Hello,
I am not sure if this is a Server or PAM "Feature" - I'll try it here...
Currently we use Delinea Secret Server without the need of a checkout to get the password of an account. Each user only has the ability to see the things he/she has permissions on - so there is no need for us to have this extra step.
How can I achieve this with Devolutions Server and PAM? I found the "Checkout Policies" and configured the approval mode to "None", but that did not change it.
So how can I completely disable the checkout?
Thanks a lot for your help!
Brgds Andreas
Hello,
Thank you for your request. Unfortunately, the checkout cannot be disabled. Setting the approval mode to 'none' will bypass the approval phase, but you still have to check out the account and check it in when you are done with the account. This step will force actions to be logged. Also, most of the time, you probably want to rotate the password after usage. Therefore, the rotation happens after the check-in. This is why the check-out/check-in process is mandatory. What you describe could be done through a simple username/password entry in a shared vault. Would it work for you? A PAM vault brings some requirements, and checkout/check-in is one of them. Otherwise, please don't hesitate to provide more information about your use case, and I will analyze it and let you know what could be done.
Best regards,
François Dubois
Hello,
Thanks for the clarification.
Our use case is that we are thinking about migrating away from Delinea Secret Server to get rid of the two different MFA prompts we currently must have. In Delinea we do password rotation by schedule and not after check-in, and this we would like to keep.
Putting them just in a shared vault is not a solution for us, as we want PAM to do password rotation, but on a schedule and not on check-in. I don't want to annoy our users with a useless popup window. Our workflow is that we use RDM and associate the account from PAM to an entry - e.g. RDP or a website. Then we just open the entry, RDM pulls the credentials, injects them and the session starts.
Please consider this as a feature request. Or do I need to talk to Jean-Sebastien Goyette about this? I am in contact with him, as our setup is just an eval at the moment.
Thanks a lot for your help!
Brgds Andreas
Hello Andreas,
Thank you for your answer, it helped me understand your use case. Since you do password rotation by schedule, using a shared vault is not an option, I agree. Now that I understand the flow you want, we will have a discussion internally to see how we could improve that and let you know once we have an update.
Best regards,
François Dubois
Hello François,
Thanks a lot - I hope this is possible! :)
Brgds Andreas