Best Practices for Permission Management in a Large Remote Desktop Manager Environment

Resolved


Hey everyone,

we manage multiple vaults within Remote Desktop Manager and have already restricted access for different departments primarily at the vault level. Additionally, we also use a permission structure within each vault to grant access to specific Active Directory groups when needed, for example, to allow access to certain passwords.

However, we often find ourselves in situations where we need to duplicate entries or entire folders across different vaults. This frequently requires adjusting permissions at the folder or entry level, adding to the administrative effort. Our environment consists of more than 20,000 entries, making efficient permission management crucial.

We are considering simplifying our approach by enforcing permissions only at the vault level. In this scenario, we would adjust specific permissions directly on entries where necessary, such as "View Password", by just setting the permission to "Allowed" (without selecting specific AD groups here). This might reduce the configuration effort within the vaults and make moving or duplicating entries easier.

What do you think about this approach? How do you, as the vendor, recommend handling this? Would shifting the permission management primarily to the vault level be a viable and efficient strategy?

We are using RDM Enterprise, Devolutions Server and on-prem AD accounts/groups.

Looking forward to your insights!
Thanks!

All Comments (4)


Hi,

Thank you for posting.

In most cases, I recommend setting permissions at the root level and using inheritance on folders as much as possible. It looks like you're doing this already to some extent.

Have you tried setting "Inherited" on sessions/credentials and keeping the permissions exclusively to folders?
If you used this method, you could move/copy entries around without having to modify permissions every time.

You could also test the method you mentioned on a test vault and see if you like the workflow.

Let me know if this helps.

Marc-Antoine Dubois


Hello,

Thank you for the quick response.

Yes, we are already working with inheritance and permissions at the folder level.

However, we face the challenge of moving an entire folder structure (e.g., per customer), including subfolders and some entries.

We had the idea of setting the basic permissions only at the vault/root folder level (based on AD groups) and simply setting special rights (e.g., view password) to ‘allowed’ when needed. Initially, it doesn't sound like best practice to only use ‘allowed’, but based on the vault and root folder permissions, there is already a restriction at the group level, which would make moving much easier.

I hope that was understandable.

Best regards


Hi,

I sent you a direct message as I'd like us to meet and go over your use case.

Have a great day!

Best regards,

Marc-Antoine Dubois


Hi,

In the event that other users find this thread and have a similar setup, here's a recap:

Since they were already applying permissions at the folder level and then using inheritance, we found it safe to use "Allowed" on "View Password" at the entry or lowest folder in the structure.
In the end, it's the same level of permissions as using "Custom", but using "Allowed" makes management easier for them since they can just move entries across vaults without modifying permissions every time.

I'm marking this as resolved.

Best regards,

Marc-Antoine Dubois
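
The reasoning in this thread, as an added example that is not part of the original posts and not Devolutions code: a simplified model of inherited permissions showing that "Allowed" and "Custom" on "View Password" give the same result while the folder stays in its vault, and how each behaves after the folder is moved. The resolution rules, the `Node` class, and all vault, entry and group names are assumptions made for illustration, not RDM's actual implementation.

```python
from dataclasses import dataclass, field

INHERITED, ALLOWED, DISALLOWED = "Inherited", "Allowed", "Disallowed"

@dataclass
class Node:
    """A vault root, folder or entry. Names and groups below are constructed."""
    name: str
    parent: "Node | None" = None
    # permission -> INHERITED, ALLOWED, DISALLOWED, or a frozenset of AD groups ("Custom")
    perms: dict = field(default_factory=dict)

def resolve(node, perm):
    """Walk up the tree until a setting other than Inherited is found."""
    while node is not None:
        setting = node.perms.get(perm, INHERITED)
        if setting != INHERITED:
            return setting
        node = node.parent
    return DISALLOWED  # assumption of this model: nothing set anywhere means no access

def granted(node, perm, groups):
    setting = resolve(node, perm)
    if setting in (ALLOWED, DISALLOWED):
        return setting == ALLOWED
    return bool(setting & groups)  # Custom: user must be in one of the listed groups

def can_view_password(entry, groups):
    # Assumption: a user must be able to view the entry before View Password applies.
    return granted(entry, "View", groups) and granted(entry, "ViewPassword", groups)

def scenario():
    """Effective View Password per user, before and after moving a customer folder."""
    vault_a = Node("Vault A", perms={"View": frozenset({"GRP-CustA"}), "ViewPassword": DISALLOWED})
    vault_b = Node("Vault B", perms={"View": frozenset({"GRP-CustB"}), "ViewPassword": DISALLOWED})
    folder = Node("Customer X", parent=vault_a)
    entries = {
        "allowed": Node("srv01", folder, {"ViewPassword": ALLOWED}),
        "custom": Node("srv02", folder, {"ViewPassword": frozenset({"GRP-CustA"})}),
    }
    users = {"alice": frozenset({"GRP-CustA"}), "bob": frozenset({"GRP-CustB"})}
    def snapshot():
        return {(u, k): can_view_password(e, g) for u, g in users.items() for k, e in entries.items()}
    before = snapshot()
    folder.parent = vault_b  # move the whole folder to the other vault
    return before, snapshot()

if __name__ == "__main__":
    for label, result in zip(("before move", "after move"), scenario()):
        print(label, result)
```

In this model the "Allowed" entry follows the destination vault's view groups after the move, while the "Custom" entry still names the source vault's group and has to be edited by hand, so reviewing who can view the destination vault is the check to make before moving entries.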