
Account Reviews

Regularly pool user accounts from systems and review them in a portal

  • Episodes: 12
  • Duration: 24m 53s
  • Languages: EN

Episode 4

Feed Types

The automation required to use the module

Introduction

In this section we go deeper into the types of Feed that exist and the output each one expects.

Feed Types

Refer to the table shown in the previous episode to see which type of feed you need: the choice depends on the type of Account Review (Exit, Snapshot or Differential) you want to run.

There are three types of feeds:

  • AWS: built into eramba, works with Amazon AWS IAM
  • LDAP: built into eramba, works with LDAP directories
  • Custom Scripts: your own scripts that pull data from any system and hand it to eramba

AWS Connector

The built-in AWS connector pulls the users and groups defined in IAM. For example, the following information will be pulled:

When you create an AWS feed, eramba asks for an IAM access key ID, its secret access key and the region. Obtain these from your AWS IAM administrator. Use a dedicated IAM user with read-only access to IAM: it only needs permission to list users and the groups each user belongs to (the iam:ListUsers and iam:ListGroupsForUser actions are the obvious candidates; the exact set your eramba version calls is not documented here, so confirm it before locking the policy down). Do not reuse an administrator's keys. The key pair is stored by eramba and is a credential for your AWS account, so treat the eramba server and its database backups as holding a secret.

After providing the credentials, click Save. eramba tries to connect to AWS and pull the accounts; if that fails (most of the time bad credentials or missing permissions) it shows you the error message it received from AWS.

If saving succeeds, the AWS connector is ready to be used in an Account Review (AR).

LDAP Connector

eramba can connect to LDAP directories (System / Settings / LDAP Connector) for several purposes: authentication to eramba, the Awareness module, and so on. There are two types of LDAP connector, Authentication and Group; this module needs the Group type only.

The Group connector pulls the list of groups in your directory and the users inside those groups. It then presents a table for review in which every user found (first column) has one or more associated groups.

Before you can use this feature you must create a Group connector and confirm that it works. When you create a Feed of the LDAP type you are asked which LDAP Group Connector to use and which groups from your directory to include in the reviews. Only users who are members of the groups you select are pulled, so choose groups that cover the accounts you actually want reviewed.

Custom Script

If the built-in LDAP and AWS connectors do not fit your use case, you can write a custom script that pulls data (accounts and so on) from any system and pushes it to eramba. Exit type reviews always need a custom script, because the list of current or former employees they compare against has to be produced by you.

A custom script produces one of two kinds of output, depending on the type of feed you want:

  • List of accounts: this is the list of accounts from your system
  • List of employees: this is the list of current or past employees

Regardless of the type, keep the following in mind about the output the script produces:

  • Always write UTF-8.
  • Always write the output to a file with the extension *.csv, with no spaces in the file name.
  • If you store the file on the eramba file system:
    • Always under the directory /var/www/eramba/app/upgrade/data/files/account_reviews
    • Use the same file name every run (the file is overwritten each time). Write to a temporary file in the same directory and rename it into place, so eramba never reads a half-written file.
    • The file must be readable by the process running Apache (www-data on Ubuntu). Do not make it world-writable: anyone who can edit this file can alter the result of the review.
  • If you push the file to eramba through the REST API:
    • Review the API documentation and the guides in this episode.

List of Accounts:

Every line of the CSV file must have three columns, so each line contains at least two commas even when the optional columns are empty.

  • The first column is mandatory and holds the account name.
  • The second column is optional (it can be left empty) and holds one or more groups/roles the account belongs to. Separate multiple groups/roles with the | character.
  • The third column is optional and holds any free text you want (a description, owner, last login and so on).

The following are examples of how this file can be formatted:

List of Employees

Exit type reviews need two feeds: one with the accounts (as shown above) and one with the list of current or former employees. The format of the employee list is:

  • The first column is mandatory and holds the employee's account number. It must use the same syntax as the account name in your accounts CSV, because eramba compares the two.
  • The second column is mandatory and holds any free text you wish to add. The following is an example of how this template could look:
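The format rules for both feeds, worked into a small script. This is an added example, not eramba's own code or an official template. It assumes that cell values contain no commas, double quotes or line breaks (the page does not say whether eramba's reader understands quoted CSV fields, so the script refuses such values rather than quoting them); the function names, the sample accounts and employees, and the orphaned "svc-backup" account are constructed for illustration. The Exit comparison is an exact match on the first column of each file, which is why both feeds must use the same identifier syntax; eramba's own matching rules are not described on this page.

```python
"""Build, validate and compare the two CSV feeds an eramba Custom Script
can produce (accounts list, employees list). Added example, not eramba code."""
import csv
import io
import os
import tempfile
from typing import Iterable, List, Tuple

GROUP_SEP = "|"                       # separator for several groups/roles in column 2
UNSAFE = (",", '"', "\n", "\r")       # assumption: keep cells safe for a plain comma split

# Constructed sample data (hypothetical accounts and employees, not real systems).
ACCOUNTS = [
    ("jdoe", ["admins", "developers"], "last login 2024-01-10"),
    ("svc-backup", [], "service account"),
    ("mroe", ["finance"], ""),
]
EMPLOYEES = [("jdoe", "active"), ("mroe", "left 2023-12-31")]


def _clean(value: str) -> str:
    """Reject characters that would break a naive comma/line split, then trim."""
    if any(ch in value for ch in UNSAFE):
        raise ValueError(f"unsafe character in field: {value!r}")
    return value.strip()


def accounts_rows(accounts: Iterable[Tuple[str, List[str], str]]) -> List[List[str]]:
    """(name, groups, note) -> three-column rows; column 1 mandatory, groups joined by '|'."""
    rows = []
    for name, groups, note in accounts:
        if not name.strip():
            raise ValueError("account name (column 1) is mandatory")
        rows.append([_clean(name), GROUP_SEP.join(_clean(g) for g in groups), _clean(note)])
    return rows


def employees_rows(employees: Iterable[Tuple[str, str]]) -> List[List[str]]:
    """(account number, note) -> two-column rows; both columns are mandatory."""
    rows = []
    for number, note in employees:
        if not number.strip() or not note.strip():
            raise ValueError("employee account number and note are both mandatory")
        rows.append([_clean(number), _clean(note)])
    return rows


def to_csv_text(rows: List[List[str]]) -> str:
    """Serialise rows as comma separated lines; empty optional cells still emit their comma."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def write_feed(rows: List[List[str]], path: str) -> str:
    """Write UTF-8 CSV atomically: temp file in the same directory, then rename.
    eramba therefore never sees a half-written file. Production path would be
    /var/www/eramba/app/upgrade/data/files/account_reviews/<name>.csv."""
    name = os.path.basename(path)
    if " " in name or not name.endswith(".csv"):
        raise ValueError("file name must end in .csv and contain no spaces")
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
        fh.write(to_csv_text(rows))
    os.chmod(tmp, 0o640)      # owner/group (e.g. www-data) can read; not world-writable
    os.replace(tmp, path)
    return path


def validate_accounts_text(text: str) -> List[List[str]]:
    """Check an accounts feed: every non-empty line has exactly 3 cells and a name."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        cells = line.split(",")
        if len(cells) != 3:
            raise ValueError(f"line {n}: expected 3 columns (2 commas), got {len(cells)}")
        if not cells[0]:
            raise ValueError(f"line {n}: account name is empty")
        rows.append(cells)
    return rows


def validate_accounts_feed(path: str) -> List[List[str]]:
    """Read the file as UTF-8 (fails on other encodings) and validate it."""
    with open(path, encoding="utf-8") as fh:
        return validate_accounts_text(fh.read())


def exit_candidates(accounts: List[List[str]], employees: List[List[str]]) -> List[str]:
    """Accounts whose name (column 1) matches no employee account number (column 1).
    Exact string comparison, so both feeds must use the same identifier syntax."""
    known = {row[0] for row in employees}
    return sorted(row[0] for row in accounts if row[0] not in known)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        acc = write_feed(accounts_rows(ACCOUNTS), os.path.join(d, "accounts.csv"))
        emp = write_feed(employees_rows(EMPLOYEES), os.path.join(d, "employees.csv"))
        print(open(acc, encoding="utf-8").read())
        print("no matching employee:", exit_candidates(validate_accounts_feed(acc),
                                                       employees_rows(EMPLOYEES)))
```

Run it as-is to see both files and the orphaned account; in a real deployment point the two `write_feed` calls at the account_reviews directory named above and run the script from cron as a user that shares a group with www-data.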