API Call From SPP to IGA tool

Hi,

We use our IGA system for account and entitlement provisioning, so I'm wondering how SPP can call the IGA API.

Use Case: 

1. A user raises a request for Windows server access for a specific AD account.

2. When the request is approved or when the session starts, I want SPP to make a call to the IGA API, so that the IGA provisions the account into an AD group that allows access to the server.

3. When the session completes, another call to de-provision the group entitlement from the account.

Is this possible, and how could I configure SPP to make the call?

Thanks
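The elevate/demote pattern from the use case above, written out as an added example against Active Directory directly (this is illustrative code, not SPP's implementation and not any IGA product's API). It assumes the ActiveDirectory PowerShell module, a hypothetical account `svc-app01` and a hypothetical access group `SRV-APP01-RDP`, and it shows two checks a practitioner would want: an elevation that refuses to mask a pre-existing standing membership, and a demote that runs in `finally` and verifies the membership is really gone.

```powershell
# Added example, not SPP or IGA code. Elevates an AD account into an access
# group for the duration of a session and demotes it afterwards.
# Account and group names are hypothetical.
#Requires -Modules ActiveDirectory

function Grant-JitGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $Account,   # sAMAccountName of the AD account
        [Parameter(Mandatory)] [string] $Group      # AD group that grants server access
    )
    # If the account is already a member, this is standing privilege that should be
    # raised as a finding, not silently removed at session end. Elevate nothing.
    $already = Get-ADGroupMember -Identity $Group |
        Where-Object { $_.SamAccountName -eq $Account }
    if ($already) {
        Write-Warning "$Account already has standing membership in $Group; not elevating"
        return $false
    }
    Add-ADGroupMember -Identity $Group -Members $Account -Confirm:$false
    return $true
}

function Revoke-JitGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)] [string] $Group
    )
    Remove-ADGroupMember -Identity $Group -Members $Account -Confirm:$false
    # Verify the demote took effect: a failed removal leaves standing privilege behind.
    $still = Get-ADGroupMember -Identity $Group |
        Where-Object { $_.SamAccountName -eq $Account }
    if ($still) { throw "Demote failed: $Account is still a member of $Group" }
}

function Invoke-JitSession {
    param(
        [Parameter(Mandatory)] [string]      $Account,
        [Parameter(Mandatory)] [string]      $Group,
        [Parameter(Mandatory)] [scriptblock] $Session
    )
    $elevated = Grant-JitGroupMembership -Account $Account -Group $Group
    try {
        & $Session
    }
    finally {
        # Runs whether the session completed, threw, or was interrupted.
        if ($elevated) { Revoke-JitGroupMembership -Account $Account -Group $Group }
    }
}

# Hypothetical names for illustration.
Invoke-JitSession -Account 'svc-app01' -Group 'SRV-APP01-RDP' -Session {
    # ... the privileged session runs here ...
}
```

Two caveats apply to any implementation of this pattern, whether done by a script, an IGA, or a PAM product: AD group membership is evaluated at logon, so the elevation only takes effect for logons that happen after the change (and after replication reaches the domain controller the target server authenticates against), and an existing logon token keeps the group until the session logs off. A demote should therefore also be followed by ending the session, not just by removing the membership.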

  • Hi,

    There is a new feature (JIT Account Privilege Elevate and Demote for Supported Platforms) that will be included in SPP's next feature release, 7.5, subject to product management approval.

    This new feature will include support for this type of workflow, which can be configured on the SPP side without SPP needing to make any extra calls back to the IGA.

    Thanks!

  • Hello Tawfiq,

    That would certainly be an enormous capability to add. Without this level of JIT capability, it forces the practice of standing privileges, which is what we are all trying to get away from.

    Many thanks for your time in responding.

    Dave

  • Hi Tawfiq,

    Since SPP version 7.5 was released just now, I have updated it today and also reviewed the documentation about the JIT feature; however, it does not cover how the JIT groups should be configured.

    As per the admin guide (One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide), I am now able to see the JIT option under Account management and can also add the group, but it is a free-text value. I assume it should look up groups in AD to select from.

    The admin guide says "To add multiple groups, repeat. The syntax of the group name may depend on the type of platform."

    What I am missing is:

    1) The documentation on the syntax for linking an existing AD group for membership.

    2) It says we can add multiple groups; however, I could not see any option in the Access Request Policy about JIT to link a specific group. This is required for the case where I have two or more Access Request Policies for the same account but two different groups.

    If you can provide more details about this feature, it would be great to test it.

  • Currently the JIT Privilege Group Membership is configured at the Account level:

     Accounts > Management tab > Add groups to JIT Privilege Group Membership

    I see that you may have raised a service request for an enhancement covering a different use case; you can provide the requested details via the case.

    Thanks!