Hello,
Is there a way to generate a report that enumerates all groups (and members) who have access to each DVLS PAM credential, and the level/role of access?
I've tried using Get-DSPamFolders, but I don't see any security descriptor attribute that can be further enumerated to identify identities and respective access levels.
Please let me know if you would like any additional information.
Thanks
Joe
Hello Joe!
After some research on my side, it indeed seems that there is no PowerShell command available to achieve what you are looking for.
However, does the information that you can access by going to a PAM credential, clicking on the three small dots at the top right, and selecting "View Resolved User Groups" correspond to the information you want (considering that you want it for all your PAM Credentials)?
Based on that, I will check on my side with the people in charge of the PowerShell module when and if it is possible for them to integrate this information.
Sincerely,
Nicolas
Nicolas Girot
Hi Nicolas,
Yes, the resolved groups info is what is required. Does that also include individual users and Applications/APIs who have been granted explicit access outside of group membership?
It would also be great if there was a 'view resolved users' option that iterates the group members. Viewing the groups is great, but still requires a second step if you actually want to know which individuals have access.
Thanks
Joe
Hello Joe,
Yes, this includes both users and applications added explicitly; however, I must admit that the information is not very clear on display.
Regarding the resolution of users belonging to the group in the UI, there indeed is no shortcut.
I will also ask the person in charge of the Pwsh module to add, if possible, a command to retrieve the result of this endpoint.
I understand that this is not ideal, but it should address your issue within a reasonably short time frame.
In this case, through PowerShell, you should be able to list your PAM credentials and then retrieve the information for each of them using the said command.
With the information received, you should also be able to resolve the users belonging to the group.
On my end, I will create a ticket for analysis, to request an improvement of the view and the creation of a feature to list the information for a set or subset of PAM credentials. However, I cannot give you a timeline for when this will be added to our queue.
Thank you very much for your feedback,
I will get back to you as soon as I have news regarding the addition of the command in PowerShell.
Best regards,
Nicolas
Nicolas Girot
Thank you Nicolas, appreciate the understanding and assistance.
I have discussed with the person in charge of the PowerShell module, and we should have something to help you out by the end of next week. However, I do have some reservations about this timeline considering the upcoming end-of-year holidays and some ongoing priorities.
Thank you for your patience :)
Nicolas Girot