asset discovered by an asset discovery or manually uploaded

I only need to know if there is a way to understand from SPP if an asset is discovered by an asset discovery rule or if it is uploaded manually.

Is there a way to understand it?

Thank you

  • Hi Dario,

    Go to Asset Management > Assets > Use the Export button to export the list of assets > in the Fields select the following boxes: Name and AssetDiscoveryJobName

    Then click ok and click Export 

    This will give you the list of Asset names, and if these have an Asset Discovery Job name then that means these were discovered

    Thanks!

  • Always Tawfiq... That's GREAT!!!

    Last question: is there a matrix where I can see all the attributes in the export and which fields they correspond to in SPP? This would also help me a lot in the future to understand immediately which attributes I have to display in the export and which ones not.

    Also, if I am sure that an asset has been uploaded automatically from asset discovery (where the attribute "CreatedByUserDisplayName" is Automated System) but in the export I see this attribute AssetDiscoveryJobName not valorised, does SPP delete it if in AD this asset is deleted? Or does SPP need this attribute to be valorised anyway to do the deletion from synchronisation?

    Thank you a lot!

  • Hi Dario,

    I am not aware of a matrix documentation for this specifically, but in general, the Asset list export without selecting any specific fields would include all Asset related properties, similar to what the API would provide for the Asset endpoint. Then you can use and filter the data as needed.

    Thanks!

  • OK Tawfiq, thank you. And for this point:

    "Also, if I am sure that an asset has been uploaded automatically from asset discovery (where the attribute "CreatedByUserDisplayName" is Automated System) but in the export I see this attribute AssetDiscoveryJobName not valorised, does SPP delete it if in AD this asset is deleted? Or does SPP need this attribute to be valorised anyway to do the deletion from synchronisation?"

    Thank you, I think that after that it is enough for me, and I thank you so much

  • If the Asset has the Directory properties \ attributes populated correctly, for example the Distinguished name of the computer object is populated, then it will be synced with AD correctly.

    Otherwise, if the asset does not have directory properties \ attributes, then it would be considered invalid and could get deleted as per the KB here:

    https://support.oneidentity.com/one-identity-safeguard-for-privileged-passwords/kb/4226904/assets-deleted-unexpectedly-without-warning-by-directory-delete-sync

    Thanks!

  • OK Tawfiq thanks.
    I realised that the AssetDiscoveryJobName attribute is not the only one that needs to be specified for the asset to be synchronised with AD. As you say, even with just the distinguished name the asset can be synchronised and deleted if it is deleted by AD. All correct? Or does the AssetDiscoveryJobName attribute have to be set anyway? If everything is correct then any asset is deleted in Safeguard if it comes from AD, whether it was loaded automatically from discovery or created manually. What do you mean specifically when you talk about directory properties/attributes?
    It seems that a server that did not have this attribute valued (in the export from ASSETS tab) was deleted from Safeguard after being deleted from AD. Can you clarify this last doubt? Sorry if I didn't understand everything perfectly. Thanks, I have to share it with the client.

  • Hi Dario,

    The rule is: if the Asset in SPP has all the following items populated, then it would be considered synced with AD:

    DirectoryProperties.DirectoryId
    DirectoryProperties.DirectoryName
    DirectoryProperties.DomainName
    DirectoryProperties.NetbiosName
    DirectoryProperties.DistinguishedName
    DirectoryProperties.ObjectGuid
    DirectoryProperties.ObjectSid

    These attributes are auto populated when the Asset is discovered from AD, but you could also have imported an Asset manually into SPP and manually populated these Directory properties, which in this case would not have the AssetDiscoveryJobName populated. In both cases, if the Asset is synced with AD (all Directory properties are correctly populated), then it will be deleted in SPP if that asset is deleted in AD.

    There was another issue in older versions (lower than version 6.6 and 2.11.2) where, if the Asset had partially populated Directory properties, this caused these assets to be deleted as per the KB mentioned earlier. That has since been resolved in newer SPP releases (2.11.2 and 6.6 or above), where the partial directory properties would be cleaned up rather than deleting the asset unexpectedly.

    Thanks!
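
The rule in the answer above can be checked against a full asset export before a directory delete sync runs. The following is an added example, not part of the thread and not One Identity code: it assumes each exported record is a JSON-style object with a nested `DirectoryProperties` block (as the API-like export is described above), treats missing or blank values as not populated, and uses hypothetical function names and constructed sample records.

```python
# The seven properties listed in the answer above; all of them must be
# populated for SPP to treat the asset as synced with AD.
DIRECTORY_FIELDS = ("DirectoryId", "DirectoryName", "DomainName", "NetbiosName",
                    "DistinguishedName", "ObjectGuid", "ObjectSid")

def populated(value):
    """True when an exported value is neither missing nor blank (assumption)."""
    return value is not None and str(value).strip() != ""

def classify(asset):
    """Return (origin, sync_state, missing_fields) for one exported asset."""
    props = asset.get("DirectoryProperties") or {}
    missing = [f for f in DIRECTORY_FIELDS if not populated(props.get(f))]
    if not missing:
        state = "synced"    # removed from SPP when the object is deleted in AD
    elif len(missing) == len(DIRECTORY_FIELDS):
        state = "local"     # no directory link at all
    else:
        state = "partial"   # the case the KB covers for older releases
    origin = "discovered" if populated(asset.get("AssetDiscoveryJobName")) else "no-job-name"
    return origin, state, missing

def review(assets):
    """Map asset name -> (origin, sync_state) and list assets with partial properties."""
    summary = {a["Name"]: classify(a)[:2] for a in assets}
    partial = sorted(n for n, (_, s) in summary.items() if s == "partial")
    return summary, partial

# Constructed sample records (not real export data); the nested layout is assumed.
FULL = {"DirectoryId": 3, "DirectoryName": "corp.example", "DomainName": "corp.example",
        "NetbiosName": "CORP", "DistinguishedName": "CN=SRV01,OU=Servers,DC=corp,DC=example",
        "ObjectGuid": "00000000-0000-0000-0000-000000000001",
        "ObjectSid": "S-1-5-21-1-2-3-1001"}
SAMPLE = [
    {"Name": "SRV01", "AssetDiscoveryJobName": "AD servers", "DirectoryProperties": FULL},
    {"Name": "SRV02", "AssetDiscoveryJobName": None,
     "DirectoryProperties": dict(FULL, DistinguishedName="CN=SRV02,OU=Servers,DC=corp,DC=example")},
    {"Name": "SRV03", "AssetDiscoveryJobName": "",
     "DirectoryProperties": {"DistinguishedName": "CN=SRV03,OU=Servers,DC=corp,DC=example"}},
    {"Name": "APP01", "AssetDiscoveryJobName": None, "DirectoryProperties": None},
]

if __name__ == "__main__":
    summary, partial = review(SAMPLE)
    for name, (origin, state) in summary.items():
        print(f"{name}: {origin}, {state}")
    print("partial directory properties:", partial)
```

SRV02 is the manually imported case from the thread: no discovery job name, yet all seven properties are set, so it is still subject to deletion by the sync.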
