Forum / Remote Desktop Manager - Feature Request

Permissions structure feature request


I would like to submit a feature request for a more robust security permissions setup in RDM, which is something near and dear to me, as I currently have to work around this using security groups and multiple data sources.

I included a full example below, but in summary, it would be nice to be able to use AD groups, assign connections in RDM to multiple security groups, and then assign permissions per-security group instead of per-user. Sorry for the lengthy post, though. I know it is a lot of text to read, but hopefully it provides enough details about exactly what I'd like to see in the future of RDM.

In this example, let us say that you have the following users:
-John.Doe
-Jane.Doe
-Bob.Smith
-Susan.Smith
-Jason.Mann
-Judy.Mann

The users are in AD groups as follows:
-Noc.Technicians-Local
  -John.Doe
-Noc.Technicians-Remote
  -Jane.Doe
-Systems.Engineers-Local
  -Bob.Smith
-Systems.Engineers-Remote
  -Susan.Smith
-Internal.IT
  -Jason.Mann
-Provisioning
  -Judy.Mann

There are connections in RDM as follows:
-Customer1
  -Server1
  -Server2
  -Server3
-Customer2
  -Server1
  -Server2
  -Server3
-Internal.IT-Machines
  -Server1
  -Server2
  -Server3

The permissions needed are as follows:
-Customer1
  -Noc.Technicians-Local
    -View
    -Connect
    -Edit
  -Noc.Technicians-Remote
    -View
    -Connect
  -Systems.Engineers-Local
    -Add
    -View
    -Connect
    -Edit
    -Delete
  -Systems.Engineers-Remote
    -Add
    -View
    -Connect
    -Edit
  -Internal.IT
    -Nothing
  -Provisioning
    -Add
    -View
    -Connect
    -Edit
    -Delete
-Customer2
  -Noc.Technicians-Local
    -View
    -Connect
  -Noc.Technicians-Remote
    -View
    -Connect
    -Edit
  -Systems.Engineers-Local
    -Add
    -View
    -Connect
    -Edit
  -Systems.Engineers-Remote
    -Add
    -View
    -Connect
    -Edit
    -Delete
  -Internal.IT
    -Nothing
  -Provisioning
    -Add
    -View
    -Connect
    -Edit
    -Delete
-Internal.IT-Machines
  -Noc.Technicians-Local
    -Nothing
  -Noc.Technicians-Remote
    -Nothing
  -Systems.Engineers-Local
    -View
    -Connect
  -Systems.Engineers-Remote
    -View
    -Connect
  -Internal.IT
    -Add
    -View
    -Connect
    -Edit
    -Delete
  -Provisioning
    -Nothing

In the above example, I kept the number of users down to a minimum, but as you can probably imagine, it can become tedious as each of those groups grows in member count. Especially when, currently, the best solution I've found to assigning permissions like above is to create a separate data source for Customer1, Customer2, and Internal.IT-Machines, then add users with their specific permissions into each data source manually.

In my humble opinion, I think that at least being able to utilize an AD group instead of an AD username would make RDM a much more attractive solution for large organizations. With that ability, more than one data source may still need to be created to support as complex of a permissions set as the example contains, but adding a user wouldn't require configuring every data source, since the user would inherit permissions based on their AD group membership.

I tried using AD groups when I first installed RDM (back in version 5.8), and it did not work. It would be absolutely wonderful news if that feature is already in place, and I just missed the announcement of it, though I would have to beat myself up a little for working harder instead of smarter for all this time.

8 yrs
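The permission model requested in the post above, as an added example that is not part of the original thread and is not RDM code: it expands the post's group grants into the per-user rows that currently have to be maintained by hand in each data source, and audits a hand-maintained set for drift. The function names (`effective`, `audit`, `sample_assigned`) are hypothetical, and it assumes that "Nothing" means no grant and that a user in several groups receives the union of their grants.

```python
# Added example: group-based ACL expansion and drift audit (illustrative only).
ALL = frozenset({"Add", "View", "Connect", "Edit", "Delete"})
VC = frozenset({"View", "Connect"})
NL, NR = "Noc.Technicians-Local", "Noc.Technicians-Remote"
SL, SR = "Systems.Engineers-Local", "Systems.Engineers-Remote"
IT, PV = "Internal.IT", "Provisioning"

# AD group membership as listed in the post.
MEMBERS = {NL: {"John.Doe"}, NR: {"Jane.Doe"}, SL: {"Bob.Smith"},
           SR: {"Susan.Smith"}, IT: {"Jason.Mann"}, PV: {"Judy.Mann"}}

# Grants per connection group from the post; "Nothing" entries are simply
# absent, so access is denied by default (assumption).
ACL = {
    "Customer1": {NL: VC | {"Edit"}, NR: VC, SL: ALL, SR: ALL - {"Delete"}, PV: ALL},
    "Customer2": {NL: VC, NR: VC | {"Edit"}, SL: ALL - {"Delete"}, SR: ALL, PV: ALL},
    "Internal.IT-Machines": {SL: VC, SR: VC, IT: ALL},
}

def effective(acl, members):
    """Expand group grants into {(target, user): perms}, unioned across groups."""
    out = {}
    for target, grants in acl.items():
        for group, perms in grants.items():
            for user in members.get(group, ()):
                out.setdefault((target, user), set()).update(perms)
    return out

def audit(assigned, acl, members):
    """Diff hand-maintained per-user rows against what group membership justifies."""
    expected, findings = effective(acl, members), []
    for key in sorted(set(assigned) | set(expected)):
        have, want = assigned.get(key, set()), expected.get(key, set())
        if have - want:
            findings.append((key, "excess", sorted(have - want)))
        if want - have:
            findings.append((key, "missing", sorted(want - have)))
    return findings

def sample_assigned():
    """Constructed per-user state containing three typical manual-entry errors."""
    rows = {k: set(v) for k, v in effective(ACL, MEMBERS).items()}
    rows[("Customer1", "Jane.Doe")].add("Edit")            # stale extra grant
    del rows[("Customer2", "Judy.Mann")]                   # user never added
    rows[("Internal.IT-Machines", "John.Doe")] = {"View"}  # should have nothing
    return rows

if __name__ == "__main__":
    for finding in audit(sample_assigned(), ACL, MEMBERS):
        print(finding)
```

The "excess" findings are the ones that matter for least privilege: they are grants that no current group membership justifies.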

Hi,
Thank you for the post. It's not possible yet to use the AD groups, so you haven't missed anything. We are aware of the problem you describe and this is something we want to implement. It's only a matter of time, and it depends on how quickly we can find an easy way of implementing this type of structure. This is more complex than it seems, but it's definitely something we want in our product.

David Hervieux


8 yrs

It is definitely good news that you're already looking into the problem, and I definitely understand the difficulty in getting it implemented since you can't just create an AD group login in SQL as far as I know.

A suggestion on a method to implement AD group authentication, though, would be to use a shared SQL login to authenticate to the database. Once authenticated, you could look at the real username instead of the SQL username, and resolve group memberships. Looking through connection logs, it looks like you already have the SQL and real usernames detected and logged.

Assigning permissions the way I'd love to see them and having computers be a member of multiple security groups would definitely be a big change, though.

8 yrs

David,

It has been a couple of months now, so I wanted to check in with you to see if you had any estimate on when utilizing AD groups for permissions would be available. Hopefully very soon, I'll be rolling out RDM to 100+ users, and this feature would make that deployment very easy, since at this time, the way I'll be deploying users is by creating each user by hand in 15 different data sources so that permissions can be controlled properly.

If there isn't an ETA on this, is there perhaps a method of adding users to the data source (specifically AD-Integrated users) via the CLI that I could utilize in a script? I suppose I could try to hack a SQL script in that would add users, but a supported method of mass user creation would be better.

8 yrs

Hi,
If you are interested, maybe I could do a small script generator to at least create your users, or maybe I could add batch user creation? When do you plan to deploy? For what you suggested below, we plan to do that in our Server edition; we have already started the development. We will have more flexibility with the user management.

David Hervieux


8 yrs