
Flex Connectors


Flex Connectors

Last Updated: December 12, 2020

Flex Connector is a SecurEnds term for a method of ingesting data into the SecurEnds cloud without using a pre-built connector.

Most popular Flex Connectors:

- Database Extract: tables can be mapped or a query can be pasted
- FTP/SFTP
- Other methods available upon request

Check out the instructions for DB Extract and FTP/SFTP.

DB Extract

Last Updated: March 16, 2022

App Creation in SecurEnds Tool

1. Log into the SecurEnds application as the Admin.
2. Go to Applications.
3. Click the Add button next to it to begin configuration.

Setup Application

1. Select the Data Ingestion method (radio button) for Flex Connector.
2. Provide an application Name.
3. Select an Agent option. The Agent is software that must be installed in the client's on-premise environment in order to pull data from applications such as Active Directory, Databases and Custom Applications.
   - Select Remote if you have Agent software already installed. The server where the agent is installed needs to have connectivity to the database. If an agent is required, contact your implementation consultant or submit a ticket via the SecurEnds Help Desk using the Report Issue link in the upper right corner of the application.
   - Select Local if the client has a SaaS database. No agent install is required. You will need to whitelist the SecurEnds IPs. Your Implementation Consultant can provide these.
4. Select Match By logic as Default(Email or FirstName and LastName) or Employee Id.
   - Default(Email or FirstName and LastName): The system will match the user using an email address available from the application, OR by first name and last name, when a sync is performed. This OR is evaluated for each row. For example, if an email address is present, that will be used to match the user to an email address found in the System of Record. If the email address is not present, then the first and last name will be used to match the user to a correct identity from the System of Record.
   - Employee Id: The system will only match on the Employee ID while syncing. This “ID” for the user in the application must be present within the System of Record data in order to be matched. First name, last name or email address is no longer a required data point.
5. Select Include Inactive Users to fetch all users while syncing.
   - Yes: The system will attempt to match all Active status users, along with all Inactive/Disabled status users within the application data, to an identity within the System of Record. If a match is found, these users will be included in any campaigns against this application.
   - No: The system will attempt to match only Active status users within the application data to an identity within the System of Record. If a match is found, these users will be included in any campaigns against the application.
6. Include Entitlements.
   - Yes: Will load the entitlement data from the application data when synced.
   - No: Use if the client only wants the user credentials from this application data (for credential access reviews).

Configure Application

1. Select/highlight the Application Connection Type as DB Extract.
2. Provide the details below to connect with applications using the Flex Connector:
   - DB UserName to log into the domain. Windows authentication is not supported. The service account must be created on the database server. For example: SecurEndsUser
   - DB Password. For example: dkjsde7y7hu3#%
   - DB Url:
       MySQL example: jdbc:mysql://ipaddress:3306/
       MySQL example: jdbc:mysql://hostname:1433/DBNAME
       SQL Server example: jdbc:sqlserver://hostname:1433;DatabaseName=DBNAME
       SQL Server example: jdbc:sqlserver://ipaddress:1433
       AS400 example: jdbc:as400://ipaddress:port;DatabaseName=DBNAME
       Oracle example: jdbc:oracle:thin:@hostname:port:DBNAME
       DB2 example: jdbc:db2://hostname:port/DBNAME
       DB2 example: jdbc:db2://ipaddress:port/DBNAME
       Postgres example: jdbc:postgresql://hostname:port/DBNAME
   - The proper DB Driver Name:
       com.mysql.cj.jdbc.Driver
       com.microsoft.sqlserver.jdbc.SQLServerDriver
       com.ibm.as400.access.AS400JDBCDriver
       oracle.jdbc.driver.OracleDriver
       com.ibm.db2.jcc.DB2Driver
       org.postgresql.Driver

Selecting a connection option

Select the SQL radio button if the application data exists across multiple tables within your database. When the required data exists across several tables within the database, the SQL statement option will be required. Several SecurEnds aliases will need to be a part of the SQL so the data is mapped properly.

Sample SQL statement – replace with the client data attribute within the [ ].
Optional attributes include: Middle Name, Manager Name, User Status, Last Login Date. See the Note below for other attributes which may be optional.

    SELECT
      [app credential] as commonNameColumn,  -- visible in the UAR UI
      [app credential] as distinguishedNameColumn,
      [user first name] as firstNameColumn,
      [user last name] as lastNameColumn,
      [user middle name or initial] as middleNameColumn,
      [user email address] as emailColumn,
      [manager's name or email address] as managerColumn,
      [entitlement/permission/role] as entitlementDNColumn,
      [entitlement/permission/role] as entitlementCNColumn,  -- copy of entitlementDNColumn
      [description of the entitlement/permission/role] as entitlementDescriptionColumn,
      [user app status] as accessStatusColumn,  -- i.e., Active, Inactive or Terminated
      [user last login date] as lastAuthenticationColumn,
      [user employee ID] as userid  -- needs to reside in SOR data also if used
    FROM [name of client table or SQL view]

Select the DB Details radio button if the application data exists all within a single table.

* denotes optional

- Table Name – name of the table within your database
- IAM User Column – User Credential
- Common Name Column – User Credential
- Distinguished Name Column – User Credential
- Last Authentication Column – User last login date
- First Name Column – User first name
- Middle Name Column – User middle name or initial
- Last Name Column – User last name
- Email Column – User email address
- Manager Column – User's Manager (name or email address)
- Entitlement DN Column – User Entitlement/Permission/Role. The reviewable attribute.
- Entitlement CN Column – User Entitlement/Permission/Role. The reviewable attribute.
- Entitlement Description Column – Description of the Entitlement/Permission/Role.
- Access Status Column – User application status. If empty, a user will be considered Active in the application.
- User Id – User employee ID (needs to be present in the SOR data)
- Additional columns – list additional column headers from the table, separated by commas.

Note: If your application data does not have a first or last name, email address or employee ID in the data, there are options for you.

Important – One of first/last name, email address or employee ID is REQUIRED to be in the app data in order to match the user to an identity you brought in from the System of Record. Otherwise, one or more or all of the users will be classified as Unmatched.

First Name/Last Name – Can be optional depending on the matching option selected under Setup Application, Step 4 above. If a user email address or user employee ID...

FTP/SFTP

Last Updated: March 16, 2022

Configuration Requirements

- Customer will need to have the SFTP folder available on their side.
- Customer needs to provide a User ID and Password so SecurEnds can configure the tool.
- Customer will need to go into the SecurEnds tool and update the SFTP credentials if the customer has a security policy which requires password rotation every X days.
- Customer will need to maintain a static file name for the file placed in the SFTP folder.

App Creation in SecurEnds Tool

1. In the Admin Console, go to Applications.
2. Click the Add button next to it to begin configuration.

Setup Application

1. Select Data Ingestion method as Flex Connector.
2. Enter the application Name.
3. Enter the Application Owner email information.
4. Agent is software that needs to be installed in your on-premise environment to pull data from applications such as Active Directory, Database and Custom Applications.
   - Select Yes if you have Agent software installed.
   - Select No if you don’t have any agent software installed.
5. Select Match By logic as Default(Email or FirstName and LastName) or Employee Id.
   - If we select Default(Email or FirstName and LastName), the system will match the user with Email or First Name and Last Name while syncing.
   - If we select Employee Id, the system will only match the Employee ID while syncing.
6. Select Include Inactive Users to fetch all users while syncing.
   - If we select Yes, all the Active status users along with Disabled status users will be added in the Matched users for AWS.
   - If we select No, then only Active users will be added to the Matched users for AWS.
7. Set Include Entitlements to Yes to load the entitlements on the application while syncing.

Configure Application

1. Search Connector in Featured Integrations and select SFTP/FTP.
2. Provide the “FTP Host” to log into the domain. Example: sftp.securends.com
3. Provide the “FTP Port”. Example: 22
4. Provide the “FTP UserName” to log into the domain. Example: test-user
5. Provide the “FTP Password”. Example: Password
6. Provide the “FTP File Location”.
   Location Format: /filename.filetype or /inbound/filename.filetype
   Example: /SCM_SE_01_20190101.txt or /inbound/SCM_SE_01_20190101.txt
7. Select the “Type”. Select one from the drop down: SFTP/FTP

Note: Please use the SecurEnds-provided SFTP sample file. The headers should be the same as in the provided file and are case sensitive.

If needed, select “Custom Configuration” to manually map the FTP/SFTP file headers to the SecurEnds headers.

When you export the application data (Gear icon->More->Export), SecurEnds will export the data to a CSV format and will have mapped the data to SecurEnds attributes. Below are the mapping details:

- Employee First Name – First Name
- Employee Middle Name – Middle Name
- Employee Last Name – Last Name
- Employee Email ID – Email
- Credential – Distinguished Name (Common Name will be a copy of Distinguished Name data)
- Manager Email ID – SOR Manager Email
- Employee Access Status – Access Status
- Employee ID – User Id
- Last Authentication Date – Last Authentication
- Role/Group/Permission – Entitlement DN (Entitlement CN will be a copy of Entitlement DN data)
- Role/Group/Permission Description – Entitlement Description
- Role Created Date – Entitlement Created Date
- Login Created Date – Credential Created Date

Note: If there are Purged Credentials or Purged Entitlements as a result of the most recent sync of the application, those are still present in the exported CSV data and will be denoted by a P within the Status and Entitlement Status attributes. You will want to exclude these from the CSV if you are just looking at data synced from the applications. Status codes of E (Excluded) and D (Deleted) are valid records from your application; the SecurEnds Admin has simply chosen to classify these records respectively through an earlier action.

Ticketing System Configuration

For more information on Ticketing System Configuration, Click here.

Click Save once finished to add the connector.
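
A pre-flight check for the Match By and Include Inactive Users settings described in both the DB Extract and FTP/SFTP articles, added here as an example: it is not SecurEnds code and only approximates the matching rules as the text states them, so that accounts likely to end up Unmatched can be found before a sync. The `preflight` function, the sample rows, the case-insensitive comparison, and the use of the left-hand names from the mapping list as file headers are all assumptions.

```python
import csv
import io

# Constructed System of Record identities (not real data).
SOR = [
    {"email": "ana.ruiz@example.com", "first": "Ana", "last": "Ruiz", "emp_id": "1001"},
    {"email": "", "first": "Bo", "last": "Chen", "emp_id": "1002"},
]
# Constructed feed; header names are assumed to be the left-hand names in the mapping list.
FEED = """\
Employee First Name,Employee Last Name,Employee Email ID,Employee ID,Credential,Employee Access Status
Ana,Ruiz,ANA.RUIZ@example.com,1001,aruiz,Active
Bo,Chen,,1002,bchen,
,,,,svc_backup,Active
Cy,Dole,cy.dole@example.com,,cdole,Inactive
"""

def norm(value):
    # Assumption: values are compared trimmed and case-insensitively.
    return (value or "").strip().lower()

def preflight(feed_text, sor, match_by="default", include_inactive=True):
    """Return (matched, unmatched, skipped) lists of Credential values."""
    emails = {norm(p["email"]) for p in sor} - {""}
    names = {(norm(p["first"]), norm(p["last"])) for p in sor}
    ids = {norm(p["emp_id"]) for p in sor} - {""}
    matched, unmatched, skipped = [], [], []
    for row in csv.DictReader(io.StringIO(feed_text)):
        # An empty Access Status counts as Active, as the DB Extract notes state.
        status = norm(row["Employee Access Status"]) or "active"
        if status != "active" and not include_inactive:
            skipped.append(row["Credential"])
            continue
        email = norm(row["Employee Email ID"])
        name = (norm(row["Employee First Name"]), norm(row["Employee Last Name"]))
        if match_by == "employee_id":
            hit = norm(row["Employee ID"]) in ids
        elif email:  # per-row OR: the email decides whenever one is present
            hit = email in emails
        else:        # no email on the row: fall back to first + last name
            hit = all(name) and name in names
        (matched if hit else unmatched).append(row["Credential"])
    return matched, unmatched, skipped

if __name__ == "__main__":
    for mode in ("default", "employee_id"):
        print(mode, preflight(FEED, SOR, match_by=mode))
```

Credentials in the unmatched list, such as a service account with no name, email or employee ID, are the ones that would fall outside a campaign until the feed or the System of Record is corrected.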
