ServiceNow is a very popular IT Service Management solution that includes capabilities like workflow and approvals, asset management, discovery, orchestration and more. This is the fourth article in the series. We have covered ServiceNow federation using Multi-provider SSO, setting up automatic provisioning with the Centrify Identity Service App, and setting up and configuring Centrify App Request. In this post we'll discuss the steps to set up Centrify Privilege Access Request, which leverages the Service Catalog to request login or password checkout of resource accounts in Centrify Privilege Service.
About Centrify Privilege Service (CPS)
CPS is a privileged identity management solution that focuses on shared secrets on UNIX, Linux, Windows, network devices, AD domains, Oracle or SQL databases and more. The approach differs from Server Suite, which is focused on the principle of least privilege. Privilege Service provides a built-in access request system with single and multi-level approvals.
Privilege Service's Workflow vs. ServiceNow Self-Service
We often get questions about what solution to use for self-service and approvals for application or privilege requests. The answer is quite simple: if you already have all your requests in ServiceNow, you should continue to do so, because this helps standardization and gives a unified user experience. The Centrify workflow engine is designed to meet the basic needs for Centrify products, whereas ServiceNow is a full-fledged Service Management solution.
We'll continue to use the Plan-Do (Implement)-Check (Test)-Adjust (Enhance) methodology and assume you have working knowledge of Identity Service and ServiceNow.
What you'll need
- A SaaS instance of Centrify Privilege Service with UNIX, Linux, Windows or Network Devices configured.
Note: You can use an on-premises instance as well, provided that the network (e.g. publicly-facing) and name resolution (publicly-resolvable) aspects of the design are taken care of.
- A ServiceNow instance that allows you to install apps (non-developer) with federated access to your Privilege Service instance. For details on how to set up SAML federation with the Multi-provider SSO, review the links below.
- Administrative accounts on both systems
During planning, discuss these topics with your infrastructure, operations and security teams:
- Will you have a single approval or multiple approval groups per resource?
Depending on the resource(s) in question you may have a single group or multiple groups approve. You may also use a default approval group.
- How will the workflow be designed?
This topic is very organization-dependent. Some organizations may choose to have automatic approvals for certain systems and human approvals when the systems host sensitive data or are subject to strong security policy or regulations like SOX, PCI, HIPAA and others.
- Have you identified a Default Approval Group in ServiceNow?
This applies if you choose to have a single group approve all privileged requests.
- Have you created a CIS role and policy set for the servicenow service account?
The servicenow account in Identity Service requires at a minimum the "Privilege Management" right. In addition, a policy that allows username/password login is required, since the REST calls used by the app can't answer multi-factor authentication requests.
- Will you have SLAs tied to your application requests?
Although not in the scope of this post, SN offers a lot of flexibility when designing workflows, including expiring workflow requests when they are not approved within a defined duration.
- Create an Identity Service user (the service account that SN will use to authenticate and perform actions)
- Create an Identity Service role with the minimum rights (the role that will be assigned to the service account)
- Create an Identity Service Policy to allow user/password login
- Download and Install Centrify Privilege Access Request app from the ServiceNow App Store
- Configure the Centrify Privilege Access Request app
Create a Service Account
For this integration, you'll need a service account (you should know how to create users to follow this article). To practice least privilege, this account needs to belong to a role with the Privilege Management right. This right is needed to grant login or password checkout rights on the accounts on each system. Centrify Directory users are created under Admin Portal > Users.
When creating the user, be mindful of options that can cause an outage (like password expiration), and practice proper rotation and complexity based on your internal policy.
Create a Role with the minimum rights
To create a role, go to Admin Portal > Roles and press Add Role. In the Members tab, add the newly-created account, and in the Administrative Rights tab, select the Privilege Management right.
Once completed, press the save button.
Create Policy to allow user/password login
This step may require you to create an Authentication profile that only asks for password (Admin Portal > Settings > Authentication > Authentication profiles). The reason is that Identity Service will (by default) ask for a step-up method for any unknown connections.
- Log on to the Admin Portal with an administrative account
- Go to Policies > New Policy
- In Policy Settings, scroll down and select the "Specified roles" radio button
- Press Add and browse for the role created in the previous step.
- On the left pane expand User Security Policies > Login Authentication and select Yes to enable.
- Under default profile (used if no conditions matched) select your Auth profile that only challenges for password.
- Press Save
- In an incognito window for your browser, try to log in to the service with the newly-created account. You should only be prompted for username and then password.
Important: Make sure that the policy only applies to the members of the role created for this integration.
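The test login in the last step and the scoping note above can also be checked from the challenge list the tenant returns when a login is started. The following is an added example, not Centrify's or ServiceNow's code: the field names (Result, Challenges, Mechanisms, Name), the "UP" code for username/password, and the other mechanism names are assumptions about the response shape, and all sample responses are constructed.

```python
# Added example: audits the challenge list returned when a login is started.
# Assumptions (verify against your tenant): the response shape
# Result -> Challenges -> Mechanisms -> Name, and "UP" = username/password.
PASSWORD = "UP"

def challenge_steps(response):
    """Return one list of mechanism names per challenge step."""
    if not response.get("success"):
        raise ValueError("login start failed: %s" % response.get("Message"))
    challenges = response["Result"].get("Challenges", [])
    return [[m["Name"] for m in c.get("Mechanisms", [])] for c in challenges]

def audit_service_account(response):
    """Findings that would break an unattended REST login; empty list means OK."""
    steps = challenge_steps(response)
    findings = []
    if not steps or steps[0] != [PASSWORD]:
        findings.append("first step is not password-only: %r" % (steps[:1],))
    if len(steps) > 1:
        findings.append("step-up still required: %r" % (steps[1:],))
    return findings

def policy_leaks_to(response):
    """True if an account outside the role is also let in on password alone."""
    return challenge_steps(response) == [[PASSWORD]]

def sample_response(*steps):
    """Build a constructed sample response from lists of mechanism names."""
    return {"success": True, "Result": {"Challenges": [
        {"Mechanisms": [{"Name": n} for n in names]} for names in steps]}}

# Constructed samples, not captured from a real tenant.
SVC_OK = sample_response(["UP"])                      # policy applied correctly
SVC_STEP_UP = sample_response(["UP"], ["OTP", "EMAIL"])  # step-up still active
ADMIN_OUTSIDE_ROLE = sample_response(["UP"], ["OTP", "EMAIL"])  # unaffected
ADMIN_LEAKED = sample_response(["UP"])                # policy scoped too broadly

if __name__ == "__main__":
    for name, r in [("svc ok", SVC_OK), ("svc step-up", SVC_STEP_UP)]:
        print(name, audit_service_account(r) or "password-only")
    for name, r in [("admin", ADMIN_OUTSIDE_ROLE), ("leaked", ADMIN_LEAKED)]:
        print(name, "LEAK" if policy_leaks_to(r) else "still challenged")
```

Run the scope check against an account that is not a member of the integration role; a password-only result there means the policy applies more widely than intended.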
Download and Install the Privilege Access Request App from the ServiceNow Store
- Go to the ServiceNow app store and search for Centrify.
- Click on the Centrify Privileged Request App
- Click "Get" to make the Centrify Privileged Request app available for your ServiceNow instances.
- Go to the ServiceNow instance, select System Applications > Applications > Downloads to locate the app then click Install to install it.
Configure the Centrify Privileged Access Request app
- In the application pane (left) navigate to Centrify Privilege Request > Properties. Populate these three fields:
Centrify Cloud Tenant URL: the URL for your identity service tenant. (e.g. https://your-tenant.my.centrify.com)
Centrify Cloud Service Account: the account you created in previous steps
Centrify Cloud Service Account Password: the strong password you created for the user
- Default Approval Group (Optional): now you have a decision to make based on the planning above. Populate the "Default Approval Group" if you decided to use a single ServiceNow group to approve all privilege requests. You have to find the group in ServiceNow (System Security > Groups), right-click it, select "Copy sys_id" and paste the value into the Default Approval Group field. If you are planning to have approval groups per App, leave the field empty and press Save.
- Go to Centrify Privilege Request > Customize API Sync
- Set the Active checkbox
- Select an appropriate interval based on your SLAs (e.g. 1 hour)
- Press Save and then Execute Now.
This process will synchronize the Resources (systems) and accounts available in Privilege Service.
If you set up a "Default Approval Group" you can skip this part. At this point you have to have a list of all the apps and the corresponding approval groups. For example, the root account in the CentOS system called engcen7 will be approved by the Team Development Code Reviewers group included with the sample data of the ServiceNow instance and the canned workflow for software.
To verify the functionality of the app, you'll have to run through the workflow of the apps (or independent apps) based on the approval group defined. For example, in my scenario I chose to have independent approval groups. My requester wants to check out the "api-key" resource under the azure-rh1 resource, and the self-service request is automatically approved based on existing ServiceNow rules.
Once the request is approved, the app will provide the requester with the type of access requested: login (for SSH or RDP access) or checkout (for password reveal or clipboard copy). In order to get access to the system or retrieve the password, the requester must switch over to privilege manager and find the system in the resources list or in their favorites. To log in they can use PuTTY or the web client, and to check out the password they can use the system resource on privilege manager or the mobile app.
Security analysts and auditors may require reports of who has been requesting and approving apps. This information is easily accessible using the service catalog requests, or under the Centrify Privilege Request Access approvals or the Dashboard section.
Centrify & ServiceNow Resources
There are multiple resources available in the documentation and tech blogs:
- Centrify App Access Documentation
- How to set up ServiceNow for SSO with Identity Service and the Multi-provider SSO Plugin
- How to set up Centrify Identity Service automatic provisioning for ServiceNow
- How to set up Centrify App Access for ServiceNow
- Video: Centrify and ServiceNow configuration overview by @Andy-Z
- Video: ServiceNow Application Access Request Overview by @Andy-Z
- Video: ServiceNow Application Access Request Walkthrough by @Andy-Z
- Video: Centrify Privileged Access Request for ServiceNow by @Andy-Z
- [Labs] Integrating ServiceNow Approvals to Centrify-enhanced sudo using the dzdo validator