Automatic data source configuration / assignment of credentials templates to users
As we have many users that have RDM and Launcher client we would like to avoid manual configuration of data sources and credentials templates.
Can you look into an option to implement this, to add additional switches in the installer, so that the data source can be defined during the silent installation?
Can you include a way to push "mandatory" template to user groups? For instance, currently, user must manually import a template to his user vault. And if there is a change to the template, he needs to delete the current template and re-import a new one.
Currently our vaults do not contain any secrets. Users import credentials template to their user vault. The template holds secret lookups for Delinea PAM.
Hello,
Thank you for your request. Custom installers can be used to automatically set up the data sources. Here is the documentation: https://docs.devolutions.net/rdm/installation/client/custom-installer-service/custom-installer-manager/
Regarding your second request about having a mandatory template, could you explain more about what is needed? I understand that you want to set up your user's vault with pre-configured entries, am I correct? Also, do you wish to update these entries frequently?
Best regards,
François Dubois
Hi Francois,
We are already using custom installers, would it be possible to add additional switches for msi packages?
As for the second point - exactly, we would like to have a way to push templates to user's vault.
To put more information about our use case:
We have multiple teams that have their dedicated vaults (only connections are stored in those vaults, no secrets).
For those teams we built different templates that hold shared service accounts ("Delinea secret server (Credential)"). As we are adding new connections (new server or device gets provisioned/installed) we often update templates with new shared service accounts, and then we need to notify the user, to delete the "old" template and import a "new" template where new accounts are added.
If there would be a possibility to create templates, that automatically get deployed and updated to user groups, that would fit our needs. Preferably, the template would be "locked" for editing for the users - so that only DVLS administrators or specific group can edit.
Hello,
For the MSI package switches, it would be useful to know what kinds of switches you would need, and why the custom installer doesn't work for your needs?
You might also be interested in the concept of the default.cfg file, which is what the custom installer uses to give users their default settings. You can distribute this file through other means you see fit. This article in our knowledgebase is about installing RDM in a terminal service environment, but the usage of the default.cfg file described in there is applicable in a non-terminal-service environment to give users a default configuration: https://docs.devolutions.net/rdm/installation/client/terminal-services/#workflow
For the 'templates' in your user vaults, would it be possible for you to give an example of what the admin pre-configures, and what the user then enters themselves in the credential entries? Credential entries that link with third party services like the Delinea entries usually have the "Use my account settings" checkbox:
The goal of this setting is so you can store this entry in shared vaults, but every user using this entry would be logging into the service with their own credentials, rather than a set of credentials the admin provides. You can of course configure the entry to be in "always prompt with list" if the users would want to access a different list of credentials than their colleagues.
Can you let me know if this is something you already explored, and if so, what made it so you couldn't use it in your environment or why it made it more difficult to use than your current solution?
Regards,
Hubert Mireault
Hi Hubert
As for the point of custom installers, we have no issues with them per se. We are just looking into possibilities on how to decrease our efforts when patching the platform, which we do on a very regular basis. As a part of these upgrades we are also pushing out the clients to be updated, meaning we manually need to create a custom installer and use that msi in the deployment. So if we could define the switches for the datasource that would perfectly suit our needs. We are interested in switches from the Data Sources -> General tab.
As for the second part of our conversation, we have dozens of credentials templates for different support partners. The reason for this is due to the policy that secrets should be in Delinea, not in RDM.
Here is an example of one such template: ![Remote Desktop Manager [Entry templates].png](https://forum-api.devolutions.net/api/messages/221121/attachments/Remote Desktop Manager %5BEntry templates%5D.png)
And normally a new team member of the operations partner just needs to import this template once to his user vault -> when he is onboarded to RDM or Launcher, and he is off to the races.
What we would like to add to the templates functionality would be the possibility:
- That we can define groups, which will automatically receive a pre-defined template.
- That admin can add/edit/remove a secret/entry from a template -> and this will automatically be updated at the user vault of the users.
- Possibility to lock secrets from being editable by the user. Example in the upper template would be, that we only allow the user to edit A-Account and User account (since 75% of users are not members of our domain, we cannot use the %USERNAME% environmental variable).
If you would like, we can get on a short call, where I could showcase this?
Hello,
For the switches, we will have to investigate what we can do, but for now I would recommend using the default.cfg feature that I mentioned. Here is an updated help topic on the subject, since I felt the previous one had too much unnecessary information: https://docs.devolutions.net/rdm/kb/knowledge-base/cfg-file-usage-distribution/
This file can be distributed through MDM systems like Intune, and it can help you make large deployments and ensure that your users have the same default configuration on their first use of the application. In your case for example, you can distribute the configuration to their datasource that way. This avoids needing to use Custom Installers, instead you just need to distribute this lightweight file.
For the specific points you mention about the templates, we will have to think about it and discuss internally. The only way I see this working at the moment, it would be if these entries that were created from templates were un-editable, otherwise it would not be possible to ensure they were properly synchronized with the source. But, if they worked this way, it comes back to having the same behavior as using entries in a shared vault, but in a more restrictive way.
As for the setup with your Delinea accounts, from the environment you described, it should be possible to make these entries available in shared vaults, making sure to use the "use my account settings" configuration. The reason for that is that you could then easily update these entries or add new ones, as well as add permissions to restrict editing these entries for your users. You will not need to set up a variable like %USERNAME% (which would not work for you as you said), since checking the "use my account settings" configuration will let your users enter their credentials once for them to be saved and reused for all other entries of that type. These credentials they enter aren't shared with other users, so all of your users will have their own set of credentials to be used, which will then be used to fetch the information from Delinea.
I will ask one of our support agents to schedule a short session with you so you can show your environment and get a small demo of what I'm mentioning to see if it could work for you.
Regards,
Hubert Mireault
Hello,
I created the ticket on your behalf. You should soon receive a link to book a support session.
Best regards,
Érica Poirier