[CyberArk] Add the possibility to select the connection component on each connection attempt.

Hello,

Have you taken a look into the CyberArk Dashboard entry ? It allows you to connect to any of your hosts, using a selected privileged account, and it also prompts you for the component.

You first specify the PSM server in the connection settings :



And then, after starting the session and selecting a vault, you can "Connect using PSM" and choose a component :



Please tell me if that would be a good alternative for you, otherwise we'll open a ticket to integrate your suggestion.

Regards

Hello,

thank you for your quick reply. To keep our current structure inside the rdm I am currently converting every single connection to go over the cyberark psm using the right component.
I exported everything as json, iterate over every connection and manipulate every element to achive this.
So a connection which was former of connectiontype 1(rdp) would be converted to connectiontype 110(psm connection) with PSMComponent PSM-RDP. A connection of type 8(putty) would result in something like this

 {
    "ConnectionType": 110,
    "Group": "Customer\\Cluster",
    "ID": "f3eb8adc-1e53-467a-9f54-9fc474bc433b",
    "Name": "server",
    "OpenEmbedded": true,
    "Stamp": "84f84887-3697-458e-87c4-0ef208a0818e",
    "CyberArkPSM": {
      "Component": "PSM-SSH",
      "ComponentList": [],
      "CyberArkJumpConnectionID": "1f10d47f-649d-4515-b090-4d25fad613be",
      "Host": "0.0.0.0",
      "PrivilegedAccount": "ahd"
    }
  },

So if i could add the components to the Key "ComponentsList", this would result in a drop down or something similar fron which i could choose at start of the connection, I would be very very happy.
Our main aim is to keep the known structure inside the RDM and add the cyberark functions to it.


Kind Regards

Hello,

Your scenario is indeed more specific than I imagined, so adding an option to open with a selected component would be the best solution.

We'll open a ticket to add this feature to RDM and come back to you once we have an update.

Regards

Hello,

We've started to look into adding this feature, and would like your input on the following : Would it be okay for you if the choice of components was based on the list saved on the PSM server entry instead of the PSM connection itself ?

Right now, the ComponentList property is not actually related to the PSM connection (it's a mistake on our part that you can even see it in the json, it shouldn't even be serialized). In theory, what you are suggesting would work, but since the component list is not visible in the PSM connection UI, we'd prefer to avoid it.

Let me know what you think!

Regards

Hi Jonathan,

sorry for responding a little late. I just returned from vacation.
It would be better if we could control the available components for each connection entry so we could avoid the possibility to try to connect to unix-systems with windows-only-components but if there is no other possibility we would appreciate the implementation to choose from the capabilities of the psm server entry.

Kind Regards
Benjamin

Hello,

Have you taken a look into the CyberArk Dashboard entry ? It allows you to connect to any of your hosts, using a selected privileged account, and it also prompts you for the component.

You first specify the PSM server in the connection settings :



And then, after starting the session and selecting a vault, you can "Connect using PSM" and choose a component :



Please tell me if that would be a good alternative for you, otherwise we'll open a ticket to integrate your suggestion.

Regards

This looks really interesting, is there any documentation on this?

Hello Richard,

The CyberArk dashboard documentation is not yet ready, but I can send you a link to download the draft we have via PM.

Best regards,

Hi,

is there any update on this?
I would love to hear some good news. :D

Kind Regards,

Benjamin

Hello,

We've talked about this internally, and don't really want to let users modify these kinds of settings manually. What we'll do instead will be along those lines :

• Add a right click menu "Connect with..." to all sessions
• This menu will list all available PAM dashboards (in your case CyberArk)
• From there, you'll be able to select the desired connection component

I don't have all the details at the moment, but these components will be based on the PSM server, so not something you'll be able to set on the PSM connection directly.

Something we might also do, is add a CyberArk infrastructure import feature, which would import all servers and fill their supported components automatically.

I'll update this thread once I have more information, as we should start working on this in the near future.

Regards

Hi,

is it possible to be more specific what "near future" means?

As the cyberark plugin seems to need an extra license since the last update, I would really appreciate that it fits our needs.

Kind Regards

Hello,

This feature is currently in development, so if everything goes well, it should make it into either the next release (2022.2.12.0) or the one after that.

I can't say for sure when these will come out exactly, but it shouldn't take more than 1 to 2 weeks. I'll come back here to confirm the specific version when it's confirmed.

Regards

Hello,

In version 2022.2.12.0, there will be a new right click menu "Connect using", which will allow you to connect to any session using the chosen component and the currently selected privileged account in an active CyberArk dashboard.

Please let us know if there is anything more we can do to improve your experience.

Regards

Hi,

right now I am on 2022.2.12.0 and missed the "connect with" -Button. After reading your last post once again I understand that this is only in the dashboard. The dashboard is no option for us. It is just every connection without structure. We want to preserve the tree structure from our current rdm-setup. Is there any possibility to add this "connect with"-functionality to the psm client connection type (110) ?

Kind Regards

Hello,

The dashboard is not connections, its only accounts which are just part of the equation for a remote connection.

That being said, it performs a critical role in :

• maintaining an active session against PVWA and only requiring 2FA once when you launch it.
• Allow for the exact same connectivity as the Connect button you have in PVWA.

The "old style" connections use the Alternate Shell capability, which we're told is limited as opposed to the connect action.

Right-Click connect on all connections will be available when there's a dashboard active, you will not need to interact with the dashboard other than selecting the current safe. I do not think we can improve the experience of the old-style PSM-Connection entries as they break RDM's ease of use of the "host" principle, it's too tied to the CyberArk implementation.

We can have a call if you'd like to discuss this further, simply drop me a DM.

Best Regards,