More granular PAM Vault permissions

Backlog

Hello,
Our use case consists of personal administrative accounts inside one PAM vault per customer environment. Out-of-the-box, whenever the READER permission is given to a user in a PAM vault, they can use all accounts in that PAM vault, since the permission is inherited onto the PAM accounts by default. All individual PAM accounts need to be edited post-import to remove inheritance, to prevent existing vault users from being able to use each other's personal administrative accounts. However, we also have some shared non-personal "group accounts" that are used by different vault users, which I think is the scenario your PAM product is more aimed at solving.

We would like a new feature, either giving us the ability to change the default PAM vault permissions that would affect newly imported accounts, OR a new vault role with the ability to just see the PAM vault itself (which is required for using any of his/her personal vault accounts), or perhaps only LIST the content of a vault instead of actually being able to use all the accounts.

We understand that we would still need to sort out the task of assigning each vault user to his/her personal PAM account inside each PAM vault.

All Comments (14)

Hello,

Thank you for your request. I just want to be sure that I understand your need correctly. It is not rare that you want to give access to only a few privileged accounts (PA) in a vault (and not all PAs). Today, what you are doing is:

  • Give Reader role to those users at the vault level
  • Set custom security on the account that you don't want them to access and add only users that you want


Am I right?

The problem with that is when you import a new PA in the vault. The security will be set to inherited so all users will have access. You have to change the security to set custom security again.

You would like to be able to give only LIST as the permission at the vault level, and then set the security on the PAs that you want your users to access as Reader. Am I understanding correctly?

Let me know if I understand correctly and I will see how we could improve that.

Best regards,

François Dubois

Hello,
Yes, we have a setup with personal PAs, and the READER role being inherited from the PAM vault to all newly imported personal PAs is a problem for us. We also tried removing READER on the PAM vault, but that makes the vault invisible and prevents the user from using his PA even if he has READER on the PA itself.

As I see it there are two viable solutions. Either a new ROLE that gives permission to connect to a vault or list all PAs in a PAM vault, without being able to use the PAs.

Or more control over inheritance, for example to disable it: giving us the ability to have the READER role on the vault, but preventing it from being the default permission on all imported personal PAs.

Regards,
Simon

Hello Simon,

Thank you for your answer. I understand your point. As a workaround for now, you could give only the Log Reader role to your users on the vault; they will only have the "list account" and "read log" permissions. Of course, they will be able to access the log, which you probably don't want, but I'm letting you know in case it could be acceptable for now.

We will discuss internally how we would like to solve this situation and let you know once we have an update.

Best regards,

François Dubois

Hello,
Thank you for the Log Reader role tip.

We did some more investigations. Apparently, you CAN, without having any vault permission WHILE having PA permissions, browse the PAM vaults to find your assigned accounts when creating a new DVLS Privileged Credential entry. The PAM vaults become visible if they contain PAs that you have permission to use. However, the PAM vaults are NOT visible in the PAM tab or when using the DVLS web GUI, so you can't check in your PA, rotate the password, etc. Check-out requests seem to be integrated though, but the rest isn't really available outside the PAM tab. Maybe we should just call this visibility issue a bug and not have to wait for a new feature :-P

With that being said, I have to disqualify my earlier suggestions: any new LIST permission wouldn't technically be "inherited down to the PAs", since you obviously can list your assigned PAs once you can list the vault. And it wouldn't make much sense adding a LIST permission for PAs you can't use, or adding a new type of vault-only permission, considering how permission is designed in general. So I think the most straightforward and simple solution would be that the PAM vault becomes visible to users that have permission on any PA in the PAM vault in question, aligned with how it works when creating new entries.

I've also thought about control over inheritance, perhaps some kind of "Disable inheritance" option being available when importing accounts or on the vault itself, but it would mess up the current permission architecture. Sorry for getting into solution mode.

Regards,
Simon

Hello Simon,

Thank you for your answer. You are right, I reproduced the situation where I had my Privileged Account listed even if my user didn't have any role at the vault level. I'm not sure if it is normal though. But I understand your point; we are also looking into whether we could give the list permission as soon as you have a role on a PA of the vault. We have to change that carefully, because you can have a role on a PA but if there is a custom value on its parent (folder or vault), it can remove your rights.

Finally, I'm not sure I understand why you said that your suggestion of a list permission would not work. It would be a similar solution, but it would require the user to explicitly add the role at the vault level, and this is where we are wondering if it is a better solution or not. For sure, it would be safer and more explicit as a solution.

We still need discussions internally about that. We will let you know once we have an update.

Best regards,

François Dubois

Hello,
Yeah, you would want a vault visibility attribute rather than a permission tied to roles, in my opinion. I consider the vault itself just a container, with a set of permissions whose sole purpose is to be inherited down to any PA in that vault. So basically just another folder from a system point of view, for the sake of distributing permissions to its respective content.

What I meant was that the PA:s that you have permissions to use are already "visible" on the account level, so nothing would technically be inherited from the vault if you were to introduce a new vault LIST permission or whatever, which makes this odd considering how the rest of the permissions work. Which brings me back to my point above that it's more similar to the "Hidden" folder attribute in Windows, rather than "List (all) folder content". At least that is how I interpret the behavior when browsing from vault entries, but not when using any PAM features directly which I still think should be treated as a bug :)

Anyways, kudos for looking into this

Regards,
Simon

Hello Simon,

I understand your point, thank you for the precision; we will have a look at how we could improve that.

Best regards,

François Dubois

Hello Simon,

I've had a discussion, and we now believe that a minimal role, limited to listing items, would be appropriate. Currently, in RDM/DVLS, accessing anything in a vault requires having access to the vault itself. This is the standard operation, and we prefer to maintain it to avoid inconsistencies between shared and PAM vaults. We suggest creating a "Viewer" role that is restricted to listing items. This role would be similar to the existing Log Reader role, but with a key difference: the Viewer role wouldn't have access to read logs. Have you tried using the Log Reader role to see if it meets your requirements?

If it's beneficial, we could add a viewer role with exclusive listing capabilities. This access could be granted to users at vault level with specific roles assigned within each account. Would this approach be helpful to you?

Best regards,

François Dubois

I would ask for a different approach, since I have too many admins and reworking all the permissions to address this is out of scope for the near term.
Can we have a PAM role that we have to grant to admins to enable them to do PAM admin, otherwise admins could not see all the PAM accounts?
I currently have shared PAM vaults and would like each user to just see their accounts, even if they are admins for other reasons.

Hello,
Yes, that would benefit us; we would use VIEWER as the default permission of our PAM vaults and then proceed with assigning exclusive OPERATOR to individuals without risking any unauthorized inherited usage permissions post-import.
When would this new feature be added?

Regards,
Simon
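As an added illustration (not Devolutions code and not from any poster in this thread): a small Python model of the vault-to-account inheritance discussed above, with an audit check that lists which non-owners end up able to use a personal account under today's READER default versus the proposed VIEWER default. The READER, Log Reader, VIEWER and OPERATOR role names come from the thread; the capability set assumed for each role, the "no vault role means the vault is invisible" rule, and the sample users and account are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed capabilities per role; VIEWER is the list-only role proposed in the thread.
ROLE_CAPS = {
    "READER": {"list", "use"},
    "LOG_READER": {"list", "read_log"},
    "VIEWER": {"list"},
    "OPERATOR": {"list", "use"},
}

@dataclass
class Account:
    name: str
    owner: Optional[str] = None                    # set for personal admin accounts
    custom_roles: Optional[Dict[str, str]] = None  # None => security inherited from vault

@dataclass
class Vault:
    roles: Dict[str, str]                          # user -> role at vault level
    accounts: List[Account] = field(default_factory=list)

def effective_caps(vault: Vault, account: Account, user: str) -> set:
    """Assumed rules from the thread: no vault role => vault invisible, nothing usable;
    inherited security => the vault role applies; custom security => its roles only."""
    vault_role = vault.roles.get(user)
    if vault_role is None:
        return set()
    if account.custom_roles is None:
        return ROLE_CAPS[vault_role]
    role = account.custom_roles.get(user)
    return ROLE_CAPS[role] if role else set()

def audit_personal_accounts(vault: Vault) -> List[tuple]:
    """(user, account) pairs where someone other than the owner can use a personal account."""
    return sorted(
        (user, acct.name)
        for acct in vault.accounts if acct.owner
        for user in vault.roles
        if user != acct.owner and "use" in effective_caps(vault, acct, user)
    )

def before_and_after():
    """Constructed sample: today's READER default versus the proposed VIEWER default."""
    users = ["alice", "bob"]
    today = Vault(roles={u: "READER" for u in users},
                  accounts=[Account("adm-alice", owner="alice")])  # inherits READER
    proposed = Vault(roles={u: "VIEWER" for u in users},
                     accounts=[Account("adm-alice", owner="alice",
                                       custom_roles={"alice": "OPERATOR"})])
    return audit_personal_accounts(today), audit_personal_accounts(proposed)
```

Running `before_and_after()` flags bob as able to use alice's freshly imported personal account in the first vault and nobody in the second, which is the post-import exposure the thread is about.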


Hello Simon,

Great, now that I know it would help, I'm adding a ticket in our backlog. I would like to have such a role in our next major release, planned for February 2024.

Best regards,

François Dubois

Hello @bild675,

We plan to improve our security to split the administrator role in a future release. We plan to remove automatic rights on vaults for administrators. Today, as soon as you are an administrator, you can access all vaults, but we think that it could make sense to remove rights in the vault for administrators. You would have to give specific rights if that administrator requires them. An administrator would see only his own Privileged Accounts and not all of them. I think it could fill your need. Don't hesitate to let me know if you have questions.

Best regards,

François Dubois

Hello François,

For this one, there is some crossover with thread https://forum.devolutions.net/topics/39585/custom-permission-sets-for-dvls-pam#177111

For regular RDM vaults, custom roles / permission sets are possible; it would be great if this was extended to PAM.

Thanks
Joe

Hello Joe,

You're right, it is related. There is a small difference I think. We would like to add a built-in role available just to list accounts. It would help users who want to give access to only a few accounts in a vault, and it makes sense for anybody. It could be added easily through the database, but I tested and we have issues. So before adding it, and adding a way to create your own roles, we have to be sure that the system will support it correctly. Thanks for the link between both threads.

Best regards,

François Dubois