Symantec Privileged Access Management

  • 1.  PAM Integration approach - Implementation

    Posted May 16, 2018 12:26 PM

    Hi All,

     

    Good day. We want to have your expertise and best practices on implementing the PAM solution for the scenario given below. Kindly provide your valuable suggestions.

     

    In our environment, we have to integrate the devices (only on the OS level) from 2 application teams.

     

    AppTeam-A: This team has 20 Windows servers

    AppTeam-B: Has 10 Windows and 10 Linux servers.

    No. of privileged accounts: 4 accounts on each server

     

    We will do only local privileged account management, no domain account management.

     

    In this scenario, is the following approach OK, or can it be improved?

     

    1. Import devices

    2. Create groups AppTeam-A and B and attach the respective devices to each group

    3. Create application AppTeam-A and B

    4. Create target accounts in PAM - 4 accounts for each server, so total 40*4 = 160

    6. Create user group AppTeam-A and map it to device group AppTeam-A, so that AppTeam-A users can only see this application's devices.

    7. And then normal approval and access flows.

     

    Is this approach good, or please let me know how best we can optimize it?

     

    The challenge: We use the PAM GUI for all the above activities. We have an import option only for a few steps.

    But for account creation and policy, we don't see an import option.

     

    Can you please help with how this can be done using CSV import or any other way (using CLI)?

     

    Thanks in advance

    dk



  • 2.  Re: PAM Integration approach - Implementation
    Best Answer

    Broadcom Employee
    Posted May 16, 2018 02:41 PM

    Hi Dk, this seems to have the same scope as thread https://communities.ca.com/thread/241809386-import-device-accounts-policies-etc-using-cli-import

    As pointed out there, you can import policies in bulk. The Remote CLI is suited for importing target applications and accounts. For UNIX target devices this can also be done via the REST API/External API; see the links to our online documentation in the other thread. For REST API details, you use the Settings > Api Doc page on the PAM UI once you have the External API enabled.