Devolutions ForumDevolutions Forum

Set Default Vault Permissions

Implemented

Set Default Vault Permissions

avatar
Andreas

Hi

I need to edit the Default Vault Permissions.
Right now, there is "View Password" and "Passwor history" set to "Default (Disallowed).
I didnt find an Option, to set this Value via RDM or Website.

Can you please tell me, where i can set this Permissions?

Thanks,
Andreas

All Comments (17)

avatar
James Lafleur

Hello Andreas,

Thank you for contacting us on that matter!

To change this permission, you will need to go under Administration -> Vault Settings -> Permissions -> Change the "Inherited Permissions" from "Default" to "Custom". From there, you can change the "View Password" and the "Password History" to "Custom" as well and assign the proper "User Groups" and/or "Users":
forum image

For more information, please consult this link: https://help.remotedesktopmanager.com/administration_usermanagement.html

Best regards,

James Lafleur

avatar
Andreas

Hi James

Thanks for your Answer, but we want to change the Default Settings, because we have right now 119 Vaults (will be more in future).
I also didnt found an Option via Powershell and changing 119 Vaults is a little too much.

So is there an Option to change the Default Permissions or mass Update via Powershell?

Best Regards
Andreas

avatar
Erica Poirier

Hello,

We can get the permissions for a specific vault using the Get-DSEntriesPermissions cmdlet of the DVLS PowerShell module but no method to update those yet.

I will verify with an engineer and will keep you posted.

Thank you for your patience.

Best regards,

Érica Poirier

avatar
Andreas

Hi Erica

Thanks for the Input.
Yes, this Command shows me the defined Permissions of the Vault. But it looks like, that this Command loops trough for every Entry in this Vault.
When there are Vaults with thousands of Entries, like on my side, then this command will run in a timeout because it seems like it loops trough every entry because its calling Get-DSEntriesTree.
If you have more than 200 Entries, it will run after some Minutes in a timeout and you will receive an SQLException - Timeout Expired.
With about 40 Entries it needs about 1min to receive the permissions.

Would be great if there would be an option to read only the root Permissions of the specified vault!

Please let me know if you need more Informations or if i can assist somehow.

Best Regards,
Andreas

avatar
Richard Boisvert

Hello Andreas,

Here is a basic example, using the RDM PowerShell module ( you can use Tools > PowerShell (RDM CmdLet) ), to change the rights in all your vault. Please keep in mind it will overwrite the currently set rights, so we recommend you do a backup beforehand.

$(Get-RDMRootSession).Security.Permissions will give you the currently configured permissions of the root of the vault.

#retreive the vaults
$vaults = Get-RDMVault

#change the name of the user group you want to give view password rights
$role = @("user_group")

$properties = @{
    Override="Custom"
    Right="ViewPassword"
    Roles=$role
    RoleValues=$role
}

#loop to every vault and modify the permission at the vault level
foreach($vault in $vaults){
    
    $RDMroot = Get-RDMRootSession
    $RDMroot.Security.RoleOverride = "Custom"
    $RDMroot.Security.Permissions = $properties
    $RDMroot | Set-RDMRootSession
}

Update-RDMui


Best regards,

Richard Boisvert

avatar
Andreas

Dear Richard

Thank you for your Snipped.
Can you please tell me, how to set "Default" and "Everyone" for a specific permission?

I tried the following, get no errors, but doesnt change any permission:

$RDMroot = Get-RDMRootSession

$setPermissions = @{
	"Add" = "Default"
	"Edit" = "Default"
	"Delete" = "Default"
	"Execute" = "Default"
	"EditSecurity" = "Default"
	"ViewPassword" = "Everyone"
	"PasswordHistory" = "Everyone"
	"ConnectionHistory" = "Everyone"
}


$properties = @()
foreach ($perm in $setPermissions.GetEnumerator()) {
$properties += New-Object PSObject –Property @{
	Override="$($perm.Value)";
	Right="$($perm.Name)";
	Roles={};
	RoleValues="";
}
}

$RDMroot.Security.RoleOverride = "Custom"
$RDMroot.Security.Permissions = $properties
$RDMroot | Set-RDMRootSession

Update-RDMUI


The Goal is to overwrite the Vault to this setting:
forum image

Thanks a lot,
Andreas

avatar
Richard Boisvert

Hello Andreas,

The Roles={}; seems to be causing the issues, I replaced it with Roles=@(""); and now it works as expected on my end.

Here is the code I used (only the mentioned lines above was changed):

$RDMroot = Get-RDMRootSession

$setPermissions = @{
    "Add" = "Default"
    "Edit" = "Default"
    "Delete" = "Default"
    "Execute" = "Default"
    "EditSecurity" = "Default"
    "ViewPassword" = "Everyone"
    "PasswordHistory" = "Everyone"
    "ConnectionHistory" = "Everyone"
}


$properties = @()
foreach ($perm in $setPermissions.GetEnumerator()) {
    $properties += New-Object PSObject –Property @{
        Override="$($perm.Value)";
        Right="$($perm.Name)";
        Roles=@("");
        RoleValues="";
    }
}

$RDMroot.Security.RoleOverride = "Custom"
$RDMroot.Security.Permissions = $properties
$RDMroot | Set-RDMRootSession

Update-RDMUI


Best regards,

Richard Boisvert

avatar
Andreas

Thanks Richards, looks good so far (im just wondering, why i didnt saw that i used an invalid array...).
But It looks like, that RDM still ignores settings to get back to "Default". Is there another "Override" param for "Default"?

Thanks,
Andreas

avatar
Richard Boisvert

Hello Andreas,

My pleasure!

Changing the permissions to default is working on my end. For my test, I set everything to never before running the script.

What version of RDM are you using? Also, if your data source is Devolutions Server, can you also specify its version?

Best regards,

Richard Boisvert

avatar
Andreas

Hey Richard

It looks like that ive found whats the Problem on my side: it doesnt matter what i configure on my side. The "view" field in General always returns "Override: Default". I cannot override it, but via RDM it works.
forum image

Can you reproduce that on your side?

Best Regards,
Andreas

Edit: Sorry, forgot the Versions:
RDM: 2021.1.41.0
DS: 2021.1.20.0

avatar
Richard Boisvert

Hello Andreas,

The view override is actually set in a different way from all the others, you would need to assign it with:

$RDMroot.Security.ViewOverride = "Default"


If you are curious, if you set it to custom and would want to assign a role to it, it would be done with $RDMroot.Security.ViewRoles = "name_of_group".

Best regards,

Richard Boisvert

avatar
Andreas

Thanks Richard, that did the trick!
It works this way.

Will this feature be implemented into DS PS Module?
RDM PS Module is really good and has much functions, but its incredible slow.

Best Regards,
Andreas

avatar
Richard Boisvert

Hello Andreas,

Great!

With the 2021.2 release of RDM, the PowerShell module was rewritten for PowerShell 7 (core), it should help and make it multi-platform.

As for the DS module, we have an engineer that is currently working on it, being able to set permissions on entries should be added in the short term.

Best regards,

Richard Boisvert

avatar
Andreas

Hey Richard

It looks like that the Code above is broken with the Module 2021.2.0.30
When i try to update the Root Folder (Vault Permissions), then the Code just runs fine without errors but the Vault has still the Inherited default Permissions set.
When i try to update a Subfolder (Folder Permissions), then the Code reutnrs me a session name Error:

WARNING: Unable to save the entry; invalid data sent

The session name is required


Root Folder Code:

$DataSource = Get-RDMDataSource -Name "DataSourceName"
Set-RDMCurrentDataSource $DataSource
Update-RDMUI
	
if ($DataSource.IsConnected -eq $true)
{
	$RDMVault = Get-RDMRepository -Name $Vault.name
	Set-RDMCurrentRepository -Repository $RDMVault
	
	$setPermissions = @{
		"Add" = "Default"
		"Edit" = "Default"
		"Delete" = "Default"
		"Execute" = "Default"
		"EditSecurity" = "Default"
		"ViewPassword" = "Everyone"
		"PasswordHistory" = "Everyone"
		"ConnectionHistory" = "Everyone"
	}

	$properties = @()
	foreach ($perm in $setPermissions.GetEnumerator())
	{
		$properties += New-Object PSObject –Property @{
			Override="$($perm.Value)";
			Right="$($perm.Name)";
			Roles=@("");
			RoleValues="";
		}
	}
	
	$RDMroot = Get-RDMRootSession
	$RDMroot.Security.ViewOverride = "Default"
	$RDMroot.Security.RoleOverride = "Custom"
	$RDMroot.Security.Permissions = $properties
	$RDMroot | Set-RDMRootSession

	Update-RDMUI
}


Subfolder Code:

$DataSource = Get-RDMDataSource -Name "DataSourceName"
Set-RDMCurrentDataSource $DataSource
Update-RDMUI
	
if ($DataSource.IsConnected -eq $true)
{
	$RDMVault = Get-RDMRepository -Name $Vault.name
	Set-RDMCurrentRepository -Repository $RDMVault
	
	$setPermissions = @{
		"Add" = "Default"
		"Edit" = "Default"
		"Delete" = "Default"
		"Execute" = "Default"
		"EditSecurity" = "Default"
		"ViewPassword" = "Everyone"
		"PasswordHistory" = "Everyone"
		"ConnectionHistory" = "Everyone"
	}

	$properties = @()
	foreach ($perm in $setPermissions.GetEnumerator())
	{
		$properties += New-Object PSObject –Property @{
			Override="$($perm.Value)";
			Right="$($perm.Name)";
			Roles=@("");
			RoleValues="";
		}
	}
	
	$RDMsess = Get-RDMSession -Name "Folder Name"
	$RDMsess.Security.RoleOverride = "Custom"
	$RDMsess.Security.Permissions = $properties
	$RDMsess | Set-RDMSession

	Update-RDMUI
}


Can you help me finding what changed and causing the Problems? Or is there maybe already an option to set the permissions via dvls module? I didnt found something so far on Github.
Thank you in advance!

Best Regards,
Andreas

avatar
Andreas

Hi All

I just tested some more and it looks like when i create or modify a Vault via RemoteDesktopManager PS Module, then everytime some magic happens and the "Vault Settings" are going back to "Data source (Disallowed)":
forum image

When this happens, im not able to modify any Permission Values via Powershell. If i set the Vault Settings in RDM to "Everyone" (as you can see in screenshot above), then im able to run the set permission snipped once. After that, the Vault settings are back to Data source and im again blocked for this Vault until i set it manually back.
I also noticed that im not able anymore to set the "ViewPassword" Permission to Everyone. This is the only Param which will be ignored:
forum image

Can anyone reproduce my problem? Or maybe has a Solution?

Im using the following Versions:
PS RemoteDesktopModule 2021.2.0.30
DVLS Server 2021.2.14.0
RDM Enterprise 2021.2.26.0
Powershell 7.2.1

Best Regards,
Andreas

avatar
Richard Boisvert

Hello Andreas,

I was able to reproduce your issue, the Vault settings always go back to Data Source (Disallowed), even with the latest version of the module (2021.2.0.34).

I will open a ticket with the engineering team to have a look.

Best regards,

Richard Boisvert

avatar
Richard Boisvert

Hello Andreas,

The engineer in charge of the RDM PS module had a look and by adding the following it should save the permissions properly: $RDMroot.Root.Permissions += (New-Object PSObject -Property @{Override="Everyone"; Right="Root";Roles=@("");RoleValues="";})

The end of your root session script would then look like this:

$RDMroot = Get-RDMRootSession
$RDMroot.Root.Permissions += (New-Object PSObject -Property @{Override="Everyone";Right="Root";Roles=@("");RoleValues="";})

$RDMroot.Security.ViewOverride = "Default"
$RDMroot.Security.RoleOverride = "Custom"
$RDMroot.Security.Permissions = $properties
$RDMroot | Set-RDMRootSession

Update-RDMUI


Best regards,

Richard Boisvert