Hi there
It would be helpful if it were possible to specify a "Temporary group creation location" per Privilege Set.
Today it is only possible to specify a single "Temporary group creation location", which is used for all Privilege Sets.
Best regards,
Philipp
Hello Philipp,
Thank you for your request. Could you elaborate on your use case to help me understand your needs better? I think it might be possible, but I can foresee a few edge cases. A privilege can be included in many different Privilege Sets. So, where would you like to create the temporary group when you ask to be elevated with that privilege that is part of many Privilege Sets? And if you request many privileges when you do the checkout, would you expect to create many temporary groups if you select privileges from different Privilege Sets?
Let me know how you see that, and we could look into how we might integrate such an improvement. Thank you again.
Best regards,
François Dubois
Hello François,
Well, in our Active Directory we have an OU structure which separates different tiers, e.g.:
root
|
|_OU: TIER_0
|  |
|  |_OU: TIER_0_GROUPS
|  |_OU: TIER_0_ADMINS
|
|_OU: TIER_1
|  |
|  |_OU: TIER_1_GROUPS
|  |_OU: TIER_1_ADMINS
|
|_OU: TIER_2
   |
   |_OU: TIER_2_GROUPS
   |_OU: TIER_2_ADMINS
There's delegation of control configured between the tiers.
We mapped the tier structure to Dvls PAM and use the Privilege Sets to separate the privileged PAM accounts between the tiers. We have a 1:1 relation between privileged accounts and Privilege Sets.
From a logical but also a security point of view it would be helpful if, let's say, the accounts of Privilege Set "TIER_0" would create their temporary JIT group in OU "TIER_0_GROUPS" and the accounts of Privilege Set "TIER_1" would create their temporary group in OU "TIER_1_GROUPS".
Currently I can specify only one location for the temporary groups. I hope this clarifies the request.
But I understand that my request conflicts with scenarios where a privileged account is included in many Privilege Sets (1:n). Maybe you guys still have an idea how both scenarios could be fulfilled.
Best regards,
Philipp
Hello Philipp,
Thank you for your answer. I understand your needs and see that it could work in such a configuration where you have a 1:1 relation between accounts and Privilege Sets. We will talk internally and see what could be done in such a situation. We will post back here once we have an update.
Best regards,
François Dubois