Removing a LOB access to a Vault safe (Enterprise DAP)

Another odd question:

So, once a LOB has been created and added as a safe member the CyberArk Synchronizer syncs all of the accounts in the safe with the associated DAP environment.

What if one wants to remove the LOB access to that safe?

Just tried removing the LOB from the Safe membership. So far not noticing an un-sync. Tried restarting the Synchronizer service. No impact so far.

Thanks,

Barry

No, it’s a great question. Currently deletion of accounts, LOBs and Safes is not synchronized to the DAP cluster. The most effective way to do that is to load an empty LOB policy with the --replace flag. That’s a bit of advanced policy hackery but I can show you how it’s done w/ just a few lines of yaml.

1 Like

Sure. That would be great.

Def don’t want to accidentally remove more than we want to.

Thanks!

Well, as it happens what I had in mind deletes the LOB policy, Safe policies and group definitions, but doesn’t actually delete the variables, which is the whole point. You would need to create a delete policy with a delete record for the LOB policy, and delete records for each variable corresponding to safe account entries.

In my lab, I have the following:

$ conjur list | grep LabVault
"dev:policy:LabVault"
"dev:group:LabVault/Labs-admins"
"dev:policy:LabVault/Labs/LabSafe1/delegation"
"dev:group:LabVault/Labs/LabSafe1/delegation/consumers"
"dev:policy:LabVault/Labs"
"dev:group:LabVault/Labs/LabSafe1-admins"
"dev:policy:LabVault/Labs/LabSafe1"
"dev:variable:LabVault/Labs/LabSafe1/MySQL/username"
"dev:variable:LabVault/Labs/LabSafe1/MySQL/password"

where “Labs” is the LOB name. I created a file named LabsLOB-delete.yml:

$ cat LabsLOB-delete.yml
# Remove the LOB policy itself (this also removes the safe policies and groups
# defined under it, but not the variables, which need their own delete records)
- !delete
  record: !policy LabVault/Labs
# One delete record per variable that the Synchronizer created for the safe's accounts
- !delete
  record: !variable LabVault/Labs/LabSafe1/MySQL/username
- !delete
  record: !variable LabVault/Labs/LabSafe1/MySQL/password

and then loaded that in “delete” mode:

$ conjur policy load root LabsLOB-delete.yml delete

Which then left me with just an empty Vault policy:

$ conjur list | grep LabVault
"dev:policy:LabVault"
"dev:group:LabVault/Labs-admins"

We should really support recursive deletes, where deleting a policy deletes everything defined under the policy. There may be a good reason we don’t do this, but I can’t think of one. There may be an issue filed for this but if not, I’ll open one. It’d also be nice if the record: could take an array of variable names.

1 Like

Hey Barry, just realized you probably don’t want to delete the whole LOB policy, just the safe for which the LOB was removed. Here’s the correct delete policy for that.

$ cat LabsLOBSafe-delete.yml
# Remove only the safe policy, its admins group and its variables; the LOB policy stays
- !delete
  record: !policy LabVault/Labs/LabSafe1
- !delete
  record: !group LabVault/Labs/LabSafe1-admins
- !delete
  record: !variable LabVault/Labs/LabSafe1/MySQL/username
- !delete
  record: !variable LabVault/Labs/LabSafe1/MySQL/password

1 Like
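
Since both delete policies above (the whole-LOB one and the single-safe one) are built by hand from `conjur list` output, here is an added example that generates them instead. It is not code from the thread or from CyberArk, just a small Python script written for this page. It assumes the naming convention visible in the listing above: the Synchronizer puts a `<name>-admins` group beside each LOB or safe policy and the account variables under `<safe>/...`. It writes the policy to stdout so you can review exactly which records will be removed before running `conjur policy load root <file> delete`, which addresses the "don't remove more than we want" concern. Note that for a LOB target it also emits the LOB's own `-admins` group, which the first policy in this thread left in place; delete that line from the output if you want to keep the group.

```python
"""Generate a Conjur delete policy for one safe (or one LOB) from `conjur list` output.

Example, assuming the listing from the thread is saved in lab.txt:
    python gen_delete_policy.py LabVault/Labs/LabSafe1 < lab.txt > LabsLOBSafe-delete.yml
"""
import sys

# Constructed sample input: the `conjur list | grep LabVault` output shown in the thread,
# one JSON-quoted resource id per line ("account:kind:identifier").
SAMPLE_LIST = '''"dev:policy:LabVault"
"dev:group:LabVault/Labs-admins"
"dev:policy:LabVault/Labs/LabSafe1/delegation"
"dev:group:LabVault/Labs/LabSafe1/delegation/consumers"
"dev:policy:LabVault/Labs"
"dev:group:LabVault/Labs/LabSafe1-admins"
"dev:policy:LabVault/Labs/LabSafe1"
"dev:variable:LabVault/Labs/LabSafe1/MySQL/username"
"dev:variable:LabVault/Labs/LabSafe1/MySQL/password"
'''

# Emit the policy record first, then groups, then variables (the order used in the thread).
KIND_ORDER = {"policy": 0, "group": 1, "variable": 2}


def parse_resource_ids(text):
    """Turn `conjur list` output into (kind, identifier) tuples.

    Accepts both the grep'd one-id-per-line form and the raw JSON array form
    (brackets and trailing commas are tolerated); the account prefix is dropped.
    """
    resources = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(",").strip('"')
        if not line or line in ("[", "]"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a resource id, skip it
        _account, kind, identifier = parts
        resources.append((kind, identifier))
    return resources


def select_for_deletion(resources, target):
    """Pick the records a delete policy for `target` needs.

    - the policy whose id is exactly `target`
    - groups named `<target>-...` (the Synchronizer's admins group lives beside the
      policy, not under it, so it must be deleted explicitly)
    - variables under `<target>/...` (deleting the policy does not remove these)
    Nested policies and groups under `target` are left out, as in the thread, because
    deleting the parent policy removes them. Matching on `target + "/"` and
    `target + "-"` keeps LabSafe1 from also selecting a LabSafe10.
    """
    selected = []
    for kind, ident in resources:
        if kind == "policy" and ident == target:
            selected.append((kind, ident))
        elif kind == "group" and ident.startswith(target + "-"):
            selected.append((kind, ident))
        elif kind == "variable" and ident.startswith(target + "/"):
            selected.append((kind, ident))
    selected.sort(key=lambda rec: KIND_ORDER[rec[0]])  # stable: keeps listing order within a kind
    return selected


def render_delete_policy(records):
    """Render the selected records as Conjur policy YAML (`- !delete` / `record: !kind id`)."""
    lines = []
    for kind, ident in records:
        lines.append("- !delete")
        lines.append(f"  record: !{kind} {ident}")
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: gen_delete_policy.py <policy id, e.g. LabVault/Labs/LabSafe1> < conjur-list-output")
    listing = SAMPLE_LIST if sys.stdin.isatty() else sys.stdin.read()
    chosen = select_for_deletion(parse_resource_ids(listing), sys.argv[1])
    if not chosen:
        sys.exit(f"no policy named {sys.argv[1]} in the listing; nothing to delete")
    sys.stdout.write(render_delete_policy(chosen))
```

Running it against the thread's listing with `LabVault/Labs/LabSafe1` reproduces the four records of LabsLOBSafe-delete.yml; with `LabVault/Labs` it produces the LOB policy, the `Labs-admins` group and the two variables. Because the script only ever emits ids that actually appeared in `conjur list`, a typo in the target yields "nothing to delete" rather than a policy that silently matches nothing or too much.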

Jodie,

Thanks! That was handy. And I’m sure I’ll end up exercising both use cases.

Now, if we can just stop tripping over ourselves and creating new problems every day. :]