Jump to content

Approval requests to security group


Buckit

Recommended Posts

Hi there,

 

Right now I'm still very much a newbie, so I hope this hasn't been requested yet. I'm in the process of running a limited PoC before moving towards the Enterprise level purchase. 

 

Instead of sending approval requests for password usage to one or two specific people, I would very much prefer the possibility to assign the approval request to a security group. This will allow us to designate a team of security officers to the task of approving password usage. I would also like the possibility to apply these requirements to a password list as a whole, or to specific security groups. 

 

E.G. Junior admins will always require approval for all their requests from all Linux lists, while Senior admins only require approval for Linux PROD but not for Linux DEV.

 

Cheers,

 

 

Buckit.

Link to comment
Share on other sites

9 hours ago, Buckit said:

Instead of sending approval requests for password usage to one or two specific people, I would very much prefer the possibility to assign the approval request to a security group. 

Correct me if I'm wrong, but password list admins get the approval requests for access to password lists.

So assign a security group as the password list admins, and all members of that group should get the approval requests.

The same applies for individual passwords, the administrators of the passwords parent password list get the approval or deny requests. 

9 hours ago, Buckit said:

E.G. Junior admins will always require approval for all their requests from all Linux lists, while Senior admins only require approval for Linux PROD but not for Linux DEV.

This comes down to how you setup the permissions.

Create a Junior Admins group, that group has no permission to any lists - they must "request access", the admins of that group then approve the access.

Senior Admins group get permissions (view or modify) to your development password lists, but must request access to your production lists.

 

Our passwordstate is setup with environment folders which then contain password lists - Dev, Prod, QA, Test etc. 
Password lists permissions (using your example) would mean Senior Admins can see and access the passwords/password lists in the dev folder, but not in prod, qa, test without requesting that access first.
Junior Admins wouldn't see anything besides those they've been granted access to that they've requested.

Link to comment
Share on other sites

Hi Buckit,

 

Sarge is correct that the approvers of such requests are the Admins of the Password Lists, and if there are no Administrators of on the Password List, then the request then fails over to any Security Administrator that has the Password List role.  Now you could put the "Security Team" as an Administrator on each list and this could possibly do as you need, but the requests would also be sent to any other List Administrator as well.  

 

We could put in a feature request, which would be a System Setting, and would be something like "Send all access requests for Passwords to the following Security Group:"  - You would then choose a Security Group from a drop down menu.  This would then overwrite the default setting of sending access to Password List Administrators, and instead send every single request to the Security Group that you chose.  Is this sort of what you are asking for?

 

Regards,

Support.

Link to comment
Share on other sites

You guys, that sounds like you're on the nose and like I need to read the manual from cover to cover. Sarge's suggestion sounds exactly like what I need! I'll go test some more! Apologies for making a needless thread.

 

On the other hand, Support's suggested Feature Request does sound like a good idea: defining a default target security group for request emails. 

 

Thanks guys!

Link to comment
Share on other sites

Thanks Buckit,  and thanks Sarge for the suggestion.

 

We haven't had another request for this feature yet, but we could consider it for a future release.  Could you maybe let us know how you go with Sarge's suggestion first as maybe that will be a suitable solution for you?

 

Regards,

Support.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...