PAM accounts should be able to be set on folder level to allow for inheritance

Implemented


avatar

Hi!

At the moment, it is only possible to assign PAM accounts directly onto RDP and SSH sessions. You cannot set them on folder level, so inheritance is not possible, which is quite cumbersome compared to using other types of credentials. One of our customers is using personalized PAM accounts instead of service-bound accounts, where each administrator is using his own PAM account, which he uses for a lot of different sessions. They set the PAM account in the user-specific settings and the sessions themselves don't contain any credentials. Right now, they are applying the user-specific settings with batch editing and it works, but setting it at the corresponding folder level and using inheritance would be much more elegant.

Thank you and best regards,
Daniel

All Comments (9)

avatar

Hi Daniel,

Thanks for the feature request.
I thought it was already like you described, but no, you are correct, it's not on folders.
It must be something we forgot to do.

I'll add it to our to-do list and let you know when it's available.

Regards,
David

David Savard

avatar

Hi David,

Great, thank you very much!

Best regards,
Daniel

avatar

I was also referred to this thread by support as we had the same request. I am posting a reply in order to get an alert when this addition is complete.

avatar

Hi,

Any update on this?

Thanks and regards,
Daniel

avatar

Hello,

The engineering team is looking into adding a credential entry of the PAM DVLS (Devolutions Server) type in RDM. This way, it could be assigned to entries like regular credentials, and to folders.

Many PAM features are planned to be added to RDM in the 2021.3 and 2022.1 releases, making it easier to use directly from RDM.

Best regards,

Richard Boisvert

avatar

Hi Richard,

Thank you very much for this information!

Kind regards,
Daniel

avatar

Hello,

There will be a lot of activity in that area. For instance, in the 2021.3 release we will have a new dashboard in RDM to allow many of the operations that could only be done in the web interface.

For the specific feature of this topic though, we will probably need to have a few iterations until we fulfill all of the requirements. I'm pretty sure that we'll be able to add the new credential entry type for DVLS PAM, but most likely with the following conditions:

  • If you have the EXECUTE permission only, the Privileged Account could be used only against "secure" entry types like RDP & SSH.
  • If you have the VIEW permission, we will let you use it everywhere.


For "unsecure" technologies (AKA where there's a risk for the password to be divulged) we intend to have a "Usage Policy" layer that will allow the vault admin to specify exactly where the Privileged Account can be used. This is more likely to be delivered in 2022.1.

We have only 7 weeks remaining until "Code Complete" of the 2021.3 release. I hope we won't diverge from our roadmap, as the release is right around the corner.

Best regards,

Maurice

avatar

This is great news! Cannot wait to try the new features... ;-)

Kind regards,
Daniel

avatar

Hello,
Any word on the release of this functionality? We are anxiously awaiting the ability to add privileged accounts at the folder level or for users to be able to select their own privileged account when opening an RDP session.


Thanks,
Ryan