Cyberark Privileged Access Solution

Thank you for continuing to update us on the CyberArk developments. I have it working but came up against a huge stumbling block: it seems to have been developed with the expectation that everyone using it would use the same privileged account!

I would like to see the ability to tie this Private vault search item as a feature request. However, the inability to edit user settings in the current state is a bug imho.

3 mths

Hello,

You are indeed free to call this a bug, but we are driven by community requests and have gone in line with feature requests of our user community, while being subject to approval of architectural decisions by the CyberArk team.

At this stage, we are working on adding "Prompt with list", which is a huge advancement in our integration.

After that release, we very well could implement having a CyberArk PAS entry in your private vault. This would be better than a private vault search because their API has now moved to using accountIds, which allows us to add that hard link to a specific safe/account combination. Their textual search returns a list of entries when there is a partial match and it would prevent us from being able to use an entry in this case.

Best regards,



Maurice Côté

3 mths

What would be required to allow users to use the Edit "User Specific Settings" here so that people could specify the "Privileged account" they should be using?

The PSM integration is working great, with the exception of this option.

11 days

Hello,

I have a call with the CyberArk team on Thursday to get approval on our newest iteration of our integration. I'll ask them to pre-approve the feature before we start thinking about it.

I'll get back to you next Monday.

Best regards,



Maurice Côté

11 days

Hi all,
@Maurice if you're driven by community request, then please add my name to the request list.
@Vincent03 : For CyberArk PSM Connection types we've followed the following feature from a tip I also got on this forum (don't know the link by heart):

  • In your folder structure, create a folder or subfolder for your CyberArk privileged accounts. We use the folder name: Credentials\CyberArk\NPA\<environment> (see picture below, where NPA = Non Personal Account).
  • In this folder, create a number of credential entries, one for each privileged account, of type: Username/password only containing name and Username fields. The Username is filled with: accountname@ADDRESS as is found in CyberArk so CyberArk can find the account.
  • In your CyberArk PSM Connection:
      • In the General - Privileged account box, enter: $TOOL_USERNAME$
      • In the Management tools - Credentials tab, enter: Credential repository - Prompt on connection. In the link below, browse to your folder above.

If you now start the connection, it will give a popup listing all accounts from the folder created, lets you select one, and the 'username' field is used!


8 days

@Ben05, thank you for sharing that information. It gets us closer but still doesn't exactly meet our needs.

@Maurice can you share any updates with us, or did you mean Monday the 24th?

3 days


@vincent03

UPDATE


FYI to anyone else, I just created a blank template with no settings and applied it to this PSM Server entry and the subsequent PSM Session entries started working. I would still like some information on why you would put in this template or what purpose it is to serve though.

Agree that the inclusion of a template seems pointless.

Thank you so much for this! Just one less hurdle to get this working with SSH connections.


1 day

Hello,

  • The meeting has been cancelled for reasons unknown, I am waiting for a response.
  • The feature request to have a « user specific setting » to allow a user to use a specific account is on the board, but I cannot say when we’ll have that capacity to tackle it.
  • As for the template, RDM has existing mechanisms and structures. The factor that steered us toward using that template system was the ABSOLUTE requirement to support ALL of the features allowed by the RDP type. I hope that most would agree that adding yet another tab to the RDP window and repurposing it into a PSM server entry was a choice, but it would break all of our other mechanisms that allow for refactoring/inheritance/user specific settings, etc. We elected to implement that type while respecting our existing structures. I must say that I’m a bit baffled by the strength with which you reject this simple requirement; it’s a dependency that you set once per PSM server and most of the customers that I have worked with have a single PSM cluster. I really do not want to get into a lengthy back and forth on our architecture and mechanisms that we have to work with. I will be happy to jump into a call if you have further concerns on that topic, but I would rather prioritize working on features that add value to all of our community rather than rewriting our PSM integration.

Best regards,



Maurice Côté

16 hrs

I don't think we reject it with the strength you think we do. My problem with the template was it was not intuitive as to what was needed. If it was documented that "just create a blank template because of architecture" I'd have been fine! When I had to create it, it just added confusion in my roll out.
Also "User Specific Settings and Inheritance" are currently broken for CyberArk PSM entries. So not sure what you mean there, unless you mean it without the template it would break it for all other non-CyberArk related entries? Then Gotcha, that qualifies as "Because Architecture" for me!
I love RDM I really do! The frustration for us is that CyberArk is being forced upon us and we can't use our favorite tools with it. We are "This close" but it seems the timeline to get a few key things resolved is TBD which does not inspire hope.
There are 3 solutions that could resolve these current issues.
1. Enable User Specific Settings - I can imagine how difficult that would be and imagine it would take time
2. Enable Per User Custom Variables - I wouldn't think this would be too difficult and would be a great feature in adding flexibility to a great tool.
3. Programmatic Access to ALL OS Environment Variables - I am surprised this feature doesn't already exist. I'd think it would be more difficult to limit access to the specified Variables (%username%, %appdata%,etc) rather than just all Variables. This way I could create the Variable for PrivAcct in my OS then in RDM use %PrivAcct% in the Connection.
All said as a NON Developer, so I am very likely oversimplifying.
Regardless I appreciate the responses and updates immensely!

16 hrs