Hello,
While trying to use a DVLS PAM credential for an RDM entry type of 'System Information Report', it responds with an error that this entry type doesn't support the use of privileged accounts.
Would it be possible for the following features to be added:
1) Enable support for the use of privileged accounts for RDM 'System Information Report' entries
2) Add an option in DVLS PAM to allow usage for 'Any' type of entry, so the described limitation can be temporarily overcome while waiting for a feature request to be available/deployed
Please let me know if you would like any additional information.
Thanks
Joe
Hello Joe,
Thank you for your request. I think what you have requested makes sense. For #2, you would like an option to ignore all the usage policies and allow PAM usage on all entries, am I right? Or only on entry types that are not listed?
Best regards,
François Dubois
Hello François,
Thanks for assisting with this. Re #2, there just needs to be a way to allow an RDM entry to use a PAM privileged credential if the corresponding entry type is not present in the policy list, so a simple setting to disable/ignore PAM usage policies would be sufficient.
Ideally every entry type supported in RDM would also be in the PAM usage policy list, and the usage policies per type could be assigned to groups, but for now a simple fix would be fine.
Joe
Hello Joe,
Thank you for your answer. I created a ticket in our backlog. We will post back here once we have an update.
Best regards,
François Dubois
Thanks François. Is it #1 or #2 or both that is in the backlog? Currently it's not possible to use the 'system information report' in conjunction with privileged PAM accounts, so ideally one of the features could be implemented sooner rather than later.
Hello Joe,
To be honest, I added both in the same ticket, but added a note saying that if we have to prioritize one, I suggested working on #2 first since it will allow you to use all entry types. Do you agree or would you prefer #1 first?
Best regards,
François Dubois
Thanks François. Agreed #2 would provide more flexibility so that would get my vote for priority.
Eventually #1 may be required for use cases needing to restrict the types of connections that can use PAM accounts via usage policies for security reasons.
Thank you Joe for your quick reply. I totally agree with your comment, that makes sense.
Best regards,
François Dubois
Hello François.
Any update on this one? With the release of the new PowerShell cmdlet Get-RDMSystemInformationReport, the ability to utilize PAM accounts is somewhat prohibitive to automating the collection of asset info.
Thanks
Joe
Hello Joe,
It is planned to work on that before the next major release 2024.3 planned in September. So you can expect to have that available at that moment. Sorry for the delay.
Best regards,
François Dubois
Sounds good, thanks François.
Hi Joe,
I’m happy to inform you that we’ve just implemented the features you requested in DVLS 2024.3. Here’s a quick summary of the updates:
The BETA is available here:
DVLS 2024.3 BETA - September 9, 2024
Thank you for your valuable feedback.
Best regards,
Geoffrey Gaspari
Thanks Geoffrey, looking forward to testing this out when the official release is available.
Joe
Hi Geoffrey,
Confirmed this works with 2024.3.2. Thanks for your help on this one.
Joe
Hi Joe,
Glad to hear everything works fine. Thanks for your feedback.
Geoffrey