IdentityIQ Connector for BeyondTrust Privilege Management for Windows & Mac


Description: IdentityIQ Connector for BeyondTrust Privilege Management for Windows & Mac
Legal Agreement: By using this CoLab item, you are agreeing to SailPoint's Terms of Service for our developer community and open-source CoLab.
Repository Link: N/A
New to Connector Configurations in the CoLab? Read the getting started guide for Connector Configurations in the CoLab.
Supported by: Community Developed

Overview

BeyondTrust Privilege Management for Windows and Mac removes local admin rights, controls root access, and enforces true least privilege seamlessly across Windows and macOS desktops and servers.

Capabilities:

  • Accounts Aggregation via SCIM 2.0;
  • Roles Aggregation – Modifiable;
  • Entitlement Aggregation – Read Only;
  • Create Account;
  • Add/Remove Roles for Accounts;
  • Enable/Disable Account;
  • Update Account.

Requirements

IdentityIQ 8.1 or later (patched), and Privilege Management Cloud v24.4 or later.

Guide

Deployment

Download the Application/Connector file:
Application_IIQ_BeyondTrust_EPM_Cloud_Win&Mac.xml (11.0 KB)

With a text editor, edit the file and change the Application name:

The name needs to be changed before importing the Application.

Navigate to Global Settings, and click Import from File.

Click Choose File to select the file, then click the Import button.

Click Done.

Navigate to Applications, Application Definition, click the new Application, and open the Configuration tab. We need to obtain the Client ID and Client Secret for the API Account in EPM.

Note: The example URLs use myInstance-services; replace myInstance with the actual name of your EPM instance. If the web console URL for the EPM instance is myInstance.pm.beyondtrustcloud.com, the -services suffix must be added to the host name for API access.
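As an added example (not part of the connector package or SailPoint's code), the following Python script performs the two file edits described above in one step: it renames the Application and replaces the myInstance placeholder with the real -services host derived from the console host name, refusing to proceed if the name was left unchanged. The XML layout, the entry keys and the URL paths in the sample are constructed for this example and are not the real connector file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like an IdentityIQ Application export; the entry
# keys and URL paths are assumptions, not the real connector file's contents.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<Application name="BeyondTrust EPM" type="SCIM 2.0">
  <Attributes>
    <Map>
      <entry key="baseUrl" value="https://myInstance-services.pm.beyondtrustcloud.com/scim/v2"/>
      <entry key="tokenUrl" value="https://myInstance-services.pm.beyondtrustcloud.com/oauth/token"/>
      <entry key="usePatch" value="false"/>
    </Map>
  </Attributes>
</Application>
"""

PLACEHOLDER_HOST = "myInstance-services.pm.beyondtrustcloud.com"
CONSOLE_HOST_RE = re.compile(r"^([A-Za-z0-9-]+)\.pm\.beyondtrustcloud\.com$")


def services_host(console_host: str) -> str:
    """Derive the API host from the web-console host by adding '-services'."""
    match = CONSOLE_HOST_RE.match(console_host)
    if not match:
        raise ValueError(f"unexpected console host: {console_host}")
    instance = match.group(1)
    if instance.endswith("-services"):
        return console_host  # already an API host, nothing to add
    return f"{instance}-services.pm.beyondtrustcloud.com"


def prepare_application(xml_text: str, new_name: str, console_host: str) -> str:
    """Rename the Application and swap the placeholder host for the real one."""
    root = ET.fromstring(xml_text)
    if root.tag != "Application":
        raise ValueError("root element is not an IdentityIQ Application")
    if root.get("name") == new_name:
        raise ValueError("Application name must be changed before import")
    root.set("name", new_name)
    host = services_host(console_host)
    for entry in root.iter("entry"):
        value = entry.get("value", "")
        if PLACEHOLDER_HOST in value:
            entry.set("value", value.replace(PLACEHOLDER_HOST, host))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(prepare_application(SAMPLE_XML, "BeyondTrust EPM Prod", "acme.pm.beyondtrustcloud.com"))
```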

Access the EPM Console as an administrator. Navigate to Configuration, API Settings, and create a new API account for IdentityIQ.

Grant the Full Access permission for SCIM to the new API account.

Copy the Client ID and Client Secret into the new Application Configuration in SailPoint IdentityIQ.

Navigate to Correlation, and add a correlation rule for Accounts.

Also, we need to set the Application Owner on the Details tab, then Save the Application.

At this point, we should be able to test the configuration successfully.

Test Connection Successful.

Now we need to create Aggregation Tasks under Setup, Tasks, for both Roles (Groups) and Accounts, and execute these Tasks.

After executing Aggregation Tasks, we should be able to see Accounts and Entitlements for Identities.

Under Applications, Entitlement Catalog, we should be able to see the Roles.

Note: An issue with removing Roles via PATCH has been identified in the current version of EPM as of May 2024 and will be resolved shortly. Meanwhile, this Application's configuration is set to use PUT rather than PATCH. Once the issue is resolved, the Application can be switched to PATCH via the debug interface.

The Boolean value can be set to true to use PATCH, once the EPM SCIM API issue is resolved.

This Post will be updated once the PATCH issue for Remove Roles is resolved for the EPM API.
