Password Checkout - In Emergency Break Glass

Implemented


Hi Team
I am asking to see if a feature could be added so that our team members could unlock or check out a password.
We currently have most passwords in RDM, protected so the staff are unable to view them. This is working really well, but there are times when the staff need to know the password. Maybe to give it to a third party, or sometimes we need to connect to a Hyper-V/VMware console, so we need to type in the password.
So here is the situation I'd like to see if it is possible.
1/ Users normally can't see passwords.
2/ If they need access, they can force a reveal of the password. Then they can see and use the password. This is audited so the security team can review the case and reset the password once the job is complete.

I guess this is kind of an "in emergency break glass" situation. So it is clear when and to whom the passwords were given out.

I hope this makes sense


Thanks
Darren

All Comments (5)

Just to understand and verify how we could do it.

We could add a permission for a user like Allow View Password (Emergency Break Glass) (to make sure that it's not possible for everyone to do it if not required).

We could add a button different from the View Password one, with a label like View Password (Emergency Break Glass). This would create an entry in the logs, and it could also change the state of the entry to something like Change Password Required?

What do you think?

David Hervieux
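
One way the flow proposed above (a separate permission, a logged reveal, and the entry flipped to Change Password Required until it is reset) could be modelled, as an added Python example that is not RDM's own code; the permission name, entry data and user names are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical permission name, modelled on the proposed
# "Allow View Password (Emergency Break Glass)" right.
BREAK_GLASS_PERMISSION = "AllowViewPasswordBreakGlass"
ROTATE_STATE = "Change Password Required"

@dataclass
class Entry:
    name: str
    secret: str
    state: str = "Normal"

@dataclass
class Vault:
    entries: dict                  # name -> Entry
    permissions: dict              # user -> set of permission names
    audit_log: list = field(default_factory=list)

    def _audit(self, **record):
        record["at"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(record)

    def break_glass_reveal(self, user, entry_name, reason):
        """Reveal a protected secret only to a holder of the break-glass right,
        record who/what/why, and flag the entry so it gets reset afterwards."""
        if BREAK_GLASS_PERMISSION not in self.permissions.get(user, set()):
            self._audit(outcome="denied", user=user, entry=entry_name)
            raise PermissionError(f"{user} lacks {BREAK_GLASS_PERMISSION}")
        if not reason.strip():
            raise ValueError("a reason is required for a break-glass reveal")
        entry = self.entries[entry_name]
        entry.state = ROTATE_STATE
        self._audit(outcome="revealed", user=user, entry=entry_name, reason=reason)
        return entry.secret

    def pending_rotations(self):
        # Entries revealed under break glass whose password is not yet reset.
        return sorted(n for n, e in self.entries.items() if e.state == ROTATE_STATE)

    def mark_rotated(self, admin, entry_name, new_secret):
        entry = self.entries[entry_name]
        entry.secret, entry.state = new_secret, "Normal"
        self._audit(outcome="rotated", user=admin, entry=entry_name)

def build_demo_vault():
    """Constructed sample data: one protected entry, one user holding the right."""
    entries = {"hyperv-host01": Entry("hyperv-host01", "ConstructedP@ss1")}
    return Vault(entries, {"alice": {BREAK_GLASS_PERMISSION}, "bob": set()})
```

The security team's review loop is then `pending_rotations()`: anything listed there was revealed and still awaits the reset described in the request.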

Hi David
That’s pretty much it.
I agree it would be best if this was a separate permission, as you may have users that you do not want to give this right to.
Not sure if it needs to be a separate button, I’m guessing if you don’t have rights normally to view the password the button to view password could be the same, only with the revised functionality, but I guess that is a design/programming decision.
Maybe it needs to have some pop up asking for reason too, similar to the “prompt for comment on open”?


Thanks
Darren

Hello David,

I am looking for a similar solution.

I think I have a quick way to solve this.
When I create an RDP session, I have the option via "Properties --> Events --> Before connecting" to have different options.
In this case I display a message window that contains a variable text, e.g. "This access is only allowed in the most urgent emergency; an email will be sent should you still access", and then the window can be accepted or you can cancel the process.

If it had this option also for the "username + password" entries, that would be fantastic. For us it is essential.

Hello,
This is more complex for username and password since it's available in many different platforms: DWL, Workspace, Web UI of Hub and DVLS. I will verify what we could do for that.

Regards

David Hervieux

For anyone who has been looking for something similar. This function has now been released in version 2024.2. See also https://docs.devolutions.net/rdm/kb/rdm-windows/knowledge-base/sealed-entries/

I think the case can now be closed.