Non-privileged and Elevated Privileged Functionality in PasswordState



Adding this to the forum's "Feature Requests".  I emailed support back on July 7, 2020 and was basically told, buy more licenses.  The response is not optimal and I hope it's voted upon as the use of "elevated privilege" accounts becomes more prevalent in environments.

 

Got a specific problem with how PasswordState works versus how our Information Security department wishes to protect passwords.

 

Today, we have two types of Active Directory accounts:  Non-privileged and elevated privileged.  Non-privilege is based on least-privilege and elevated privilege accounts protect sensitive/confidential data, such as service accounts and access to client data.

 

The problem we are running into is how to use PasswordState for end users to password vault their password, but only able to access sensitive passwords via elevated privilege accounts.  We feel that PasswordState should offer a functionality to link a user's non-privilege and elevated privilege account.  For example:

 

1.  Functionally, how to flag a password as either viewable to a non-privileged vs. privilege account in PasswordState. 

2.  How to default the PasswordState browser plug-in to default to non-privilege but can access privileged passwords if the account is linked in PasswordState.

3.  Support recommends adding elevated privilege accounts, which blows up our licensing requirements.  Our CIO and COO are objecting to purchasing additional licenses for the same people.

4.  Report when privilege accounts are being used and by whom.  We need visibility on when elevated privileged accounts are being used, especially if leveraging the browser plug-in.

 

If anyone has solved this using the tool as is, please let me know or share here!

 

Thank you!


Hi Jonathan,

 

We don't normally suggest purchasing more licenses, unless it's absolutely necessary - and this was one option we could think of to help assist with your specific requirement.

 

We did provide a possible workaround, and your response was "That is a great idea!  Let me discuss with our team." I assume the rest of the team did not like the idea?

Regards

Click Studios


  • 2 weeks later...

Hello Jonathan,

 

Below was my response to your support ticket:

 

"What if you stored these elevated privileged accounts in a Password List where 2FA authentication is enabled on the Password List, as per the screenshot below – do you think that might be an option so they only need to log into Passwordstate with a single account?"

 

plist1.png


  • 1 month later...

How and where would I store these elevated privileged accounts in a Password List where 2FA authentication is enabled?  I see the Additional Authentication options but when selecting I see no place to add or store the privileged AD accounts to use for the 2FA of the password list.


Hi Jeremy,

 

You do not store these 2FA options in a Password List - you go to your Preferences screen, and configure one of the 2FA options on there. For example, if using Google Authenticator or One-Time Passwords, you would scan the QR Code into an 'Authentication' app on your phone, and then use this to authenticate to the Password List. There are many OTP authentication apps you can put on your phone for free.

We hope this helps.

Regards

Click Studios
