Writing a custom script

The following describes how to write a custom system script used to create a resource profile. Once the system script is written, you may add or update a resource profile that contains the script and then add a system of that type.

Note:   Scripts must be written in JavaScript, extensive JavaScript knowledge is not required.

The script must implement two functions as follows:

getAttributes()

The script must implement the getAttributes() function. It indicates the functionality your script provides and additional configuration information.

Example:

Copy
function getAttributes() {
var attributes = {
CanChangeOwnPassword: false,
AdministrativeAccountSupported: false
};
return attributes;
}

The remaining functions you write consist of send and expect verbs that are invoked with the sshSend() and sshExpect() functions.

verifyPassword()

The verifyPassword() function is required and allows Privileged Access Service to determine if a username/password combination is valid. When the verifyPassword() function is invoked, Privileged Access Service logs into the system and nothing more may be needed to validate that the user name and password combination is valid.

Example:

Note:   The following is an implementation of verifyPassword() that ensures a command prompt outputs by the target system:

Copy
function verifyPassword(verifyPasswordInfo) {
// Expect a prompt.
var result = sshExpect(["Prompt> $"]);
if (result.MatchIndex < 0) {
ErrorInvalidUserPassword
}
// Password is OK.
return Success;
}

sshExpect()

The following are true for sshExpect():

  • The sshExpect() function is called and commands to wait until the target system outputs the string "Prompt> ".
  • If the target system does not output the expected string, your script returns an error code.
  • The argument to the sshExpect() function is a list of regular expressions to expect.
  • If the result.MatchIndex returned is less than zero, the expected string was not output by the target system.

Putting it all together

Finally, put together the complete script as follows:

Copy
function getAttributes() {
var attributes = {
CanChangeOwnPassword: false,
AdministrativeAccountSupported: false
};
return attributes;
}
function verifyPassword(verifyPasswordInfo) {
// Expect a prompt.
var result = sshExpect(["Prompt> $"]);
if (result.MatchIndex < 0) {
ErrorInvalidUserPassword
}
// Password is OK.
return Success;
}

You can now create a new resource profile with this script and start adding systems of this type. This script allows you to create systems and accounts with vaulted passwords, control who has access to those accounts, initiate workflow for requesting temporary access to a system, and audit use of an account.