Skip to main content

Systems

The Systems page manages your target system inventory - the infrastructure that OrbisID scans for privileged accounts.

Systems

Viewing Systems

The systems table shows all registered systems with columns for:

  • Name - display name for the system
  • Hostname / IP - network address used for connections
  • System Type - classification (Directory Service, Server, Infrastructure, etc.)
  • OS Type - the scanning protocol used (Active Directory, Linux, SQL Server, etc.)
  • Status - Active or Offboarded
  • Last Scan - timestamp of the most recent successful scan
  • Scan Priority - execution order within scan policies

Use the search bar and filters at the top to find specific systems.

Adding Systems

There are three ways to add target systems.

Manual Entry

  1. Click Add System
  2. Fill in the required fields:
FieldRequiredDescription
NameYesA descriptive name for the system
Hostname / IPYesNetwork address OrbisID uses to connect
PortNoConnection port (auto-filled based on OS type)
OS TypeYesDetermines the scanning method (see below)
System TypeYesClassification category
CredentialYesThe stored credential used to authenticate
Scan PriorityNoExecution order (lower = scanned first, -1 = excluded)
  1. Click Test Connection to verify OrbisID can reach the system
  2. Click Save

CSV Import

  1. Click Import CSV
  2. Download the CSV template for the correct column format
  3. Upload your populated CSV file
  4. Review the preview and confirm the import

Active Directory Discovery

  1. Click Discover from AD
  2. Enter your domain controller connection details
  3. Click Test Connection to verify
  4. Browse the directory and select systems to import
  5. Click Import Selected

Supported OS Types

Each OS type determines how OrbisID connects to and scans a system.

OS TypeProtocolDefault PortEdition
Active DirectoryLDAP/LDAPS389/636Community+
LinuxSSH22Community+
WindowsWinRM (PowerShell Remoting)5985Community+ — requires a Scan Agent
SQL ServerJDBC1433Pro+
CSVFile import-Pro+
CSV PAMFile import-Community+
Custom ScriptScript execution-Enterprise

Active Directory

Scans domain controllers via LDAP to discover:

  • User and computer accounts
  • Group memberships and nesting
  • Administrative group members (Domain Admins, Enterprise Admins, etc.)
  • Service accounts
  • Account status (enabled, disabled, locked)

LDAPS (port 636) is recommended for encrypted connections.

Linux

Connects via SSH to discover:

  • Local user accounts (/etc/passwd)
  • Group memberships (/etc/group)
  • Sudo privileges (/etc/sudoers, /etc/sudoers.d/)
  • Running services (systemd)
  • Scheduled tasks (cron)

Requires a credential with sufficient privileges to read the files above (typically root or a user with sudo access).

Windows

Connects via WinRM (PowerShell Remoting) to discover:

  • Local user accounts
  • Local groups and memberships, including members that belong to an external domain
  • Windows services
  • Scheduled tasks (optional, off by default)

Windows scanning requires a Scan Agent. Unlike other OS types, Windows systems cannot be scanned directly by the OrbisID server — assign the system to an Agent Group running on a Windows host. See On-Premise Agent - Windows Scanning for prerequisites, including enabling PowerShell Remoting on each target.

SQL Server

Connects via JDBC to discover:

  • Server logins and roles (sys.server_principals)
  • Role memberships (sys.server_role_members)
  • Database-level permissions

When adding a SQL Server system, you must also specify the database name to connect to.

CSV

Imports account and entitlement data from a CSV file. Useful for systems that cannot be scanned directly. You configure:

  • Source type - Network path or file upload
  • Delimiter - Comma, semicolon, tab, or pipe
  • Has header row - Whether the first row contains column names
  • Data type - Which data the CSV contains (accounts, entitlements, identities)
  • Column mappings - Map CSV columns to OrbisID fields

CSV PAM

Similar to CSV but specifically for importing PAM tool account data for reconciliation purposes.

Custom Script (Enterprise)

Runs a user-provided script to scan any system type. Scripts can be:

  • Path mode - script is already present on the Scan Agent host
  • Upload mode - script is uploaded to OrbisID and pushed to the agent at scan time

Scripts receive connection details as JSON on stdin and must output results as JSON on stdout. See On-Premise Agent - Custom Scripts for the full specification.

Scan Priority

Scan priority controls the order in which systems are scanned within a policy execution.

PriorityBehaviour
Lower numberScanned first
Higher numberScanned later
-1Excluded from scheduled scan policies (can still be scanned manually via "Scan Now")

Default priorities by system type:

System TypeDefault Priority
Directory Service10
Server200
All others500

Directory Services are scanned first because they often provide identity context needed to link accounts discovered on other systems.

System Owner & Attestation

Each system can optionally be assigned a System Owner — the identity accountable for confirming which of the system's entitlements grant privileged access.

Assigning a System Owner

  1. Open the system and go to the General tab
  2. Select an identity from the System Owner dropdown — only active identities can be newly assigned (an owner who later becomes inactive is left in place rather than blocking unrelated edits)
  3. Click Save

Requiring Privileged Access Attestation

Once a System Owner is assigned, go to the Attestation tab to configure attestation for the system:

FieldDescription
Require Privileged Access AttestationEnables periodic and on-demand attestation for this system. Requires a System Owner to be assigned.
Attestation ScheduleHow often re-attestation is required: On-Demand Only, Quarterly, Semi-Annually, or Annually
Notify on new EntitlementSends a one-off attestation request scoped to just that entitlement whenever a new one is discovered during scanning

If the System Owner is later removed, attestation is automatically disabled for that system.

See PAM Inventory > Privileged Access Attestation for how requests are sent, answered by the System Owner, and reviewed.

Testing Connections

Click Test Connection on any system to verify OrbisID can reach it with the configured credential. The test:

  1. Establishes a connection using the system's protocol (LDAP, SSH, JDBC, REST API, etc.)
  2. Authenticates with the assigned credential
  3. Reports success or failure with diagnostic details

For Custom Script systems, the connection test runs the script with the --test flag. For Windows systems, the test is dispatched to the system's assigned Scan Agent (a direct test from OrbisID itself is not available — see Windows above). If any other system has an Agent Group assigned, its test is likewise dispatched to that agent instead of running from the OrbisID server — see On-Premise Agent - Connector Support for which connector types support this.

For cloud connectors that always talk to a fixed provider API endpoint rather than a customer-supplied host (AWS, GCP, Google Cloud IAM, Google Workspace), the Hostname / IP Address field is locked to that endpoint and isn't user-editable — the value shown is exactly what OrbisID connects to, so Test Connection reflects real reachability rather than an arbitrary address.

Offboarding Systems

Offboarding removes a system from the active scan scope without deleting its historical data.

  1. Select a system
  2. Click Offboard
  3. Confirm the action

Offboarded systems:

  • Are excluded from all scan policies
  • Retain their scan history, accounts, and entitlements
  • Can be re-onboarded later

To re-onboard, select the offboarded system and click Re-onboard.