WriteDiscoveredAccount
A mechanism for the script to return account discovery information to the client.
This should be called for each account discovered on the remote host. A constraint filter must be configured to select which discovered accounts are reported to the client (i.e. Safeguard). The constraint filter must be configured in the 'AccountDiscovery' operation parameter, but can be overridden in the FilterQuery property of the 'WriteDiscoveredAccount' command. The constraint filter can match on any or all of the following: user name, user ID, group name, group ID, relative ID.
Parameter Name | Description | Type | Resolved Type | Required |
---|---|---|---|---|
Name | The name of the discovered account | Value | String | Yes |
UserId | The ID of the discovered account | Value | String | No |
GroupId | The group ID of the discovered account | Value | String | No |
Groups | The list of groups of which the discovered account is a member. Each element of the array resolves to a Group object, see below | Value | Array | No |
Roles | The list of roles of which the discovered account is a member. Each element of the array resolves to a Role object, see below. Added in v7.3 | Value | Array | No |
Permissions | The list of permissions available to the discovered account. Each element of the array resolves to a string value. Added in v7.3 | Value | Array | No |
FilterQuery | The filter to match the discovered accounts, see below | Object | Object | Yes |
Each group in the list of Groups is an object with the following properties.
Parameter Name | Description | Type | Resolved Type | Required |
---|---|---|---|---|
Name | The name of the group | String | String | Yes |
Id | The ID of the group | String | String | No |
Guid | The Guid of the group, if supported | String | String | No |
Each role in the list of Roles is an object with the following properties.
Parameter Name | Description | Type | Resolved Type | Required |
---|---|---|---|---|
Name | The name of the role | String | String | Yes |
RoleId | The ID of the role | String | String | No |
A query is required to filter the results that will be reported to Safeguard. The query can alternatively be configured as an operation parameter called "DiscoveryQuery".
Parameter Name | Description | Type | Resolved Type | Required |
---|---|---|---|---|
Rules | An optional array of rules to apply, see below. If no rules are configured, all accounts will match the filter. | Array | Array | No |
Each rule provides a filter to apply to the discovered list of accounts.
Parameter Name | Description | Type | Resolved Type | Required |
---|---|---|---|---|
Name | A string to identify the rule | String | String | Yes |
Type | The filter type. This must be set to 'Constraints' | String | String | Yes |
Filters | The constraint filters to apply, see below. If no constraints are configured, all accounts will match the filter. | Object | Object | Yes |
A set of properties that can be used to filter a discovered account.
Parameter Name | Description | Type | Resolved Type | Required |
---|---|---|---|---|
UserName | The string to match the discovered UserName; null or empty string will match all | String | String | No |
UserId | The string to match the discovered UserId; null or empty string will match all | String | String | No |
Group | The string to match the discovered Group; null or empty string will match all | String | String | No |
GroupId | The string to match the discovered GroupId; null or empty string will match all | String | String | No |
RelativeId | The string to match the discovered RelativeId; null or empty string will match all | String | String | No |
Role | The string to match the discovered Role; null or empty string will match all | String | String | No |
Permission | The string to match the discovered permission; null or empty string will match all | String | String | No |
**Example 1: Filter on any UserId > 100, overriding the 'AccountDiscovery' operation parameter passed in to the operation:**

```json
{
  "WriteDiscoveredAccount": {
    "Name": "Tom",
    "UserId": "1234",
    "GroupId": "2345",
    "FilterQuery": {
      "Rules": [
        {
          "Name": "any UserId > 100",
          "Type": "Constraints",
          "Filters": {
            "UserName": "",
            "UserId": "^(10[1-9]|1[1-9][0-9]|[2-9][0-9]{2}|[1-9][0-9]{3,})$",
            "Group": null,
            "GroupId": "",
            "RelativeId": null
          }
        }
      ]
    }
  }
},
```
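A pre-deployment check for constraint filters, added here as an example (not part of the Safeguard documentation or product code): it lists rules whose constraints are all null or empty, which match every account, and the UIDs on which a UserId pattern disagrees with the intended range. It assumes constraint strings are regular expressions that must match the whole value and uses Python's `re` as a stand-in for the product's matcher; `LOOSE`, `STRICT`, `SAMPLE_QUERY` and the function names are constructed for illustration.

```python
import re

# Constraint keys listed in the filter table on this page.
FILTER_KEYS = ("UserName", "UserId", "Group", "GroupId",
               "RelativeId", "Role", "Permission")

def match_all_rules(filter_query):
    """Names of rules whose constraints are all null/empty (they match every account)."""
    rules = filter_query.get("Rules") or []
    return [r["Name"] for r in rules
            if not any((r.get("Filters") or {}).get(k) for k in FILTER_KEYS)]

def uid_coverage_gaps(pattern, low, high, should_match):
    """UIDs in [low, high] where the pattern's verdict differs from the intent.
    Assumption: the constraint is a regex that must match the whole UserId."""
    rx = re.compile(pattern)
    return [uid for uid in range(low, high + 1)
            if bool(rx.fullmatch(str(uid))) != should_match(uid)]

# Constructed patterns, both meant to express "UserId greater than 100".
# LOOSE looks right on 101-199 but has no branch for a leading digit 2-9
# and rejects a 0 directly after "10".
LOOSE = r"(10[1-9]+)|(1[1-9][0-9]+)"
STRICT = r"^(10[1-9]|1[1-9][0-9]|[2-9][0-9]{2}|[1-9][0-9]{3,})$"

# Constructed FilterQuery in the shape documented on this page.
SAMPLE_QUERY = {"Rules": [
    {"Name": "any UserId > 100", "Type": "Constraints",
     "Filters": {"UserName": "", "UserId": STRICT, "Group": None}},
    {"Name": "Include all accounts", "Type": "Constraints", "Filters": {}},
]}

if __name__ == "__main__":
    above_100 = lambda uid: uid > 100
    gaps = uid_coverage_gaps(LOOSE, 0, 2000, above_100)
    print("LOOSE: %d wrong verdicts, first: %s" % (len(gaps), gaps[:5]))
    print("STRICT gaps:", uid_coverage_gaps(STRICT, 0, 2000, above_100))
    print("match-all rules:", match_all_rules(SAMPLE_QUERY))
```

An account that a UserId pattern silently misses is never reported to the client, so running the pattern over the host's real UID range before deployment is the relevant check.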
**Example 2: Assuming the AccountName, AccountUID, AccountGID, GroupName and GroupId string variables have been retrieved for the discovered account. Include all accounts, overriding the 'AccountDiscovery' operation parameter passed in to the operation:**

```json
{
  "SetItem": {
    "Name": "GroupList",
    "Value": "%{ new List<DiscoveredGroup>() }%"
  }
},
{
  "Eval": {
    "Expression": "GroupList.Add(new DiscoveredGroup(GroupName, GroupId))"
  }
},
{
  "WriteDiscoveredAccount": {
    "Name": "%{ AccountName }%",
    "UserId": "%{ AccountUID }%",
    "GroupId": "%{ AccountGID }%",
    "Groups": "%{ GroupList }%",
    "FilterQuery": {
      "Rules": [
        {
          "Name": "Include all accounts",
          "Type": "Constraints",
          "Filters": {}
        }
      ]
    }
  }
},
```
**Example 3: Assuming the AccountName, AccountUID, AccountGID, GroupName and GroupId string variables have been retrieved for the discovered account. Use the 'DiscoveryQuery' operation parameter passed in to the operation to filter:**

```json
{
  "SetItem": {
    "Name": "GroupList",
    "Value": "%{new List<DiscoveredGroup>();}%"
  }
},
{
  "Eval": {
    "Expression": "%{GroupList.Add(new DiscoveredGroup(GroupName, GroupId))}%"
  }
},
{
  "WriteDiscoveredAccount": {
    "Name": "%AccountName%",
    "UserId": "%AccountUID%",
    "GroupId": "%AccountGID%",
    "Groups": "%{GroupList}%"
  }
}
```