Permissions detail in the RDM UI and Audit needs for Vault permissions reporting
We are called on to summarize Vault permissions from time to time. When that happens we need to be able to either 1) go to a screen which summarizes permissions which are applied to the subject Vault, as in the case of a tech manager holding discussions w/ vault admins, or for an Audit request, 2) a PDF/CSV/XLSX report which is easily understood by the internal or external audit team. As I see the product, we don’t have either of those with the current UI or Reporting. We have less than 200 vaults but the number is growing and we need to be able to better review, manage and audit permissions in a streamlined fashion.
Re: case 1), we can "kind of" get a view of the data from an administrator type view by using the Security > Inherited Permissions view, then mouseover each area, going through each tab for each area of permissions (General, Security, Attachments, etc). A single summary pane-of-glass dialog would be easier to assess. (We make heavy use of inheritance which in the dialog boils down to a single line in the UI). From that point we need to work backwards to assess. For example a summary grid with permissions listed would help. I do appreciate the level of detail afforded by the 5 tabs, but discussing and quickly grasping permissions doesn’t happen with this screen layout. The new permissions descriptions in the 2024.x releases do help with understanding permissions, but with inheritance the underlying detail is left out.
Re: case 2), we have been required to produce reports for audit teams, such as: what do users/groups have access to in Vault XYZ, or a vault-by-vault report. Auditors require a very concise listing. I don’t see that as available. If I had to prioritize the request, I would choose audit first.
Could these be considered for feature requests? Thank you,
Phil
Hello,
There may be some crossover here with https://forum.devolutions.net/topics/40824/auditing-pam-credential-access#185067
While the other thread pertains to auditing PAM access, there is a collective requirement to be able to automatically generate a detailed report of individuals' access to entries for auditing purposes. Often in larger companies, auditors request detailed information on who has access to what in RDM/DVLS/PAM, and being limited to retrieving this info via GUI screenshots is cumbersome and not easily repeatable, nor scalable when there are thousands of entries.
Joe
Hello Phil,
Thank you for your feature request. The timing is really good because we are currently working on new reports to show users' access. Those reports will be useful for audit purposes for sure. Here is a list of reports that we plan to add:
What you are looking for is probably Connection Permission. You want to know who has access to what in your vault, am I right? Our plan for that report was to list users with permission on the root, then list all the connections under the root that are configured with Custom. All connections configured with Inherited would be ignored and not listed, to avoid too much information in the report. So if you have Edit permission on the root, it means that you have Edit permission on all connections. But if you don't have Edit permission at root level, you could have Edit permission on a specific folder/entry, so that one would be added to show that you have Edit permission on that entry. Is such a report something that could help you? As soon as I have a draft of that report, I will send it to you by direct message, because I would really appreciate your feedback to be sure that we are going in the right direction to cover your case.
Best regards,
François Dubois
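The report logic described in the post above (root grants listed, Custom entries listed, Inherited entries skipped), as an added Python example that is not part of the original thread and not Devolutions code. The `Node` model, the sample vault and users, and the rule that a Custom setting replaces the inherited one for that right are all assumptions made for illustration.

```python
import csv, io
from dataclasses import dataclass, field

@dataclass
class Node:                      # hypothetical model, not the RDM schema
    name: str
    custom: dict = field(default_factory=dict)   # right -> users; empty = Inherited
    children: list = field(default_factory=list)

def walk(node, path="", inherited=None):
    """Yield (path, node, effective rights) top down; Custom replaces inherited."""
    path = f"{path}/{node.name}" if path else node.name
    effective = {**(inherited or {}), **node.custom}
    yield path, node, effective
    for child in node.children:
        yield from walk(child, path, effective)

def report_rows(root):
    """Root grants plus Custom entries only; Inherited entries add no rows."""
    return [(path, right, user)
            for path, node, _ in walk(root)
            for right in sorted(node.custom)
            for user in sorted(node.custom[right])]

def effective_users(root, target, right):
    """Expand the concise report: who holds `right` on the entry at `target`."""
    for path, _, effective in walk(root):
        if path == target:
            return set(effective.get(right, ()))
    raise KeyError(target)

def to_csv(rows):
    """Render report rows as CSV text for an audit hand-off."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["path", "right", "user"])
    writer.writerows(rows)
    return out.getvalue()

def sample_vault():
    """Constructed sample data: vault, folders and users are invented."""
    db01 = Node("db01", custom={"Edit": {"alice", "bob"}})
    fw01 = Node("fw01")
    return Node("VaultXYZ", custom={"View": {"alice", "bob"}, "Edit": {"alice"}},
                children=[Node("Servers", children=[db01]),
                          Node("Network", children=[fw01])])

if __name__ == "__main__":
    print(to_csv(report_rows(sample_vault())), end="")
```

An auditor reading the concise rows still has to apply inheritance mentally for entries that are not listed; `effective_users` shows that expansion for a single entry.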
Hello Joe,
Thank you for your input in that thread. As I wrote in my previous message, we are working to have a report to list connection permissions. It should work for PAM vaults as well, since we are currently working to handle PAM accounts the same way as shared entries. It means that we are removing PAM roles to move to the permission system directly on the account, like we have in shared vaults. It means that having a report where we list all PAM roles for vaults/accounts doesn't make sense anymore. Our goal is to remove as many differences as possible between shared vaults and PAM, to avoid two different systems in parallel where it duplicates our work.
In conclusion, I wanted to let you know that we will cover PAM permissions as well with the Connection Permission report. It will allow you to specify a vault (shared or PAM) and we will list all users with permissions on the root and all users with custom permissions on entries in that vault.
Don't hesitate if you have questions,
Best regards,
François Dubois
Hi François,
Thanks for the update. Sounds like some great progress is being made with reporting on permissions. Looking forward to testing it out when available.
Joe
Hello François,
Is there an ETA for the PAM credential access reporting, given 2024.3 seems to have reduced the discrepancies between PAM and regular shared vaults?
Thanks
Joe
Hello Joe,
The Entry Permission report should be updated soon to allow you to select a PAM vault and see all permissions assigned in the vault. Same thing with the Vault Permission report, where PAM vaults will be available in that report. They should be updated for the next release, planned in 1-2 weeks.
Best regards,
François Dubois
OK, that's great, thanks François