Question

PRA First User Login (Provisioning)

  • December 10, 2025
  • 5 replies
  • 121 views


PRA requires a user to log in a first time in order to be available in PRA, for example to assign vault accounts.

Unfortunately, this is causing problems with new employees who are onboarded into PRA. Unless they have never logged in, administrators cannot assign personal vault accounts. If the user logs in and does not see his/her vault account, they create tickets. This is a very large customer, and it is difficult to orchestrate / communicate such a process, and they would like to automatically provision new users (from AD).

How do other customers provision users up-front and define vault accounts, etc. and not depend on a user’s first login?

  • BeyondTrust Employee
  • December 11, 2025

Hello @cschaller - it sounds like you may wish to look into setting up SCIM (System for Cross-domain Identity Management) to automate user and group provisioning with PRA.

Details for this are here: https://docs.beyondtrust.com/pra/docs/scim


  • Apprentice
  • December 11, 2025

SCIM doesn't seem to address the main issue which is to assign personal vaults to users without having them sign into PRA first.


Pulitros144
  • Veteran
  • December 11, 2025

@cschaller 

Using the API, you can add your users to the required group policies without them having to log in first. You could do that to create the user and, after that, add the Personal Vault credentials.

I have attached both the API script I use for that and the CSV file with the example. Since I do this in a batch, it was better to input the user information on the CSV and have the PowerShell script read and do the rest for me.

I have attached the script as a TXT file, but you can simply change the extension to PS1 to execute it. The script is properly documented with everything you will need to input, using < > as a substitute for where you will have to enter the information.

If this helps, please mark as best answer!!!

Edit: the delimiter is “,”; open the CSV file and just change it from “;” for the script to run.



Assuming you are using SAML as an authentication method:

Our users are members of security groups in the SAML provider; these groups are then pre-provisioned in the configuration of the security provider in PRA and then linked to PRA group policies, which contain the memberships for vault accounts / account groups.

When users log on for the first time, the logon process contains their group claims and they are immediately assigned to the correct group policy(s).

This article applies to Entra, but the same principle holds for other SAML providers, specifically everything relating to the group claim config & step 7 at the end:

https://beyondtrustcorp.service-now.com/kb?id=kb_article_view&sys_kb_id=e9026337475076501bf1db37536d4347

  • When using Entra ID Groups and assigning them to BeyondTrust group policies for permissions, the ObjectID of the group will need to be referenced and placed in the Available Groups section. Once this has been completed, the group will be available for assignment to a group policy for permission.

  • Author
  • Apprentice
  • January 16, 2026

SCIM doesn't seem to address the main issue which is to assign personal vaults to users without having them sign into PRA first.

Hi aally1003

SCIM would be exactly the automation we are looking for, reducing manual intervention when onboarding a new user (employee) into PRA.

Are you saying even with SCIM, PRA would only have a user “record” once the user logged in? Or would SCIM create such a “dummy” record beforehand, which then allows us to link to the personal vault account without waiting for the user to log in the first time?