Adding Accounts in AAPM
To use an AAPM REST API, a profile should be created for AAPM clients in the Dynamic Password Controller. These profiles are called AAPM accounts in the Single Connect web GUI.

To create an AAPM account, follow the steps below:

1. Navigate to AAPM Management > AAPM Management.
2. Open the AAPM Accounts tab.
3. Enter the Application Name, Event User, and Security Level. You can remove the Event User if the account should not be related to any user in the system.
4. To enter the requester source IP address, click the edit button next to the Application IP address. In the pop-up screen, enter single or multiple IPs with CIDR.
5. To link SAPM account(s), click the edit button next to the SAPM Account field. You can link a single or multiple SAPM accounts to the AAPM account. Linked accounts can be accessed with the same token. Accounts are searched by name and group full paths.
6. Select any restrictions required from the restriction checkboxes. You can set time and usage limits.
7. Select the Allow Listing Accounts checkbox if listing all linked SAPM accounts and groups to the AAPM token is required. If you don't select this checkbox, the linked SAPM accounts list cannot be retrieved through the /listsapmaccounts API.
8. Enter any optional parameters listed according to your security level choice (details described below), and click Save.

After this step, an AAPM account is created, and the AAPM authentication token is shown in the pop-up window. Copy this token by clicking the text box (later, you'll need to include this parameter in the REST API requests).

| Parameter Name | Parameter Value |
| --- | --- |
| App Hash | The md5sum value of the application's executable file (used for Basic + PIN + Path + Hash security level). |
| App Path | The path of the application using AAPM (used for all security levels including Path). |
| Application IP | IP address of the requester application. |
| Application Name | Name of the application requesting the AAPM passwords. |
| Event User | The user using the password (this value is logged in the SAPM logs as the user of the password). If the account should be independent of any user, the Event User can be removed. If an Event User is set and the user permissions are not sufficient to reach the secret, the secret will not be retrieved through AAPM. |
| OS Account | The name of the account used by Single Connect while connecting and checking the path (used for all security levels including Path). |
| OS Account Password | The password of the account that will be used by Single Connect while connecting and checking the path (used for all security levels including Path, and applicable for the Manual User OS Credential Type only). |
| OS Credential Type | The credential type used by Single Connect while connecting and checking the path. Possible values: SAPM / Manual User (used for all security levels including Path). |
| OS Type | The operating system type of the server that hosts the application. Possible values: Windows / Linux / Mac OS (used for all security levels including Path). |
| PIN Sending Port | The port the client application is listening to. Single Connect sends the PIN to this port (used for all security levels, except Basic). |
| SAPM Account | The SAPM account used in AAPM. |
| Security Level | The security level for the AAPM process. The possible values are:<br>Basic: Default, basic AAPM flow. The application requests the password via API. Single Connect checks the application's token and source IP, and sends back the password as the response if everything is correct.<br>Basic + PIN: The application requests the password via API. Single Connect checks the application's token and source IP and, if everything is correct, sends the PIN to a specific port. The application sends a second request with the PIN code and receives the password.<br>Basic + PIN + Path: The application requests the password via API. Single Connect checks the application's token and source IP and, if everything is correct, sends the PIN to a specific port. The application sends a second request with the PIN code. Single Connect checks the path and name of the application and sends back the password if the check passes.<br>Basic + PIN + Path + Hash: The application requests the password via API. Single Connect checks the application's token and source IP and, if everything is correct, sends the PIN to a specific port. The application sends a second request with the PIN code. Single Connect checks the path, name, and md5sum of the application and sends back the password if the check passes. |
| Time Limit | The Time Limit checkbox enables the users to set an expiry date for the AAPM token. |
| Expiry Date | The Expiry Date field allows users to set a deadline for token usage. |
| Usage Limit | The Usage Limit checkbox enables the users to set a limit for maximum usage. |
| Maximum Usage Count | The Maximum Usage Count allows the users to define a maximum usage limit. |
| Allow Listing Accounts | The Allow Listing Accounts checkbox enables the linked SAPM accounts and groups to be listed through the /listsapmaccounts API. |
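The checks that each security level adds can be modeled as follows. This is an added example, not Single Connect's own code or API: the function names, the dictionary keys, and the `observed` record (what the server sees for one request and finds on the application host) are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import ipaddress

# Checks applied at each security level, per the Security Level descriptions above.
LEVEL_CHECKS = {
    "Basic": ("token", "source_ip"),
    "Basic + PIN": ("token", "source_ip", "pin"),
    "Basic + PIN + Path": ("token", "source_ip", "pin", "path"),
    "Basic + PIN + Path + Hash": ("token", "source_ip", "pin", "path", "hash"),
}

def app_hash(path):
    """MD5 of the executable: the value md5sum prints, as entered in App Hash."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def ip_allowed(source_ip, allowed_entries):
    """True if source_ip falls inside any Application IP entry (single IP or CIDR)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowed_entries)

def same(a, b):
    """Constant-time equality; a missing value on either side never matches."""
    return a is not None and b is not None and hmac.compare_digest(a.encode(), b.encode())

def first_failed_check(account, observed):
    """Name of the first check that fails for the account's level, or None."""
    results = {
        "token": same(observed.get("token"), account["token"]),
        "source_ip": ip_allowed(observed["source_ip"], account["application_ip"]),
        "pin": same(observed.get("pin"), account.get("issued_pin")),
        "path": same(observed.get("app_path"), account.get("app_path")),
        "hash": same(observed.get("app_hash"), account.get("app_hash")),
    }
    for check in LEVEL_CHECKS[account["security_level"]]:
        if not results[check]:
            return check
    return None

# Constructed sample account (all values are placeholders, not real credentials).
ACCOUNT = {
    "security_level": "Basic + PIN + Path + Hash", "token": "EXAMPLE-TOKEN",
    "application_ip": ["10.20.30.0/24", "192.0.2.10"], "issued_pin": "4821",
    "app_path": "/opt/billing/bin/billing", "app_hash": "5d41402abc4b2a76b9719d911017c592",
}
```

Running `first_failed_check` against the same observed record at different security levels shows which mismatches a lower level would let through, for example a replaced executable under Basic + PIN + Path.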