From d24033b5a34e9fdc449ce1d5fbc8d013031ff3c6 Mon Sep 17 00:00:00 2001 From: Rick Roca Date: Tue, 30 Jan 2024 14:00:43 -0500 Subject: [PATCH] Databricks AWS and Salesforce Clean Up --- .../Remote Password Changer/readme.md | 35 +- .../DataBricks/Discovery/readme.md | 662 +++++++++++++++--- .../SecretServer/DataBricks/instructions.md | 91 ++- .../SecretServer/SalesForce/Instructions.md | 2 + .../SalesForce Heartbeat Placeholder.ps1 | 1 + .../SalesForce Heartbeat-BK.ps1 | 144 ---- .../SalesForce Heartbeat.ps1 | 124 ---- .../Salesforce Remote Password Changer.ps1 | 4 +- .../Remote Password Changer/readme.md | 16 +- Scripts/SecretServer/SalesForce/readme.md | 10 +- 10 files changed, 685 insertions(+), 404 deletions(-) create mode 100644 Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat Placeholder.ps1 delete mode 100644 Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat-BK.ps1 delete mode 100644 Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat.ps1 diff --git a/Scripts/SecretServer/AWS/AWS-IAM Users/Remote Password Changer/readme.md b/Scripts/SecretServer/AWS/AWS-IAM Users/Remote Password Changer/readme.md index ccfc08f..1401ea7 100644 --- a/Scripts/SecretServer/AWS/AWS-IAM Users/Remote Password Changer/readme.md +++ b/Scripts/SecretServer/AWS/AWS-IAM Users/Remote Password Changer/readme.md @@ -12,7 +12,7 @@ - Password Type to use: Select the Amazon IAM Console Password Privileged Account - Click on Save -## Associate scripting account to Azure AD secret +## Associate AWS Service account to AWS secret To be able to correctly use the password changer, the AWS Service account must be associated with the AWS IAM User secret. This can be done by following the steps below: - Log in to the Delinea Secret Server - Navigate to Secrets 
@@ -25,36 +25,5 @@ To be able to correctly use the password changer, the AWS Service account must b - Search for the earlier created [AWS Service Account secret](../Instructions.md#create-secret-in-secret-server-for-the-aws-service-account) for the application registration and select that - Click on Save - This can also be done using a Secret Policy assigned to the Parent Folder + This can also be done using a Secret Policy assigned to the Parent Folder or Directly to The Secret -## Testing the configuration -If all went well, you now should have: -- A secret template for the application registration -- An application registration in Azure AD / Entra ID -- A secret in Secret Server for the application registration -- The password changer script in Secret Server -- The password changer configured in Secret Server to use the script -- The password changer associated with the Azure AD Account template -- An Azure AD Account secret (not covered in this guide) -- The application registration secret associated with the Azure AD Account secret - -To test the configuration, you can first start by performing a Heartbeat on the Azure AD Account secret. This can be done by following the steps below: -- Log in to the Delinea Secret Server -- Navigate to Secrets -- Locate your secret(s) based on the Azure AD Account template -- Click on the secret -- Click on Heartbeat -After a few moments, the heartbeat should complete successfully. - -To test the configuration, you can now change the password of the Azure AD Account secret. This can be done by following the steps below: -- Log in to the Delinea Secret Server -- Navigate to Secrets -- Locate your secret(s) based on the Azure AD Account template -- Click on the secret -- Click on Change Password Now -- Select Randomly Generated or Manual (and enter a password) -- Click on Change Password - -If there are any issues, please check the following: - -- SSDE.log on the Distributed Engine 
diff --git a/Scripts/SecretServer/DataBricks/Discovery/readme.md b/Scripts/SecretServer/DataBricks/Discovery/readme.md index ad7c1f5..5a9c83e 100644 --- a/Scripts/SecretServer/DataBricks/Discovery/readme.md +++ b/Scripts/SecretServer/DataBricks/Discovery/readme.md 
@@ -1,134 +1,618 @@ -# Adobe Acrobat Sign Account Discovery +# Delinea Secret Server / EntraID/Azure Databricks Integration Base configuration -## Create Discovery Source + +This connector provides the following functions + + + +- Discovery of Local Accounts + + +- Remote Password Changing of Local aUsers + + +- Heartbeats of Local Accounts to verify that user credentials are still valid + + + +Follow the Steps below to complete the base setup for this integration. These steps are required to run any of the processes. -### Create Adobe Sign Scan Template + + + +The following steps are required to create the Secret Template for Databricks Advanced Users: + + +### Create Databricks Tenant Scan Template + + - Log in to Secret Server Tenant -- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + - Click **Create Scan Template** + - Fill out the required fields with the information - - **Name:** (Example: Adobe Sign Tenant) - - **Active:** (Checked) - - **Scan Type:** Host - - **Parent Scan Template:** Host Range - - **Fields** - - Change HostRange to **tenant-url** - - Click Save - - This completes the creation of the Adobe Sign Scan Template Creation - -### Create Account Scan Template +- **Name:** (Example: Databricks Tenant) + +- **Active:** (Checked) + +- **Scan Type:** Host + +- **Parent Scan Template:** Host Range + +- **Fields** + +- Change HostRange to **tenant-url** + +- Click Save + +- This completes the creation of the Databricks Scan Template Creation + + + + + +### Create Databricks Account Scan Template + + - Log in to Secret Server Tenant -- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + - Click **Create Scan Template** + - Fill 
out the required fields with the information - - **Name:** (Example: Adobe Sign Account) - - **Active:** (Checked) - - **Scan Type:** Account - - **Parent Scan Template:** Account(Basic) - - **Fields** - - Change Resource to **tenant-url** - - Add field: Account-Admin (Leave Parent and Include in Match Blank) - - Add field: Local-Admin (Leave Parent and Include in Match Blank) - - Add field: Group-Admin (Leave Parent and Include in Match Blank) - - Add field: Service-Account (Leave parent and Include in Match Blank) - - Click Save - - This completes the creation of the Account Scan Template Creation - + +- **Name:** (Example: Databricks Account) + +- **Active:** (Checked) + +- **Scan Type:** Account + +- **Parent Scan Template:** Account(Basic) + +- **Fields** + +- Change Resource to **tenant-url** + +- Add field: Admin-Account (Leave Parent and Include in Match Blank) + +- Add field: Service-Account (Leave Parent and Include in Match Blank) + +- Add field: Local-Admin (Leave Parent and Include in Match Blank) + + +- Click Save + +- This completes the creation of the Account Scan Template Creation + + + + + + + + + + + + + + +- Discovery of Local Accounts + + + + + +- Remote Password Changing of Local aUsers + + + + + +- Heartbeats of Local Accounts to verify that user credentials are still valid + + + + + + + +Follow the Steps below to complete the base setup for this integration. These steps are required to run any of the processes. + + + + + + + + + + + + + + + + + + + + + + + +The following steps are required to create the Secret Template for Databricks Advanced Users: + + + + + + + +- Log in to the Delinea Secret Server (If you have not already done so) + + + + + +- Navigate to Admin / Secret Templates + + + + + +- Click on Create / Import Template + + + + + +- Click on Import. 
+ + + + + +- Copy and Paste the XML in the [Databricks User Advanced.xml File](./templates/Databricks%20User%20Advanced.xml) + + + + + +- Click on Save + + + + + +- This completes the creation of the User Account template + + + + + + + + + + + + + + + +- Log in to the Delinea Secret Server + + + + + +- Navigate to Admin / Secret Templates + + + + + +- Click on Create / Import Template + + + + + +- Copy and Paste the XML in the [Databricks Privileged Account.xml File](./templates/Databricks%20Privileged%20Account.xml) + + + + + +- Click on Save + + + + + +- This completes the creation of the secret template + + + + + + + + + + + +- Log in to the Delinea Secret Server + + + + + +- Navigate to Secrets + + + + + +- Click on Create Secret + + + + + +- Select the template created in the earlier step [Creating Secret Template for Privileged Account](#creating-secret-template-for-databricks-privileged-accounts) (in the example EntraID Application Identity) + + + + + +- Fill out the required fields with the information from the application registration + + + + + +- Secret Name (for example Databricks Privileged Account) + + + + + +- Tenant-URL (The URL of your Azure Databricks workspace.) + + + + + +- Client ID: Your Entra ID AD application's Client ID. + + + + + +- Client Secret: Your DataBricks Oauth2 secret that was mapped to the EntraID app. + + + + + +- Admin-Criteria - These are the Groups that will be used to identify an admin user in Databricks. These groups need to be comma separated of the Group Name. + + + + + +Examples: + + + + + +- admins + + + + + +- admins,samplegroup + + + + + +- SVC-Account-Criteria - These are the Groups that will be used to identify a Service Accounts + +These groups need to be Comma separated group names. 
+ + + + +Examples: + + + + +- ServiceAccounts1 + + + + +- ServiceAccounts1,ServiceAccounts2 + + + + + +- Click Create Secret Account) + +- **Active:** (Checked) + +- **Scan Type:** Account + +- **Parent Scan Template:** Account(Basic) + +- **Fields** + +- Change Resource to **tenant-url** + +- Add field: Account-Admin (Leave Parent and Include in Match Blank) + +- Add field: Service-Account (Leave Parent and Include in Match Blank) + +- Add field: Service-Account (Leave Parent and Include in Match Blank) + +- Add field: Local-Account (Leave parent and Include in Match Blank) + +- Click Save + +- This completes the creation of the Account Scan Template Creation + ### Create Discovery Script + + - Log in to Secret Server Tenant + - Navigate to**ADMIN** > **Scripts** + - Click on **Create Script** + - Fill out the required fields with the information from the application registration - - Name: ( example Adobe Sign Account Scanner) - - Description: (Enter something meaningful to your Organization) - - Active: (Checked) - - Script Type: Powershell - - Category: Discovery Scanner - - Merge Fields: Leave Blank - - Script: Copy and paste the Script included in the file [AdobeSign Discovery.ps1](./AdobeSign%20Discovery.ps1) - - Click Save - - This completes the creation of the Local Account Discovery Script - -### Create Adobe Sign Tenant Scanner + +- Name: ( example Databricks Account Scanner) + +- Description: (Enter something meaningful to your Organization) + +- Active: (Checked) + +- Script Type: Powershell + +- Category: Discovery Scanner + +- Merge Fields: Leave Blank + +- Script: Copy and paste the Script included in the file Databricks Discovery.ps1](./DataBricks-Account-Discovery.ps1) + +- Click Save + +- This completes the creation of the Local Account Discovery Script + + + +### Create Databricks Tenant Scanner + + - Log in to Secret Server Tenant -- Navigate to **ADMIN** > **Discovery** > **Configuration** > - - Click **Discovery Configuration Options** > 
**Scanner Definitions** > **Scanners** - - Click **Create Scanner** - - Fill out the required fields with the information - - **Name:** > Adobe Sign Tenant Scanner - - **Description:** (Example - Base scanner used to discover Adobe Sign) - - **Discovery Type:** Host - - **Base Scanner:** Manual Input Discovery - - **Input Template**: Discovery Source - - **Output Template:**: Adobe Sign Tenant (Use Temaplte that Was Created in the [Adobe Sign Scan Template Section](#create-adobe-sign-scan-template)) - - Click Save - - This completes the creation of the Adobe Sign Tenant Scanner - -### Create Adobe Sign Account Scanner + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > + +- Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** + +- Click **Create Scanner** + +- Fill out the required fields with the information + +- **Name:** > Databricks Tenant Scanner + +- **Description:** (Example - Base scanner used to discover Databricks Accounts) + +- **Discovery Type:** Host + +- **Base Scanner:** Manual Input Discovery + +- **Input Template**: Discovery Source + +- **Output Template:**: Adobe Sign Tenant (Use Template that Was Created in the [Databricks Tenant Scan Template Section](#create-databricks-tenant-scan-template)) + +- Click Save + +- This completes the creation of the Adobe Sign Tenant Scanner + + + +### Create Databricks Account Scanner + + - Log in to Secret Server Tenant -- Navigate to **ADMIN** > **Discovery** > **Configuration** > - - Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** - - Click **Create Scanner** - - Fill out the required fields with the information - - **Name:** (Example - Adobe Sign Account Scanner) - - **Description:** (Example - Discovers Adobe Sign accounts according to configured privileged account template ) - - **Discovery Type:** Accounts - - **Base Scanner:** PowerShell Discovery Create Discovery Script - - **Allow OU Inpurt**: Yes - - **Input Template**: 
Adobe Sign Tenant (Use Temaplte that Was Created in the [Adobe Sign Scan Template Section](#create-adobe-sign-scan-template)) - - **Output Template:**: Adobe Sign Account (Use Template that Was Created in the [Create Account Scan Template Section](#create-account-scan-template)) - - **Script:** Adobe Sign Account Scanner (Use Script Created in the [Create Discovery Script Section](#create-discovery-script)) - - - **Script Arguments:** - ```PowerShell - $[1]$search-mode $[1]$tenant-url $[1]$access-token $[1]$saml-enabled $[1]$service-account-group - ``` - - Click Save - - This completes the creation of the Adobe Sign Account Scanner + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > + +- Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** + +- Click **Create Scanner** + +- Fill out the required fields with the information + +- **Name:** (Example - Databricks Account Scanner) + +- **Description:** (Example - Discovers Databricks accounts according to configured privileged account template ) + +- **Discovery Type:** Accounts + +- **Base Scanner:** PowerShell Discovery Create Discovery Script + +- **Allow OU Import**: Yes + +- **Input Template**: Databricks Tenant (Use Template that Was Created in the [Databricks Tenant Scan Template Section](#create-databricks-tenant-scan-template)) + +- **Output Template:**: Databricks Account (Use Template that Was Created in the [Create Account Scan Template Section](#create-databricks-account-scan-template)) + +- **Script:** Databricks Account Scanner (Use Script Created in the [Create Discovery Script Section](#create-discovery-script)) + + + +- **Script Arguments:** + +```PowerShell + +$[1] $[1]$tenant-url $[1]$client-Id $[1]$client-Secret $[1]$admin-criteria $[1]$svc-account-criteria $[1]$domain-acct-criteria + +``` + +- Click Save + +- This completes the creation of the Databricks Account Scanner + + ### Create Discovery Source + + - Navigate to **Admin | Discovery | Discovery 
Sources** + - Click **Create** drop-down + - Click **Empty Discovery Source** + -Enter the Values below - - **Name:** (example: Adobe Sign Test Tenant) - - **Site** (Select Site Where Discovery will run) - - **Source Type** Empty + +- **Name:** (example: Databricks Tenant) + +- **Site** (Select Site Where Discovery will run) + +- **Source Type** Empty + - Click Save + - Click Cancel on the Add Flow Screen + - Click **Add Scanner** -- Find the Saas Tenant Scanner or the Scanner Creatted in the [Create Adobe Sign Tenant Scanner Section](#create-abode-sign-tenant-scanner) and Click **Add Scanner** -- Select the Scanner just Ceated and Click **Edit Scanner** -- In the **lines Parse Format** Section Enter the Source Name (example: Adobe Sign Test Tenant) + +- Find the Saas Tenant Scanner or the Scanner Created in the [Create Adobe Sign Tenant Scanner Section](#) and Click **Add Scanner** + +- Select the Scanner just Created and Click **Edit Scanner** + +- In the **lines Parse Format** Section Enter the Source Name (example: Databricks Tenant) + - Click **Save** + + - Click **Add Scanner** -- Find the Adobe Sign Account Scanner or the Scanner Creatted in the [Create ServiceNow Account Scanner Section](#create-adobe-sign-account-scanner) and Click **Add Scanner** -- Select the Scanner just Ceated and Click **Edit Scanner** + +- Find the Databricks Account Scanner or the Scanner Created in the [Create Databricks Account Scanner Section](#create-databricks-account-scanner) and Click **Add Scanner** + +- Select the Scanner just Created and Click **Edit Scanner** + - Click **Edit Scanner** + - Click the **Add Secret** Link -- Search for the Privoleged Account Secret created in the [instructions.md file](../Instructions.md) + +- Search for the Privileged Account Secret created in the [instructions.md file](../Instructions.md) + - Check the Use Site Run As Secret Check box to enable it - **Note Default Site run as Secret had to ne setup in the Site configuration. 
- See the [Setting the Default PowerShell Credential for a Site](https://docs.delinea.com/online-help/secret-server/authentication/secret-based-credentials-for-scripts/index.htm?Highlight=site) Section in the Delinea Documentation + +**Note Default Site run as Secret had to ne setup in the Site configuration. + +See the [Setting the Default PowerShell Credential for a Site](https://docs.delinea.com/online-help/secret-server/authentication/secret-based-credentials-for-scripts/index.htm?Highlight=site) Section in the Delinea Documentation + - Click Save -- Click on the Discovery Source yab and Click the Active check box + +- Click on the Discovery Source tab and Click the Active check box + - This completes the creation of theDiscovery Source + + ### Next Steps - The ServiceNow configuration is now complete. The next step is to run a manual discovery scan. -- Navigate to **Admin | Discovery** -- Click the **Run Discovery Noe** (Dropdon) and select **Run Discovery Now** + + + + +- Navigate to **Admin | Discovery** + +- Click the **Run Discovery Noe** (Dropdown) and select **Run Discovery Now** + - Click on the **Network view** Button in the upper right corner -- Click on the newly cretaed discocvery source -- Click the **Domain \ Cloud Accounts** yab to view the discovered accounts +- Click on the newly created discovery source + +- Click the **Domain \ Cloud Accounts** Tab to view the discovered accounts + + +## Optional Report + + + +In this section, There are instructions on creating an optional report to display user information found in the discovery. 
+ + + +- Login to Secret Server Tenant (If you have not already done so) + +- Navigate to the Reports module +- click on the New Report Button +- Fill in the following values: + - Name: The name of the Discovery Source you just Created in the [Create Discovery Source ](#create-discovery-source) Section + - Description: (Enter something meaningful to your organization) + - Category: Select the Section where you would like the report to appear (ex. Discovery Scan) + - Report SQL: Copy and Paste the SQL Query below + ***Note** " You must replace the WHERE d.DiscoverySourceId = 32 value with the Discovery Source ID of the Discovery source you are reporting on. You can find this by opening up the Discovery source and finding the ID in the URL + + +``` SQL + +SELECT + +d.[ComputerAccountId] + +,d.[CreatedDate] + +,d.[AccountName] AS [Username] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Tenant-url' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Domain] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Admin-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Admin] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Service-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Service Acount] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Local-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Service Acount] + +FROM tbComputerAccount AS d + +CROSS APPLY OPENJSON (d.AdditionalData) AS adata + +INNER JOIN tbScanItemTemplate AS s ON s.ScanItemTemplateId = d.ScanItemTemplateId + +WHERE d.DiscoverySourceId = 32 + +GROUP BY d.ComputerAccountId, d.AccountName, d.CreatedDate + + + +``` +- Click Save + +You will now find this report under the section you chose in the Category field. \ No newline at end of file diff --git a/Scripts/SecretServer/DataBricks/instructions.md b/Scripts/SecretServer/DataBricks/instructions.md index 92e227e..cdbc65f 100644 --- a/Scripts/SecretServer/DataBricks/instructions.md 
+++ b/Scripts/SecretServer/DataBricks/instructions.md 
@@ -1,114 +1,203 @@ + # Delinea Secret Server / EntraID/Azure Databricks Integration Base configuration + + This connector provides the following functions + + - Discovery of Local Accounts + + - Remote Password Changing of Local aUsers + + - Heartbeats of Local Accounts to verify that user credentials are still valid + + Follow the Steps below to complete the base setup for this integration. These steps are required to run any of the processes. + + ## Creating secret template for Databricks Accounts + + ## Creating secret templates for Databricks Accounts + + ### Creating secret template for User Accounts + + The following steps are required to create the Secret Template for Databricks Advanced Users: + + - Log in to the Delinea Secret Server (If you have not already done so) + + - Navigate to Admin / Secret Templates + + - Click on Create / Import Template + + - Click on Import. + + - Copy and Paste the XML in the [Databricks User Advanced.xml File](./templates/Databricks%20User%20Advanced.xml) + + - Click on Save + + - This completes the creation of the User Account template -### Creating secret template for Databricks Privileged Acounts + + +### Creating secret template for Databricks Privileged Accounts + + The following steps are required to create the secret template for the application registration: + + - Log in to the Delinea Secret Server + + - Navigate to Admin / Secret Templates + + - Click on Create / Import Template + + - Copy and Paste the XML in the [Databricks Privileged Account.xml File](./templates/Databricks%20Privileged%20Account.xml) + + - Click on Save + + - This completes the creation of the secret template + + ## Create secret in Secret Server for the Databricks Privileged Account + + - Log in to the Delinea Secret Server + + - Navigate to Secrets + + - Click on Create Secret + + - Select the template created in the earlier step [Creating Secret Template for Privileged Account](#creating-secret-template-for-privileged-account) (in the 
example EntraID Application Identity) + + - Fill out the required fields with the information from the application registration + + - Secret Name (for example Databricks Privileged Account) + + - Tenant-URL (The URL of your Azure Databricks workspace.) + + - Client ID: Your Entra ID AD application's Client ID. + + - Client Secret: Your DataBricks Oauth2 secret that was mapped to the Entra ID app. + + - Admin-Criteria - These are the Groups that will be used to identify an admin user in Databricks. These groups need to be comma separated of the Group Name. + + Examples: + + - admins + + - admins,samplegroup + + - SVC-Account-Criteria - These are the Groups that will be used to identify a Services + + Account User in Databricks. These groups need to be Comma separated group names. + + Examples: + + - ServiceAccounts1 + + - ServiceAccounts1,ServiceAccounts2 + + - Click Create Secret \ No newline at end of file diff --git a/Scripts/SecretServer/SalesForce/Instructions.md b/Scripts/SecretServer/SalesForce/Instructions.md index 9b5f081..e5a59a5 100644 --- a/Scripts/SecretServer/SalesForce/Instructions.md +++ b/Scripts/SecretServer/SalesForce/Instructions.md @@ -12,6 +12,8 @@ This connector provides the following functions - Heartbeats Coming by end of 1st quarter) to verify that user credentials are still valid +A heartbeat place holder has been provided so that the process is complete + For a temporary simulated Heartbeat process Please contact Delinea Account Manager to possibly engage Professional Services diff --git a/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat Placeholder.ps1 b/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat Placeholder.ps1 new file mode 100644 index 0000000..8d63ae9 --- /dev/null +++ b/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat Placeholder.ps1 @@ -0,0 +1 @@ +return $true \ No newline at end of file 
diff --git a/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat-BK.ps1 b/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat-BK.ps1 deleted file mode 100644 index 8e094bd..0000000 --- a/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat-BK.ps1 +++ /dev/null 
@@ -1,144 +0,0 @@ - #Expected Argumnts @("Privileged User Name","Privileged User Password", "Instance URL", "SF Client iD","clientSecret" , "Secret Server Admin User Domain","Secret Server Admin User",Secret Server Admin Password","New Password" ) - - $username = $args[0] #SFDC Integration Account - $password = $args[1] #SFDC Integration Account Password - $baseUrl = $args[2] - $tokenUrl = "$baseUrl/services/oauth2/token" - $api = "$baseUrl/services" - $clientId = $args[3] - $clientSecret = $args[4] - - <# - #Set Constant Varibles - $ssapi = "$SS_BaseUrl/api/v1" - $allowedDateDiff = 5 # In Minutes - #> - # Create a hashtable with the request parameters - $body = @{ - grant_type = "password" - client_id = $clientId - client_secret = $clientSecret - username = $username - password = $password - } | ConvertTo-Json - - <# - # for Debug Only - $value = "$Privusername $Privpassword $baseUrl $clientId $clientSecret $SSPrivilegedUserDomain $SSPrivilegedUserName $SSPrivilegedUserPassword $SS_BaseUrl $SFDCUserDomin $SFDCUserDomin $SecretID" - - #> - # Send a POST request to obtain an access token -$uri = "$api/Soap/u/39.0" -$encodedString = [Convert]::ToBase64String([char[]]'admin@blue.com:C0lb!3Y0ung47') -$Headers = @{} -$Headers.Add('Authorization', ("Basic {0}" -f $encodedString) ) -$Headers.Add('Content-Type','application/text') - #Invoke-WebRequest -Uri $uri -method Post -Headers $Headers - $tokenResponse = Invoke-RestMethod -Uri "https://login.salesforce.com/services/oauth2/token" -Method Post -Body $body -ContentType "application/json" - - # Extract access token from the token response JSON - $accessToken = $tokenResponse.access_token - function Get_Users{ - - try - { - $Headers = @{} - $Headers.Add('Authorization', ("Bearer {0}" -f $AccessToken)) - $Headers.Add('Content-Type', 'application/json') - - #Get UserID and Last Password Change Dta - $from = "USER" - $where = "(Username = '$UserName')" - $query = "SELECT ID,LastPasswordChangeDate FROM $from WHERE $where" - 
$SanitisedQuery = [System.Web.HttpUtility]::UrlEncode($Query) - $Uri = "$api/data/v55.0/query?q=$SanitisedQuery" - $response =Invoke-RestMethod -Uri $uri -Headers $Headers - $userId = $response.Records[0].iD - $uri = "$api/data/v59.0/sobjects/User/$userId/password" - Invoke-RestMethod -Uri $uri -Headers $Headers - - $Headers = @{} - $Headers.Add('username', "admin@blue.com") - $Headers.Add('password', "Colb!3Y0ung47") - $Headers.Add('Content-Type', 'application/json') - - - - - $uri = "$api/services/apexrest/getVisitDetails" - Invoke-RestMethod -Uri $uri -Method Post -Headers $Headers - - - - } - - Catch - { - $message = $_ - - Write-Error " $message" - exit 1 - } - } - - $userInfo = Get_Users - # https://MyDomainName.my.salesforce.com/services/data/v59.0/sobjects/User/005Hp00000eacK6IAI/password -H "Authorization: Bearer token" - - $body = @{ - loginUrl = $baseUrl - user = $username - password = $password - } | ConvertTo-Json - - #Set Secret Server Headers and Create Header - try - { - - $ssCreds = @{ - username = $SSPrivilegedUserName - password = $SSPrivilegedUserPassword - grant_type = "password" - } - - - $sstoken = "" - $response = Invoke-RestMethod -Uri "$SS_BaseUrl/oauth2/token" -Method Post -Body $ssCreds - $sstoken = $response.access_token; - - - - - $ssheaders = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" - $ssheaders.Add("Authorization", "Bearer $sstoken") - - } - - catch - { - $message = $Error[1] - - Write-Error " $message" - exit 1 - } - - function Get_ssLastChangDate{ - - try { - - $getSecret = Invoke-RestMethod -Uri "$ssapi/secrets/$secretId" -Headers $ssheaders -ErrorAction Stop - $lastChangedDate =$getSecret.items[6].itemValue - - } - catch { - $message = $Error[1] - Write-Error "Get_ssLastChangDate Failed $message" - exit 1 - } - return $lastChangedDate - } - - Get_Users - Write-Host $global:results - return $global:results - - \ No newline at end of file 
diff --git a/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat.ps1 b/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat.ps1 deleted file mode 100644 index 906f18d..0000000 --- a/Scripts/SecretServer/SalesForce/Remote Password Changer/SalesForce Heartbeat.ps1 +++ /dev/null 
@@ -1,124 +0,0 @@ -#Expected Argumnts @("Privileged User Name","Privileged User Password", "Instance URL", "SF Client iD","clientSecret" , "Secret Server Admin User Domain","Secret Server Admin User",Secret Server Admin Password","New Password" ) - - -$username = $args[0] #SFDC Integration Account -$password = $args[1] #SFDC Integration Account Password -$baseUrl = $args[2] -$tokenUrl = "$baseUrl/services/oauth2/token" -$api = "$baseUrl/services" -$clientId = $args[3] -$clientSecret = $args[4] - -<# -#Set Constant Varibles -$ssapi = "$SS_BaseUrl/api/v1" -$allowedDateDiff = 5 # In Minutes -#> -# Create a hashtable with the request parameters -$tokenParams = @{ - grant_type = "client_credentials" - client_id = $clientId - client_secret = $clientSecret - username = $username - password = $password -} - -<# -# for Debug Only -$value = "$Privusername $Privpassword $baseUrl $clientId $clientSecret $SSPrivilegedUserDomain $SSPrivilegedUserName $SSPrivilegedUserPassword $SS_BaseUrl $SFDCUserDomin $SFDCUserDomin $SecretID" - -#> -# Send a POST request to obtain an access token -$tokenResponse = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $tokenParams - -# Extract access token from the token response JSON -$accessToken = $tokenResponse.access_token -function Get_Users{ - - try - { - $Headers = @{} - $Headers.Add('Authorization', ("Bearer {0}" -f $AccessToken)) - $Headers.Add('Content-Type', 'application/json') - - #Get UserID and Last Password Change Dta - $from = "USER" - $where = "(Username = '$UserName')" - $query = "SELECT ID,LastPasswordChangeDate FROM $from WHERE $where" - $SanitisedQuery = [System.Web.HttpUtility]::UrlEncode($Query) - $Uri = "$api/data/v55.0/query?q=$SanitisedQuery" - $response =Invoke-RestMethod -Uri $uri -Headers $Headers - $userId = $response.Records[0].iD - $uri = "$api/data/v59.0/sobjects/User/$userId/password" - Invoke-RestMethod -Uri $uri -Headers $Headers - - } - - Catch - { - $message = 
$_ - - Write-Error " $message" - exit 1 - } - } - -$userInfo = Get_Users - # https://MyDomainName.my.salesforce.com/services/data/v59.0/sobjects/User/005Hp00000eacK6IAI/password -H "Authorization: Bearer token" - -$body = @{ - loginUrl = $baseUrl - user = $username - password = $password - } | ConvertTo-Json - -#Set Secret Server Headers and Create Header -try -{ - - $ssCreds = @{ - username = $SSPrivilegedUserName - password = $SSPrivilegedUserPassword - grant_type = "password" - } - - -$sstoken = "" -$response = Invoke-RestMethod -Uri "$SS_BaseUrl/oauth2/token" -Method Post -Body $ssCreds -$sstoken = $response.access_token; - - - - -$ssheaders = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" -$ssheaders.Add("Authorization", "Bearer $sstoken") - -} - -catch -{ -$message = $Error[1] - -Write-Error " $message" -exit 1 -} - -function Get_ssLastChangDate{ - - try { - - $getSecret = Invoke-RestMethod -Uri "$ssapi/secrets/$secretId" -Headers $ssheaders -ErrorAction Stop - $lastChangedDate =$getSecret.items[6].itemValue - -} - catch { - $message = $Error[1] - Write-Error "Get_ssLastChangDate Failed $message" - exit 1 - } - return $lastChangedDate -} - -Get_Users -Write-Host $global:results -return $global:results diff --git a/Scripts/SecretServer/SalesForce/Remote Password Changer/Salesforce Remote Password Changer.ps1 b/Scripts/SecretServer/SalesForce/Remote Password Changer/Salesforce Remote Password Changer.ps1 index 617a2ef..1f4eaad 100644 --- a/Scripts/SecretServer/SalesForce/Remote Password Changer/Salesforce Remote Password Changer.ps1 +++ b/Scripts/SecretServer/SalesForce/Remote Password Changer/Salesforce Remote Password Changer.ps1 
@@ -1,9 +1,7 @@ #Expected Argumnts @("username", "password", "clientId", "clientSecret", "kid", "tenant", "privuseremail", "privateKeyPEM") [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -$args = @("rroca66@delinea.com","@nd3rsL3327", "https://delinea6-dev-ed.develop.my.salesforce.com", "3MVG9Xl3BC6VHB.ZLyfZKb0Jasih5obkPHuF8E3MYeRPttN3lO.VSO3PUU8.jF165HSSV.zuDZEFLg_JECAr6", "3BFDA3D0B54B80EFAE72A42F480BB8B413E36A95EBC806B6B47EA4881AC81136","admin@blue.com","P3pper!2345" ) -[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 #Expected Argumnts @("Privileged User Name","Privileged User Password", "Instance URL", "SF Client iD","clientSecret" ,"SFDC UserName","SFDC User Domain" ,"New Password" ) #region Set Paramaters and Vaeiables @@ -104,7 +102,7 @@ try } $payload = $body | ConvertTo-Json $uri ="$api/data/v58.0/sobjects/User/$SFDCuserId/password" - $result = Invoke-RestMethod -Uri $uri -Method Post -Headers $Headers -Body $payload -ContentType "application/json" + Invoke-RestMethod -Uri $uri -Method Post -Headers $Headers -Body $payload -ContentType "application/json" } diff --git a/Scripts/SecretServer/SalesForce/Remote Password Changer/readme.md b/Scripts/SecretServer/SalesForce/Remote Password Changer/readme.md index f9ebc31..3ea3b8e 100644 --- a/Scripts/SecretServer/SalesForce/Remote Password Changer/readme.md +++ b/Scripts/SecretServer/SalesForce/Remote Password Changer/readme.md @@ -86,7 +86,7 @@ If you have not already done, so, please follow the steps in the **Instructions. - Navigate to **ADMIN** > **Remote Password Changing** -- Click on Options (Gropdown List) and select ***Configure Password Changers** +- Click on Options (Dropdown List) and select ***Configure Password Changers** - Click on Create Password Changer 
@@ -98,12 +98,10 @@ If you have not already done, so, please follow the steps in the **Instructions. - Under the **Verify Password Changed Commands** section, Enter the following information: -- **PowerShell Script** (DropdownList) Select PowerShell Script or the Script that was Creted in the [Heartbeat](#heartbeat-script) Section +- **PowerShell Script** (DropdownList) Select PowerShell Script or the Script that was Created in the [Heartbeat](#heartbeat-script) Section + +- **Script Args**: Leave Blank -- **Script Args**: -``` )9wershell -$tenant-url $[1]$username $[1]$password $[1]$client-id $[1]$client-secret $username $password -``` - Click **Save** @@ -122,7 +120,7 @@ $[1]$tenant-url $[1]$username $[1]$password $[1]$client-id $[1]$client-secret $u - Click **Save** -- This completes the creationof the RemotePassword Changer +- This completes the creation of the RemotePassword Changer @@ -174,11 +172,11 @@ $[1]$tenant-url $[1]$username $[1]$password $[1]$client-id $[1]$client-secret $u - Navigate to **ADMIN** > **Remote Password Changing** -- Click on Options (Gropdown List) and select ***Configure Password Changers** +- Click on Options Dropdown List) and select ***Configure Password Changers** - Select the Salesforce Remote Password Changer or the Password Changer created in the [create-password-change](#create-password-changer) section -- Click **Configure Scan Template at the bottom of the pasge** +- Click **Configure Scan Template at the bottom of the page** - Click Edit diff --git a/Scripts/SecretServer/SalesForce/readme.md b/Scripts/SecretServer/SalesForce/readme.md index 94c2a50..89936d0 100644 --- a/Scripts/SecretServer/SalesForce/readme.md +++ b/Scripts/SecretServer/SalesForce/readme.md 
@@ -1,7 +1,15 @@ + # Salesforce Delinea Secret Server Integration -This package is designed to discover and Manage ServiceNow User Accounts. It will provude detailed instructions and the neccessary Scripts to perform these functions. Before beging to implement any of the specific processes it is a requirement to perform the taskscontained in the overview.md document which can be found [Here](./Instructions.md) + + +This package is designed to discover and Manage ServiceNow User Accounts. It will provide detailed instructions and the necessary Scripts to perform these functions. Before beginning to implement any of the specific processes it is a requirement to perform the tasks contained in the instructions.md document which can be found [Here](./Instructions.md) + + + # Disclaimer + + The provided scripts are for informational purposes only and are not intended to be used for any production or commercial purposes. You are responsible for ensuring that the scripts are compatible with your system and that you have the necessary permissions to run them. The provided scripts are not guaranteed to be error-free or to function as intended. The end user is responsible for testing the scripts thoroughly before using them in any environment. The authors of the scripts are not responsible for any damages or losses that may result from the use of the scripts. The end user agrees to use the provided scripts at their own risk. Please note that the provided scripts may be subject to change without notice. \ No newline at end of file
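Review bot: Deleting `SalesForce Heartbeat.ps1` outright in the `@@ -1,124 +0,0 @@` hunk removes the only Salesforce heartbeat logic in the package (the OAuth token request, the `LastPasswordChangeDate` query and the Secret Server lookup) while the patch adds only a one-line `SalesForce Heartbeat Placeholder.ps1` in its place, and nothing in the patch says why. If the script was dropped because it never worked, that is worth recording: as written it referenced `$SS_BaseUrl`, `$SSPrivilegedUserName`, `$SSPrivilegedUserPassword` and `$secretId`, none of which are populated from `$args`, `Get_ssLastChangDate` is defined but never called, and `Get_Users` returns `$global:results` without ever setting it. A short note in the readme or an issue would stop the placeholder being mistaken for a working heartbeat.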
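Review bot: Removing the hard-coded `$args = @(...)` line in the `@@ -1,9 +1,7 @@` hunk of `Salesforce Remote Password Changer.ps1` is the right fix, but the values it held (an account e-mail and password, a Salesforce consumer key and consumer secret, and a second login and password) stay in repository history in this very commit; treat them as exposed, rotate them in Salesforce and in Secret Server, and consider purging them from history. The hunk also leaves two conflicting `#Expected Argumnts` header comments: the first one (`username, password, clientId, clientSecret, kid, tenant, privuseremail, privateKeyPEM`) describes a different changer and does not match how this script reads `$args`, so keep only the Salesforce line and fix the `Argumnts` spelling while you are there.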
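Review bot: Dropping the `$result =` assignment in the `@@ -104,7 +102,7 @@` hunk sends whatever `Invoke-RestMethod` returns for the `/sobjects/User/$SFDCuserId/password` call straight to the script's output stream; if Secret Server inspects script output to judge success, an unexpected object there can change the result. Either keep the assignment or append `| Out-Null`, and since the call sits inside a `try`, add `-ErrorAction Stop` so that a failed password set reliably lands in the `catch` rather than being reported as a successful change.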
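Review bot: The `@@ -86,7 +86,7 @@` hunk of the Remote Password Changer readme fixes `Gropdown` but keeps the unbalanced emphasis in `***Configure Password Changers**` (three asterisks open, two close), which renders as a stray asterisk; change it to `**Configure Password Changers**`.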
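Review bot: Setting the Verify Password Changed `Script Args` to `Leave Blank` in the `@@ -98,12 +98,10 @@` hunk, in the same patch that deletes `SalesForce Heartbeat.ps1` and adds a one-line placeholder, means the verify step no longer receives the instance URL, username, password, client ID or client secret that the removed argument line passed, so it cannot actually confirm the new password works. Say in the readme that verification is currently a placeholder (or wire the placeholder up to real arguments), and make sure the `[Heartbeat](#heartbeat-script)` link points at a section that documents this; otherwise an operator will read a passing verify as proof the rotation succeeded.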
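Review bot: The `@@ -122,7 +120,7 @@` hunk fixes `creationof` but leaves `RemotePassword Changer` without its space; the feature is called the Remote Password Changer everywhere else in this readme.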
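Review bot: The `@@ -174,11 +172,11 @@` hunk drops the opening parenthesis when correcting `Gropdown`, leaving `Click on Options Dropdown List)`; restore `Click on Options (Dropdown List)`. The same line carries the unbalanced `***Configure Password Changers**` emphasis seen earlier in the file, so fix both occurrences together.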
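Review bot: The rewritten paragraph in the `@@ -1,7 +1,15 @@` hunk of `Scripts/SecretServer/SalesForce/readme.md` still says the package is designed to `discover and Manage ServiceNow User Accounts`; this is the Salesforce package, so the product name is a copy-paste leftover. It also names the prerequisite file `instructions.md` while the link target and the file in the diffstat are `Instructions.md` (capital I); match the case so the stated filename is correct on case-sensitive filesystems, not only on Windows. The eight added blank lines around the two headings add nothing (one blank line is enough), and the file still ends without a trailing newline.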