I know, it depends on your view of the world whether that's a bug or a feature,
but as a Windows administrator said to me:
it is unexpected behaviour.
If you create domain-based roles in DPS and you have to rename the domain group, things get messy and nobody knows why.
It's because of how you handle the "Domain-Link" in DPS.
You use the CN of the domain group, whereas every other product in this world uses the objectSID to identify users and groups.
Btw, the objectSID in Active Directory is guaranteed to be unique.
So is it a bug? Maybe not.
But should a security product use a fakeable CN to identify security groups?
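To make the CN-versus-SID point concrete, here is an added example (not code from this thread or from Devolutions): it decodes the binary objectSid attribute as LDAP returns it and shows a role table keyed by CN breaking after a group rename while one keyed by SID still resolves. The group, its name and its SID are constructed for this example.

```python
import struct

def sid_to_string(blob: bytes) -> str:
    """Decode a binary objectSid into its textual S-1-... form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then one 32-bit little-endian value
    per sub-authority."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

# Constructed sample group, shaped like a directory lookup result.
# The SID is made up for this example and belongs to no real domain.
SAMPLE_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1234567890, 987654321, 1122334455, 1105))
GROUP = {"cn": "GG-RDM-Admins", "objectSid": SAMPLE_SID}

# Two ways a product could key its role mapping for that group.
ROLES_BY_CN = {GROUP["cn"]: "Administrators"}
ROLES_BY_SID = {sid_to_string(GROUP["objectSid"]): "Administrators"}

def rename_group(group: dict, new_cn: str) -> dict:
    """An AD rename changes cn (and the DN); objectSid never changes."""
    return {"cn": new_cn, "objectSid": group["objectSid"]}

def role_via_cn(roles: dict, group: dict):
    """Lookup keyed by CN: silently returns None once the group is renamed."""
    return roles.get(group["cn"])

def role_via_sid(roles: dict, group: dict):
    """Lookup keyed by SID: survives the rename, since the SID is immutable."""
    return roles.get(sid_to_string(group["objectSid"]))

if __name__ == "__main__":
    renamed = rename_group(GROUP, "CI-RDM-Admins")
    print(sid_to_string(renamed["objectSid"]))
    print("by CN :", role_via_cn(ROLES_BY_CN, renamed))     # None
    print("by SID:", role_via_sid(ROLES_BY_SID, renamed))   # Administrators
```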
When we moved to identifying users by UPN, we felt it was sufficient at the time. We are aware of the concerns you mention, but I have the impression that the CVSS score would be on the low end, just because of the privileged access required to interact with AD. (Don't quote me on that, I can ask our CISO to calculate the score...)
Our security system is subject to a ton, and I do mean a ton, of discussions, both internally and with new customers. We compare ourselves with all of our PAM partners, while trying to keep our uniqueness and ease of use. That ease of use results in many customers not only buying a pricey PAM solution, but also insisting on putting RDM in front of it. But, I digress...
We are in the planning stages of refactoring our private vaults, which are closely tied to the login name, whichever authentication model you choose. I guess that as part of this project, it would not be risky to preserve the SID for an additional validation. It's easy on paper, we just need to identify the placement of this task within all of the other projects we are undertaking...
As in the other thread, is this a show stopper? Can it wait for a few months?
Thank you for your detailed answers to our concerns.
No, the CN/UPN/NetBIOS mapping is no "show stopper".
I was just very surprised after renaming one of our AD groups to meet CI requirements, and
I know you will do your best to overwork this base functionality.
It is very good that you have a CISO now who helps with prioritization and finding issues; I really appreciate working together with you guys.
Regarding my other post, I'll get back to my customer with your reply and keep you updated.
About renaming a role in RDM no matter which advanced data source you are connected to, instead of manually modifying all permissions, you could use the PowerShell script published in this forum thread.
Thank you Erica,
that script would have helped me a lot...
I'll give it a try next time...