Application Commands
Application commands are used for managing application information in Key Manager.
Application information is used as part of the process for signing off application keys. For more information about application key signoff, see the PrivX Key Manager User Portal Manual.
count-applications
Syntax:
ssh-mgr-client count-applications [options] [-F <filter>] [-vvv] [-U <url>]
Returns the number of applications that match the given criteria.
For filtering (-F), you can use the same attributes that are available for the list-applications command (see list-applications).
Example for returning the number of applications in the managed environment:
$ ssh-mgr-client count-applications
4
Example for returning the number of applications with a certain classification:
$ ssh-mgr-client count-applications -F "classification=PROD"
3
create-application
Syntax:
ssh-mgr-client create-application -d <data> [options] [-vvv] [-U <url>]
Creates new applications.
To create new applications, you must provide the name, owner, contact, and classification of the application. You may optionally provide a description for the application as well.
Required data:
name
    The name of the application.
owner
    The name of the application owner.
contact
    The email address of the contact person. This must be the email address that has been assigned to the contact person in your Active Directory (AD).
classification
    A descriptive free-text classification for the application.
Optional data:
data
    Internal data in JSON format.
description
    A free-text description for the application.
For example, creating an application by providing data directly to the command line:
$ ssh-mgr-client create-application -d \
name="Example application",owner="John Doe",contact="john.doe@example.com",\
classification="PROD"
Alternatively, you can also provide the information from a file:
$ ssh-mgr-client create-application -f applications.txt
An example of what the data file could look like:
name,owner,contact,classification,description
Example application,John Doe,john.doe@example.com,PROD,
Another application,Alice,alice@example.com,TEST,rabbit hole application
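The data file above is plain CSV with a header row. The following script is an added example, not part of the PrivX documentation or the ssh-mgr-client tool: it builds that file from Python records and rejects a record before it reaches the command if a required field is empty or the contact does not look like an email address. The field names and column order come from the manual; the validation rules and the email shape check are this example's own assumptions (only the server can confirm that the address matches the contact's AD entry).

```python
# Added example (not PrivX code): build and validate the CSV data file for
# `ssh-mgr-client create-application -f <file>`.
import csv
import io
import re

REQUIRED = ("name", "owner", "contact", "classification")
OPTIONAL = ("description",)
HEADER = REQUIRED + OPTIONAL

# Loose email-shape check (assumption of this example); the real requirement
# is that the address matches the contact's entry in Active Directory.
_EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def validate_application(app):
    """Return a list of problems for one application record (empty = ok)."""
    problems = []
    for field in REQUIRED:
        if not app.get(field, "").strip():
            problems.append(f"missing required field: {field}")
    contact = app.get("contact", "")
    if contact and not _EMAIL.match(contact):
        problems.append(f"contact is not an email address: {contact!r}")
    unknown = set(app) - set(HEADER)
    if unknown:
        problems.append("unknown fields: " + ", ".join(sorted(unknown)))
    return problems


def render_data_file(apps):
    """Render records as the header+rows CSV text the -f option expects.

    Raises ValueError on the first invalid record so a bad row never
    reaches the command. Values containing commas are quoted by csv.
    """
    for idx, app in enumerate(apps):
        problems = validate_application(app)
        if problems:
            raise ValueError(f"record {idx}: " + "; ".join(problems))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    for app in apps:
        writer.writerow({k: app.get(k, "") for k in HEADER})
    return buf.getvalue()


# Constructed sample input, mirroring the manual's example file.
SAMPLE_APPS = [
    {"name": "Example application", "owner": "John Doe",
     "contact": "john.doe@example.com", "classification": "PROD"},
    {"name": "Another application", "owner": "Alice",
     "contact": "alice@example.com", "classification": "TEST",
     "description": "rabbit hole application"},
]

if __name__ == "__main__":
    # Redirect stdout to applications.txt, then run:
    #   ssh-mgr-client create-application -f applications.txt
    print(render_data_file(SAMPLE_APPS), end="")
```

A name or description that itself contains a comma is wrapped in double quotes by the csv module, which keeps the column count stable for the importer.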
delete-application-owner
Syntax:
ssh-mgr-client delete-application-owner -i <id> [options] [-vvv] [-U <url>]
Delete the application owner that has the specified ID.
Example:
$ ssh-mgr-client delete-application-owner -i 99
list-applications
Syntax:
ssh-mgr-client list-applications [options] \
[-F <filter>] [-vvv] [-U <url>] [-o <format>] [-C <columns>] [-H]
The default command lists the applications in the Key Manager system:
$ ssh-mgr-client list-applications
Example App 1,,owner1,owner1@example.com,CLASS1,[u'example_tag1'],1
Example App 2,,owner2,owner2@example.com,CLASS2,[u'example_tag2'],1
...
The following columns can be used for filtering (-F) and output formatting (-C):
classification
    Classification of the application
delegations
    Delegations for this application. Only usable for output formatting (-C).
description
    Description of the application
id
    Internal PrivX Key Manager id for application
name
    Name
owner_contact
    Owner email for this application. Only usable for filtering (-F).
owner_upn
    Owner UPN for this application. Only usable for filtering (-F).
owners
    Owners for this application. Only usable for output formatting (-C).
policy_violation_counts
    Policy violation counts for this application. Only usable for output formatting (-C).
roles
    Owner roles for this application. Only usable for filtering (-F).
tags
    Tags attached to the application
For example, to find all applications with a certain owner and classification:
$ ssh-mgr-client list-applications -F "name='Bob Page'&&classification=PROD"
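Some columns in the table above are usable only with -F and some only with -C. The script below is an added example, not part of the PrivX documentation or the ssh-mgr-client tool: it encodes that table, checks a requested filter/column set against it before the command is run, and assembles the -F expression. The `&&` conjunction and the single-quoted value follow the manual's example above; that -C takes a comma-separated column list, and that only values containing whitespace need quoting, are this example's assumptions.

```python
# Added example (not PrivX code): validate -F / -C usage for list-applications
# and build the argv for the command without running it.
import shlex

# Column name -> (usable for -F, usable for -C), as documented in the manual.
LIST_APPLICATIONS_COLUMNS = {
    "classification": (True, True),
    "delegations": (False, True),
    "description": (True, True),
    "id": (True, True),
    "name": (True, True),
    "owner_contact": (True, False),
    "owner_upn": (True, False),
    "owners": (False, True),
    "policy_violation_counts": (False, True),
    "roles": (True, False),
    "tags": (True, True),
}


def check_columns(filter_attrs, output_cols):
    """Return a list of problems; an empty list means the request is valid."""
    problems = []
    for attr in filter_attrs:
        usable = LIST_APPLICATIONS_COLUMNS.get(attr)
        if usable is None:
            problems.append(f"unknown attribute for -F: {attr}")
        elif not usable[0]:
            problems.append(f"{attr} is only usable for output formatting (-C)")
    for col in output_cols:
        usable = LIST_APPLICATIONS_COLUMNS.get(col)
        if usable is None:
            problems.append(f"unknown column for -C: {col}")
        elif not usable[1]:
            problems.append(f"{col} is only usable for filtering (-F)")
    return problems


def build_filter(conditions):
    """Join attr=value conditions with &&; values containing whitespace are
    wrapped in single quotes, as in the manual's example (assumed rule)."""
    parts = []
    for attr, value in conditions:
        if not LIST_APPLICATIONS_COLUMNS.get(attr, (False, False))[0]:
            raise ValueError(f"{attr} cannot be used in a filter")
        if any(ch.isspace() for ch in value):
            value = "'" + value + "'"
        parts.append(f"{attr}={value}")
    return "&&".join(parts)


def build_command(conditions, output_cols=(), no_header=False):
    """Assemble the argv list for list-applications (does not execute it)."""
    problems = check_columns([a for a, _ in conditions], output_cols)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["ssh-mgr-client", "list-applications"]
    if conditions:
        argv += ["-F", build_filter(conditions)]
    if output_cols:
        argv += ["-C", ",".join(output_cols)]  # comma-separated list: assumption
    if no_header:
        argv.append("-H")
    return argv


if __name__ == "__main__":
    argv = build_command([("name", "Bob Page"), ("classification", "PROD")],
                         output_cols=("name", "owners"), no_header=True)
    print(shlex.join(argv))
```

Building the argv list and printing it with shlex.join keeps the filter expression intact when it is later pasted into a shell, where the single quotes inside it would otherwise need escaping.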
list-application-owners
Syntax:
ssh-mgr-client list-application-owners [options] [-F <filter>] [-vvv] \
[-U <url>] [-o <format>] [-C <columns>] [-H] [-O <sort-order>] \
[-S <start-from>] [-M <max-results>] [-E <delim>] [-B]
The default command lists all the application owners defined in the Key Manager system.
$ ssh-mgr-client list-application-owners
The following columns can be used for filtering (-F) and output formatting (-C):
application
    Application this owner is for
contact
    Contact of this application owner
id
    Internal PrivX Key Manager id for this application owner
is_external
    Has this application owner been defined in an external source (e.g. LDAP)
is_valid
    Is this application owner record currently valid
last_validated
    Last validated against an external source
name
    Name of this application owner
roles
    Owner roles of this application owner
upn
    userPrincipalName of this application owner
For example, to find all the owners of a certain application:
$ ssh-mgr-client list-application-owners -H -F "application=test_application"
To find all the owners associated with a certain application-owner role:
$ ssh-mgr-client list-application-owners -H -F "owner_type=key_approver"
list-delegations
Syntax:
ssh-mgr-client list-delegations [options] [-F <filter>] [-vvv] \
[-U <url>] [-o <format>] [-C <columns>] [-H] [-O <sort-order>] \
[-S <start-from>] [-M <max-results>] [-E <delim>] [-B]
List the application delegations set in the Key Manager system.
The default command lists all the delegations defined in the Key Manager system.
$ ssh-mgr-client list-delegations
The following columns can be used for filtering (-F) and output formatting (-C):
application
    Application this delegation is for
delegation_type
    Type of this delegation
id
    Internal PrivX Key Manager id for the delegation
request_type
    Request type of this delegation
role
    Owner role of this delegation
For example, to list all the delegations set within a certain application:
$ ssh-mgr-client list-delegations -H -F "application=test_application"
To find all the owners associated with a certain application-owner role:
$ ssh-mgr-client list-delegations -H -F "owner_type=key_approver"
set-application-delegations
Syntax:
ssh-mgr-client set-application-delegations \
-d <data> [options] (-F <filter> | -i <id>) [-vvv] [-U <url>]
Set delegations for the selected applications.
Specify delegations as input data (-d). Delegations are to be specified in the format application-role=request-type/delegation-type. Owners belonging to the given application role are granted the specified delegation for requests of the given request type.
Available request types:
accept_keys
    Grant delegations for the request type Accept.
authorization_request
    Grant delegations for access requests.
provide_passphrase
    Grant delegations for the request type Provide Passphrase.
remove_keys
    Grant delegations for the request type Remove.
renew_keys
    Grant delegations for the request type Renew.
restore_keys
    Grant delegations for the request type Restore.
set_key_options
    Grant delegations for the signoff-request type Restrict.
set_notes
    Grant delegations for the Set Notes action.
set_passphrase
    Grant delegations for the request type Set Passphrase.
set_validity
    Grant delegations for the Set Validity action.
show_passphrase
    Grant delegations for the Show Passphrase action.
Available delegation types:
approve
    Allow approval of requests.
direct
    Allow requests to be performed automatically, without the need for separate approval.
initiate
    Allow the initiation of requests.
none
    Remove all the delegations from the specified application owners regarding the specified request type.
skip-owner-approval
    Allow the specified type of requests to skip application-owner approvals, moving directly to the admin-approval phase.
Select the application using its ID (-i). Alternatively, you can select multiple applications using filters (-F). For filtering (-F), you can use the same attributes that are available for the list-applications command (see list-applications).
Example:
$ ssh-mgr-client set-application-delegations -i 9 \
-d itmp=accept_keys/initiate
set-application-owners
Syntax:
ssh-mgr-client set-application-owners -d <data> [options] \
(-F <filter> | -i <id>) [-vvv] [-U <url>]
Set application owners for the selected applications.
Specify application owners as input data (-d). Application owners are to be specified in application-role=owner-email format, where the application-role identifies the application role of the owner (used primarily for setting delegations to owners), and the owner-email is the email address of the owner.
Select the application using its ID (-i). Alternatively, you can select multiple applications using filters (-F). For filtering (-F), you can use the same attributes that are available for the list-applications command (see list-applications).
Examples:
$ ssh-mgr-client set-application-owners -d key_approver=alice@example.com -i 9
$ ssh-mgr-client set-application-owners \
-d key_approver=alice@example.com,ao=bob@example.com -F 'name="Example App"'
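Both set-application-delegations and set-application-owners take their -d data in a role=value form, with a request-type/delegation-type pair in the first case and an owner email in the second. The script below is an added example, not part of the PrivX documentation or the ssh-mgr-client tool: it parses both forms, rejects request and delegation types that are not in the lists documented above, and flags the delegation types that remove a review step (direct performs the request without separate approval; skip-owner-approval bypasses the application-owner approval). The role names in the sample data (itmp, key_approver, ao) are taken from the manual's examples, and the comma-separated multi-item form of -d follows the manual's multi-owner example; the email shape check is this example's assumption.

```python
# Added example (not PrivX code): validate -d data for
# set-application-delegations and set-application-owners before use.
import re

# Request and delegation type names as documented in the manual.
REQUEST_TYPES = {
    "accept_keys", "authorization_request", "provide_passphrase",
    "remove_keys", "renew_keys", "restore_keys", "set_key_options",
    "set_notes", "set_passphrase", "set_validity", "show_passphrase",
}
DELEGATION_TYPES = {"approve", "direct", "initiate", "none",
                    "skip-owner-approval"}
# Delegation types that remove an approval step from the request flow.
APPROVAL_BYPASS = {"direct", "skip-owner-approval"}
_EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")  # shape check only


def split_data(data):
    """Split comma-separated key=value items into (key, value) pairs."""
    pairs = []
    for item in data.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"expected key=value, got {item!r}")
        key, value = item.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def parse_delegations(data):
    """Parse role=request/delegation items into
    (role, request_type, delegation_type) tuples, validating each part."""
    out = []
    for role, spec in split_data(data):
        if "/" not in spec:
            raise ValueError(f"{role}: expected request/delegation, got {spec!r}")
        request, delegation = spec.split("/", 1)
        if request not in REQUEST_TYPES:
            raise ValueError(f"{role}: unknown request type {request!r}")
        if delegation not in DELEGATION_TYPES:
            raise ValueError(f"{role}: unknown delegation type {delegation!r}")
        out.append((role, request, delegation))
    return out


def parse_owners(data):
    """Parse role=owner-email items into (role, email) tuples."""
    out = []
    for role, email in split_data(data):
        if not _EMAIL.match(email):
            raise ValueError(f"{role}: {email!r} is not an email address")
        out.append((role, email))
    return out


def approval_bypasses(parsed):
    """Return the delegations that let a request skip an approval step,
    so a reviewer can confirm they are intended before applying them."""
    return [(r, q, d) for r, q, d in parsed if d in APPROVAL_BYPASS]


if __name__ == "__main__":
    delegations = parse_delegations("itmp=accept_keys/initiate,ao=remove_keys/direct")
    print("parsed:", delegations)
    print("bypass approval:", approval_bypasses(delegations))
    print("owners:", parse_owners("key_approver=alice@example.com,ao=bob@example.com"))
```

Running the parsed data past approval_bypasses before the command is a cheap place to catch a remove_keys/direct delegation granted by mistake, since after it is set the removal no longer waits for anyone's approval.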
show-application
Syntax:
ssh-mgr-client show-application -i <id> [options] \
[-vvv] [-U <url>] [-o <format>] [-C <columns>]
Displays the application with the given ID.
For output formatting (-C), you can use the same attributes that are available for the list-applications command (see list-applications).
Example:
$ ssh-mgr-client show-application -i 3
tag-applications
Syntax:
ssh-mgr-client tag-applications [options] \
(-F <filter> | -i <id>) -d <data> [-vvv] [-U <url>]
Tags selected applications.
Specify the tag by the name of the tag. If the tag does not exist, it will be created automatically. You can select an application using its ID (-i). Alternatively, you can select multiple applications using filters (-F). For filtering (-F), you can use the same attributes that are available for the list-applications command (see list-applications).
For example, to tag the application that has the ID of 2, with the tag named example_application:
$ ssh-mgr-client tag-applications -i 2 -d tags="example_application"
update-application-associations
Syntax:
ssh-mgr-client [global_options] update-application-associations \
-a <action> (-d <data> | -f <file>) [-B] [-T <timeout>]
Add and/or remove user accounts from applications.
Specify target accounts in a CSV file. For each target, the file must specify:
- application: The name of the target application.
- hostname: The name of the host where the target account is.
- username: The name of the target account.
Example file format:
application,hostname,username
Example Application 01,host.example.com,alice
Example Application 02,host.example.com,bob
...
Also specify the action to be carried out on all targets:
add
    Add target accounts to target applications.
set
    Add target accounts to target applications. Remove all other accounts from target applications.
remove
    Remove target accounts from target applications.
Example:
$ ssh-mgr-client update-application-associations -a add -f input.csv
update-application-associations only works on discovered user accounts. For example, users added after the last host scan are not affected.
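The difference between add, set and remove, and the fact that undiscovered accounts are silently left alone, is easier to see on a small model than on a live system. The script below is an added example, not part of the PrivX documentation or the ssh-mgr-client tool: it parses the documented CSV target file and applies each action to an in-memory map of application to accounts, reporting the targets that were skipped because they are not in the discovered inventory. The CSV columns are the documented ones; the in-memory representation, the constructed inventory and the skip behaviour are this example's assumptions about how the real command treats undiscovered accounts.

```python
# Added example (not PrivX code): model the add/set/remove actions of
# update-application-associations on a constructed inventory.
import csv
import io

CSV_HEADER = ["application", "hostname", "username"]

# Constructed target file in the documented format.
SAMPLE_CSV = """application,hostname,username
Example Application 01,host.example.com,alice
Example Application 02,host.example.com,bob
"""

# Constructed inventory of accounts found by the last host scan. The command
# only acts on discovered accounts, so targets not listed here are skipped.
DISCOVERED = {
    ("host.example.com", "alice"),
    ("host.example.com", "bob"),
    ("host.example.com", "carol"),
}


def parse_targets(text):
    """Return {application: {(hostname, username), ...}} from CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != CSV_HEADER:
        raise ValueError("expected header " + ",".join(CSV_HEADER))
    targets = {}
    for row in reader:
        targets.setdefault(row["application"], set()).add(
            (row["hostname"], row["username"]))
    return targets


def apply_action(action, current, targets, discovered=DISCOVERED):
    """Return (new_associations, skipped) for one action.

    current:  {application: set(accounts)} as it stands before the run.
    skipped:  target accounts ignored because they were never discovered.
    """
    new = {app: set(accs) for app, accs in current.items()}
    skipped = set()
    for app, accounts in targets.items():
        usable = {a for a in accounts if a in discovered}
        skipped |= accounts - usable
        if action == "add":
            new.setdefault(app, set()).update(usable)
        elif action == "set":
            # set = add the targets, then drop every other account
            new[app] = usable
        elif action == "remove":
            new[app] = new.get(app, set()) - usable
        else:
            raise ValueError(f"unknown action {action!r}")
    return new, skipped


if __name__ == "__main__":
    targets = parse_targets(SAMPLE_CSV)
    current = {"Example Application 01": {("host.example.com", "carol")}}
    for action in ("add", "set", "remove"):
        result, skipped = apply_action(action, current, targets)
        print(action, "->", result, "skipped:", skipped)
```

The set action is the one to double-check before a run: it does not only add the listed accounts but also drops every account of the named applications that is absent from the file, so a file that covers only part of an application's accounts will detach the rest.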