Current State:
RDM UI + DS data source
Users access the environment from RDM
We are onboarding our user accounts into PAM from multiple domains. Users are provided with contributor rights to their own entries.
Our Session entries are overridden by a single credential entry for each domain.
Users use User Specific Settings to override the above credential entry to establish their own credentials into the session.
Issue:
Currently, there is a limitation that user specific session credentials cannot be overridden directly from a PAM vault. As a result, users need to configure "my user vault" entries as a middle man step to allow their PAM objects to override session credentials.
Our less technical users are struggling to correctly configure the user vault and user specific session overrides for the created object.
Questions:
Before we go down the path of creating a script from scratch:
Hello,
This is currently available in version 2023.3.37.0 of RDM.

Best regards,
I am not seeing a privileged account option on a Username / Password Credential Management object. Is there an alternate Credential Management object type that has Privileged Account as an option?
Hello,
You are correct, the option is not available on a credential entry. This option is to overwrite the credential used on a session entry.
Best regards,
That would not be feasible in our case as we have ~5000 session entries that we override with ~5 credential entries.
To clarify the above,
We have one credential entry per domain that all session entries in the domain are overridden by. Users of the domain supply user specific overrides to that entry to gain access to all 1000+ systems in the domain with a single edit.
Following up on the above, have we seen any progress on allowing users to override a credential object with a PAM credential?
Hello,
Sorry for the long delay and inconvenience. We had a look at why you can't select a PAM Account on a credential entry and we don't see any good reason to block it. I just created a ticket in our backlog to allow you to specify a PAM Account in the user specific settings of a credential entry. Of course, if that credential is linked with a session, that session will have to be allowed in PAM Usage Policies to be launched.

Meanwhile, I don't know if it could help you, but it is possible to set the user specific settings on a folder with a PAM Account. I don't know if you could set the password at the folder level and set the user specific settings there, but I wanted to let you know if it could help you before a fix is done in RDM.
Let us know if you have other questions, we will post back here once we have an update.
Best regards,
François Dubois
Hello,
That issue will be fixed in the next RDM release (2024.1.26.0). It will be possible to set a PAM Account in the User Specific Settings for a credential.
Best regards,
François Dubois