account for Asset Discovery Rule, "Specify either an Account by ID or credentials, not both. (60409) (329320) (oneidentity.com)

I have to perform a PUT on this path /v3/AssetPartitions/{id}/DiscoveryJobs/{jobId} but I have difficulty finding the jobId.

In which path can I find it?

Then I have the name of the service account, but where can I find the Account Id also?

I have difficulty following this KB, which does not help me much.

Please can you help me?

  • Hi Dario,

    To execute the PUT /v3/AssetPartitions/{id}/DiscoveryJobs/{jobId}

    You will need the following:
    1. Asset Partition ID
    - you can get this from GET /v3/AssetPartitions
    - In fields, select to show: Id,name
    - Note the Id here will be the Partition id.

    2. Discovery Job ID:
    - you can get this from GET /v3/AssetPartitions/{id}/DiscoveryJobs
    - In fields, select to show: Id,name
    - Note the Id here will be the job id for Asset Discovery.

    3. The Directory service account id to be set:
    - you can get this from GET /v3/AssetAccounts
    - Filter by Name ieq 'Username'
    - In fields, select to show: Id,name

    4. Using the Partition id and Discovery Job id from steps 1 and 2 above:
    - Run a GET /v3/AssetPartitions/{id}/DiscoveryJobs/{jobId}
    - This will give you the body that you will need to update
    - Copy the response to notepad to modify the connection properties section.

    - I tested by removing the below 4 lines:

    "ServiceAccountUniqueObjectId": "",
    "ServiceAccountSecurityId": "",
    "ServiceAccountDistinguishedName": "",
    "EffectiveServiceAccountDistinguishedName": "",

    - updated the following lines to the new service account:

    "ServiceAccountId": ##,
    "EffectiveServiceAccountName": "Username",

    Thanks!

  • Hello Tawfiq!!! My Saviour!!

    Thank you very much! So, I'm at the last step. Before making the final change I have to be sure because we are in a production environment and I must not make a mistake. I can't!
    So I'm asking you to confirm what I'm doing in the last step:

    I have downloaded the response to notepad and now I can make any changes on it.
    In this response (which is the complete job discovery) there are 18 rules.
    Six of the rules have values set for the attributes you indicated; all the other rules have no values configured.

    The specific problem is that if the customer tries to add a rule they immediately receive this message:

    Specify either an account by ID or credentials, not both. (60409)

    So now I should copy all the response modified by adding the new rule (copying all the code part precisely with the values of the new rule) and execute the PUT. Correct?

    Can I do this without deleting the lines below?
    Or should I delete the 4 lines in each Connection Properties of each rule for this Job discovery? Or just the values of these 4 parameters?

    "ServiceAccountUniqueObjectId": "",
    "ServiceAccountSecurityId": "",
    "ServiceAccountDistinguishedName": "",
    "EffectiveServiceAccountDistinguishedName": "",

    and I must also specify these two attributes in the new rule:

    "ServiceAccountId": 2,
    "EffectiveServiceAccountName": "PAM_LDAP_RW",

    What do you think?

    Here is all the code for a single rule in the discovery job, which I would add with the parameters of the new rule.

    This is the code of a rule that I modified with the parameters for the new rule, which is not possible to add from the desktop client:

    (highlighted in yellow the new parameters of the new rule that I have to add in the discovery job; in bold the parameters you mentioned)

    {
      "Name": "Hostname starting with AFARIA",
      "AssetTemplate": {
        "ProfileId": 3,
        "ProfileName": "Windows Profile",
        "EffectiveProfileId": 3,
        "EffectiveProfileName": "Windows Profile",
        "SshKeyProfileId": null,
        "SshKeyProfileName": null,
        "EffectiveSshKeyProfileId": null,
        "EffectiveSshKeyProfileName": null,
        "AccountDiscoveryScheduleId": null,
        "AccountDiscoveryScheduleName": null,
        "ManagedNetworkId": null,
        "ManagedNetworkName": null,
        "PlatformId": null,
        "PlatformType": null,
        "PlatformFamily": null,
        "PlatformDisplayName": null,
        "ConnectionProperties": {
          "ServiceAccountUniqueObjectId": "dc7aa17d-e715-478a-a91e-f10b283e324b",
          "ServiceAccountSecurityId": "S-1-5-21-313011508-1182879561-701057205-27889",
          "EnablePassword": null,
          "EnableHasPassword": false,
          "CommandTimeout": 60,
          "WorkstationId": null,
          "ClientId": null,
          "ServiceAccountProfileId": null,
          "ServiceAccountProfileName": null,
          "ServiceAccountSshKeyProfileId": null,
          "ServiceAccountSshKeyProfileName": null,
          "UseSslEncryption": true,
          "VerifySslCertificate": true,
          "Instance": null,
          "SslThumbprint": null,
          "PrivilegeElevationCommand": null,
          "AccessKeyId": null,
          "SecretKey": null,
          "HasSecretKey": false,
          "OraclePrivileges": null,
          "UseNamedPipeForServiceAccountConnection": false,
          "RegisteredConnectorId": null,
          "TacacsSecret": null,
          "HasTacacsSecret": false,
          "ServiceAccountId": 2,
          "ServiceAccountName": null,
          "EffectiveServiceAccountName": "PAM_LDAP_RW",
          "ServiceAccountDomainName": "industries.local",
          "ServiceAccountDistinguishedName": "CN=PAM LDAP,OU=Service Users,OU=EDP,OU=Moncler,DC=industries,DC=local",
          "EffectiveServiceAccountDistinguishedName": "CN=PAM LDAP,OU=Service Users,OU=EDP,OU=Moncler,DC=industries,DC=local",
          "ServiceAccountCredentialType": "DirectoryPassword",
          "ServiceAccountPassword": null,
          "ServiceAccountHasPassword": true,
          "ServiceAccountSshKey": {
            "PrivateKey": null,
            "Passphrase": null,
            "PublicKey": null,
            "Comment": null,
            "Fingerprint": null,
            "FingerprintSha256": null,
            "KeyType": null,
            "KeyLength": null
          },
          "ServiceAccountHasSshKey": false,
          "Port": null,
          "ServiceAccountSshKeyId": null,
          "ServiceAccountSshKeyFingerprint": null,
          "ServiceAccountSshKeyComment": null,
          "ServiceAccountAssetId": 3621,
          "ServiceAccountAssetName": "AD_industries.local",
          "ServiceAccountAssetPlatformId": 522,
          "ServiceAccountAssetPlatformType": "MicrosoftAD",
          "ServiceAccountAssetPlatformDisplayName": "Active Directory",
          "ServiceAccountNetbiosName": "PEP_DOMAIN"
        },
        "SessionAccessProperties": {
          "SshSessionPort": null,
          "RemoteDesktopSessionPort": null,
          "TelnetSessionPort": null
        },
        "AllowSessionRequests": true,
        "Tags": []
      },
      "Conditions": [
        {
          "ConditionType": "PropertyConstraint",
          "AdGroups": [],
          "LdapFilter": null,
          "PropertyConstraints": [
            {
              "PropertyName": "Name",
              "Operator": "Contains",
              "Value": "AFARIA"
            }
          ],
          "SearchBase": "DC=industries,DC=local",
          "SearchScope": "SubTree"
        }
      ]
    }

    PLEASE HELP ME to clarify this last final step and I will proceed.

    Let me know if you need to understand something specific.

  • Hi Dario,

    Thanks for the update.

    The steps I provided are for updating an existing rule within the Asset Discovery Job, for example rule A has ServiceAccount_1 and you want to change it to use ServiceAccount_2.

    If what you are looking for is simply to add a new Rule B with a different Service account without changing the existing rules then:

    I would use POST /v3/AssetPartitions/{id}/DiscoveryJobs/{jobId}/Rules/{operation} with Add as the operation

    Instead of PUT /v3/AssetPartitions/{id}/DiscoveryJobs/{jobId} 

    The POST call will take the same copied response and this way you are only adding a new rule to an existing Discovery Job so it does not impact any other existing rules.

    In the response body that you will use, you can remove the 4 lines mentioned earlier or leave them with null values if the data in these lines belongs to another service account (it does not seem to matter: as long as the "ServiceAccountId": ## is the correct id, these values will auto-populate to the values that belong to the service account Id). If these lines have correct data that matches the service account being set, then it would be OK to leave them as is.

    Thanks!
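
The edit described in the two replies above (drop or null the four stale identity fields, set "ServiceAccountId" and "EffectiveServiceAccountName", send the rule inside a JSON array), as an added Python example that is not part of the original thread or One Identity's code. The sample rule and account values are constructed, and the list of secret-bearing fields is an assumption taken from the field names in the posted rule; the script makes no API call.

```python
import copy
import json

# The four identity fields the reply says to remove (or null) when they
# belong to a different service account than the one being set.
STALE_IDENTITY_FIELDS = (
    "ServiceAccountUniqueObjectId",
    "ServiceAccountSecurityId",
    "ServiceAccountDistinguishedName",
    "EffectiveServiceAccountDistinguishedName",
)
# Assumption: fields in the posted rule that can carry an inline secret.
INLINE_SECRET_FIELDS = ("EnablePassword", "SecretKey", "TacacsSecret",
                        "ServiceAccountPassword")

def prepare_rule(rule, account_id, account_name, null_instead=False):
    """Return a copy of `rule` that points at the given service account."""
    new_rule = copy.deepcopy(rule)  # never edit the fetched body in place
    props = new_rule["AssetTemplate"]["ConnectionProperties"]
    for field in STALE_IDENTITY_FIELDS:
        props.pop(field, None)
        if null_instead:
            props[field] = None
    props["ServiceAccountId"] = account_id
    props["EffectiveServiceAccountName"] = account_name
    return new_rule

def inline_secrets(rule):
    """List secret-bearing fields that are set next to ServiceAccountId."""
    props = rule["AssetTemplate"]["ConnectionProperties"]
    return [f for f in INLINE_SECRET_FIELDS if props.get(f) is not None]

def rules_add_body(rules):
    """Serialize rules as a JSON array (note the outer square brackets)."""
    return json.dumps(list(rules), indent=2)

# Constructed sample: a trimmed rule shaped like the one posted in the thread.
SAMPLE_RULE = {
    "Name": "Example rule",
    "AssetTemplate": {"ConnectionProperties": {
        "ServiceAccountUniqueObjectId": "00000000-0000-0000-0000-000000000000",
        "ServiceAccountSecurityId": "S-1-5-21-0-0-0-1000",
        "ServiceAccountId": 1,
        "EffectiveServiceAccountName": "old_account",
        "ServiceAccountPassword": None,
    }},
    "Conditions": [],
}

if __name__ == "__main__": print(rules_add_body([prepare_rule(SAMPLE_RULE, 2, "new_account")]))
```

Reviewing the output of inline_secrets() and the serialized body before sending it gives a repeatable alternative to hand-editing the response in a text editor on a production system.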

  • Sorry Tawfiq, I just want to give you some feedback. Unfortunately the operation (POST) failed. It gives me an error on some missing parameters even though I have entered them. Error 70000: the request is invalid. It's a shame I can't attach the screenshot. I only added a new rule, modifying some values in the code that is suggested in a box under the /v3/AssetPartitions/{id}/DiscoveryJobs/{jobId}/Rules/{operation}, and I also attempted to copy the entire code of the new rule with the correct parameters for my case. But no....

  • Hi Dario,

    The error means there is something wrong with the data; maybe something was missed when you did the copy/paste?

    Make sure you did not miss the square brackets on top and bottom?

    Example:
    --------------

    [
      {
        "Name": "Hostname starting with AFARIA",
        "AssetTemplate": {
          "ProfileId": 3,
          "ProfileName": "Windows Profile",
          "EffectiveProfileId": 3,
          "EffectiveProfileName": "Windows Profile",
          "SshKeyProfileId": null,
          "SshKeyProfileName": null,
          "EffectiveSshKeyProfileId": null,
          "EffectiveSshKeyProfileName": null,
          "AccountDiscoveryScheduleId": null,
          "AccountDiscoveryScheduleName": null,
          "ManagedNetworkId": null,
          "ManagedNetworkName": null,
          "PlatformId": null,
          "PlatformType": null,
          "PlatformFamily": null,
          "PlatformDisplayName": null,
          "ConnectionProperties": {
            "ServiceAccountUniqueObjectId": "dc7aa17d-e715-478a-a91e-f10b283e324b",
            "ServiceAccountSecurityId": "S-1-5-21-313011508-1182879561-701057205-27889",
            "EnablePassword": null,
            "EnableHasPassword": false,
            "CommandTimeout": 60,
            "WorkstationId": null,
            "ClientId": null,
            "ServiceAccountProfileId": null,
            "ServiceAccountProfileName": null,
            "ServiceAccountSshKeyProfileId": null,
            "ServiceAccountSshKeyProfileName": null,
            "UseSslEncryption": true,
            "VerifySslCertificate": true,
            "Instance": null,
            "SslThumbprint": null,
            "PrivilegeElevationCommand": null,
            "AccessKeyId": null,
            "SecretKey": null,
            "HasSecretKey": false,
            "OraclePrivileges": null,
            "UseNamedPipeForServiceAccountConnection": false,
            "RegisteredConnectorId": null,
            "TacacsSecret": null,
            "HasTacacsSecret": false,
            "ServiceAccountId": 2,
            "ServiceAccountName": null,
            "EffectiveServiceAccountName": "PAM_LDAP_RW",
            "ServiceAccountDomainName": "industries.local",
            "ServiceAccountDistinguishedName": "CN=PAM LDAP,OU=Service Users,OU=EDP,OU=Moncler,DC=industries,DC=local",
            "EffectiveServiceAccountDistinguishedName": "CN=PAM LDAP,OU=Service Users,OU=EDP,OU=Moncler,DC=industries,DC=local",
            "ServiceAccountCredentialType": "DirectoryPassword",
            "ServiceAccountPassword": null,
            "ServiceAccountHasPassword": true,
            "ServiceAccountSshKey": {
              "PrivateKey": null,
              "Passphrase": null,
              "PublicKey": null,
              "Comment": null,
              "Fingerprint": null,
              "FingerprintSha256": null,
              "KeyType": null,
              "KeyLength": null
            },
            "ServiceAccountHasSshKey": false,
            "Port": null,
            "ServiceAccountSshKeyId": null,
            "ServiceAccountSshKeyFingerprint": null,
            "ServiceAccountSshKeyComment": null,
            "ServiceAccountAssetId": 3621,
            "ServiceAccountAssetName": "AD_industries.local",
            "ServiceAccountAssetPlatformId": 522,
            "ServiceAccountAssetPlatformType": "MicrosoftAD",
            "ServiceAccountAssetPlatformDisplayName": "Active Directory",
            "ServiceAccountNetbiosName": "PEP_DOMAIN"
          },
          "SessionAccessProperties": {
            "SshSessionPort": null,
            "RemoteDesktopSessionPort": null,
            "TelnetSessionPort": null
          },
          "AllowSessionRequests": true,
          "Tags": []
        },
        "Conditions": [
          {
            "ConditionType": "PropertyConstraint",
            "AdGroups": [],
            "LdapFilter": null,
            "PropertyConstraints": [
              {
                "PropertyName": "Name",
                "Operator": "Contains",
                "Value": "AFARIA"
              }
            ],
            "SearchBase": "DC=industries,DC=local",
            "SearchScope": "SubTree"
          }
        ]
      }
    ]

    --------------

  • Thank you Tawfiq, effectively I tried to copy the code you suggested with all the brackets but the error is:

    {
      "Code": 60409,
      "Message": "Specify either an account by ID or credentials, not both.",
      "InnerError": null
    }


    The same that I get in the desktop client.
    This error is driving me crazy.
    I cannot understand what I can do to add a new rule.
    Thank you for your suggestions, but is it possible to forward this thread to a technician with your details?
    Maybe that is better, because you helped me perfectly, but I think that now there is an issue and I don't know if it is right to involve you (I really appreciate your help a lot).

    Please let me know. Thank you so much Tawfiq!

  • Hi Dario,

    Please feel free to open a support service request with this information to investigate the issue further. 

    I agree this will likely need more troubleshooting over a scheduled meeting.

    Thanks!