[HowTo] - ServiceNow for Automated DirectAuthorize Validation

11 April 2019 at 11:50 AM

Background

This technical blog post [with Video] serves as a follow-up to a previous lab, "Integrating ServiceNow Approvals to Centrify-enhanced sudo using the dzdo validator."

Link provided here

Intended Objective

This technical blog post [with Video] highlights one (of many) Centrify integrations with ServiceNow that enhance change control practices, specifically for Centrify-enhanced sudo ("dzdo") commands. It shows how to:

  1. Track activities related to a particular change control request
  2. Implement controls to prevent unauthorized changes
  3. Create change control tickets that can be approved or rejected based on the command the user is trying to execute

Considerations

This post assumes you have already completed the prerequisite lab, including:

  • Installing the ServiceNow Perl API
  • Testing connectivity with your ServiceNow instance (checksn.sh)
  • Modifying the dzdo.validator script to use the ServiceNow Perl API
  • Configuring Centrify-enhanced sudo (dzdo) to use the ServiceNow Requests validator (dzcheck.snow)

Use Case

  1. A privileged user obtains change control manager approval via a ServiceNow workflow request.
     The request has a change control window (a date/time range).
  2. During the request validity timeframe, the privileged user needs to perform activities (using Centrify-enhanced sudo); when the commands are issued, the ServiceNow request number has to be provided.
  3. The dzdo.validator script uses the ServiceNow Perl API to validate whether the request is approved.
     Additional validations (user, time range, etc.) can be added; these are not covered here for brevity.
  4. If the request is approved, the Centrify-enhanced sudo command is allowed to execute. If not, the user is notified.
  5. If the request does not exist, a ServiceNow ticket is created and sent for approval.
  6. The newly created ticket records the user attempting to execute as well as the command itself, for better change control and tracking.

Instructions

Enhance your existing dzcheck.snow script so that it matches the script below. The lines to add (ticket creation when the request does not exist, per use case steps 5 and 6) were highlighted in red in the original post; that highlighting does not survive here, so compare against your copy from the prerequisite lab.

#!/bin/sh /usr/share/centrifydc/perl/run
# A modified demo for Centrify-enhanced sudo (dzdo) validator
# Modified to work with ServiceNow Requests
use strict;
use lib "../perl";
use lib '/usr/share/centrifydc/perl';
use CentrifyDC::Logger;
use ServiceNow;
use ServiceNow::Configuration;
use ServiceNow::ITIL::Request;

# Use privilege service to retrieve SN shared account password
# Alternatively, you can modify the script to use an OAuth token
my $SN_PASSWD = `cgetaccount -s -t 3 your-user`;
chomp($SN_PASSWD);   # drop the trailing newline so the password is sent intact

# Context dzdo passes to the validator in the environment
my $dzdo_user      = $ENV{DZDO_USER};
my $dzdo_command   = $ENV{DZDO_COMMAND};
my $dzdo_runasuser = $ENV{DZDO_RUNASUSER};

my $CONFIG = ServiceNow::Configuration->new();
$CONFIG->setSoapEndPoint("https://your-instance.service-now.com/");
$CONFIG->setUserName("your-user");
$CONFIG->setUserPassword($SN_PASSWD);
my $SN = ServiceNow->new($CONFIG);
my $logger = CentrifyDC::Logger->new('dzcheck');

# Ask the user for the ticket number and look it up as a requested item
printf STDERR "Enter the change control ticket number: ";
my $user_input = <STDIN>;
chomp($user_input);
my @requests = $SN->queryRequestedItem({'number' => $user_input});

# Check if request(s) exist; if not, open a ticket for approval and exit (1)
if (scalar(@requests) == 0) {
    system "adsendaudittrailevent", "-t", "tkt_id", "-i", "$user_input";
    $logger->log('INFO', "Change control ticket number: %s", $user_input);
    $logger->log('INFO', "User \"%s\" will not be allowed to run \"%s\" as \"%s\" with ticket number (REASON:not found) \"%s\"", $dzdo_user, $dzdo_command, $dzdo_runasuser, $user_input);
    $logger->log('INFO', "Change Control ticket does not exist, creating ticket...");

    printf STDERR "Change Control ticket does not exist, creating ticket for approval request...";
    printf "\n";

    my $req = ServiceNow::ITIL::Request->new($CONFIG);

    # Record who attempted what inside the new ticket for change control tracking
    my $req_num = $req->insert({
        "short_description"    => "New Direct Authorize Request",
        "special_instructions" => "1)User: " . $dzdo_user . "\n2)Command: " . $dzdo_command,
    });

    print STDERR "New Request SYS_ID: " . $req_num;
    printf "\n";

    exit 1;
}

# Exit (2) if the request is not in approved status
foreach my $request (@requests) {
    my $req_status = $request->{'approval'};
    if ($req_status ne "approved") {
        system "adsendaudittrailevent", "-t", "tkt_id", "-i", "$user_input";
        $logger->log('INFO', "Change control ticket number: %s", $user_input);
        $logger->log('INFO', "User \"%s\" will not be allowed to run \"%s\" as \"%s\" with ticket number (REASON:not approved, status: %s) \"%s\"", $dzdo_user, $dzdo_command, $dzdo_runasuser, $req_status, $user_input);
        exit 2;
    }
}

# Run command and log if request is approved
system "adsendaudittrailevent", "-t", "tkt_id", "-i", "$user_input";
$logger->log('INFO', "Change control ticket number: %s", $user_input);
$logger->log('INFO', "User \"%s\" will run \"%s\" as \"%s\" with ticket number \"%s\"", $dzdo_user, $dzdo_command, $dzdo_runasuser, $user_input);
exit 0;
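The decision flow from the use case steps and the script above, modelled as an added Python example so it can be exercised offline. This is not Centrify's dzcheck.snow script and does not call the ServiceNow Perl API: the ServiceNow lookup is replaced by a constructed in-memory table, and ticket creation appends to that table. The exit codes 0 (allow), 1 (ticket not found, ticket created) and 2 (not approved) follow the page's script; the requester and change-window checks, their codes 3 and 4, and the field names requested_for, start_date and end_date are assumptions standing in for the "additional validations" the post leaves out.

```python
"""Offline model of the dzdo validator flow: look up a ticket, check it, and
return the exit status the validator would use (dzdo allows the command only
on exit 0). Added example; the ServiceNow side is a constructed table."""
from dataclasses import dataclass
from datetime import datetime

ALLOW, NOT_FOUND, NOT_APPROVED = 0, 1, 2   # exit codes used by the page's script
OUT_OF_WINDOW, WRONG_USER = 3, 4            # assumed codes for the extra checks

TS = "%Y-%m-%d %H:%M:%S"


def ts(text):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' change-window timestamp."""
    return datetime.strptime(text, TS)


def sample_table():
    """Constructed stand-in for ServiceNow requested items; fresh copy per call.
    'number' and 'approval' match the page's script, the rest are assumed names."""
    window = {"start_date": "2019-04-11 08:00:00", "end_date": "2019-04-11 18:00:00"}
    return {
        "RITM0010001": {"approval": "approved", "requested_for": "alice", **window},
        "RITM0010002": {"approval": "requested", "requested_for": "alice", **window},
        "RITM0010003": {"approval": "approved", "requested_for": "bob", **window},
    }


@dataclass
class Decision:
    exit_code: int   # what the validator exits with; dzdo runs the command only on 0
    reason: str      # text shown to the user and written to the audit trail
    ticket: str      # ticket number the decision was recorded against


def create_ticket(table, user, command):
    """Use case steps 5 and 6: open a request recording who tried what.
    Numbering is a constructed placeholder; ServiceNow assigns real numbers."""
    number = "RITM%07d" % (len(table) + 10001)
    table[number] = {
        "approval": "requested", "requested_for": user,
        "start_date": None, "end_date": None,
        # same two-line description the page's script puts in special_instructions
        "special_instructions": "1)User: %s\n2)Command: %s" % (user, command),
    }
    return number


def validate(env, ticket_number, now, table):
    """Decide whether dzdo may run env['DZDO_COMMAND'] under ticket_number."""
    user, command = env["DZDO_USER"], env["DZDO_COMMAND"]
    runas = env.get("DZDO_RUNASUSER", "root")
    who = 'user "%s" running "%s" as "%s"' % (user, command, runas)

    item = table.get(ticket_number)
    if item is None:                       # step 5: unknown ticket -> create one, deny
        new_number = create_ticket(table, user, command)
        return Decision(NOT_FOUND, "ticket not found; created %s for approval" % new_number, new_number)
    if item["approval"] != "approved":     # step 4: not approved -> deny
        return Decision(NOT_APPROVED, "%s denied: status %s" % (who, item["approval"]), ticket_number)
    if item["requested_for"] != user:      # assumed extra check: ticket must belong to the caller
        return Decision(WRONG_USER, "%s denied: ticket belongs to %s" % (who, item["requested_for"]), ticket_number)
    if not ts(item["start_date"]) <= now <= ts(item["end_date"]):   # assumed: change window
        return Decision(OUT_OF_WINDOW, "%s denied: outside change window" % who, ticket_number)
    return Decision(ALLOW, "%s allowed" % who, ticket_number)


if __name__ == "__main__":
    import os
    import sys
    env = {k: os.environ.get(k, "") for k in ("DZDO_USER", "DZDO_COMMAND", "DZDO_RUNASUSER")}
    number = input("Enter the change control ticket number: ").strip()
    d = validate(env, number, datetime.now(), sample_table())
    print(d.reason, file=sys.stderr)
    sys.exit(d.exit_code)
```

The useful property of keeping every outcome as a distinct non-zero code is that the audit trail (the adsendaudittrailevent and logger calls in the real script) can record why a command was refused, not just that it was; the window and requester checks are where a real deployment would replace the constructed table with fields from the queried requested item.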

[Video]