FortiPAM - Permissions for template "Web Account"

ddiez · ‎04-29-2024

Hi there,

I did several tests but it seems - really?? - that the template type "Web Account" acts with completely different permission settings in the background than other launchers.

Testing with launcher like PuTTY or WinSCP or RDP ... I could test this with a user that should only be able to see the entry and can launch this - so using the permission type "Viewer" - without beeing aware ot the stored password nor can change this secret. So far, this is running fine with several launcher types.

The same scenario using a "Web Account" secret is not possible. It seems as "Launch target" could be possible for the test user (with "View" permission for this target as well as for the underlaying folder) because it is not greyed out in the secret list. But clicking on "Launch Secret" leads to the details of the entry - and there the mouse over message over the (now greyed out "Web Launcher") tells me that this launcher cannot be started because of not enough permissions.

(Attached two pictures)

So, this would mean that every user that only commit the launch for a web-target-secret must have at least "Editor" privilge status with the option to see the stored password?? I cannot imagine that this really meant to be the way, would be very dissapointing for me. We are using the actual version 1.3.0 of ForitPAM.

Looking forward to hearing from you. Thanks in advance.

Kind regards,

Daniel

KuC

Anthony_E · ‎05-01-2024

Hello Daniel,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.

Anthony_E · ‎05-06-2024

Hello Daniel,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Anthony-Fortinet Community Team.

rbraha · ‎05-07-2024

Hi @ddiez

Launching secret using web account template should work ok with View permissions on FPAM version 1.3.0 , on the older version like FPAM 1.2.0 the permission should be "Edit"

ddiez · ‎05-07-2024

We started the test installation and all of the config directly with FortiPAM 1.3.0 ...

So this should not be the problem, I think.

KuC

lmarinovic · ‎05-07-2024

Hello,

You need to use targets on 1.3.0 and on target switch "Advanced Web Setting" to Enable. After that it will work with View rights for web account, otherwise PAM can not securely transfer the credentials via web so that is why that option is forbidden..

Best regards,

Lazar

Best regards

Lazar Marinovic

ddiez · ‎05-07-2024

Okay, I will have a look for this an check this!

KuC

ddiez · ‎05-10-2024

Hello,

unfortunately, I am not sure wheter to change or adjust anything more to this.

This are the options given for the target. Installation and configuration have been made directly with FortiPAM in version 1.3.0 from scratch.

Any idea?

Kind regards

Daniel

KuC

rbraha · ‎05-10-2024

Hi Daniel,

New Target created you will need to use it on the secret that you want to reach your destination , I will share with you with some screenshots , l did a test accessing FGT device.