AAPM API
Axidian Privilege supports interaction with Application Password Management (AAPM) through the API.
Requests for retrieval and viewing of account data are logged in the Events section.
To obtain a list of accounts or their data, first authenticate and obtain an access token.
To add an application and grant it access to account data, see the Applications section.
Authentication and Token Retrieval
Authentication and token acquisition occur via the OpenID Connect (OIDC) protocol using the Resource Owner Password Credentials (ROPC) mechanism. The application sends the login and password to the IdP component, and the IdP returns an access token.
To authenticate and obtain a token, send a POST request to the management server:
```http
POST https://<PAM FQDN>/idp/connect/token
```
Request Parameters
| Parameter | Description |
|---|---|
| Content-Type | Format of the request body. The token request is sent as a form, so specify application/x-www-form-urlencoded, as in the example below. |
| grant_type | Method of authentication and token acquisition. For application authentication by login and password, specify password. |
| username | Name of the application added to Axidian Privilege. |
| password | Password of the specified application. The application administrator can view the password in the user console. |
| scope | Requested API access. For access to the Axidian Privilege API, specify pam-api. |
| client_id | Identifier of the client application requesting the token. For application authentication on the IdP server, specify aapm-tool. |
```http
POST https://pam.server/idp/connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=MyApp&password=a4dGs22TfDpm31&scope=pam-api&client_id=aapm-tool
```
The response returns the access token in the access_token field. Use it in requests to obtain:
- a list of available accounts
- passwords and SSH keys of accounts stored in Axidian Privilege
Response Parameters
| Parameter | Description |
|---|---|
| access_token | Token for access to the Axidian Privilege API. |
| expires_in | Token validity period in seconds. |
| token_type | Access token type. Bearer — any party possessing the token can use it. |
| scope | API access permission. pam-api — the token is valid only for Axidian Privilege API calls. |
```json
{
  "access_token": "BB984E803AFAA449FD8C1",
  "expires_in": 60,
  "token_type": "Bearer",
  "scope": "pam-api"
}
```
Retrieving Account Data
The request is sent to the Core component using the access token obtained from the IdP.
To obtain account data, send a POST request to the management server:
```http
POST https://<PAM FQDN>/core/accounts/<account identifier>/credentials-view
```
Copy the account entry identifier from the account profile URL.
Request Parameters
| Parameter | Description |
|---|---|
| Content-Type | Format for reading, processing, and outputting data. For working with data in JSON format, specify application/json. |
| Authorization | User authentication and access verification. Specify the Bearer authentication method and the access token obtained from the IdP. |
| account-id | Identifier of the account whose data is requested (path segment of the URL). The identifier is displayed in the URL of the account profile. |
| UserId | Service attribute in UUID format. Specify 00000000-0000-0000-0000-000000000000. |
| Reason | Reason for obtaining the account data. Whether a reason is required is defined by the policy that applies to the account. |
```http
POST https://pam.server/core/accounts/5e852968-26ed-498c/credentials-view
Content-Type: application/json
Authorization: Bearer BB984E803AFAA449FD8C1

{
  "UserId": "00000000-0000-0000-0000-000000000000",
  "Reason": "get-data"
}
```
The response contains the account data: the password, the SSH key and their settings.
Response Parameters
| Parameter | Description |
|---|---|
| Password | Account password. |
| Key | Account SSH key. |
| KeyPassphrase | Generated password for the SSH key. Password generation is defined by the policy that applies to the account. If the Encrypt SSH key using generated password before showing to user option is disabled, the field is null. |
| KeyFileName | File name of the SSH key. |
| ResetCredentialsAfterShowing | Whether the password is reset after viewing. |
| ResetCredentialsAfterShowingAfterMin | Time after which the password is reset, in minutes. |
```json
{
  "Password": "Q1w2e3r4",
  "Key": "",
  "KeyPassphrase": null,
  "KeyFileName": "AXIDIAN-ID\\Administrator_20221013_160621Z.pem",
  "ResetCredentialsAfterShowing": false,
  "ResetCredentialsAfterShowingAfterMin": 60
}
```
In this example Key is empty: an SSH key can be set for the account, but none has been added yet.
Getting a list of accounts
The request is sent to the Core component using the access token obtained from the IdP.
To get a list of accounts, send a GET request to the management server:
```http
GET https://<PAM FQDN>/core/users/permitted-accounts
```
Request Parameters
| Parameter | Description |
|---|---|
| Content-Type | Format for reading, processing, and outputting data. For working with data in JSON format, specify application/json. |
| Authorization | User authentication and access verification. Specify the Bearer authentication method and the access token obtained from the IdP. |
```http
GET https://pam.server/core/users/permitted-accounts
Content-Type: application/json
Authorization: Bearer BB984E803AFAA449FD8C1
```
The response contains a list of accounts together with the permission and policy settings that apply to them.
Response Parameters
| Parameter | Description |
|---|---|
| Account | Account data (object containing the fields below). |
| Id | Account identifier. |
| DisplayName | Account name. |
| IsKeySupported | Whether an SSH key can be added to the account. |
| NextCredentialsReset | Time after which the account password and SSH key are reset following display. null — the policy does not set a credentials reset. |
| AreCredentialsResettingNow | Whether the account password and/or SSH key is being changed at the time of the request. |
| HasPassword | Whether a password is set for the account. |
| HasKey | Whether an SSH key is set for the account. |
| PolicySettings | Parameters of the policy that applies to the account (object containing the fields below). |
| RequireCredentialsViewingReason | Whether a reason must be specified to view the password and SSH key. |
| IsCredentialsViewingConfirmationRequired | Whether viewing the password and SSH key requires administrator confirmation. |
| CredentialsViewingConfirmationTimeout | Waiting time for confirmation of password and SSH key viewing, in minutes; in the example it is returned as the time span 00:07:00 (7 minutes). |
| EncryptKeyBeforeShowing | Whether the SSH key is encrypted with a generated password before it is shown to the user. |
| IsUserCanSetAccountCredentialsIfNotSet | Whether PAM users may set account data for accounts that have none. |
| PermissionSettings | Permission settings (object containing the fields below). |
| IsCredentialsViewAllowed | Whether the user may view the account credentials. |
| IsCredentialsChangeAllowed | Whether the user may manage the account data. |
```json
{
  "Accounts": [
    {
      "Account": {
        "Id": "7c0616f5-9c60-432b-a644-b57bbd176e65",
        "DisplayName": "UBUNTU-PAM.PAM-AD1.LOCAL\\root",
        "IsKeySupported": true,
        "NextCredentialsReset": null,
        "AreCredentialsResettingNow": false,
        "HasPassword": true,
        "HasKey": false
      },
      "PolicySettings": {
        "RequireCredentialsViewingReason": false,
        "IsCredentialsViewingConfirmationRequired": false,
        "CredentialsViewingConfirmationTimeout": "00:07:00",
        "EncryptKeyBeforeShowing": false,
        "IsUserCanSetAccountCredentialsIfNotSet": false
      },
      "PermissionSettings": {
        "IsCredentialsViewAllowed": true,
        "IsCredentialsChangeAllowed": false
      }
    }
  ]
}
```
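The three calls above form one sequence: obtain a token from the IdP, list the permitted accounts, then request the data of one account. As an added example (not Axidian's own code), this minimal Python client runs that sequence, rejects a token whose token_type or scope differs from the documented Bearer/pam-api, and stops using the token once the 60-second expires_in has passed, instead of caching it indefinitely. Endpoint paths, parameters and sample values are taken from this page; the host pam.server, the application MyApp and its password are the page's placeholders, and fake_send is a constructed stand-in for the server so the flow runs offline.

```python
import json, time, urllib.parse, urllib.request

NIL_UUID = "00000000-0000-0000-0000-000000000000"  # service value the page requires for UserId

class AapmClient:
    def __init__(self, base_url, send=None):
        self.send = send or (lambda req: json.load(urllib.request.urlopen(req)))  # injectable: Request -> parsed JSON
        self.base_url, self._token, self._expires_at = base_url.rstrip("/"), None, 0.0

    def authenticate(self, username, password):
        # ROPC grant with the form-encoded body shown in the page's token request
        body = urllib.parse.urlencode({"grant_type": "password", "username": username,
            "password": password, "scope": "pam-api", "client_id": "aapm-tool"}).encode()
        tok = self.send(urllib.request.Request(self.base_url + "/idp/connect/token", data=body,
            headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST"))
        if tok.get("token_type") != "Bearer" or tok.get("scope") != "pam-api":
            raise ValueError("IdP returned an unexpected token_type or scope")
        self._token = tok["access_token"]
        self._expires_at = time.time() + int(tok["expires_in"])  # 60 s on this page: never use the token past this

    def _core(self, method, path, payload=None):
        if self._token is None or time.time() >= self._expires_at - 5:
            raise RuntimeError("no valid token; call authenticate() again")
        hdrs = {"Content-Type": "application/json", "Authorization": "Bearer " + self._token}
        data = None if payload is None else json.dumps(payload).encode()
        return self.send(urllib.request.Request(self.base_url + "/core" + path, data=data, headers=hdrs, method=method))

    def permitted_accounts(self):
        return self._core("GET", "/users/permitted-accounts")["Accounts"]

    def credentials_view(self, account_id, reason):
        return self._core("POST", f"/accounts/{account_id}/credentials-view", {"UserId": NIL_UUID, "Reason": reason})

def fake_send(req):
    # constructed stand-in for the server that replays the page's sample responses (no network)
    if req.full_url.endswith("/idp/connect/token"):
        return {"access_token": "BB984E803AFAA449FD8C1", "expires_in": 60, "token_type": "Bearer", "scope": "pam-api"}
    if req.get_header("Authorization") != "Bearer BB984E803AFAA449FD8C1":
        raise PermissionError("Core call without the IdP token")
    if req.full_url.endswith("/users/permitted-accounts"):
        return {"Accounts": [{"Account": {"Id": "7c0616f5-9c60-432b-a644-b57bbd176e65"},
                              "PermissionSettings": {"IsCredentialsViewAllowed": True}}]}
    return {"Password": "Q1w2e3r4", "Key": "", "KeyPassphrase": None, "ResetCredentialsAfterShowingAfterMin": 60}

def demo(send=fake_send):
    # full flow: token, then only accounts whose permission allows viewing, then one credentials-view
    c = AapmClient("https://pam.server", send)
    c.authenticate("MyApp", "a4dGs22TfDpm31")  # application name and password from the page's example
    viewable = [a["Account"]["Id"] for a in c.permitted_accounts() if a["PermissionSettings"]["IsCredentialsViewAllowed"]]
    return viewable, c.credentials_view(viewable[0], "get-data")
```

Pass `send=None` to talk to a real server; every credentials-view call is then recorded in the Events section as described above.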