[HowTo] - ServiceNow for Automated DirectAuthorize Validation

By Centrify on ‎06-30-2017 02:05 AM - last edited ‎08-11-2017 06:47 AM

  

Background

 

This technical blog post [with Video] serves as a follow-up to a previous lab "Integrating ServiceNow Approvals to Centrify-enhanced sudo using the dzdo validator."

 

Link provided here

 

Intended Objective

 

This technical blog post [with Video] is intended to highlight one (of many) Centrify integrations with ServiceNow that enhance change control practices, specifically for Centrify-enhanced sudo ("dzdo") commands. It shows how to:

 

  1. Track activities related to a particular change control request
  2. Implement controls to prevent unauthorized changes
  3. Create change control tickets that can be approved or rejected based on the command the user is trying to execute

 

Considerations

 

This post assumes you have already worked through the prerequisite lab and have successfully completed:

 

  • Installing the ServiceNow Perl API
  • Testing connectivity with your ServiceNow instance (checksn.sh)
  • Modifying the dzdo.validator script to use the ServiceNow Perl API
  • Configuring Centrify-enhanced sudo (dzdo) to use the ServiceNow Requests validator (dzcheck.snow)

Use Case

 

  1. A privileged user obtains change control manager approval via a ServiceNow workflow request.
    The request has a change control window (a date/time range).
  2. During the request's validity window, the privileged user performs the required activities using Centrify-enhanced sudo; when each command is issued, the ServiceNow request number must be provided.
  3. The dzdo.validator script uses the ServiceNow Perl API to check whether the request is approved.
    Additional validations (requesting user, time range, etc.) can be added; they are not covered here for brevity.
  4. If the request is approved, the Centrify-enhanced sudo command is allowed to execute. If not, the user is notified.
  5. If the request does not exist, a ServiceNow ticket is created and sent for approval.
  6. The newly created ticket records the user attempting the command and the command itself, for better change control and tracking.

 

Instructions

 

Enhance your existing dzcheck.snow script as shown below. The additions relative to the previous lab's validator are the ticket-creation block that runs when no matching request is found (those lines were highlighted in red in the original post).

#!/bin/sh /usr/share/centrifydc/perl/run
# A modified demo for Centrify-enhanced sudo (dzdo) validator
# Modified to work with ServiceNow Requests
use strict;
use lib "../perl";
use lib '/usr/share/centrifydc/perl';
use CentrifyDC::Logger;
use ServiceNow;
use ServiceNow::Configuration;
use ServiceNow::ITIL::Request;

# Use privilege service to retrieve SN shared account password
# Alternatively, you can modify the script to use an OAuth token
my $SN_PASSWD = `cgetaccount -s -t 3 your-user`;
chomp $SN_PASSWD;

# Context that dzdo exports to the validator
my $dzdo_user      = $ENV{DZDO_USER};
my $dzdo_command   = $ENV{DZDO_COMMAND};
my $dzdo_runasuser = $ENV{DZDO_RUNASUSER};

my $CONFIG = ServiceNow::Configuration->new();
$CONFIG->setSoapEndPoint("https://your-instance.service-now.com/");
$CONFIG->setUserName("your-user");
$CONFIG->setUserPassword($SN_PASSWD);
my $SN = ServiceNow->new($CONFIG);

my $logger = CentrifyDC::Logger->new('dzcheck');

printf STDERR "Enter the change control ticket number: ";
my $user_input = <STDIN>;
chomp $user_input;   # strip the newline, otherwise the number never matches in ServiceNow

# Ticket numbers are alphanumeric; reject anything else before it reaches the API or the audit trail
unless ($user_input =~ /^\w+$/) {
    printf STDERR "Invalid ticket number\n";
    exit 1;
}

# Look up the requested item by number
# (note: the lookup is against requested items, while the creation below inserts a request record)
my @requests = $SN->queryRequestedItem({'number' => $user_input});

# Check if request(s) exist; if not, create a ticket for approval and exit 1
if (scalar(@requests) == 0) {
    system "adsendaudittrailevent", "-t", "tkt_id", "-i", "$user_input";
    $logger->log('INFO', "Change control ticket number: %s", $user_input);
    $logger->log('INFO', "User \"%s\" will not be allowed to run \"%s\" as \"%s\" with ticket number (REASON:not found) \"%s\"",
                 $dzdo_user, $dzdo_command, $dzdo_runasuser, $user_input);
    $logger->log('INFO', "Change Control ticket does not exist, creating ticket...");

    printf STDERR "Change Control ticket does not exist, creating ticket for approval request...\n";

    # Record who attempted what, so the approver sees it in the ticket
    my $req = ServiceNow::ITIL::Request->new($CONFIG);
    my $req_sys_id = $req->insert({
        "short_description"    => "New Direct Authorize Request",
        "special_instructions" => "1)User: " . $dzdo_user . "\n2)Command: " . $dzdo_command,
    });

    print STDERR "New Request SYS_ID: $req_sys_id\n";

    exit 1;
}

foreach my $request (@requests) {
    my $req_status = $request->{'approval'};
    # Exit if request is not in approved status
    if ($req_status ne "approved") {
        system "adsendaudittrailevent", "-t", "tkt_id", "-i", "$user_input";
        $logger->log('INFO', "Change control ticket number: %s", $user_input);
        $logger->log('INFO', "User \"%s\" will not be allowed to run \"%s\" as \"%s\" with ticket number (REASON:not approved, status:%s) \"%s\"",
                     $dzdo_user, $dzdo_command, $dzdo_runasuser, $req_status, $user_input);
        exit 2;
    }
}

# Run command and log if request is approved
system "adsendaudittrailevent", "-t", "tkt_id", "-i", "$user_input";
$logger->log('INFO', "Change control ticket number: %s", $user_input);
$logger->log('INFO', "User \"%s\" will run \"%s\" as \"%s\" with ticket number \"%s\"",
             $dzdo_user, $dzdo_command, $dzdo_runasuser, $user_input);
exit 0;
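To exercise the validator contract without a live ServiceNow instance, the following harness (an added example, not Centrify's or ServiceNow's code) mimics what dzdo does when a validator is configured: it exports DZDO_USER, DZDO_COMMAND and DZDO_RUNASUSER, feeds the ticket number on stdin, and treats any non-zero exit as a denial. The ServiceNow lookup is replaced by a constructed in-script table, the ticket-number format (RITM followed by seven digits) is an assumption about your instance's numbering, and the exit codes mirror the Perl script above: 0 allow, 1 ticket not found or malformed, 2 ticket found but not approved.

```shell
#!/bin/sh
# Offline harness for the dzdo validator contract (added example, not the
# page's or Centrify's code). dzdo runs the validator with DZDO_USER,
# DZDO_COMMAND and DZDO_RUNASUSER in its environment, the ticket number on
# stdin, and allows the command only when the validator exits 0.

# Constructed stand-in for the ServiceNow query: "number:approval" pairs.
# Assumption: requested items are numbered RITM + seven digits.
MOCK_SN_TABLE="RITM0010001:approved
RITM0010002:requested
RITM0010003:rejected"

# Prints the approval state for a ticket number, or nothing if it is unknown.
sn_lookup() {
    printf '%s\n' "$MOCK_SN_TABLE" | awk -F: -v n="$1" '$1 == n { print $2 }'
}

# Decision logic equivalent to dzcheck.snow: reads the ticket number from
# stdin and returns 0 (allow), 1 (missing or malformed) or 2 (not approved).
validate_ticket() {
    IFS= read -r ticket || ticket=""
    # Reject anything that is not a plausible ticket number before it would
    # reach the API call or the audit trail event.
    case "$ticket" in
        RITM[0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "Malformed ticket number: '$ticket'" >&2; return 1 ;;
    esac
    status=$(sn_lookup "$ticket")
    if [ -z "$status" ]; then
        echo "User \"$DZDO_USER\" will not be allowed to run \"$DZDO_COMMAND\" as \"$DZDO_RUNASUSER\": $ticket not found" >&2
        return 1
    fi
    if [ "$status" != "approved" ]; then
        echo "User \"$DZDO_USER\" will not be allowed to run \"$DZDO_COMMAND\" as \"$DZDO_RUNASUSER\": $ticket is $status" >&2
        return 2
    fi
    echo "User \"$DZDO_USER\" will run \"$DZDO_COMMAND\" as \"$DZDO_RUNASUSER\" with ticket \"$ticket\"" >&2
    return 0
}

# Drives the validator the way dzdo does: environment, ticket on stdin,
# exit status as the decision.  $1=user $2=command $3=run-as user $4=ticket
run_validator() {
    (
        export DZDO_USER="$1" DZDO_COMMAND="$2" DZDO_RUNASUSER="$3"
        printf '%s\n' "$4" | validate_ticket
    )
}

# Demo run over the constructed tickets plus a malformed one.
for t in RITM0010001 RITM0010002 RITM0010003 RITM0099999 "RITM0010001; id"; do
    rc=0
    run_validator alice "/sbin/service httpd restart" root "$t" || rc=$?
    echo "exit=$rc for '$t'"
done
```

The format check is the one piece the Perl script lacks: a ticket number is user-typed, and it is both sent to ServiceNow and written into the audit trail, so it should be constrained to the shape your instance actually issues before either happens.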

 

[Video]

 
