Enhance/Expand "User Credentials"/"Local Credentials"
Enhance/Expand "User Credentials"/"Local Credentials"
1 vote
Currently, in "File" > "My account settings" > "User credentials" (or "Local credentials"), exists a limited set of entries intended for the user's unique credentials. Right now there is:
- My personal credentials
- My privileged account
- My personal SSH key
And, while "My personal SSH key" can only be a SSH key, the other two options can be:
- API key
- Certificate (X.509)
- Custom
- One-time password (OTP)
- Password list
- Secret
- SSH key
- Username and password
In environments where a user has multiple accounts (many reasons for this, such as separation of privileges, or regulatory requirements stating that certain user types cannot login to certain system types, etc), this is quite limiting. Not only could a user foreseeably require multiple different "personal credentials" as well as "privileged accounts", but each of those likely also have associated API keys, certificates, secrets, SSH keys, OTP entries, etc.
Existing documentation refers to the fact that these objects are stored in a Credentials.rdt file (https://docs.devolutions.net/rdm/commands/file/my-account-settings/my-personal-credentials/). Possibly, as a way to address this limitation, I think it would be good to see something like the User credentials section expanded to behave more like a typical vault, which is limited to Credential-type entries, and sessions in local datasources/advanced datasources (with local overrides)/etc, may perform an action such as setting the credentials to "Linked (Credential Vault)".
Something else I would like to see added (separately/independently of the above) is a check on-launch to see whether or not the user has got a "personal credential" and/or a "privileged account" set (ideally, there should be options to set the check for one or the other, or both). I imagine this check working a similar way to when the group policy for "Force login" is set -- if it is enabled without also configuring either "Force Windows credentials and currently logged on username and domain" or "Force application password", then on first launch, the user is prompted which of these two options they would like to use (and to set a password in the instance of application password).
All Comments (3)
Hello,
I'm wondering if for your scenario the User vault could also a possible solution.
Which kind of data source are you using?
Regards,
Min
Hi Min,
User Vaults certainly seem to fit the bill, however, that is only the case when an advanced data source is being used.
In my particular scenario, a lot of endpoints where RDM is installed don't necessarily have direct access or line of sight to an advanced data source but rather are used to jump into multiple other environments where an advanced data source would then be accessible. Large Service Providers would likely also encounter similar limitations, though it's largely dependent on how the management infrastructure is managed/interconnected with customer tenants.
User Vaults really just seem like what "User Credentials"/"Local Credentials" should be, without the need for an advanced data source. We have licensing, but yeah, User Vaults being tied specifically to advanced data sources is problematic.
Hello,
Maybe I misunderstand your environment, so please correct me if I'm mistaken, but from what I understand you're using a local datasource (SQLite I assume), is this correct? If so, a solution would be to make a folder in your SQLite datasource for your credentials, create any number of entries there, and link to them with your entries like RDP.
Is there a reason you're unable to use this as a solution?
Regards,
Hubert Mireault