How are you managing access controls in Wayk Bastion

Is there any way to restrict what machines a technician has access to in the Mongo DB even if it isn't officially supported?

I have hundreds of permissions that I will need to configure, and if my only option is to point and click my way through the web interface, then integrating this product into my environment is infeasible.

How are other people managing permissions? I can't imagine it's all done manually.

All Comments (7)

Hi,

Today, the only way to manage permissions is via the web interface. But there are a few things to help:

  • User groups: You can create user groups and give permissions to the group, so when you have a new user, you only have to add your user to the right groups.
  • Permissions are possible at different levels: You can assign a permission to a user or a group at different levels. First, you can give a user access to all machines, which means the full subscription. But you can restrict the permission to a specific tenant, a specific unit, a specific machine group or even to a specific machine.


From what I understood, you already have the information on who should have access to what in a different format, am I right? You said that you have hundreds of permissions; what is the format of those permissions? We could analyse what could be possible to help you with that. Would it help if we could synchronize Active Directory groups and give permissions to these groups? We don't support that for now, but it is something that has already been discussed. We haven't prioritized that task for now.

Best regards,

François Dubois

We have 3 technical teams and many individual users who need access to specific machines. The use cases are either that they're a true technician on a technical team, or that they are an end user who needs remote access to their work device.

The 3 technical teams will either have access to all machines or a subset of machines depending on which team they're on.
Where this falls apart is for our individual users. We have a couple hundred users who need to be able to access machines 1:1.

There are also a handful of other configurations that will need to be done where non-technical team users may need access to another person's machine, but those could feasibly be done by hand.

Unfortunately, because of this, even synchronizing AD groups will not be of help here.


Hi,

If I understand correctly, the issue is more with the individual users. You would like them to be able to access their own machine, correct? Other than that, your technical teams need permission on almost all machines, so I assume you could restrict access for the few cases where you don't want to give it. And you said that you have a few cases of non-technical team users who may need access to another person's machine, but that could be done by hand since it is probably only a few cases.

So in the end, if we found a way to assign a user to a machine easily, would it work, or do you have other cases that would be an issue? On your side, do you already have the information on who is the owner of a machine? We will discuss that as a team and see how we could improve that.

Best regards,

François Dubois

Your first paragraph is correct. In the end, if there was a way to update who has access to which machine easily, it would work, but anything that requires me to interact via a web interface is less desirable than something I can do programmatically. We do already have all the information about who is assigned to which machine, so even a one-time dump would be helpful, but really, for this to be viable long term, tools that let us Create, Update, and Remove as needed on demand would be ideal.

Hi,

I understand your needs. Would it work for you if you could add permissions via the PowerShell module? We have already talked about improving our PowerShell module to be able to do many operations that you can already do via the web interface (add/delete user, add/remove licence, assign licence, ...). We could probably consider making it possible to add permissions via that PowerShell interface. We know that a lot of people like to automate all their operations, so it could be useful to do operations via the PowerShell module. It is not a task that we have prioritized for now, but I will keep that in mind.

Best regards,

François Dubois

A PowerShell module would be preferable, but I mean any sort of REST API would also be fine.

Hi,

Good, we will keep that in mind. As I said, it is not prioritized for now, but we will see what could be done to help in similar situations.

Best regards,

François Dubois