Buckit
Posted December 28, 2017

Hi guys!

The current implementation of AD-coupled security groups works well enough for us. However, in our current use-cases even the 5-minute fastest-sync-possible may not be fast enough at times. Our sysadmins need to jump through an RBAC-portal to activate certain roles and AD-groups before working on specific cases, which means that they don't have access to their PasswordState groups 24x7. In case of a huge fire / outage / end-of-the-world even five minutes may make a difference, no?

Would it be possible to change PasswordState's behaviour in such a way that it verifies the Active Directory MemberOf information for a user when he/she logs in? I realize this may lead to N-amount of hops with nested groups, but I reckon you should already have a way of resolving those anyway.

So to sum it up: real-time verification as opposed to a synchronized list of groups in the local database.

Cheers,
Thomas

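An added illustration of the trade-off raised in the post above (not part of the original thread and not Passwordstate's code): a group list synchronized on a schedule compared with nested memberOf resolution at logon. The directory contents, group names, and function and class names are constructed assumptions.

```python
from datetime import datetime, timedelta

SYNC_INTERVAL = timedelta(minutes=5)  # fastest sync interval named in the post

def effective_groups(principal, member_of):
    """Return every group reachable from principal through nested memberOf links."""
    seen, stack = set(), list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group in seen:  # circular nesting must not loop forever
            continue
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return seen

class SyncedCache:
    """Models a locally stored membership list refreshed on a schedule."""
    def __init__(self, directory, now):
        self.directory = directory
        self.sync(now)

    def sync(self, now):
        # Copy the sets so later directory changes do not leak into the snapshot.
        self.snapshot = {p: set(g) for p, g in self.directory.items()}
        self.last_sync = now

    def is_member(self, user, group, now):
        if now - self.last_sync >= SYNC_INTERVAL:
            self.sync(now)
        return group in effective_groups(user, self.snapshot)

def login_time_check(user, group, directory):
    """Resolve membership against the live directory at logon."""
    return group in effective_groups(user, directory)

def demo():
    t0 = datetime(2017, 12, 28, 9, 0, 0)
    # Constructed directory: principal -> groups it is a direct member of.
    directory = {
        "thomas": {"Sysadmins"},
        "Role-Oncall": {"PS-Admins"},
        "PS-Admins": {"Role-Oncall"},  # deliberate cycle in the nesting
    }
    cache = SyncedCache(directory, t0)
    directory["thomas"].add("Role-Oncall")  # role activated just after a sync
    t1 = t0 + timedelta(minutes=1)
    stale = cache.is_member("thomas", "PS-Admins", t1)    # snapshot predates activation
    live = login_time_check("thomas", "PS-Admins", directory)
    after = cache.is_member("thomas", "PS-Admins", t0 + SYNC_INTERVAL)
    return stale, live, after
```
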
support
Posted December 28, 2017

Hi Thomas,

Thanks for your request, and if we get some more interest in this from the community, we can look into it.

If you can't wait the 5 minutes for the schedule, you can also perform a 'Manual' sync on the Security Groups screen - simply select this menu option from the Actions drop down menu.

Regards
Click Studios

Buckit
Posted December 29, 2017

Understood, that's an option of course. But in this case we're looking at situations where zero personnel have their PasswordState admin rights activated and where all heck breaks loose.

Thanks for taking the issue into consideration, I appreciate it.

support
Posted December 29, 2017

Thanks

Sarge
Posted January 9, 2018

On 29/12/2017 at 5:03 PM, Buckit said:
> Understood, that's an option of course. But in this case we're looking at situations where zero personnel have their PasswordState admin rights activated and where all heck breaks loose.

Could you have some type of account that is held by a suitable person (CIO?) which has access to all passwords? In an emergency situation you would use this account to gain the required access.

Buckit
Posted January 9, 2018

3 hours ago, Sarge said:
> Could you have some type of account that is held by a suitable person (CIO?) which has access to all passwords? In an emergency situation you would use this account to gain the required access.

Yeah, we'll definitely look into having a break-glass account. The stupid thing is, usually PasswordState is where we keep our break-glass accounts! So now we have to find a new solution for that. A solution that will withstand the test of time, as employees will come and go while PasswordState is here to stay.

support
Posted January 9, 2018

Hi Guys,

If needed, we can always assist in recovering your password for the Emergency Access login account as well - even if everyone in your organisation has forgotten it. Obviously we cannot do this without your help, but the option is there.

Regards
Click Studios

Archived
This topic is now archived and is closed to further replies.