Centrify Infrastructure Service provides shared-account password management for on-premises and cloud-based resources. This topic shows you how to use the /ServerManage API endpoints to do the following:

• Add a resource to manage. A resource is a server, workstation, or network device such as a switch or router.
• Assign one or more Identity-Platform users to manage the resource.
• Add one or more shared accounts and passwords that provide access to the resource.
• Assign one or more Identity Platform users with permission to use or manage these accounts.

For more information, select a task:

• Adding computers and network devices
• Add an account and password for a resource
• Assign permissions to a resource
• Provide permissions to a shared account
• Check out Shared Account Passwords
• Add domains

Adding computers and network devices

If you deploy Centrify infrastructure services, you can add computers and network devices to manage privileged accounts and passwords. The computers and network devices you add are listed under Systems in the Infrastructure section.

To add a computer or network device, call /ServerManage/AddResource and pass fields in the payload to identify the resource:

• Name: Your name for the resource.
• FQDN: IP address or DNS name for the resource.
• ComputerClass: Type of resource, such as Unix, Windows, CiscoIOS, etc.
• SessionType: Type of session Ssh or Rdp.
• Description: Optional description for the resource.

See /ServerManage/AddResource for a complete list of payload parameters.

For example, the following call adds a UNIX server resource:

/ServerManage/AddResource
{
  "Name": "Acct-Server",
  "FQDN": "192.168.132.10",
  "ComputerClass": "Unix",
  "SessionType": "Ssh",
  "Description": "Accounting Server"
}

This function returns the ID for the resource it creates (Result:0a00c714-9b83-4392-b7b1-514f190a9f28) . Save this ID for use in other function calls.

The /ServerManage/AddResource response:

{
"success": true,
"Result": "0a00c714-9b83-4392-b7b1-514f190a9f28"
"Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "InnerExceptions": null
}

Assign permissions to a resource

When you add a resource, the authenticated account on whose behalf you call /ServerManage/AddResource is given all permissions to the resource. You can call /ServerManage/SetResourcePermissions to assign permissions to additional Identity-Platform users or roles to manage the resource. The permissions that you may add are:

• Grant — Allows a user to grant permission to another user or role to manage a resource.
• ManageSession — Allows a user to monitor or abort a user's remote session on the managed resource.
• Edit — Allows a user to edit the resource's details, such as name and description.
• Delete — Allows a user to delete the resource.

You can assign permissions to a resource to one or more specific users or to one or more roles. The following example (in Grants) assigns all permissions (ManageSession, Edit, etc.) to a role, where:

• "PType": "Role" indicates that the assignment is to a role.
• "Principal": "ServerManage" specifies a role named ServerManage. All users in this role have all permissions to the specified resource.

For ID, pass the ID returned by the previous call to /ServerManage/AddResource.

/ServerManage/SetResourcePermissions
{
  "ID": "0a00c714-9b83-4392-b7b1-514f190a9f28",
  "Grants": 
  [
    {"Ptype": "Role",
     "Principal": "ServerManage",
     "Rights": "ManageSession, Edit, Grant, Delete"}
  ]
}

Add an account and password for a resource

To add a shared account with access to the resource you added, call /ServerManage/AddAccount and pass the following fields in the payload:

• User and Password: An account that has login privileges to the resource, and the password for the account.
• IsManaged: True Specifies that an Identity Service manages the password. In this case, Identity Service controls the password and changes it after each use. No one 'knows' the password, so even the administrator who created the account and password can't log in directly to the server but must do so by checking out the account and password from an identity service.
• IsManaged: False: Specifies that the password is unmanaged, which means that Identity Service does not change the password. CPS grants access to the account, through /ServerManage/CheckoutPassword, but doesn't change or show the password. Anyone who knows the password, such as the administrator who created the account, can log in directly. CPS users only need to be granted permission — they don't need to supply the password — CPS supplies the password.
• Usewheel: false: Specifies not to use a proxy account.
• Host: The ID of the resource.
• Description: An optional description for the account.

The following sample call adds a managed account for the resource created previously.

/ServerManage/AddAccount
{
    "User":"QATEST2",
    "Password":"Abcd1234",
    "IsManaged":true,
    "UseWheel":false,
    "Description":"Admin account.",
    "Host":"0a00c714-9b83-4392-b7b1-514f190a9f28"
}

This function returns the ID for the newly created account in Result (3834d122-30cd-4893-8820-41af9447b313). Save this ID to pass to other functions.

The /ServerManage/AddResource response:

{
    "success": true,
    "Result": "3834d122-30cd-4893-8820-41af9447b313,"
    "Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "InnerExceptions": null
}

Provide permissions to a shared account

When you add a shared account for a resource, as described in the previous section, the authenticated Identity Service account on whose behalf you call /ServerManage/AddAccount is given all permissions to the shared account. You can call /ServerManage/SetAccountPermissions to assign permissions to additional Identity-Platform users or roles to manage and access the account. You can add the following permissions:

• Owner — Allows a user to grant permission to another user or role to manage an account.
• Manage — Allows a user to edit details about the account, such as the description.
• UpdatePassword — Allows a user to update the password for a managed account.
• Delete — Allows a user to delete the account.
• Login — Allows a user to use the account to log in to the resource.
• UserPortalLogin — Allows a user to log in to the resource by using the account without entering the password, which Identity Platform supplies.
• Naked — Allows a user to see the password in plain-text format. For a managed account, a user must be able to see or copy the password in order to enter it for login.

You can assign permissions to an account to one or more specific users or to one or more roles. It makes sense to assign at least two types of permissions, one for users to manage the account and one for users to log into the account.

For example, to provide management permissions to a role (ServerManage), call /ServerManage/SetAccountPermissions and pass a payload similar to the following:

/ServerManage/SetAccountPermissions
{
    "ID": "3834d122-30cd-4893-8820-41af9447b313
    "Grants": 
    [
        {"Ptype": "Role",
        "Principal": 
        "ServerManage",
        "Rights":"Owner, Manage, UpdatePassword, Delete"}
    ]
}

To provide users with the ability to use the account to log in to the resource, provide these permissions to a different role (ServerCheckout in this example):

/ServerManage/SetAccountPermissions
{
    "ID": "3834d122-30cd-4893-8820-41af9447b313
    "Grants": 
    [
        {"Ptype": "Role",
        "Principal": 
        "ServerCheckout",
        "Rights":"Login, UerPortalLogin, Naked"}
    ]
}

See Also

• Check out Shared Account Passwords
• Resource Management