As an MSP we use RDM and Devolutions Server to access our customer infrastructures.
A few of our customers' environments require the use of personalized Administrators. This is where the problem begins.
As far as I know it's not possible to set up multiple privileged accounts in RDM and configure each entry to prompt what privileged account is to be used, since each customer has a different domain, admin naming scheme etc.
For clarification, we use a single vault to manage RDP/SSH Connections to our customers. The vault is divided into folders for each customer.
My current workaround is to use user-specific settings on the entries I frequently use and override the login with credentials from my personal vault. But over time this has become quite annoying and confusing.
Saving personalized admins in the folder of each customer and then prompting them on connection and choosing yours is also not viable as my colleagues and I shouldn't be able to each other's credentials.
Perhaps I'm missing something here and someone can give me some pointers, but it looks like this use case isn't fully supported.
I've disregarded Devolutions PAM for now as it looks like it wouldn't work with remote connections and different domain environments, but maybe I'm mistaken.
Recommended Answer
Hi,
Thank you for the detailed explanation.
For this use case, you should not need to rely on User-Specific Settings for each entry. A cleaner approach would be to configure the shared entries to use Find by name (User vault) as the credential source.
For example, on the shared RDP/SSH entry for CustomerA, you can set the credential mode to: Find by name (User vault)
Then, in the credential name field, enter something like: CustomerA - Admin
Each technician would then create their own credential entry in their own User Vault using that exact same name: CustomerA - Admin
When the shared entry is launched, Remote Desktop Manager will search the current user’s User Vault for a credential matching that name. This means each technician can use their own private admin credential without exposing it to colleagues, while the shared RDP/SSH entries remain common to the team.
You could then standardize this naming convention per customer, for example:
CustomerA - Admin
CustomerB - Admin
CustomerC - Admin
The important part is that the credential entry name expected by the shared entry matches the credential entry name created in each user’s User Vault.
This should avoid the need to store personal admin credentials in the shared customer folder, and should also reduce the amount of per-user configuration required.
Best regards,
@William Alphonso
Thank you for your explanation.
I've tested it with a colleague on a few customers and it works perfectly!