Right now, I have the URL for web administration of a host set up in the External Links section of the host. When I need to access the web UI of a system, I can click that link, and when the new window launches, the browser extension automatically fills the user name and password.
To be able to specify which users are recorded
I think it should be any user that clicks the link in Passwordstate. If there was a desire to specify which users are recorded, that could be done in the PasswordState interface, and the extension would check to see if the user was in the list of users to record the session.
Prevent the users from turning off the recording i.e. uninstalling a browser extension
It's possible they could uninstall the browser extension, but then they would have to check out the password since the browser extension wouldn't be available to fill in the current password. I suppose you could make it more secure by launching a reverse proxy of the site through the Passwordstate server that interacts with the browser extension to allow access. Actually, this would be pretty much like the Browser Based Launcher for SSH. You could place the button for the web administration for a host in the Remote Session Launcher section, along with the notification of recording. Not sure if this would work with something like an Azure or 365 portal, though.
Have the recordings sent to a network share, so they can be replayed back from the UI in Passwordstate
Not sure how the above extensions work, as far as where the recordings are saved. I know an open source application called Posthog can be used by webmasters, where a javascript is added to the web page, and sessions are recorded and saved on the Posthog server.
Thanks!