cwaters Posted November 15, 2017 Share Posted November 15, 2017 I realize this probably gets into account management territory, so bear with me, but I think there's a relatively easy to implement feature. I would like to have an action on a record to be able to lock an account. The password reset/validation scripts already provide most of the base functionality to do to this for the various supported types of systems/dbs. This function would use the privileged account already assigned to the record for the reset script and bypass any heartbeat checking. This would allow a non-privileged user the ability to quickly lock an account without needing elevated rights on a system/db (directly). Since all the other RBAC stuff would already be in place on the record, there's not change in the security model (if a user had modify rights to change an reset a password, they would have rights to lock that account). So maybe a checkbox for "Enable Account Lockout" with a new tab to select an appropriate lockout script on the record details page. My specific scenario involves an Ops center needing to disable accounts on terminations, role changes etc. There are a large number of DBs with named users that need to have to access prevented (Need to be able to show a locked status for auditing since accounts are not immediately removed. A password change isn't sufficient.) when those events occur, requiring direct DB access to perform. We'll have a form of discovery that updates accounts in a specific "lockout only" password list in which we can ignore the account's actual password value (it's not needed due to using the privileged account to perform resets or hopefully, locks). Happy to expand on that further if it helps convey the idea. Thanks Link to comment Share on other sites More sharing options...
support Posted November 16, 2017 Share Posted November 16, 2017 Hi cwaters, Thanks for the post and we do agree this is creeping into the account management area, which we currently have little features for. What sort of accounts are you referring to? Are the windows accounts, AD accounts or maybe something like local SQL accounts? When you say you Enable Account lockout on the password record, as soon as you check this box, and click Save, is this when you would require Passwordstate to reach out to the remote system and disable the account? We could possibly consider something like this when we get through our big back log of feature requests, and it would take some time to plan and develop. Regards, Support. Link to comment Share on other sites More sharing options...
cwaters Posted November 16, 2017 Author Share Posted November 16, 2017 I'm generalizing of course about the kinds of accounts this could be done on, but I was thinking it could apply to just about any account type where there's already a password reset script. The problem I was specifically trying to solve for was for some Oracle DB accounts and was provided a script block to try to test by modifying a reset script. I would say that a bulk of the work is already done in the sense the reset scripts are already talking to the system/DBs. The scripts would just need to issue the "lock" command vs. the reset command. As for the specific execution, I was thinking it could be from the "Actions" dropdown menu or adding button next to the password field in the Edit password panel for a record as is done for the generation, toggle vis etc. choices (This may be safer as it requires more explicit actions to get there). It could reference the appropriate lock script and privileged account referenced in a tab like is done with an account with resets enabled does. Hope that helps clarify, and thanks for the consideration. Link to comment Share on other sites More sharing options...
Buckit Posted November 21, 2017 Share Posted November 21, 2017 Another potential use-case would be remote-access user accounts for external support companies. You'd usually want these accounts locked out, only to be unlocked and a password to be set when there's a specific support case that the external party needs to work on. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now