This video is designed to help you implement Active Roles Just-In-Time Provisioning with Safeguard. I'm going to do a quick demo. I'm going to walk through the assumptions, and talk to you about how it works. Then we're going to do the preparations both in Active Roles and Safeguard. And then we're going to install the service. And then we will test.
Here's how it works. This is my environment. I have a domain here with some user objects. And you can see that they are disabled. And I'm going to go through Safeguard and I'm going to check out this account right here called TempDomAdmin1. If I take a look at that user account, of course it's disabled. But it has only the default group, Domain Users, as its only group membership.
So I'm going to go into Safeguard and check that account out. It's from the One Identity domain. And I'm going to select the account, which is TempDomAdmin1. I'm going to go ahead and check out. It's set for auto approval. So now when I take a look at that user object in Active Roles, which is a view into Active Directory, you can see that the red X is gone. So the account is now enabled. But then the group membership is populated as well. So it has been populated into the SGDomainAdmins group.
And if I go do whatever I was going to do with that account, if I needed the password or if I needed a session, you can use it just like you would from any Safeguard instance. And then when I'm done, I check it back in. And it reverses the process. So let me refresh right here. So the account is now disabled again. And the group membership is reverted back to the default domain users group as the only group. And that's just in time provisioning with Safeguard and Active Roles.
Let's take a look at the assumptions. The first one is that you have Active Roles installed, and are using it, and it has permissions to Active Directory. And the other assumption is that you have Safeguard installed. And it can manage accounts and passwords in Active Directory. Here's how the solution works. So we have Safeguard in this environment in the upper right corner. And it is managing Active Directory. Or has rights to manage Active Directory.
And then we have Active Roles in the environment. Within Active Directory, I have created an OU structure. But an OU structure is not necessary for this. So I've created a Safeguard Managed Objects OU. And I keep some groups underneath there, and the user objects that I'm going to enable privileges on or populate the group membership for. The names of these are not essential. But you will just have to determine that on your own.
Active Roles uses a virtual attribute to populate this group membership. So it is assumed as well that you have Active Roles and can use virtual attributes, even though we have scripts that will create that automatically for you. Active Roles is connected to an Active Directory. And this can be multiple Active Directories as well. So it can cross many streams. It doesn't really matter if you have one or many Active Directories.
The way it works is we have the service installed on the Active Roles box right here. And that service is going to listen for Safeguard events. So when you saw in the video that I connected and checked out TempDomAdmin1, the Active Roles service, or the JIT service down here, listens for that event. And when it saw that event, it sent a script into Active Roles that populated that virtual attribute, which populated the dynamic group that I have here. And that's the basics of how it works.
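As an added illustration of the flow just described (not the JIT service's own code or anything shipped with Active Roles or Safeguard), the model below uses an in-memory directory where the SGDomainAdmins group is dynamic: its membership is computed from a virtual attribute rather than stored. The virtual attribute name and the event shape are assumptions; the point is that a check-out event enables the account and sets the attribute, and the check-in event reverses both, so the state after check-in can be verified to equal the state before check-out.

```python
"""Constructed model of the check-out/check-in provisioning flow."""
from dataclasses import dataclass, field

VA_NAME = "safeguardPrivilegeGrant"   # hypothetical virtual attribute name
DYNAMIC_GROUP = "SGDomainAdmins"      # dynamic group shown in the demo
DEFAULT_GROUP = "Domain Users"        # only group the account has by default


@dataclass
class User:
    name: str
    enabled: bool = False
    attrs: dict = field(default_factory=dict)
    static_groups: set = field(default_factory=lambda: {DEFAULT_GROUP})


class Directory:
    """Minimal stand-in for AD as seen through Active Roles."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def groups_of(self, name):
        # The dynamic group is evaluated from the virtual attribute,
        # never written to the user object directly.
        u = self.users[name]
        groups = set(u.static_groups)
        if u.attrs.get(VA_NAME) == DYNAMIC_GROUP:
            groups.add(DYNAMIC_GROUP)
        return groups

    def snapshot(self, name):
        u = self.users[name]
        return (u.enabled, frozenset(self.groups_of(name)))


def handle_event(directory, event):
    """Apply one Safeguard access-request event (event shape is assumed)."""
    u = directory.users[event["account"]]
    if event["type"] == "CheckedOut":
        u.enabled = True                 # enable the account ...
        u.attrs[VA_NAME] = DYNAMIC_GROUP  # ... and grant the dynamic group
    elif event["type"] == "CheckedIn":
        u.enabled = False                # disable again ...
        u.attrs.pop(VA_NAME, None)       # ... and drop the group grant
    else:
        raise ValueError(f"unhandled event type {event['type']!r}")
    return directory.snapshot(u.name)


def jit_cycle(directory, account):
    """Run one check-out/check-in cycle; return (before, during, after)."""
    before = directory.snapshot(account)
    during = handle_event(directory, {"type": "CheckedOut", "account": account})
    after = handle_event(directory, {"type": "CheckedIn", "account": account})
    return before, during, after
```

Comparing `before` and `after` is the check worth automating against the real directory: if they differ, the reversal on check-in did not complete.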
Let's start with the prep work in Active Roles. There are a few things you need to do in Active Roles. First thing you're going to need is a service account. And I have a service account created, but it's nothing special. So I've created it, and I've created a Safeguard Managed OU structure here. And then I've created a service account OU underneath that. And then I've just simply created this service account right here. There's absolutely nothing special about this account other than it's a standard user account. Of course, you will need to know the password for the initial implementation. And then Safeguard will take over management of this account, and cycle the password for you.
As you can see, it doesn't have any special permissions. It's not a member of any specific groups. It's just a basic user account. And we're going to give it permissions in Active Roles to do some things. That's the service account.
Now that we have the service account created, let's go ahead and create the Access Templates and the Virtual Attribute. So there's a couple of scripts that come with it. A couple of PowerShell scripts. There's an access template one. There's a virtual attribute one. And then there's the install file here. So we're going to go ahead and run the virtual attribute one. I'm going to go ahead and open Active Roles right here. And we're going to look under Configuration. Server configuration. Virtual attributes. And it should appear right here.
So we'll go over here, and we'll run the VA file. It looks like it was successful. Let's go refresh. OK. So my virtual attribute is right here. Now let's go run the access template creation. And this access template is designed to give the service account access to the virtual attribute that was just created.
And that looks like it was successful as well. So let's go take a look at that. Under Access Templates, it'll show up as one identity right here. And there's my access template right there. Now that I have my access template, I can permission my service account to access the accounts that it's going to