RSA Archer GRC Application Guide

Transcription

1 RSA Archer GRC Application Guide Version 1.2 vember 2017

2 Contact Information RSA Link at contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management. Trademarks Dell, RSA, the RSA Logo, EMC and other trademarks, are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. For a list of RSA trademarks, go to License Agreement This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC. Third-Party Licenses This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA SecurCare Online. By using this product, a user of this product agrees to be fully bound by terms of the license agreements. te on Encryption Technologies This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product. Distribution Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CPATION MAKES NO REPRESENTATIONS WARRANTIES OF ANY KIND WITH RESPECT TO THE INFMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY FITNESS F A PARTICULAR PURPOSE. 2

3 Contents Revision History... 5 Preface... 6 Supported RSA Identity Governance and Lifecycle Version(s)... 6 Supported RSA Archer GRC Version(s)... 6 Audience... 6 What s in this Guide... 6 About Data Collection and Provisioning with RSA Archer GRC... 7 Prerequisites:... 7 Installing required certificates:... 7 Using RSA Archer Application Wizard to Configure Connector and Collectors Creating New RSA Archer GRC Collectors - ADC & EDC (Optional) Creating a New RSA Archer GRC Connector (Optional) General Settings Capabilities Command Input Parameters Login Create an Account Command Code How to configure the output parameter in the Create Account command Delete an Account Command Code Reset an Account Password Command Code Add Account to Group Command Code Remove Account from Group Command Code Enable an Account Command Code Disable an Account Command Code Update an Account

4 Command Code Add Application Role to Account Command Code Remove Application Role from Account Command Code Create a Group Command Code Delete a Group Command Code Update a Group Command Code Add Application Role to a Group Command Code Remove Application Role from a Group Command Code Add a Group to a Group Command Code Remove a Group from a Group Command Code Create a Role Command Code Delete a Role Command Code Update a Role Command Code Tips & Troubleshooting

5 Revision History Revision Number Version 1.0 Version 1.1 Version 1.2 Description RSA Archer GRC Updated Expiration date parameter mapping in account data collector. Updated document with minimum version support. 5

6 Preface This guide provides an overview of the Connector and Collectors for the RSA Archer GRC end point. The guide describes the required configurations, parameters, and mappings of different attributes between the Connector and Collectors and how to use the AppWizard to integrate the RSA Archer GRC application with RSA Identity Governance and Lifecycle. This guide includes use cases and troubleshooting tips. Supported RSA Identity Governance and Lifecycle Version(s) RSA Identity Governance and Lifecycle and later Supported RSA Archer GRC Version(s) 6.2 Audience This guide is intended for the users of RSA Identity Governance and Lifecycle, including security administrators, RSA Archer GRC application owners and system configuration administrators. What s in this Guide About Data Collection and Provisioning with RSA Archer GRC provides an overview of how Connectors and Collectors can help integrate RSA Identity Governance and Lifecycle with RSA Archer GRC. Using RSA Archer GRC Application Wizard to Configure Collectors and Connectors describes how to set up these Connectors and Collectors. Creating a New Archer GRC Connector (Optional) describes how to configure an Archer GRC connector without using the Application Wizard. The Application Wizard is the recommended way to configure the connector. Creating New Archer GRC Collectors - ADC and EDC (Optional) describes how to configure theses collectors without using the Application Wizard. The Application Wizard is the recommended way to configure the collectors. Tips & Troubleshooting lists possible errors and their solutions. It also describes how the Connector uses Login API to generate Session Token. 6

7 About Data Collection and Provisioning with RSA Archer GRC RSA Archer GRC provides IT security risk and compliance features. RSA Archer GRC solutions allow building an efficient, collaborative enterprise governance, risk and compliance (GRC) program across IT, finance, operations and legal domains. With RSA Archer GRC, one can manage risks, demonstrate compliance, automate business processes, and gain visibility into corporate risk and security controls. Integrating RSA Archer GRC with RSA Identity Governance and Lifecycle helps you improve access decisions, reduce the risk of inappropriate access, and better analyze security incidents by providing access to identity context and application entitlement data. RSA Identity Governance and Lifecycle s collector for RSA Archer GRC provides a rich data context about users (such as their access, identity attributes, violations, accounts, etc.) and applications (entitlements, access) from RSA Archer GRC. The RSA Archer GRC Connector helps you govern and provision user access to RSA Archer GRC. You can use the business governance processes within RSA Identity Governance and Lifecycle to request, provision, and de-provision user access to workspaces within RSA Archer GRC. Prerequisites: Installing required certificates: RSA Archer GRC certificate should be added to the appropriate trust-stores. Follow the steps mentioned below for adding certificates to the trust-stores of WebSphere, WebLogic and WildFly application servers. a. WebSphere Application Server: 1. Log in to WebSphere Administrative console ( 2. In left panel, expand Security menu. 3. Click on SSL certificate and then click the key management link. 4. Under Configuration Settings, click the Manage endpoint security configurations link. 5. Select Outbound properties for the appropriate node. 6. Click on appropriate node link to get the properties. 7. Under Related Items, click Key stores and certificates and then click the dedefaulttruststore key store. 8. Under Additional Properties, click Signer certificates and then click Retrieve From Port. 9. In the Host field, enter <host_name>, enter 443 in the Port field, and archer_cert in the Alias field 10. Click Retrieve Signer Information. 11. Verify that the certificate information is for a certificate that you can trust. 12. Click Apply and then click Save. 13. w, create RSA Archer GRC V3 collectors using below mentioned steps for creating the collectors. Even after following all 12 steps mentioned above, if collectors don t work as expected and show SSL certificate issue, the authority certificate must be added in the keystore. 14. w, again go to Key stores and certificates and click the Aveksa Keystore. 7

8 15. Under Additional Properties, click Signer certificates and then click Retrieve From Port. 16. In the Host field, enter authority url, 443 in the Port field, and authority_cert in the Alias field. 17. Click Retrieve Signer Information. 18. Verify that the certificate information is for the certificate that you can trust. 19. Click Apply and then click Save. 20. Login into WebSphere machine using SSH (e.g. putty). 21. On command prompt, run : /home/oracle/afx/afx stop 22. On command prompt, run : /opt/ibm/websphere/appserver/bin/stopserver.sh server1 23. On command prompt, run : /opt/ibm/websphere/appserver/bin/startserver.sh server1 24. On command prompt, run : /home/oracle/afx/afx start b. WebLogic Application Server : 1. Download/retrieve the RSA Archer GRC SSL certificate in PEM format e.g. archer.pem and save them at location /home/oracle. 2. Log in to WebLogic Administrative console. ( 3. Under Domain Configurations, in the Environement section, click Servers link. 4. Click aveksaserver link. 5. Click the SSL tab 6. Click Advanced link 7. Select HostName as Verification = ne. 8. Save the settings. 9. Login into WebLogic machine using SSH (e.g. putty). 10. cd /home/oracle/ 11. Add archer.pem certificate in server.keystore by using keytool : Run : keytool -import -file archer.pem -alias archer -keystore server.keystore Run : keytool -import -file <authority_certificate> -alias <alias> -keystore server.keystore 12. It will ask for keystore password. Default keystore password is Av3k5a15num83r0n3 13. Restart SSL on WebLogic Server as described below: a. Go to Servers > Controls tab. b. Select/check aveksaserver(admin) and then click Restart SSL 14. Restart the server. a. /home/oracle/afx/afx stop b. Run: /home/oracle/wls/ /user_projects/domains/aveksadomain/bin/stopwe blogic.sh c. Run:/home/oracle/wls/ /user_projects/domains/aveksaDomain/bin/star tweblogic.sh d. /home/oracle/afx/afx start c. WildFly Application Server : 1. Download/retrieve the RSA Archer GRC SSL certificate in PEM format e.g. archer.pem and save at some location. 2. cd <$JAVA_HOME>/jre/lib/security. 3. Add certificates in cacerts by using keytool: keytool -import -file archer.pem -alias archer -keystore cacerts 8

9 4. Password for keystore (unless you have made any changes) : changeit 5. Restart the server: a. Run : afx stop b. Run : acm stop c. Run : acm start d. Run : afx start 9

10 Using RSA Archer Application Wizard to Configure Connector and Collectors RSA Identity Governance and Lifecycle provides an Application Wizard which simplifies the process of setting up RSA Archer GRC Connector and Collectors. RSA recommends that you use the Application Wizard to initially set up RSA Archer GRC Connectors and Collectors. If you need to modify these Connectors/Collectors later on, then please refer to next section(s). 1) Log in to RSA Identity Governance and Lifecycle. 2) Go to Resources > Applications and click Create Application. 3) From the list of applications, select RSA Archer GRC. 4) Click Next. 5) The Setup page is there to provide an overview of the RSA Archer endpoint, as well as collector and connector information. w click Next. 6) Fill out the Connect page with information regarding connecting to the RSA Archer GRC endpoint. Application Name Scheme Host Port Admin Name Admin Password Website Name Instance Name Domain Name Paging to fetch data AFX Server Description Any name to identify this application HTTP or HTTPS Host name of the RSA Archer GRC endpoint server Port number of the RSA Archer GRC endpoint server RSA Archer GRC Administrator account name which will be getting used for the provisioning of different entities and collections RSA Archer GRC Administrator password Configured on RSA Archer GRC web server RSA Archer GRC Instance name RSA Archer GRC Domain name Paging size required to fetch data from RSA Archer GRC, by default it is 1000 ( being used for all the Collectors) Select Available AFX server from the drop down list Click Test Connection to check the connectivity to the endpoint from RSA Identity Governance and Lifecycle instance. 7) Click Next. 8) On the Confirm Changes page, confirm all the provided details. If there are any corrections required, click Back to return to previous page.. 9) Click Next. 10) The Change Summary page lists all the components created by this Application Wizard: A new RSA Archer GRC Application that will have Connector and Collectors binding. Custom attribute UserId created for Account Custom attribute GroupId created for Group Custom attribute RoleId created for Application Role Account Collector (ADC) to collect Accounts and Groups. Entitlement Collector (EDC) to collect entitlements of Account. 10

11 AFX Connector o Request Form o Account Template 11) Click Finish to close the Wizard. 11

12 Creating New RSA Archer GRC Collectors - ADC & EDC (Optional) The Application Wizard provides guidance for creating the RSA Archer GRC Collectors. Use this section only if you need to create a new RSA Archer GRC Collector, which can be configured later with some Application. The recommended approach is to use the Application Wizard to get the Application- Collectors-Connector binding and Account template configurations created. Prerequisites RSA Archer GRC Account Data Collectors and Entitlement Data Collectors use REST APIs provided by the RSA Archer end point. Ensure that the RSA Archer GRC endpoint has REST API support enabled and is accessible from the RSA Identity Governance and Lifecycle installed server location. Following attributes will be collected from RSA Archer GRC: Account Attribute AccountName Status GivenName FamilyName UserID Department businessunit LastLoginDate Company Phone Lockedstatus disabledstatus Group GroupName GroupID Role role_id Role_name Description 12

13 Alias updatedate isdefault Adding Additional Attributes (Custom Attributes) Login to RSA Identity Governance and Lifecycle Go to Admin > Attributes Account - Go to "Account" tab and add following attributes if they do not exist: Attribute Name Data Database ID Data Source In Detail In Popup Mandatory <one of available> Collected Yes Yes AccountNam e <one of available> Collected Yes Yes Status <one of available> Collected Yes Yes GivenName <one of available> Collected Yes Yes FamilyName <one of available> Collected Yes Yes UserID <one of available> Collected Yes Yes Yes Department <one of available> Collected Yes Yes BusinessUnit <one of available> Collected Yes Yes LastLoginDat e <one of available> Collected Yes Yes Company <one of available> Collected Yes Yes Phone <one of available> Collected Yes Yes Lockedstatus <one of available> Collected Yes Yes 13

14 Attribute Name Data Database ID Data Source In Detail In Popup Mandatory DisabledStat us <one of available> Collected Yes Yes Group - Go to "Group" tab and add following attributes if they do not exist: Attribute Name Data Database ID Data Source In Detail In Popup Mandatory GroupName <one of available> Collected Yes Yes GroupID <one of available> Collected Yes Yes Yes Role - Go to "Application Role" tab and add following attributes if they do not exist: Attribute Name Data Database ID Data Source In Detail In Popup Mandatory RoleID <one of available> Collected Yes Yes Yes RoleName <one of available> Collected Yes Yes Description <one of available> Collected Yes Yes Alias <one of available> Collected Yes Yes UpdateDate <one of available> Collected Yes Yes Collector Configuration To set up a new instance of the RSA Archer GRC Collectors (ADC/EDC): 1. Login to RSA Identity Governance and Lifecycle. 2. Select the application already created to create ADC or EDC (Resources > Applications). 3. Click the Collectors tab. 4. Click Create Account Collector or Create Entitlement Collector depending on the requirement. 5. Configure the collectors based on your requirements: 14

15 Creating new Account Data Collector (ADC) a. Configure the Collector Description screen with these values: Collector Name RSA Archer GRC Account Data Collector Description RSA Archer GRC s Account Data Collector Data Source RSA Archer GRC Agent AveksaAgent Business Source Application for RSA Archer GRC Status Active Copy from Select Existing RSA Archer GRC Account Collector if you want to use same collector configuration Scheduled Default : b. Click Next. c. Configure the Configuration Information screen referencing these values: Scheme http or https Host < Host or IP on which RSA Archer GRC Instance is running > Port <RSA Archer GRC Server port> Admin Name < Name of the Admin user to login> Admin Password < Password of the admin of the domain registered with RSA Archer 15

16 GRC> Application Name <Application name/website name> Instance Name <Instance Name of the RSA Archer GRC> Domain Name <Domain Name of the RSA Archer GRC> Paging to fetch data <Size of Paging data to be fetched at a time> Default : 1000 d. Click Next. e. Configure the Map Collector Attributes to Account Attributes screen with these values: Last Login Date <Custom attribute to collect Last Login Date> Expiration Date A n-mandatory field. t applicable to the RSA Archer Collector because there is no attribute similar to Expiration Date for accounts provided in the REST API response from RSA Archer. User Id userid f. Click Next. g. Configure the Map Collector Attributes to Account Mapping Attributes screen with these values: User Reference accountname h. Click Next. i. Configure the Map Collector Attributes to Group Attributes screen with these values: Group id groupid 16

17 Owner j. Click Next. k. Configure the Edit User Resolution Rules screen with these values: Target Collector <Cloud IDC> Default: Users User Attribute < Address> Default: UserID l. Click Next. m. Configure the Edit Member Account Resolution Rules screen with these values: Target Collector RSA Archer GRC Account Data Collector Account Attribute UserID n. Click Next. o. Configure the Edit Sub-group Resolution Rules screen with these values, Target Collector RSA Archer GRC Account Data Collector Group Attribute GroupID p. Click Finish to save this Collector. Creating new Entitlement Data Collector a. Configure the Collector Description screen with these values: 17

18 Collector Name RSA Archer GRC Entitlement Data Collector Description RSA Archer GRC s Entitlement Data Collector Business Source Application for RSA Archer GRC Data Source RSA Archer GRC Agent AveksaAgent Status Active Copy from Select Existing RSA Archer GRC Entitlement Collector if you want to use same collector configuration. Scheduled Default : b. Click Next. c. Configure the Configuration Information screen with these values: Scheme http or https Host < Fully qualified IP/hostname> Port <RSA Archer GRC Server port> Admin Name <Admin Username> Admin Password <Admin Password> Application Name < Application/Website name (Found in the RSA Archer control panel -> 18

19 Instance -> Web tab -> BaseUrl field)> Instance Name <RSA Archer GRC instance name> Domain Name <Archer Domian Name> Paging to fetch data <Size of paging data to be fetched at a time (default : 1000)> d. Click Next. e. Configure the Map Collector Attributes to App Role Attributes screen with these values: Role ID role_id of the App Role collected f. Click Next. g. Configure Group Evaluation screen with these values: Associated Collector Archer Account Data Collector Group value evaluates to GroupID h. Click Next. i. Configure Account Evaluation screen with these values: Associated account Collector Archer Account Data Collector Account value evaluates to UserID j. Click Finish to save the Collector. 19

20 Creating a New RSA Archer GRC Connector (Optional) The Application Wizard provides guidance for creating the RSA Archer GRC Connector. Use this section only if you need to create a new RSA Archer GRC Connector, which can be configured later with some Application. The recommended approach is to use the Application Wizard to get the Application- Connector binding and Account template configurations created. te: The created Connector will be in Test mode by default and cannot be used with any application unless it is set to the Active mode. Prerequisites RSA Archer GRC Connector makes use of REST APIs provided by the RSA Archer GRC endpoint. Make sure that the RSA Archer GRC endpoint has REST API support enabled and is accessible from the RSA Identity Governance and Lifecycle installed server location. Connector Configuration Set up a new instance of the RSA Archer GRC Connector: The Connector creation is made up of three sections: General General details about the Connector; such as. the name, type, etc. Settings The connection settings required to connect RSA Identity Governance and Lifecycle with the endpoint application in consideration. Capabilities These are the list of verbs or capabilities that theconnector supports; for example: Create, Update, Delete, etc. To set up a new instance of the RSA Archer GRC connector without using the Application Wizard: 1. Log in to RSA Identity Governance and Lifecycle. 2. From the top menu bar, go to AFX > Connectors. 3. Click Create Connector. 4. Use the reference tables below to configure the connector. General The following describes the Parameters the General page. Parameter Name <Provide Connector instance Name> Description <Provide some description for this Connector instance> 20

21 Server <Select available AFX Server> Connector Template RSA Archer GRC State Test (It can be changed later to Active, once capabilities are tested) Export As Template Name of Connector template te: When you are satisfied your connector is configured properly, change the state to Active. automated provisioning will occur while in the Test state. It is recommended that you test all enabled commands using Test Connector Capabilities prior to changing to the Active state. Settings The following table describes the parameters on the Settings page. Description Scheme HTTP or HTTPS (Scheme to use to access the RESTful web service) In case of using HTTPS, make sure that all the required certificates (Archer server certs as well as all the certs required in chain) are added to the jre s keystore. ( See the Troubleshooting and Tips section for information about keystore settings.) Host <Fully qualified RSA Archer Server Hostname/IP> Port <Port number to access Archer server rest services> Admin Username <Username for authentication> Admin Password <Password for authentication> Application Name <Application/Website name> Can be found in the RSA Archer GRC control panel > Instance > Web tab> BaseUrl field 21

22 Instance Name <RSA Archer GRC Instance Name> Domain Name <RSA Archer GRC Domain Name> Follow redirects (GET requests only) <If checked and the RESTful web service call is a GET, redirects will be followed> Response timeout (in milliseconds) <The number of milliseconds to wait for a response> (default is 10000) Asynchronous callback? If checked, after a successful response from the web service, AFX will wait for a callback Proxy Host <Hostname of the proxy server> Proxy Port <Port of the proxy server> Default : 0 Proxy User Name <User name for the proxy server> Proxy Password <Password for the proxy server> Capabilities The following capabilities are supported for the RSA Archer GRC Connector: Category Command Login Account Login Create an Account Delete an Account Reset an Account Password Add Account to Group Remove Account from Group Enable an Account Disable an Account Update an Account Add Application Role to Account 22

23 Group Role Remove Application Role from Account Create a Group Delete a Group Update a Group Add Application Role to a Group Remove Application Role from a Group Add a Group to a Group Remove a Group from a Group Create a Role Delete a Role Update a Role Command Input Parameters Login Path ${Settings.Application}/api/core/security/login Encode Path Check if path encoding required Default- unchecked(false) Method POST Request Headers Content-:application/json Request body {"UserDomain":"","Password":"${Settings.Password}","Username":"${Settings.Username}", "InstanceName":"${Settings.Instance}"} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 23

24 Partial Match: unchecked for both Expression : statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match: unchecked for both Brief Response Expression : JsonPath Expression: ValidationMessages[0]/MessageKey Expression :statuscode Detailed Response Expression : JsonPath Expression: ValidationMessages[0]/MessageKey Expression : statuscode Expression :JsonPath Expression: RequestedObject/ te: input parameters should be configured, use parameters from Settings page as ${Settings.paramName} if required in request body. Create an Account FirstName 24

25 Default Is the parameter required? Yes Is the parameter encrypted? First Name Mapping ${User.First_Name} Account First Name LastName Default Is the parameter required? Yes Is the parameter encrypted? Last Name Mapping ${User.Last_Name} Account Last Name 25

26 Password Default Is the parameter required? Yes Is the parameter encrypted? Yes Password Mapping ${AccountTemplate.Password} Account Password Default Is the parameter required? Is the parameter encrypted? Mapping 26

27 UserName Default Is the parameter required? Yes Is the parameter encrypted? Yes UserName Mapping ${User.UserId} Username Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/user Encode Path Check if path encoding required Default- unchecked(false) 27

28 Method POST Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"User":{"FirstName":"${FirstName}","LastName":"${LastName}", "UserName":"${UserName}"}, "Password":"${Password}"}} te: Can add more parameters to create account, with valid json request. Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath 28

29 Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example:statuscode/jsonpath How to configure the output parameter in the Create Account command 1. Login to RSA Identity Governance and Lifecycle. 2. From the top menu bar, click AFX > Connectors 3. Click on the RSA Archer GRC Connector for which you want to configure the output parameter. 4. Click Edit. 5. Click the Capabilities tab and then click Create an Account. 6. Under Command Output Parameters, click Add More. 7. Provide AccountId as and select Account.User_Id as Mapping. 8. In AccountId response at the end of the page, select JsonPath as Expression and add RequestedObject/Id as Expression 9. Click OK to save the configurations 29

30 Delete an Account AccountId Number Default Is the parameter required? Yes Is the parameter encrypted? Account Id Mapping ${Account.UserId} Account Id to be deleted Default Is the parameter required? Is the parameter encrypted? Mapping 30

31 Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/user/${AccountId} Encode Path Check if path encoding required Default- unchecked(false) Method DELETE Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 31

32 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Reset an Account Password AccountId Number Default Is the parameter required? Yes Is the parameter encrypted? Account Id 32

33 Mapping ${Account.UserId} Id of account who s password is to be reset Default Is the parameter required? Is the parameter encrypted? Mapping Password Default Is the parameter required? Yes 33

34 Is the parameter encrypted? Yes New Password Mapping New Password value Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/userpassword Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"UserId":${AccountId},"NewPassword":"${Password}"} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 34

35 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Add Account to Group AccountId Number Default 35

36 Is the parameter required? Yes Is the parameter encrypted? Account Id Mapping ${Account.UserId} Account Id to be added to group GroupId Number Default Is the parameter required? Yes Is the parameter encrypted? Group Id Mapping ${Group.Group_Id} Group Id where account is to be added 36

37 Default Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/usergroup Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"UserId":${AccountId},"GroupId":${GroupId},"IsAdd":true} 37

38 Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath 38

39 Remove Account from Group AccountId Number Default Is the parameter required? Yes Is the parameter encrypted? Account Id Mapping ${Account.UserId} Account Id to be removed from group GroupId Number Default Is the parameter required? Yes Is the parameter encrypted? Group Id 39

40 Mapping ${Group.Group_Id} Group Id where account is to be removed Default Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/usergroup Encode Path Check if path encoding required 40

41 Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"UserId":${AccountId},"GroupId":${GroupId},"IsAdd":false} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage 41

42 Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Enable an Account AccountId Number Default Is the parameter required? Yes Is the parameter encrypted? Account Id Mapping ${Account.UserId} Account Id to be enabled Default 42

43 Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/user/status/active/${AccountId} Encode Path Check if path encoding required Default- unchecked(false) Method POST Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 43

44 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Disable an Account AccountId Number 44

45 Default Is the parameter required? Yes Is the parameter encrypted? Account Id Mapping ${Account.UserId} Account Id to be disabled Default Is the parameter required? Is the parameter encrypted? Mapping Command Code 45

46 Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/user/status/inactive/${AccountId} Encode Path Check if path encoding required Default- unchecked(false) Method POST Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both 46

47 Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Update an Account FirstName Default Is the parameter required? Yes Is the parameter encrypted? First Name Mapping ${User.First_Name} Account First Name 47

48 LastName Default Is the parameter required? Yes Is the parameter encrypted? Last Name Mapping ${User.Last_Name} Account Last Name Password Default Is the parameter required? Yes Is the parameter encrypted? Yes Password Mapping 48

49 Account Password Default Is the parameter required? Is the parameter encrypted? Mapping AccountId Number Default Is the parameter required? Yes Is the parameter encrypted? 49

50 Account Id Mapping ${Account.UserId} Id of account to be updated Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/user Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"User":{"Id":${AccountId},"FirstName":"${FirstName}","LastName":"${LastNa me}","username":"${username}","accountstatus":1}} te: Can add more parameters to update account, with valid json request Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 50

51 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Add Application Role to Account AccountId Number Default 51

52 Is the parameter required? Yes Is the parameter encrypted? Account Id Mapping ${Account.UserId} Account Id RoleId Number Default Is the parameter required? Yes Is the parameter encrypted? Role Id Mapping ${ApplicationRole.Role_Id} Role Id 52

53 Default Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/usergroup Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} 53

54 Request body {"UserId":${AccountId},"RoleId":${RoleId},"IsAdd":true} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath 54

55 Remove Application Role from Account AccountId Number Default Is the parameter required? Yes Is the parameter encrypted? Account Id Mapping ${Account.UserId} Account Id RoleId Number Default Is the parameter required? Yes Is the parameter encrypted? Role Id 55

56 Mapping ${ApplicationRole.Role_Id} Role Id Default Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/usergroup Encode Path Check if path encoding required 56

57 Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"UserId":${AccountId},"RoleId":${RoleId},"IsAdd":false} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode 57

58 Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Create a Group Group Default Is the parameter required? Yes Is the parameter encrypted? Group Name Mapping Group name to be created 58

59 Default Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/group Encode Path Check if path encoding required Default- unchecked(false) Method POST Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"Group":{"Name":"${Group}"}} 59

60 te: Can add more parameters to create account, with valid json request. Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath 60

61 Delete a Group GroupId Number Default Is the parameter required? Yes Is the parameter encrypted? Group Id Mapping ${Group.Group_Id} Group name to be deleted Default Is the parameter required? Is the parameter encrypted? 61

62 Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/group/${GroupId} Encode Path Check if path encoding required Default- unchecked(false) Method DELETE Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body. Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode 62

63 Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Update a Group GroupId Number Default Is the parameter required? Yes Is the parameter encrypted? 63

64 Group Id Mapping ${Group.Group_Id} Group name to be updated Default Is the parameter required? Is the parameter encrypted? Mapping Group Default 64

65 Is the parameter required? Yes Is the parameter encrypted? Group Name Mapping New group name to be updated Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/group Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"Group":{"Name":"${Group}","Id":${GroupId}}} te: Can add more parameters to create account, with valid json request. Status Code Expression :JsonPath Expression:IsSuccessful 65

66 Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath 66

67 Add Application Role to a Group GroupId Number Default Is the parameter required? Yes Is the parameter encrypted? Group Id Mapping ${Group.Group_Id} Group Id RoleId Number Default Is the parameter required? Yes Is the parameter encrypted? Role Id 67

68 Mapping ${ApplicationRole.Role_Id} Role Id Default Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/rolegroup 68

69 Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"GroupId":${GroupId},"RoleId":${RoleId},"IsAdd":true} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode 69

70 Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Remove Application Role from a Group GroupId Number Default Is the parameter required? Yes Is the parameter encrypted? Group Id Mapping ${Group.Group_Id} Group Id RoleId 70

71 Number Default Is the parameter required? Yes Is the parameter encrypted? Role Id Mapping ${ApplicationRole.Role_Id} Role Id Default Is the parameter required? Is the parameter encrypted? Mapping 71

72 Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/rolegroup Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"GroupId":${GroupId},"RoleId":${RoleId},"IsAdd":false} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 72

73 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Add a Group to a Group GroupId Number Default Is the parameter required? Yes Is the parameter encrypted? Group Id Mapping ${Group.Group_Id} 73

74 Parent group Id SubgroupId Number Default Is the parameter required? Yes Is the parameter encrypted? Sungroup Id Mapping ${Group.Group_Id} Subgroup Id to be added Default Is the parameter required? Is the parameter 74

75 encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/groupmember Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"GroupId":${GroupId},"GroupMemberId":${SubgroupId},"IsAdd":true} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 75

76 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Remove a Group from a Group GroupId Number 76

77 Default Is the parameter required? Yes Is the parameter encrypted? Group Id Mapping ${Group.Group_Id} Parent group Id SubgroupId Number Default Is the parameter required? Yes Is the parameter encrypted? Sungroup Id Mapping ${Group.Group_Id} Subgroup Id to be removed 77

78 Default Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/groupmember Encode Path Check if path encoding required Default- unchecked(false) Method PUT 78

79 Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"GroupId":${GroupId},"GroupMemberId":${SubgroupId},"IsAdd":false} Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode 79

80 te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Create a Role Role Default Is the parameter required? Yes Is the parameter encrypted? Role Name Mapping Role name to be created Default 80

81 Is the parameter required? Is the parameter encrypted? Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/role Encode Path Check if path encoding required Default- unchecked(false) Method POST Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"AccessRole":{"Name":"${Role}"}} te: Can add more input parameters to create role, with valid json request Status Code Expression :JsonPath 81

82 Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression i.e. statuscode/jsonpath 82

83 Delete a Role RoleId Number Default Is the parameter required? Yes Is the parameter encrypted? Role Id Mapping ${ApplicationRole.Role_Id} Role Id to be deleted Default Is the parameter required? Is the parameter encrypted? 83

84 Mapping Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/role/${RoleId} Encode Path Check if path encoding required Default- unchecked(false) Method DELETE Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both 84

85 Expression :statuscode Expression: Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression i.e. statuscode/jsonpath Update a Role RoleId Number Default Is the parameter required? Yes 85

86 Is the parameter encrypted? Role Id Mapping ${ApplicationRole.Role_Id} Role Id to be updated Default Is the parameter required? Is the parameter encrypted? Mapping Role 86

87 Default Is the parameter required? Yes Is the parameter encrypted? Role Name Mapping ${ApplicationRole.Name} Role name to be updated Alias Default Is the parameter required? Yes Is the parameter encrypted? Role Alias Mapping 87

88 New alias name of role to be updated Command Code Generate Checked(true) te: Have the login command configured Path ${Settings.Application}/api/core/system/role Encode Path Check if path encoding required Default- unchecked(false) Method PUT Request Headers Content-:application/json Accept:application/json; charset=utf-8 Authorization:Archer session-id= ${} Request body {"AccessRole":{"Name":"${Role}","Id":${RoleId},"Alias":"${Alias}"}} te: Can add more input parameters to update role, with valid json request Status Code Expression :JsonPath Expression:IsSuccessful Pattern/Replacement 1. true/0 2. false/1 Partial Match:unchecked for both Expression :statuscode Expression: 88

89 Pattern/Replacement 1. ^[23]\d{2}$/0 2. ^([45])\d{2}$/$1 Partial Match:unchecked for both Brief Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode Detailed Response Expression :JsonPath Expression: ValidationMessages[0]/ResourcedMessage Expression :statuscode te : Have StatusCode, BriefResponse, DetailedResponse configured to same Expression ; for example: statuscode/jsonpath Known Limitations of RSA Archer GRC connector: 1. Enabling/Disabling an already enabled/disabled account passes. e.g. If an account is enabled and you again try to enable it, the capability passes successfully; same is applicable for disable account. 2. Adding approletoaccount/group already added passes. e.g. If an account/group is given access to some role, and you again perform the operation on same account/group for same role it passes successfully. 3. Removing approlefromaccount/group which does not have that account/group passes. e.g. An account/group not having access to some role, and you perform the operation to remove role it passes successfully. 89

90 Tips & Troubleshooting RSA Archer GRC is an application which runs on Windows IIS server. Inside an RSA Archer GRC instance, you can create multiple applications with different names. When providing the URL for the Connector and Collector, use the application name hosted on the IIS server. In the REST commands, always use the Instance name which is configured in the RSA Archer GRC application. Below are the possible RSA Archer GRC REST API error responses with error code. This table can be used to troubleshoot issues related to the endpoint while using the Connector and Collectors. In the case of Connectors, these errors can be observed in Server log files AFX/mule/logs/mule.AFX-CONN-<ConnectorName>.log. Expected Condition HTTP Response Code Meaning Example The business process succeeded or failed in an expected way 200 Success Request for non-existent user A system process failed (at a deeper level than the business process) 400 bad request A deserialization exception is thrown Invalid session 401 Unauthorized Invalid or incorrect session token in request header User requests resource to which they do not have permission 403 Forbidden The user requests a user but does not have read access to the module User attempts to POST content using the PUT uri or vice versa 403 Forbidden The user attempts to save changes to an existing group record using the POST uri on the group controller route matching the requested 404 t Found The user requested a URI that has no corresponding route to 90

91 URI is round map it to a controller OData query too large (default 1024) 413 HTTP Request Too Large OData query string exceeds configured limit More about OData usages by RSA Archer GRC REST API: (Refer for more information) REST API Responses, i.e. Results, can be limited and organized in several different ways by the caller. The user can control the number of results found (filtering), the number of columns in each row returned (projection), and several other aspects of result sets. OData queries are normally passed on the request URI in a query string. Due to the security issues, this will not be a supported use of OData for Archer API. OData queries must be passed in the request body. $top, $skip, $filter, $orderby, $select are fully supported for retrieving Users, Groups and Roles. These filters are being used by the RSA Identity Governance and Lifecycle collector for RSA Archer GRC. POST: Request Headers: Accept:application/json,text/html,application/xhtml+xml,application/xml;q=.9,*/*;q=0.8 Authorization: Archer session-id="session token ID from login" Content-: application/json X-Http-Method-Override: GET Request Body: { :?$filter=contact eq 7 &select= } RSA Archer GRC provides a REST API interface to communicate to its internal entities for collection and modification. To implement Connectors and Collectors for this endpoint, RSA Identity Governance and Lifecycle must have the REST API support enabled. In addition to this, RSA Archer GRC should be accessible from the location where RSA Identity Governance and Lifecycle server (ACM and AFX) is running. To verify whether RSA Archer GRC is accessible and REST API support is enabled, make use of any REST Client and try the command below (replace credentials and other artifacts shown in the example with real values). Request: POST Request Header: Request Body: Accept: application/json,text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Content-: application/json 91

92 {"InstanceName":"Archer","Username":"ArcherAdmin","UserDomain":"","Password":"Archer123!"} Check the response - it should be something similar to the response below. Expected response: IsSuccessful=True Links RequestedObject Context=0 InstanceName=Archer =B6542A941EA367EBB2DE214E1621A42B Translate=False UserConfig Login capability creates an RSA Archer GRC session using the specified credentials on the specified instance. The API request will return a serialized representation of a SessionContext object, known as a in this Connector. Refer to the section below to find out more about how the is used for the Connectors and their configurations. Additional information regarding Connector s Login capability and Session Token: te: This section provides additional information about the Login capability. configuration changes need to be made by the end user. All of the described configurations are set by default when the Connector is created. To communicate to the RSA Archer GRC instance, you need a Session Token, which is returned by its POST request This Session Token has approximately 30 seconds validity. You must regenerate the Session Token before every Capability execution. To get this Session Token before any capability execution, RSA Identity Governance and Lifecycle Connector for RSA Archer GRC executes its Login capability implicitly when Generate Session Token check box is checked for each capability. (By default this is checked when the Connector is created.) 92

93 This Login capability is responsible for generating a new and passing it to all the capabilities (Applicable only to this RSA Archer GRC Connector template). By default, there is an output parameter configured and named as. This is a Read-Only parameter and you should not change these settings. te that, the Mapping field of this output parameter should be blank. This Output parameter is configured to parse the response from the Login Post request and get the token from the JSON path RequestedObject/. java.net.unknownhostexception can occur for the following reasons: host name is wrong, RSA Archer endpoint is not accessible from the RSA Identity Governance and Lifecycle host, no network connectivity is available, etc. To verify the host name, you can use the command: ping <host name/ip> How to configure the output parameter in the Create Account command 10. Login to RSA Identity Governance and Lifecycle. 11. From the top menu bar, click AFX > Connectors 12. Click on the RSA Archer GRC Connector for which you want to configure the output parameter. 13. Click Edit. 14. Click the Capabilities tab and then click Create an Account. 15. Under Command Output Parameters, click Add More. 16. Provide AccountId as and select Account.User_Id as Mapping. 93

94 17. In AccountId response at the end of the page, select JsonPath as Expression and add RequestedObject/Id as Expression 18. Click OK to save the configurations RSA Archer GRC supports SSL configuration and allows communication over HTTPS protocol. To use secure communication, make sure that the default trust-store has RSA Archer GRC Server certificates added. If the chaining of certificate is required to reach the RSA Archer GRC endpoint from the RSA Identity Governance and Lifecycle instance, ensure that default trust-store has all the required network certificates as well. If the valid certificates are not in the proper keystore, SSLHandshakeException can be observed: javax.net.ssl.sslhandshakeexception: sun.security.validator.validatorexception: PKIX path building failed: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target 94