Goossens

Members
  • Posts

    35
Reputation Activity

  1. Like
    Goossens got a reaction from tboggs13 in Develop Yubikey ONLY auth for browser plugin (FIDO 2) to replace Master Password   
    +1
    Please include Windows Hello (which is also FIDO2 certified)
  2. Like
    Goossens reacted to John Berkers in JSON/Leaf Syslog Formatting for remote logging   
    We would like to request the same.  We have been using PasswordState for a long time (8 or 9 years?), and have added it to our SIEM for correlation.  The major issue is that the Syslog messages are far too "English" to be easily parsed with Regular Expressions.
     
    Having an option to send the data in a structured, machine parsable, way would make ingestion into a SIEM much easier.  We don't really care which standard is followed, so long as it is consistent.
     
    Formats typically supported by SIEMs are:
     
    • LEEF
    • CEF
    • JSON
    • Key Value Pairs (key1='value1' key2='value2' or key1: value1; key2: value2)

    We would be looking for the following information in the logs (not necessarily in this order):
     
    For password operations:
    • Operation Performed
    • Who performed it (domain\user or user@domain.net, display name is optional, or API)
    • Client IP/hostname
    • Result (Success/Fail)
    • Full path to password list (group/folder structure)
    • PasswordList ID
    • PasswordEntry Title
    • PasswordEntry ID
    • PasswordEntry Username

    For authentication events:
     
    Authentication could be split across multiple logs
    • Authentication against Primary Authentication Server
    • Authentication against additional Authentication server (e.g. MFA, token, etc.)

    For these we would expect:
     
    • Authentication Server Name
    • Authentication Method (AD, LDAP, SAML, OAuth, etc.)
    • Auth status (success/fail)
    • Auth status reason (if available), e.g. account locked, account disabled, account does not exist, etc.

    For host operations:
     
    • Operation Performed
    • Who performed it (domain\user or user@domain.net, display name is optional, or API)
    • Client IP/hostname
    • Result (Success/Fail)
    • Full path to host (group/folder structure)
    • HostEntry ID
    • HostEntry Hostname
    • HostEntry Site
    • HostEntry IP
    • Connection Port

    Some additional information may be useful, but this would be among the minimum critical information.
     
    Hopefully enough people are interested in this to make it happen.
     
    Regards,
    JohnB
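
Added example (not part of the original post and not PasswordState output): a strict parser for the key1='value1' key2='value2' layout the post mentions, run over constructed log lines to count failed authentications per user. The field names are hypothetical, and values are assumed never to contain a single quote.

```python
import re
from collections import Counter

# Constructed sample lines in the key1='value1' key2='value2' layout. Field names are
# hypothetical, chosen to mirror the information the post asks for.
SAMPLE_LINES = [
    r"event='auth' user='corp\jdoe' client_ip='10.0.0.5' auth_server='DC01' method='AD' status='fail' reason='account locked'",
    r"event='auth' user='corp\jdoe' client_ip='10.0.0.5' auth_server='DC01' method='AD' status='fail' reason='account locked'",
    r"event='auth' user='asmith@example.net' client_ip='10.0.0.9' auth_server='MFA01' method='SAML' status='success' reason=''",
    r"event='password_view' user='corp\asmith' client_ip='10.0.0.9' result='Success' list_path='\Infra\Prod' list_id='112' entry_id='46411'",
    # An unescaped quote in a value that smuggles in a second status field.
    r"event='auth' user='x' status='success' client_ip='10.0.0.7' status='fail'",
]

# One key='value' pair, followed by whitespace or end of line.
PAIR = re.compile(r"\s*(\w+)='([^']*)'(?:\s+|$)")

def parse_kv(line):
    """Parse a whole line into a dict; reject anything that is not pure key='value' pairs."""
    fields, pos = {}, 0
    line = line.strip()
    while pos < len(line):
        m = PAIR.match(line, pos)
        if not m:
            raise ValueError(f"unparseable text at offset {pos}")
        key, value = m.groups()
        if key in fields:
            # Duplicate keys are ambiguous (which one wins?), so refuse the line.
            raise ValueError(f"duplicate key {key!r}")
        fields[key] = value
        pos = m.end()
    return fields

def failed_auth_by_user(lines):
    """Count failed authentication events per user; return (counts, rejected_lines)."""
    failures, rejected = Counter(), []
    for line in lines:
        try:
            fields = parse_kv(line)
        except ValueError:
            rejected.append(line)  # keep for review instead of guessing at the meaning
            continue
        if fields.get("event") == "auth" and fields.get("status") == "fail":
            failures[fields.get("user", "<unknown>")] += 1
    return failures, rejected

if __name__ == "__main__":
    print(failed_auth_by_user(SAMPLE_LINES))
```

Rejecting lines with duplicate keys or stray text keeps a value that contains a quote from silently overriding a field such as the authentication status.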
     
  3. Like
    Goossens reacted to cladmonitor in API OTP additional response   
    We use PasswordState with the Devolutions product Remote Desktop Manager and have spent about a year working with them on changes to incorporate the new OTP API call you integrated last year. They have pointed out a shortcoming between the two products that they are asking me to pass along.
     
    Because the OTP is a time-sensitive response, the time in which it can be used or injected into a session causes an issue for usability.
     
    Could the API pass two details back:
    1. The OTP result (As it is now)
    2. The time remaining for valid use? 
     
    #2 is subjective on the return; milliseconds may be better since it's far more accurate than seconds. A time code to expiration would work, but any differential in the time on the system making the request could make this a problem.

    I'm worried about backwards compatibility, so we are not sure if it would be an entirely new endpoint. Whatever you come up with will be helpful!
  4. Like
    Goossens reacted to BigDaddyJ in Folder level API access   
    Please add the ability to allow the folder level API key permissions to be propagated to the lower level folders, lists, and passwords.  We would like to give some of our teams API access to all the items under their team folder without using the system wide API key or the Windows access API.
  5. Like
    Goossens reacted to Mordecai in [WinAPI/API] Get Permissions of folder   
    Hi,
     
    Short Version: For automating permissions of folders I need the ability to view the currently configured permissions for a folder; this is an essential feature. Can you please create a report or an API method for getting folder permissions? Thanks.
     
    Long Version:
    In another post you said, that we should use the predefined reports to get permissions of folders/passwords/passwordlists via the API.
    But I cannot find a report where I can view the permissions of a folder. Only for Passwords and Password Lists.
     
    Password Permissions: Report 43: https://passwordstate/winapi/reporting/43?SiteID=0
    PasswordList Permissions: Report 23: https://passwordlist/winapi/reporting/23?SiteID=0
     
    It seems to me that Report 23 is only for Password Lists, Report 43 is only for Passwords. Report 24 & 25 are for users and groups (reverse).
    Report 38 is for folders, but the result is only a count on the administrators of the folder.

    I have tested all permission reports; they work and I can use them for many purposes (thanks for this). But unfortunately, as I said, I'm missing a report about folder permissions.
    Which report should I use? Or can't you introduce a new property in the API for this?

    Thanks,
    René
  6. Like
    Goossens reacted to Patrik in Feature Request: Purge permissions either by API or when disabling inheritance   
    Hi
     
    I would like to suggest a feature that lets me purge all groups' and/or users' permissions on a folder or passwordlist, either by API or by making it the default behavior when disabling inheritance on a new folder, maybe with the added option to copy permissions from the top.
     
    My company uses a folder structure and advanced mode permissions in a model like the one below. My problem is that every time I create a new folder structure for an application or system I have to manually delete all the groups and users that are copied to the new folder from the top even though the inheritance is disabled.  The other solution is to use the API to first get all the securitygroups, then for each securitygroup try to delete it from the newly created folder; not a nice solution in my opinion.
     
    Folders example:
     
    Applications [every securitygroup (~50-100) can view]
    -Application1 [inherit from top]
    --Test [inheritance blocked, only securitygroup for the application and environment can view/modify]
    --Acceptance [inheritance blocked, only securitygroup for the application and environment can view/modify]
    --Production [inheritance blocked, only securitygroup for the application and environment can view/modify]
    -Application2 [inherit from top]
    --Test [inheritance blocked, only securitygroup for the application and environment can view/modify]
    --Acceptance [inheritance blocked, only securitygroup for the application and environment can view/modify]
    --Production [inheritance blocked, only securitygroup for the application and environment can view/modify]
     
    Best regards
    Patrik
  7. Like
    Goossens reacted to support in List Permissions in API   
    We would like to be able to extract a list of individual password permissions via API. Right now, we can only add/update/delete, but not get the current permissions.
     
    This would be a great help in our work to automate permissions handling via active directory for thousands of service accounts and similar if we were able to also get any current permissions.
     
    Perhaps it could be included as part of the data that's returned by the 'Retrieving a password' function, as a nested array. If we use the example in your API documentation, it could look something like this (See bold text at bottom):
     
     
    GET 'https://passwordstate/winapi/passwords/46411'
        # Response
        HTTP/1.1 200          
        [
            {
                "PasswordID": 46411,
                "Title": "forum4",
                "Domain": "",
                "HostName": "",
                "UserName": "login2",
                "Description": "My login to forum4",
                "GenericField1": "loginasa",
                "GenericField2": "",
                "GenericField3": "",
                "GenericField4": "",
                "GenericField5": "",
                "GenericField6": "",
                "GenericField7": "",
                "GenericField8": "",
                "GenericField9": "",
                "GenericField10": "",
                "GenericFieldInfo": [
                    {
                        "GenericFieldID": "GenericField1",
                        "DisplayName": "Pin Number",
                        "Value": "0000"
                    },
                    {
                        "GenericFieldID": "GenericField2",
                        "DisplayName": "Surname",
                        "Value": "Reznor"
                    }
                ],
                "AccountTypeID": 0,
                "Notes": "",
                "URL": "http://www.microsoft.com",
                "Password": "ZHn#3+A^yc",
                "ExpiryDate": "23/08/2012",
                "AllowExport": true,
                "AccountType": "",
                "OTP": "",
                "Permissions": [
                    {
                        "UserID": "domain\\User1",
                        "Permission": "M"
                    },
                    {
                        "UserID": "domain\\User2",
                        "Permission": "V"
                    }
                ]
            }
        ]
     
     
  8. Like
    Goossens reacted to deloid in GET method on permission-related API calls   
    I'd like to see a GET method implemented for permissions so they can be retrieved.