Feature request: security groups by MemberOf


Buckit

Hi guys!

 

The current implementation of AD-coupled security groups works well enough for us. However, in our current use-cases even the 5-minute fastest-sync-possible may not be fast enough at times. Our sysadmins need to jump through an RBAC-portal to activate certain roles and AD-groups before working on specific cases, which means that they don't have access to their PasswordState groups 24x7. In case of a huge fire / outage / end-of-the-world even five minutes may make a difference, no?

 

Would it be possible to change PasswordState's behaviour in such a way that it verifies the Active Directory MemberOf information for a user when he/she logs in? I realize this may lead to N-amount of hops with nested groups, but I reckon you should already have a way of resolving those anyway. So to sum it up: real-time verification as opposed to a synchronized list of groups in the local database.

 

Cheers,

 

 

Thomas
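
The login-time check requested in the post above, sketched as an added example (not part of the original post and not PasswordState code): it expands nested memberOf data with loop protection and compares the result with a stale synced snapshot. The DNs, group names and the `LIVE`/`SYNCED` data are constructed assumptions.

```python
from collections import deque

def dn(name, ou):
    # Constructed DNs under a placeholder domain.
    return f"CN={name},OU={ou},DC=example,DC=test"

USER = dn("thomas", "Users")
ONCALL = dn("RBAC-Oncall", "Groups")    # role activated through the RBAC portal
PS_ADMINS = dn("PS-Admins", "Groups")   # group mapped to a security group

# Constructed memberOf data as the directory reports it right now.
LIVE = {
    USER: [ONCALL],
    ONCALL: [PS_ADMINS],
    PS_ADMINS: [ONCALL],                # deliberate nesting loop
}
# Constructed snapshot from the last scheduled sync, taken before activation.
SYNCED = {USER: set()}

def resolve_groups(member_of, user_dn, max_groups=5000):
    """Return all groups of user_dn, direct or nested, as lower-cased DNs."""
    index = {k.lower(): v for k, v in member_of.items()}
    seen = set()
    queue = deque(index.get(user_dn.lower(), []))
    while queue:
        key = queue.popleft().lower()   # DNs compare case-insensitively
        if key in seen:
            continue                    # already expanded: breaks nesting loops
        if len(seen) >= max_groups:
            raise RuntimeError("group expansion limit reached")
        seen.add(key)
        queue.extend(index.get(key, []))
    return seen

def has_access(groups, required_dn):
    return required_dn.lower() in groups

def compare(user_dn, required_dn):
    """Access decision from the synced snapshot versus a login-time lookup."""
    cached = {g.lower() for g in SYNCED.get(user_dn, set())}
    live = resolve_groups(LIVE, user_dn)
    return {"synced": has_access(cached, required_dn),
            "live": has_access(live, required_dn)}

if __name__ == "__main__":
    print(compare(USER, PS_ADMINS))
```

The same comparison works in the other direction: a role deactivated after the last sync still appears in the snapshot until the next sync runs.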


Hi Thomas,

 

Thanks for your request, and if we get some more interest in this from the community, we can look into it.

 

If you can't wait the 5 minutes for the schedule, you can also perform a 'Manual' sync on the Security Groups screen - simply select this menu option from the Actions drop down menu.

Regards

Click Studios


  • 2 weeks later...
On 29/12/2017 at 5:03 PM, Buckit said:

Understood, that's an option of course. But in this case we're looking at situations where zero personnel have their PasswordState admin rights activated and where all heck breaks loose.

 

Could you have some type of account that is held by a suitable person (CIO?) which has access to all passwords? In an emergency situation you would use this account to gain the required access.


3 hours ago, Sarge said:

 

Could you have some type of account that is held by a suitable person (CIO?) which has access to all passwords? In an emergency situation you would use this account to gain the required access.

 

Yeah, we'll definitely look into having a break-glass account. The stupid thing is, usually PasswordState is where we keep our break-glass accounts! So now we have to find a new solution for that. A solution that will withstand the test of time, as employees will come and go while PasswordState is here to stay. 


Hi Guys,

 

If needed, we can always assist in recovering your password for the Emergency Access login account as well - even if everyone in your organisation has forgotten it. Obviously we cannot do this without your help, but the option is there.

Regards

Click Studios


Archived

This topic is now archived and is closed to further replies.
