
ARCON|PAM

Auto Onboarding Guide



Table of Contents
1 Introduction
2 AD Onboarding Installation
2.1 Pre-requisites
2.2 Implementation
2.2.1 ARCOS AD Scanner Setup
2.2.2 ARCOS User Service Onboarding Setup
2.2.3 Task Scheduler
2.3 Package Structure
2.3.1 Copying the package
2.4 ARCON AD Onboarding Hosting
2.4.1 Hosting AD Onboarding Application
2.4.1.1 Hosting Onboarding API
2.4.1.2 DB Settings configuration for Onboarding API
2.5 Configurations
2.5.1 OnboardingAPI Configurations
2.5.2 ARCONOnboarding UI Configurations
3 Accessing Auto-Onboarding
3.1 Auto On-Boarding
3.2 Microsoft Active Directory
3.2.1 User Onboarding
3.2.2 Service Onboarding
3.3 Amazon Web Services
3.3.1 User Onboarding
3.3.2 Service Onboarding
3.3.2.1 Databases
3.3.2.2 Windows VMs
3.3.2.3 Linux VMs
3.3.2.4 AWS Session Manager
3.4 Azure Active Directory
3.4.1 User Onboarding
3.4.2 Service Onboarding
3.4.2.1 Database
3.4.2.2 Windows VMs
3.4.2.3 Linux VMs
3.5 Default Service Details
3.6 Reports

Disclaimer

The handbook of ARCON PAM solution is being published to guide stakeholders and users. If any of the
statements in this document are at variance or inconsistent it shall be brought to the notice of ARCON through
the support team. Wherever appropriate, references have been made to facilitate a better understanding of the
PAM solution. ARCON team has made every effort to ensure that the information contained in it was correct at
the time of publishing.
Nothing in this document constitutes a guarantee, warranty, or license, expressed or implied. ARCON disclaims
all liability for all such guarantees, warranties, and licenses, including but not limited to: Fitness for a particular
purpose; merchantability; non-infringement of intellectual property or other rights of any third party or of
ARCON; indemnity; and all others. The reader is advised that third parties can have intellectual property rights
that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice
of competent legal counsel, without obligation of ARCON.

Copyright Notice
Copyright © 2022 ARCON All rights reserved.
ARCON retains the right to make changes to this document at any time without notice. ARCON makes no
warranty for the use of this document and assumes no responsibility for any errors that can appear in the
document nor does it make a commitment to update the information contained herein.

Trademarks
Other product and corporate names may be trademarks of other companies and are used only for explanation
and to the owners' benefit, without intent to infringe.

Sales Contact
You can directly contact us with sales-related topics at the email address <sales@arconnet.com>, or leave us
your contact information and we will call you back.


1 Introduction
ARCON PAM Onboarding enables auto-provisioning and auto-deprovisioning of Users and Services from Azure Active Directory and Amazon Web Services inside ARCON PAM. The process is seamless and takes as little time as possible to complete. It reduces the administrator's effort, increases efficiency, optionally copies the existing AD structure into ARCON PAM, and syncs data from the Active Directory in near real time.

Rule-based automation is a key principle that ARCON introduces to simplify various aspects of Azure and AWS management. This feature automates the creation of Users and their mapping to User Groups, the creation of Services and their mapping to Server Groups, and eventually the mapping of Users and Services.

Only an Administrator or User having the Auto On-Boarding privilege is able to auto onboard and deboard Users and Services from ARCON PAM. ARCON meets this requirement by providing an independent module named ARCON PAM Onboarding.


2 AD Onboarding Installation
This document will guide you through the steps involved in deployment for the ARCON Privileged Access
Management (PAM) AD Onboarding. The following steps are to be followed for the successful deployment of
ARCON PAM AD Onboarding in your environment.

2.1 Pre-requisites
Before installing ARCON PAM AD Onboarding, check the points listed below to ensure that your environment meets the minimum installation requirements for ARCON PAM AD Onboarding.

• Web API Configuration (for more information, refer to the Web API Configuration section of the Administrative Guide)
• An Active Directory account with read-only credentials to connect to the User, Computer Objects, and Organisational Units/Groups.
• Supported .NET Framework version 4.

2.2 Implementation
This section describes the steps to be followed for implementing the Onboarding and Deboarding process in
ARCON PAM and the Database settings for AD Scanner.

You need to run the following two executables in Task Scheduler to enable the auto onboarding and deboarding process.

• ARCOSADScannerService.exe: This service is used to scan details of the Active Directory and fetch
User/ Device details.
• ARCOSUserOnboardingService.exe: This service is used to auto onboard or deboard users/ devices.
These users and device details are scanned from Active Directory, using ARCOSADScannerService.

2.2.1 ARCOS AD Scanner Setup


The steps to execute ARCOS AD Scanner Setup are as follows:

1. Open the ARCOSADScannerSetup.msi file. The setup window opens. To install the setup, click Next.
2. Install in the pre-set folder or browse and change the folder, select the option Everyone, and click Next.
3. To confirm the installation, click Next.
4. When the installation is completed, click Close to exit.
5. Open the folder in which the setup was installed. Open the ARCOSADScannerService.exe.config file in Notepad and change the values of the keys baseurl and pamapiurl. Also change the value for the status of AWS or Azure to true, based on where the application is hosted.
6. To execute the application file, follow the steps in the Task Scheduler section.

2.2.2 ARCOS User Service Onboarding Setup


The steps to execute ARCOS User Service OnBoarding Setup are as follows:

1. Open the ARCOSUserServiceOnBoardingSetup.msi file. The setup window opens. To install the setup, click Next.
2. Install in the pre-set folder or browse and change the folder, select the option Everyone, and click Next.
3. To confirm the installation, click Next.
4. When the installation is completed, click Close to exit.
5. Open the folder in which the setup was installed. Open the ARCOSADScannerService.exe.config file in Notepad and change the values of the keys baseurl and pamapiurl. Also change the value for the status of AWS or Azure to true, based on where the application is hosted.
6. To execute the application file, follow the steps in the Task Scheduler section.

2.2.3 Task Scheduler


The steps to execute ARCOSADScannerService.exe on Task Scheduler are as follows:

1. Go to Run → Enter Task Scheduler.
2. Right-click on Task Scheduler Library and click Create Task.
3. Enter the required name for the task in the Name text field and the required description in the Description text field, and select the required Security Options based on the client requirements.
4. Go to the Actions tab and click New. A pop-up is displayed.
5. Click Browse and select ARCOSADScannerService.exe to be executed on the server.
6. Click Open. The service path is displayed.
7. Click OK. The action and its details are displayed.
8. Click OK to create the task.
9. Follow the same steps to execute ARCOSUserOnboardingService.exe.

The Triggers, Conditions, and Settings shall be configured based on the Client's requirement.
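
The same tasks can be registered from PowerShell with the built-in ScheduledTasks cmdlets. This is an added example, not part of the ARCON guide or product; the executable paths, task names, run-as account, 15-minute repetition and Limited run level are assumptions standing in for the client's requirements.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the Task Scheduler steps above.
# ASSUMPTIONS (placeholders, not values from the guide): executable paths,
# task names, run-as account, repetition interval and run level.

$RunAsUser = 'EXAMPLE\svc-pam-onboarding'   # hypothetical dedicated account
$Interval  = New-TimeSpan -Minutes 15       # assumed schedule

$Tasks = @(
    [pscustomobject]@{
        Name = 'ARCOS AD Scanner'
        Exe  = 'C:\PLACEHOLDER\ADScanner\ARCOSADScannerService.exe'
        Note = 'Scans Active Directory and fetches User/Device details'
    },
    [pscustomobject]@{
        Name = 'ARCOS User Onboarding'
        Exe  = 'C:\PLACEHOLDER\UserOnboarding\ARCOSUserOnboardingService.exe'
        Note = 'Auto onboards or deboards the scanned users/devices'
    }
)

function Register-OnboardingTask {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Task,
        [Parameter(Mandatory)] [pscredential]   $Credential,
        [Parameter(Mandatory)] [timespan]       $Interval
    )

    # Refuse to register an action that points at a missing binary.
    if (-not (Test-Path -LiteralPath $Task.Exe -PathType Leaf)) {
        Write-Warning "Skipping '$($Task.Name)': $($Task.Exe) not found."
        return
    }

    $action = New-ScheduledTaskAction -Execute $Task.Exe `
        -WorkingDirectory (Split-Path -Parent $Task.Exe)

    # Start one minute from now and repeat at the chosen interval.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
        -RepetitionInterval $Interval

    # Do not start a second copy while the previous run is still active,
    # and stop a run that hangs for more than an hour.
    $settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
        -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

    $register = @{
        TaskName    = $Task.Name
        Description = $Task.Note
        Action      = $action
        Trigger     = $trigger
        Settings    = $settings
        User        = $Credential.UserName
        Password    = $Credential.GetNetworkCredential().Password
        RunLevel    = 'Limited'   # assumption: the executables do not need elevation
        Force       = $true       # overwrite a task of the same name
    }
    Register-ScheduledTask @register | Out-Null

    # Read the task back so the run-as identity and action can be reviewed.
    Get-ScheduledTask -TaskName $Task.Name |
        Select-Object TaskName, State,
            @{ n = 'RunAs';   e = { $_.Principal.UserId } },
            @{ n = 'Execute'; e = { $_.Actions.Execute } }
}

$cred = Get-Credential -UserName $RunAsUser -Message 'Account the onboarding tasks run as'
$Tasks |
    ForEach-Object { Register-OnboardingTask -Task $_ -Credential $cred -Interval $Interval } |
    Format-Table -AutoSize
```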

2.3 Package Structure


2.3.1 Copying the package
This section provides information about how to configure ARCON PAM AD Onboarding on IIS Manager.

Use the following steps to configure ARCON Auto Onboarding:

1. Create the AutoOnboarding folder on the ARCON Solutions path, e.g. <Drive>:\ARCON Solutions\AutoOnboarding
2. Copy the ARCONAutoBoarding.zip and unzip files to the drive location created above, i.e. <Drive>:\ARCON Solutions\AutoOnboarding
3. Unzip the ARCONAutoOnboarding file.
4. Check that, for the OnboardingAPI folder (e.g. <Drive>:\ARCON Solutions\AutoOnboarding), Everyone has permission at the folder level.
5. The AutoOnboarding folder contains the OnboardingUI folder and the OnboardingAPI folder.

Give full permission to all folders of AutoOnboarding.


2.4 ARCON AD Onboarding Hosting


2.4.1 Hosting AD Onboarding Application
This topic provides information about how to configure the hosting of AD Onboarding.

Use the following steps to host the AD Onboarding Application.

1. Go to the Start button and type run.
2. In the Run window, type 'inetmgr'. The Internet Information Services (IIS) Manager window opens.
3. Click on the arrow sign of your <server name>.
4. Right-click on Sites and click Add Web Site.
5. Enter the following details in the Add Web Site window:

a. Site Name: ARCONAutoOnboarding UI
b. Physical Path: Select the path where the AutoOnboarding UI folder is placed.
c. Site Type: HTTP or HTTPS
d. IP Address: As required
e. Port: As required
f. Click Start website immediately and click the OK button.

2.4.1.1 Hosting Onboarding API

This section provides information about how to host the ARCON OnboardingAPI.

Use the following steps to add the application pool for ARCON OnboardingAPI.

1. Go to the Start button and type run.
2. In the Run window, type 'inetmgr'. The Internet Information Services (IIS) Manager window opens.
3. Click on the arrow sign of your <server name>.
4. Right-click on Sites and click Add Web Site.
5. Enter the following details in the Add Web Site window:

a. Site Name: ARCONAutoOnboarding API
b. Physical Path: Select the path where the AutoOnboarding API folder is placed.
c. Site Type: HTTP or HTTPS
d. IP Address: As required
e. Port: As required
f. Click Start website immediately and click the OK button.

The AWS API or the Azure API can be hosted similarly to the Onboarding API as required.

2.4.1.2 DB Settings configuration for Onboarding API

1. Go to the <Drive>:\ARCON Solutions\AutoOnboarding\OnboardingAPI\DBSetting folder.
2. Double-click 'ARCOSDBSettingCreator.exe'.
3. The ARCON PAM Database DBSettings.ini File Creator window opens. Enter the following details:

Connection Details (Primary)

a. Server IP – Enter the address where the AD Onboarding Database is located.
b. Server Port – Enter the port on which the ARCON PAM AD Onboarding Database will listen (default port is 1433).
c. Server Name – Enter the name of the server / IP address.
d. User Name – Enter the ARCON PAM AD Onboarding database name.
e. User Password – Enter the ARCON PAM AD Onboarding database password.
f. Database Name Details:

i. Primary Database: Enter the name of the Onboarding database as the Primary Database.
ii. RDP Database: Enter the name of the RDP Database.

Click the Generate ini file button to generate the ini file. The ini file is generated inside the DBSetting folder.


2.5 Configurations
2.5.1 OnboardingAPI Configurations
In the web.config file present in the AutoOnboarding folder, change the values of the keys PAMbaseURL and AzureURL or AWSUrl to the URL on which the Onboarding API is hosted.

• PAMBaseUrl: http://IP:port, e.g. "http://10.10.0.171:8001"
• AzureURL: http://IP:port/, e.g. "http://10.10.0.171:8093"
• AWSURL: http://IP:port/, e.g. "http://10.10.0.179:8097"

2.5.2 ARCONOnboarding UI Configurations


• In the ARCONONBOARDING assets folder (ARCONONBOARDING/assets/info/info.json), in the file info.json, update the value of the "BaseUrl" parameter to the URL on which the WebAPI will be hosted in IIS.
• BaseUrl: e.g. "http://10.10.0.171:8002"
• PAMBaseUrl: http://IP:port, e.g. "http://10.10.0.171:8001"
• AzureURL: http://IP:port/, e.g. "http://10.10.0.171:8093"
• AWSURL: http://IP:port/, e.g. "http://10.10.0.179:8097"

The AWS API and Azure API will require Internet access.
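
As an added example (not ARCON tooling), this PowerShell reviews the URL values described in 2.5.1 and 2.5.2: it reports each value's scheme and endpoint, flags values that are not absolute http/https URLs, and flags a key whose value differs between the two files. The embedded web.config and info.json are constructed samples, and their layout (keys under appSettings, top-level JSON properties) is an assumption.

```powershell
# Added example: sanity-check the URL keys of web.config and info.json.
# ASSUMPTION: the keys are <add key=... value=...> entries under <appSettings>
# and top-level properties of info.json. Both samples below are constructed;
# replace them with Get-Content -Raw on the real files.

$WebConfigXml = @'
<configuration>
  <appSettings>
    <add key="PAMBaseUrl" value="http://10.10.0.171:8001" />
    <add key="AzureURL"   value="http://10.10.0.171:8093" />
    <add key="AWSURL"     value="10.10.0.179:8097" />
  </appSettings>
</configuration>
'@

$InfoJson = @'
{
  "BaseUrl":    "http://10.10.0.171:8002",
  "PAMBaseUrl": "http://10.10.0.171:8010",
  "AzureURL":   "http://10.10.0.171:8093",
  "AWSURL":     "http://10.10.0.179:8097"
}
'@

function Get-UrlFinding {
    # Parses one configured value and reports scheme and host:port.
    param([string] $Source, [string] $Key, [string] $Value)

    $uri = $null
    $ok  = [uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref] $uri) -and
           ($uri.Scheme -in 'http', 'https')

    [pscustomobject]@{
        Source   = $Source
        Key      = $Key
        Value    = $Value
        Valid    = $ok
        Scheme   = if ($ok) { $uri.Scheme } else { $null }
        Endpoint = if ($ok) { '{0}:{1}' -f $uri.Host, $uri.Port } else { $null }
    }
}

function Get-OnboardingUrlReport {
    param([string] $WebConfig, [string] $InfoJsonText)

    $findings = @()

    # web.config: every appSettings key whose name ends in "url".
    ([xml] $WebConfig).configuration.appSettings.add |
        Where-Object { $_.key -match 'url$' } |
        ForEach-Object { $findings += Get-UrlFinding 'web.config' $_.key $_.value }

    # info.json: every top-level property whose name ends in "url".
    ($InfoJsonText | ConvertFrom-Json).PSObject.Properties |
        Where-Object { $_.Name -match 'url$' } |
        ForEach-Object { $findings += Get-UrlFinding 'info.json' $_.Name $_.Value }

    $findings
}

$report = Get-OnboardingUrlReport -WebConfig $WebConfigXml -InfoJsonText $InfoJson
$report | Format-Table -AutoSize

# Values that would not work as a base URL at all.
$report | Where-Object { -not $_.Valid } | ForEach-Object {
    Write-Warning "$($_.Source): '$($_.Key)' is not an absolute http/https URL: $($_.Value)"
}

# Same key, different value in the two files (Group-Object ignores case).
$report | Group-Object Key | Where-Object {
    @($_.Group.Value | Sort-Object -Unique).Count -gt 1
} | ForEach-Object {
    Write-Warning "'$($_.Name)' differs between files: $($_.Group.Value -join ' vs ')"
}
```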

Access the application through ARCON PAM Application → Manager → My Apps→ Auto-Onboarding

Only Administrators can assign the Auto-Onboarding privileges to the Users in the Server Manager.
Once the privilege is assigned, Users can see the Auto-Onboarding tab in the Server Manager.


3 Accessing Auto-Onboarding
3.1 Auto On-Boarding
To navigate to the Auto On-Boarding feature:

Log in to the ARCON PAM application → Manager → Auto On-Boarding icon

Click on the Auto On-Boarding icon. The Auto On-Boarding screen is displayed.

The Auto-Onboarding solution provides the following automation categories:

• Microsoft Active Directory
• Amazon Web Services
• Azure Active Directory

The Auto-Onboarding feature provides both User and Service Onboarding for each of the automation
categories.


3.2 Microsoft Active Directory


3.2.1 User Onboarding
User Onboarding is used to automate the process of onboarding Users into ARCON PAM. It enables
Administrators to auto-onboard and deboard the Users by interacting with the Active Directory.

For On-Boarding User, the following actions shall be performed:

1. Connect to Domain and scan Directory Details
2. Rule Creation (Optional)
3. Map multiple LOBs and Groups
4. Semi/Auto Onboard

The User Onboarding Dashboard screen displays the following information:

| Field Name | Description |
| --- | --- |
| Domain | Select the Domain and scan Directory Details |
| Rule | Create Rule |
| Mappings | Map multiple LOBs and Groups |
| Last Scan On | Displays last scan details in date and time format |
| Total Onboarded | Displays the count of total Users onboarded |
| Auto Onboarded | Displays the count of Users who are auto onboarded |
| Semi Onboarded | Displays the count of Users who are onboarded using the Semi Onboard feature. |
| Group-wise User Mapping | Displays a graphical representation of the count of new Users mapped to Groups. For example, in the above screen one User is added in the WINDOWS SERVERS User Group. |
| Date Wise User onboarded | Displays a graphical representation of the count of Users onboarded on the basis of date. |

Following are the steps to be followed for User Onboarding:

1. Select the User tab for User onboarding from the ARCON PAM Onboarding screen:

2. Click on Domain to connect to the Domain and scan Directory Details.

3. In the screen that opens, enter the required Directory type, Domain URL, Domain IP, Port Number, User name, and Password respectively, then click Connect.

Note: To scan AD Users, a user having Read-only access is required.

Note: For the Create PID functionality in User Onboarding, a user having Prefix-Suffix Rule Write-access is required.

4. Once the connection is successful, click the icon to view the available OUs in the domain.

1. Select the OU or group which is to be configured for Auto-onboarding, then select either the Child OU or the Parent OU using the toggle option, and click Select. The selected OUs are displayed in the OU Path field.

2. Click Next. The Rule screen is displayed.

3. To add a Rule, click the icon on the top-right corner of the screen. Create the rule as either Prefix-Suffix or Smart Tags and click Save.

The Add Rule screen contains the following Rules:

Prefix-Suffix

| Field Name | Description |
| --- | --- |
| Rule Name | Enter Name for Rule |
| Rule Status | Select to know Rule Status |
| Type | Select the Type |
| Value | Give a Value |
| Create PID in AD | Select to create PID in AD |
| Domain/Path | Select the Domain/Path |

Smart Tag

| Field Name | Description |
| --- | --- |
| Rule Name | Enter Name for Rule |
| Rule Status | Select to know Rule Status |
| Filter Type | Select the Filter Type |
| Filter Value | Give the Filter Value |

4. Click Next. The Mapping screen is displayed. In this case, since the Child OU was selected while selecting the OU to be configured, the Child OUs along with the Parent OU are displayed.

5. Select the required OU checkbox to map the LOB and Active Directory Groups of ARCON PAM.

6. Select the LOB corresponding to the selected OU. You can map multiple LOBs corresponding to the selected OU. The default naming convention for the new PAM groups created for each OU is based on the OU or Groups in Active Directory.

7. Add PAM Existing Groups corresponding to the selected OU and click the icon for mapping. All the existing groups in the LOB are available for selection under the PAM Existing Groups column. You can map multiple LOBs and Groups, and revoke the mapped LOBs and Groups, using the respective icons.

8. Once the LOB and Groups are mapped, select the required type of Onboard Process.

a. Semi: Users will be able to view the Review screen for verification before proceeding with onboarding.
b. Auto: Users will not view the Review screen for verification if Auto Onboarding is enabled. If all OUs are enabled for Auto Onboard, the Finish button is displayed at the bottom of the screen.

9. Click Save. A window pops up displaying the following message:
Active Directory Scan Successfully

10. Click Onboard User. A window pops up displaying the following message:
User Onboarded Successfully

3.2.2 Service Onboarding


Service Onboarding is used to automate the process of onboarding Services into ARCON PAM. It helps to automatically provision and deprovision services from your Active Directory or a supported Lightweight Directory Access Protocol (LDAP) directory that the organization uses. This process runs on an ongoing basis, allows review of selected devices, and automates changes in real time. LDAP allows unhindered and ceaseless access to Microsoft Active Directory services for real-time synchronization and information retrieval. Similar to LDAP, we also support the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Simple Network Management Protocol (SNMP) for seamless discovery and onboarding of network devices. For more information, please refer to the Network Discovery Document.

For On-Boarding Service, the following actions shall be performed:

1. Connect to Domain and scan Directory Details
2. Rule Creation (Optional)
3. Map multiple LOBs and Groups
4. Assign Rule
5. Semi/Auto Onboard

The Service Onboarding Dashboard screen displays the following information:


| Field Name | Description |
| --- | --- |
| Domain | Select Domain and scan Directory Details |
| Rule | Create Rule |
| Mapping | Map multiple LOBs and Groups |
| Last Scan | Displays last scan details in date and time format. |
| Total Onboarded | Displays the count of total Services onboarded. |
| Auto Onboarded | Displays the count of Services auto onboarded. |
| Semi Onboarded | Displays the count of Services onboarded using the Semi Onboard feature. |
| Group-wise Service Mapping | Displays a graphical representation of the count of new Services mapped to Groups. For example, in the above screen, one Service is added in the ADMIN USERS, ADMINS, and NEW JOINEES Server Groups. |
| Date Wise Services onboarded | Displays a graphical representation of the count of Services onboarded on the basis of date. |

Following are the steps to be followed for Service Onboarding:

1. Select the Service tab for Service onboarding from the ARCON PAM Onboarding screen:

2. Click on Domain to connect to the Domain and scan Directory Details.

3. Enter the required Service Directory Type, Domain URL, Domain IP, Port Number, Username, and Password in the respective text fields and click Connect.

Note: To scan devices in AD, a user having Read-only access is required.

4. Once the connection is successful, click the icon to view the available OUs in the domain.

5. Select the OU or the group to be configured for Auto-provisioning or Deprovisioning, then select either the Child OU or the Parent OU using the toggle option, and click Select. The selected OUs are displayed in the OU Path field.

6. Click Next. The Rule screen is displayed. Select the required Rule from the Rule dropdown and then configure the required details.

7. Click the icon to add a Rule. In the screen that is displayed, enter the required details and click Save. Rules can be deleted using the corresponding icon.

The Add New Rule screen contains the following fields:

| Field Name | Description |
| --- | --- |
| Rule Name | Enter the name for the Rule |
| Operating System | Select the required operating system. The valid values are: Windows, Desktop |
| Default Service Details | Select the Service Details. |
| Rule Status | Enable Rule |

Rule Types

| Field Name | Description |
| --- | --- |
| Default Privilege ID | Enable Default Privilege ID configuration |
| User Discovery | Enable User Discovery configuration |
| Device Filter | Enable Device Filter |
8. Depending on the rule, you can add and delete the following four configurations and create services on the basis of Privilege IDs or User Discovery.

a. Default Privilege ID: Devices are scanned and services are created based on the default Privilege IDs configured under Default Privilege ID.
For example, where one device is scanned from an OU and two privilege IDs are configured in the Rule, two services will be created based on the configured Rule.
b. User Discovery: Local Users are discovered from the scanned devices based on the User Discovery configuration and then services are created.
For example, if one Local User is discovered from a scanned device, and the User belongs to multiple User Groups, you will be able to view entries for all the User Groups to which the User belongs, but a single service will be created.
c. Device Filter: The devices can also be filtered by creating specific device filters based on the values provided.
d. Prefix-Suffix: Services are created based on the Rule Name.
For example, if one Local User is discovered based on the rule name, the User will be mapped to a created service based on the prefix-suffix for the User.

Default Privilege ID

| Field Name | Description |
| --- | --- |
| Default Privilege ID | Enter default privilege ID |
| Password | Enter default privilege ID password of service. |
| Service Type | Select type of service |
| Account Type | Select account type. The valid values are: Domain, Local |
| Port | Enter Port Number |
| Allow Schedule Password Change | Select to schedule password change of service |
| Vault Password | Select to vault password of service. |
| PAM Group Extension | Enter PAM Group Extension |

User Discovery

| Field Name | Description |
| --- | --- |
| Service Type | Select Service Type |
| Port | Enter port number |
| Allow Schedule Password Change | Select to schedule password change of service |
| Type of Smart Rule | Select type of Smart Rule. The valid values are: User-Based (to match on basis of Users), Group-Based (to match on basis of Groups) |
| Wildcard | Enter the required Wildcard, i.e. scan on the basis of a particular Wildcard. For example: `*adm*` denotes Contains string, `*adm` denotes Suffix, `adm*` denotes Prefix |
| PAM Group Extension | Enter required PAM Group extension |
| LOB | Select LOB |
| PAM Existing Groups | Select Groups |
| Allow Password Change | Select to allow password change |
| Use Global Password Policy | Select to use global password policy |
| Password Policy | Select the Password Policy |
| Allows Scheduled Password Change | Select to allow scheduled password change |
| Min Password Age | Select the minimum password age |
| Max Password Age | Select the maximum password age |

Device Filter Rule

| Field Name | Description |
| --- | --- |
| Filter Name | Enter the filter name |
| Filter Value | Enter the value for the filter |
| Filter Position | Select the filter position. The valid values are: StartWith, EndWith, Contains |

New Rule

| Field Name | Description |
| --- | --- |
| Rule Name | Select the Rule Name |
| Rule Type | Select the Rule Type |
| Value | Enter the Value |
| Service Type | Select the Service Type |
| Port | Enter the Port Number |
| PAM Extension Group | Enter required PAM Group extension |
| Vault Password | Select to vault password of service. |
9. Configure the details and click Save. A window pops up with the following message:
Record Saved Successfully

10. Then click Next. The next screen is displayed.

11. Select the required LOB, PAM New Groups, PAM Existing Groups, Rule, and Onboard Type corresponding to the selected OU and click Save. A window pops up displaying the following message: Data Saved Successfully. To onboard devices in bulk, select the checkbox corresponding to Users and click Onboard Devices. Unresolved Devices displays the devices for which details were not detected while scanning.

12. Click Next. Another window pops up displaying the following message:
Active Directory Scan Successfully

13. Click OK. Another window pops up displaying the following message:
Services Onboarded Successfully
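
The Wildcard field of the User Discovery rule and the Filter Position of the Device Filter rule describe the same three match forms. This added example (not from the ARCON guide or product) previews which names each form would select before a rule is enabled; the account names are constructed, and the case-insensitive comparison is an assumption about how the product matches.

```powershell
# Added example: preview the scope of a Wildcard / Filter Position rule.
# The account names are constructed sample data, not scan output.
$Accounts = 'Administrator', 'adm_backup', 'sqladmin', 'svc_web',
            'helpdesk-adm', 'madmax', 'Guest'

function ConvertTo-FilterRule {
    # Splits a wildcard such as '*adm*' into its literal value and the
    # equivalent Filter Position (StartWith, EndWith, Contains).
    param([Parameter(Mandatory)] [string] $Wildcard)

    $lead  = $Wildcard.StartsWith('*')
    $trail = $Wildcard.EndsWith('*')
    $value = $Wildcard.Trim('*')

    if ([string]::IsNullOrEmpty($value)) {
        throw "Wildcard '$Wildcard' has no literal part and would match every name."
    }
    if (-not ($lead -or $trail)) {
        throw "Wildcard '$Wildcard' has no '*'; only the three starred forms are defined."
    }

    $position = if ($lead -and $trail) { 'Contains' }
                elseif ($lead)          { 'EndWith' }     # *adm  = Suffix
                else                    { 'StartWith' }   # adm*  = Prefix

    [pscustomobject]@{ Value = $value; Position = $position }
}

function Test-FilterRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)]
        [ValidateSet('StartWith', 'EndWith', 'Contains')] [string] $Position
    )
    # ASSUMPTION: matching ignores case.
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    switch ($Position) {
        'StartWith' { $Name.StartsWith($Value, $cmp) }
        'EndWith'   { $Name.EndsWith($Value, $cmp) }
        'Contains'  { $Name.IndexOf($Value, $cmp) -ge 0 }
    }
}

function Get-WildcardPreview {
    # One row per wildcard, listing every name it would select.
    param([string[]] $Names, [string[]] $Wildcards)

    foreach ($w in $Wildcards) {
        $rule = ConvertTo-FilterRule -Wildcard $w
        $hits = @($Names | Where-Object {
            Test-FilterRule -Name $_ -Value $rule.Value -Position $rule.Position
        })
        [pscustomobject]@{
            Wildcard = $w
            Position = $rule.Position
            Count    = $hits.Count
            Matched  = $hits -join ', '
        }
    }
}

Get-WildcardPreview -Names $Accounts -Wildcards '*adm*', '*adm', 'adm*' |
    Format-Table -AutoSize -Wrap
```

With the sample names, the Contains form also selects 'madmax', which shows why the list a wildcard produces is worth reviewing before Auto onboarding is enabled for it.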


3.3 Amazon Web Services


3.3.1 User Onboarding
For On-Boarding User through Amazon Web Services, the following actions shall be performed:

1. Connect to Domain and scan the directory details.
2. Rule Creation
3. Map multiple LOBs and Groups
4. Semi/Auto Onboard

The User Onboarding Dashboard screen for Amazon Web Services displays the following information:

| Field Name | Description |
| --- | --- |
| Domain | Select the Domain and scan Directory Details |
| Rule | Create Rule |
| Mappings | Map multiple LOBs and Groups |
| Last Scan On | Displays last scan details in date and time format |
| Total Onboarded | Displays the count of total Users onboarded |
| Auto Onboarded | Displays the count of Users who are auto onboarded |
| Semi Onboarded | Displays the count of Users who are onboarded using the Semi Onboard feature. |
| Group-wise User Mapping | Displays a graphical representation of the count of new Users mapped to Groups. For example, in the above screen one User is added in the WINDOWS SERVERS User Group. |
| Date Wise User onboarded | Displays a graphical representation of the count of Users onboarded on the basis of date. |

Following are the steps to be followed for User Onboarding:


1. To Auto Onboard Users via Amazon Web Services, Select Amazon Web Services from the following
screen:

2. Select the User tab for User onboarding from the ARCON PAM Onboarding screen:

3. The following Dashboard will be displayed.


4. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

Note: Account having IAMFullAccess is required.

5. Click Rule. The following Rule screen is displayed. Based on these rules, the AWS Management Console
service created for the IAM user will be mapped to the respective LOB and groups.


6. To add a Rule, click on the top-right corner of the screen.

The Add Rule screen contains the following fields:

Field Name Description

Rule Name Enter Name for Rule

LOB Name Select LOB Name from the Dropdown

Existing Groups Based on the LOBs Selected, Select groups.



7. Click Save. The Rule will be displayed in the following screen:



9. Click Next. The following Mapping screen displays all the scanned AWS Groups. Select the Console
service rule that you want to map the group with.

10. Select the LOB corresponding to the selected GroupName. You can map multiple LOB's corresponding
to the selected GroupName.

11. Add PAM Existing Groups corresponding to the Group Name selected and click icon, for
mapping. All the existing groups in LOB shall be available for selection under PAM Existing Groups
column. You can map multiple LOB's and Groups, using icon. The mapped LOB's and Groups can be
revoked, using icon.


12. Once the LOB and Groups are mapped, select the required type of Onboard Process.

a. Auto: Users will not view the Review screen for verification, if Auto Onboarding is enabled. If
all groups are enabled for Auto Onboard, the Finish button will be displayed on the bottom of the
screen.
b. Semi: Users will be able to view the Review screen for verification before proceeding for
onboarding.

13. Click Save. A window pops up displaying the following message: Configuration Save Successfully
14. Click Onboard User. A window pops up displaying the following message: User Onboarded Successfully

3.3.2 Service Onboarding


For On-Boarding Service via Amazon Web Services, the following actions shall be performed:

1. Connect to Domain and scan Directory details


2. Rule Creation
3. Map multiple LOB's and Groups
4. Assign Rule
5. Semi/ Auto Onboard


The Service Onboarding Dashboard screen displays the following information:

Field Name Description

Domain Select Domain and scan Directory Details

Rule Create Rule

Mapping Map multiple LOB's and Groups

Last Scan Displays last scan details in date and time format.

Total Onboarded Displays the count of total Services onboarded.

Auto Onboarded Displays the count of Services, auto onboarded.

Semi Onboarded Displays the count of Services onboarded, using Semi
Onboard feature

Group-wise Service Mapping Displays graphical representation, count of new Services
mapped to Groups.
For example, in the above screen, one Service is added in
ADMIN USERS, ADMINS, and NEW JOINEES Server Groups.

Date Wise Services onboarded Displays graphical representation, count of Services
onboarded on basis of date.

Following are the steps to be followed for Service Onboarding via Amazon Web Services:


1. To Auto Onboard Services via Amazon Web Services, Select Amazon Web Services from the following
screen:

2. Select the Service tab for Service onboarding from the following screen:

3. Four types of services can be onboarded: Database, Windows VMs, Linux VMs, and AWS Session
Manager.

3.3.2.1 Databases

1. Click on Database. The following screen is displayed upon selecting the Service tab:

2. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

Note: Account having AWSRDSFullAccess is required.

3. Click Rule. The following Rule screen is displayed.

4. Click icon, to add Rule. The following screen is displayed. Rules can be deleted, using icon.

The Add New Rule contains the following fields:

Field Name Description

Rule Name Enter a name for Rule

Database Type Select the database type, the options are as follows:
SQL
Oracle
Postgres
MYSQL

Default Service Profile Select the default service profile based on which the
parameters will be set for the service created
5. Enter/ Select the required details and click Save. A window pops up displaying the following message:
Save Rule Successfully
6. Select the required Rule from the Rule dropdown and then configure the required details. Based on the
rule created, you can add multiple privileged ids within that rule. These are privileged accounts on the
cloud database instances to scan and onboard all of its local users. To create services on the basis of
Privilege ID's, configure the following details:

a. Default Privilege ID: Devices are scanned and services are created based on the configured
default Privilege ID's under Default Privilege ID.


Field Name Description

Default Privilege ID Enter default privilege ID

Password Enter default privilege ID password of service.

Service Type Select the type of service
MS SQL EM Local

Account Type Select account type. The valid values are:
Domain
Local

Port Enter Port Number

Vault Password Select to vault the password of the service.

Allow Password Change Select to allow password change

Use Global Password Policy Select to use a global password policy

Password Policy Select the Password Policy

Allows Scheduled Password Change Select to allow scheduled password change

Min Password Age Select the minimum password age

Max Password Age Select the maximum password age

7. Select the required LOB, PAM New Groups, PAM Existing Groups, Rule, and Onboard Type
corresponding to the AWS Key Pair selected and click Save. A window pops up displaying the following
message: Data Saved Successfully. To onboard devices in bulk, you shall select the checkbox
corresponding to Users and click Onboard Devices. Unresolved Devices shall display those device
details, for which details are not detected while scanning.

8. Click Save. A pop-up displays the message: Data saved successfully

9. Click Next to go to the review screen, where you verify and select the required checkbox and click Onboard
Devices. To onboard devices in bulk, you shall select the checkbox corresponding to Users and click
Onboard Devices. Unresolved Devices shall display those device details, for which details are not
detected while scanning.

10. Another window pops up displaying the following message:
Services Onboarded Successfully

3.3.2.2 Windows VMs

1. Click on Windows VMs. The following screen is displayed upon selecting the Service tab:

2. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

Note: Account having AmazonEC2FullAccess is required.

3. Click Rule. The following Rule screen is displayed.

4. Click icon, to add Rule. The following screen is displayed. Rules can be deleted, using icon.

The Add New Rule contains the following fields:

Field Name Description

Rule Name Enter a name for Rule

Operating System Select the OS Windows

Default Service Profile Select the default service profile based on which the
parameters will be set for the service created
5. Enter/ Select the required details and click Save. A window pops up displaying the following message:
Save Rule Successfully
6. Select the required Rule from the Rule dropdown and then configure the required details. Based on the
rule created, you can add multiple privileged ids within that rule. These are privileged accounts on the
cloud Windows instances to scan and onboard all of its local users. To create services on the basis of
Privilege ID's, configure the following details:


Field Name Description

Key Pair Name Enter keypair name of AWS keypair that was added during VM creation on AWS

Password Enter default privilege ID password of service.

Service Type Select the type of service
Windows RDP
App X RDP

Account Type Select account type. The valid values are:
Domain
Local

Port Enter Port Number

Vault Password Select to vault the password of the service.

Allow Password Change Select to allow password change

Use Global Password Policy Select to use a global password policy

Password Policy Select the Password Policy

Allows Scheduled Password Change Select to allow scheduled password change

Min Password Age Select the minimum password age

Max Password Age Select the maximum password age

7. Select the required LOB, PAM New Groups, PAM Existing Groups, Rule, and Onboard Type
corresponding to the AWS Key Pair selected and click Save. A window pops up displaying the following
message: Data Saved Successfully. To onboard devices in bulk, you shall select the checkbox
corresponding to Users and click Onboard Devices. Unresolved Devices shall display those device
details, for which details are not detected while scanning.

8. Click Save. A pop-up displays the message: Data saved successfully

9. Click Next to go to the review screen, where you verify and select the required checkbox and click Onboard
Devices. To onboard devices in bulk, you shall select the checkbox corresponding to Users and click
Onboard Devices. Unresolved Devices shall display those device details, for which details are not
detected while scanning.

10. Another window pops up displaying the following message:
Services Onboarded Successfully

3.3.2.3 Linux VMs

1. Click on Windows VMs. The following screen is displayed upon selecting the Service tab:

2. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

3. Click Rule. The following Rule screen is displayed.

Note: Account having AmazonEC2FullAccess is required.

4. Click icon, to add Rule. The following screen is displayed. Rules can be deleted, using icon.

The Add New Rule contains the following fields:

Field Name Description

Rule Name Enter a name for Rule

Operating System Select Linux

Default Service Profile Select the default service profile based on which the
parameters will be set for the service created
5. Enter/ Select the required details and click Save. A window pops up displaying the following message:
Save Rule Successfully
6. Select the required Rule from the Rule dropdown and then configure the required details. Based on the
rule created, you can add multiple privileged ids within that rule. These are privileged accounts on the
cloud Linux instances to scan and onboard all of its local users. To create services on the basis of Privilege
ID's, configure the following details:


Field Name Description

Key Pair Name Enter keypair name of AWS keypair that was added during VM creation on AWS

Password Enter default privilege ID password of service.

Service Type Select the type of service
SSH Linux

Account Type Select account type. The valid values are:
Domain
Local

Port Enter Port Number

Vault Password Select to vault the password of the service.

Allow Password Change Select to allow password change

Use Global Password Policy Select to use a global password policy

Password Policy Select the Password Policy

Allows Scheduled Password Change Select to allow scheduled password change

Min Password Age Select the minimum password age

Max Password Age Select the maximum password age

7. Select the required LOB, PAM New Groups, PAM Existing Groups, Rule, and Onboard Type
corresponding to the AWS Resource Group selected and click Save. A window pops up displaying the
following message: Data Saved Successfully. To onboard devices in bulk, you shall select the checkbox
corresponding to Users and click Onboard Devices. Unresolved Devices shall display those device
details, for which details are not detected while scanning.

8. Click Save. A pop-up displays the message: Data saved successfully

9. Click Next to go to the review screen, where you verify and select the required checkbox and click Onboard
Devices. To onboard devices in bulk, you shall select the checkbox corresponding to Users and click
Onboard Devices. Unresolved Devices shall display those device details, for which details are not
detected while scanning.

10. Another window pops up displaying the following message:
Services Onboarded Successfully

3.3.2.4 AWS Session Manager

Using this service, your Windows and Linux EC2 instances that have the AWS SSM Agent installed and are
added to AWS Fleet Manager are onboarded with connection taken through STS.

1. Click on AWS Session Manager. The following screen is displayed upon selecting the Service tab:

2. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

Note: Account having AmazonEC2FullAccess and permissions to generate STS tokens is required.
Please refer to the document for SSM using STS.

3. Click Rule. The following Rule screen is displayed.


4. Click icon, to add Rule. The following screen is displayed. Rules can be deleted, using icon.

The Add New Rule contains the following fields:

Field Name Description

Rule Name Enter a name for Rule

Operating System Select Linux or Windows

Default Service Profile Select the default service profile based on which the
parameters will be set for the service created
5. Click Add Role icon, to add new role. The following screen is displayed. Roles can be deleted, using
icon. Configure the STS role through which the connection to the EC2 instance will be made.

The Add New Role contains the following fields:

Field Name Description

Role Name Enter a name for Role

Role ARN Add the AWS ARN number for the Role

Service Type Select the EC2 Access using AWS SSM Service type
6. Enter/ Select the required details and click Save. A window pops up displaying the following message:
Save Rule Successfully
7. Select the required LOB, PAM New Groups, PAM Existing Groups, Rule, and Onboard Type
corresponding to the AWS Key Pair selected and click Save. A window pops up displaying the following
message: Data Saved Successfully. To onboard devices in bulk, you shall select the checkbox
corresponding to Users and click Onboard Devices. Unresolved Devices shall display those device
details, for which details are not detected while scanning.

8. Click Save. A pop-up displays the message: Data saved successfully

9. Click Next to go to the review screen, where you verify and select the required checkbox and click Onboard
Devices. To onboard devices in bulk, you shall select the checkbox corresponding to Users and click
Onboard Devices. Unresolved Devices shall display those device details, for which details are not
detected while scanning.

10. Another window pops up displaying the following message:
Services Onboarded Successfully
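
A check for the value entered as Role ARN in the Add New Role step above, added here as an example and not part of the ARCON guide or product: it validates the ARN shape and reviews the role's trust policy for wildcard or account-wide principals before the role is saved. The account IDs, role name, `pam-scanner` user and both trust policies are constructed samples, and `pam_principal_arn` (the identity the scanner authenticates as) is an assumption of this example.

```python
import re

# arn:<partition>:iam::<12-digit account>:role/<optional path/>name
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+$")
# A principal given as a bare account ID or as an IAM ARN inside that account.
ACCOUNT_RE = re.compile(r"^(?:arn:[\w-]+:iam::)?(\d{12})(?::.*)?$")


def _as_list(value):
    """IAM policy fields accept either a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_external_id(stmt):
    """True if any condition operator in the statement tests sts:ExternalId."""
    for operands in (stmt.get("Condition") or {}).values():
        if any(key.lower() == "sts:externalid" for key in operands):
            return True
    return False


def audit_sts_role(role_arn, trust_policy, pam_principal_arn):
    """Return findings for a role ARN and its trust policy (empty list = clean)."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        return ["role ARN is not a well-formed IAM role ARN"]
    role_account = m.group(2)
    findings, pam_named = [], False

    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        # Only Allow statements that can grant sts:AssumeRole matter here.
        if stmt.get("Effect") != "Allow" or not ({"sts:assumerole", "sts:*", "*"} & actions):
            continue
        if {"sts:*", "*"} & actions:
            findings.append("wildcard action in trust statement")

        principal = stmt.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = []

        for p in aws_principals:
            if p == pam_principal_arn:
                pam_named = True
            if p == "*":
                findings.append("any AWS principal may assume the role")
                continue
            acct = ACCOUNT_RE.match(p)
            if acct is None:
                findings.append(f"unrecognised principal: {p}")
                continue
            if p.endswith(":root") or p == acct.group(1):
                findings.append(f"whole account {acct.group(1)} is trusted")
            if acct.group(1) != role_account and not _has_external_id(stmt):
                findings.append(f"cross-account trust for {acct.group(1)} lacks sts:ExternalId")

    if not pam_named:
        findings.append("PAM principal is not named explicitly in the trust policy")
    return findings


# Constructed sample values (not taken from the guide).
ROLE_ARN = "arn:aws:iam::111122223333:role/pam-ssm-access"
PAM_PRINCIPAL = "arn:aws:iam::111122223333:user/pam-scanner"

TIGHT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": PAM_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}

LOOSE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_TRUST), ("loose", LOOSE_TRUST)):
        print(name, audit_sts_role(ROLE_ARN, policy, PAM_PRINCIPAL))
```
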

3.4 Azure Active Directory


3.4.1 User Onboarding
For On-Boarding User through Azure Active Directory, the following actions shall be performed:


1. Connect to Domain and scan Directory Details


2. Rule Creation
3. Map multiple LOB's and Groups
4. Semi/Auto Onboard

The User Onboarding Dashboard screen for Azure Active Directory displays the following information:

Field Name Description

Domain Select the Domain and scan Directory Details

Rule Create Rule

Mappings Map multiple LOB's and Groups

Last Scan On Displays last scan details in date and time format

Total Onboarded Displays the count of total Users onboarded

Auto Onboarded Displays the count of Users who are auto onboarded

Semi Onboarded Displays the count of Users who are onboarded, using Semi
Onboard feature.

Group-wise User Mapping Displays graphical representation, count of new Users mapped
to Groups.
For example, in the above screen one User is added in
WINDOWS SERVERS User Group.


Date Wise User onboarded Displays graphical representation, count of Users onboarded
on basis of date.

Following are the steps to be followed for User Onboarding:

1. To Auto Onboard Users via Azure Active Directory, Select Azure Active Directory from the following
screen:

2. Select User Onboarding.


3. The following Dashboard will be displayed.

4. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

Note: Account having User Administrator permissions is required.


5. The following Rule screen is displayed. Based on these rules, the Azure Portal console service created
for the Azure AD user will be mapped to the respective LOB and groups.

6. To add Rule click on the top-right corner of the screen.

a. The Add Rule screen contains the following fields:

Field Name Description

Rule Name Enter Name for Rule

LOB Name Select LOB Name from the dropdown


Existing Groups Based on the LOB selected, select groups

7. Click Save. The Rule will be displayed in the following screen.

8. Click Next. The following Mapping screen displays all the scanned Azure AD groups. Select the Console
service rule that you want to map the group with.

9. Select the LOB corresponding to the selected Azure AD Group. You can map multiple LOB's
corresponding to the selected Azure AD group. The Azure AD user that is created as an ARCON PAM
user is mapped based on this mapping.

10. Select the required Azure AD Group checkbox, to map LOB's and Groups of ARCON PAM.

11. Add PAM Existing Groups corresponding to the Azure AD Group selected and click icon, for
mapping. All the existing groups in LOB shall be available for selection under PAM Existing Groups
column.

You can map multiple LOB's and Groups, using icon. The mapped LOB's and Groups can be revoked,
using icon.
12. Click Save. A window pops up displaying the following message:
Configuration Save Successfully
13. Once the LOB and Groups are mapped, select the required type of Onboard Process.

a. Semi: Users will be able to view the Review screen for verification before proceeding for
onboarding.
b. Auto: Users will not view the Review screen for verification, if Auto Onboarding is enabled. If all
Azure AD Groups are enabled for Auto Onboard, the Finish button will be displayed on the bottom
of the screen.

14. Click Onboard User. A window pops up displaying the following message:
User Onboarded Successfully

3.4.2 Service Onboarding


For On-Boarding Service via Azure Active Directory, the following actions shall be performed:

1. Connect to Domain and scan Directory Details


2. Rule Creation
3. Map multiple LOB's and Groups
4. Assign Rule
5. Semi/ Auto Onboard

The Service Onboarding Dashboard screen displays the following information:

Field Name Description

Domain Enter details, to connect to Domain and scan Directory Details

Rule Create Rule

Mapping Map multiple LOB's and Groups


Last Scan Displays last scan details in date and time format.

Total Onboarded Displays the count of total Services onboarded.

Auto Onboarded Displays the count of Services, auto onboarded.

Semi Onboarded Displays the count of Services onboarded, using Semi
Onboard feature.

Group-wise Service Mapping Displays graphical representation, count of new Services
mapped to Groups.
For example, in the above screen, one Service is added in
ADMIN USERS, ADMINS and NEW JOINEES Server Groups.

Date Wise Services onboarded Displays graphical representation, count of Services
onboarded on basis of date.

Following are the steps to be followed for Service Onboarding:

1. To Auto Onboard Services via Azure Active Directory, Select Azure Active Directory from the
following screen:

2. Select the Service tab for Service onboarding from the ARCON PAM Onboarding screen:


3. You can onboard Database, Windows VMs, and Linux VMs under service onboarding.

On clicking service onboarding the following screen will be displayed.



3.4.2.1 Database

1. Click on Database, then click on Domain, to connect to the Domain and Scan Directory Details.

2. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

Note: Account having User Administrator permissions is required.

3. Click Next. The following Rule screen is displayed.


4. Click icon, to add Rule. The following screen is displayed. Rules can be deleted, using icon.

The Add New Rule contains the following fields:



Field Name Description

Rule Name Enter the name for Rule

Database Type Select the database type, the options are as follows:
SQL
Postgres
MYSQL


Default Service Profile Select the default service profile based on which the
parameters will be set for the service created
5. Enter/ Select the required details and click Save. A window pops up displaying the following message:
Save Rule Successfully.

6. Select the required Rule from the Rule dropdown and then configure required details. Based on the rule
created, you can add multiple privileged ids within that rule. These are privileged accounts on the cloud
database instances to scan and onboard all of its local users. To create services on the basis of Privilege
ID's, configure the following details:

a. Default Privilege ID: Devices are scanned and services are created based on the configured
default Privilege ID's under Default Privilege ID.

Field Name Description

Default Privilege ID Enter default privilege ID

Password Enter default privilege ID password of service.

Service Type Select type of service

Port Enter Port Number

Vault Password Select to vault password of service.

Allow Password Change Select to allow password change

Use Global Password Policy Select to use global password policy

Password Policy Select the Password Policy

Allows Scheduled Password Change Select to allow scheduled password change

Min Password Age Select the minimum password age

Max Password Age Select the maximum password age


7. Configure details and click Save. A window pops up with the following message:
Record Saved Successfully
8. Then click Next. The following screen is displayed.

9. Select the required LOB, PAM New Groups, PAM Existing Groups, Rule, and Onboard Type
corresponding to the Azure Resource Group selected and click Save. A window pops up displaying the
following message: Data Saved Successfully. To onboard devices in bulk, you shall select the checkbox
corresponding to Users and click Onboard Devices. Unresolved Devices shall display those device
details, for which details are not detected while scanning.
10. A window pops up displaying the following message:
Configuration Save Successfully
11. Click Next.
12. Click OK. Another window pops up displaying the following message:
Devices Onboarded Successfully

3.4.2.2 Windows VMs

1. On clicking service onboarding the following screen will be displayed.



2. Click on Windows VMs, then click on Domain, to connect to the Domain and Scan Directory Details.

3. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

Note: Account having User Administrator permissions is required.


4. Click icon, to add Rule. The following screen is displayed. Rules can be deleted, using icon.

a. The Add New Rule contains the following fields:



Field Name Description

Rule Name Enter the name for Rule

Operating System Select the OS Windows

Default Service Profile Select the default service profile based on which the
parameters will be set for the service created
5. Within a rule, you can add multiple privilege ids using which the users on VMs will be scanned. Privileged
ids can be added based on password or key. These are privileged accounts on the cloud
Windows instances to scan and onboard all of its local users. Select the required Rule from the Rule
dropdown and then configure required details. To create services on the basis of Privilege ID's,
configure the following details:


Field Name Description

Password

KeyPair Name Enter keypair name of Azure keypair that was added
during VM creation on Azure

Password Enter the password

Service Type Select type of service: Windows RDP or APP X-RDP

Port Enter Port Number

Vault Password Select to vault password of service.

Allow Password Change Select to allow password change

Use Global Password Policy Select to use global password policy

Password Policy Select the Password Policy

Allows Scheduled Password Change Select to allow scheduled password change

Min Password Age Select the minimum password age

Max Password Age Select the maximum password age

Key

KeyPair Name Enter keypair name of Azure keypair that was added
during VM creation on Azure

Key Enter the key

Service Type Select type of service: Windows RDP or APP X-RDP


Port Enter Port Number

Vault Password Select to vault password of service.

Allow Password Change Select to allow password change

Use Global Password Policy Select to use global password policy

Password Policy Select the Password Policy

Allows Scheduled Password Change Select to allow scheduled password change

Min Password Age Select the minimum password age

Max Password Age Select the maximum password age



6. Configure details and click Save. A window pops up with the following message:
Record Saved Successfully
7. Then click Next. The following screen is displayed.

8. Select the required LOB, PAM New Groups, PAM Existing Groups, Rule, and Onboard Type
corresponding to the Azure Resource Group selected and click Save. A window pops up displaying the
following message: Data Saved Successfully. To onboard devices in bulk, you shall select the checkbox
corresponding to Users and click Onboard Devices. Unresolved Devices shall display those device
details, for which details are not detected while scanning.
9. A window pops up displaying the following message:
Configuration Save Successfully
10. Click Next.

11. Click OK. Another window pops up displaying the following message:
Devices Onboarded Successfully


3.4.2.3 Linux VMs

1. On clicking service onboarding the following screen will be displayed.



2. Click on Linux VMs, then click on Domain, to connect to the Domain and Scan Directory Details.

3. To connect to the Domain and scan Directory Details, click Domain in the Dashboard, enter the required
details, and click Connect. Once the connection is successful, click Next.

Note: Account having User Administrator permissions is required.

4. Click icon, to add Rule. The following screen is displayed. Rules can be deleted, using icon.

a. The Add New Rule contains the following fields:



Field Name Description

Rule Name Enter the name for Rule

Operating System Select the OS Linux

Default Service Profile Select the default service profile based on which the
parameters will be set for the service created


5. Within a rule, you can add multiple privilege ids using which the users on VMs will be scanned. Privileged
ids can be added based on password or key. These are privileged accounts on the cloud Linux instances to
scan and onboard all of its local users. Select the required Rule from the Rule dropdown and then
configure required details. To create services on the basis of Privilege ID's, configure the following
details:

Field Name Description

Password

KeyPair Name Enter keypair name of Azure keypair that was added
during VM creation on Azure

Password Enter the password

Service Type Select type of service: SSH Linux

Port Enter Port Number

Vault Password Select to vault password of service.

Allow Password Change Select to allow password change

Use Global Password Policy Select to use global password policy

Password Policy Select the Password Policy

Allows Scheduled Password Change Select to allow scheduled password change

Min Password Age Select the minimum password age

Max Password Age Select the maximum password age

Key


KeyPair Name Enter keypair name of Azure keypair that was added
during VM creation on Azure

Key Enter the key

Service Type Select type of service: SSH Linux

Port Enter Port Number

Vault Password Select to vault password of service.

Allow Password Change Select to allow password change

Use Global Password Policy Select to use global password policy

Password Policy Select the Password Policy

Allows Scheduled Password Change Select to allow scheduled password change

Min Password Age Select the minimum password age

Max Password Age Select the maximum password age



6. Configure details and click Save. A window pops up with the following message:
Record Saved Successfully
7. Then click Next. The following screen is displayed.

8. Select the required LOB, PAM New Groups, PAM Existing Groups, Rule, and Onboard Type
corresponding to the Azure Resource Group selected and click Save. A window pops up displaying the
following message: Data Saved Successfully. To onboard devices in bulk, you shall select the checkbox
corresponding to Users and click Onboard Devices. Unresolved Devices shall display those device
details, for which details are not detected while scanning.
9. A window pops up displaying the following message:
Configuration Save Successfully
10. Click Next.

11. Click OK. Another window pops up displaying the following message:
Devices Onboarded Successfully


3.5 Default Service Details


In Onboarding Menu - Default Service Details, you can add various service profiles. These can be attached to
Rules using the Default Service Profile drop-down under Rule creation.

Based on the parameters set here, while onboarding and creation of services, these parameters will be used.

3.6 Reports
The reports or logs can be generated, viewed, and downloaded for all the services onboarded. From the side
panel select Service onboarding logs under Reports.


After selecting the Service onboarding logs option the following screen will be displayed.

Select the From Date, To Date, and the type of Onboard Process used. The onboard process consists of the
following options: All, Semi, and Auto. Then select Get Service Logs. The logs will be displayed in tabular format
as seen on the following screen.

Similar logs can be generated for the unresolved devices. The displayed logs can also be downloaded in
Excel, CSV, or PDF format.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any
means such as electronic, mechanical, photocopying, recording, or otherwise without permission.
