Hi there,
I did several tests but it seems - really?? - that the template type "Web Account" acts with completely different permission settings in the background than other launchers.
Testing with launcher like PuTTY or WinSCP or RDP ... I could test this with a user that should only be able to see the entry and can launch this - so using the permission type "Viewer" - without beeing aware ot the stored password nor can change this secret. So far, this is running fine with several launcher types.
The same scenario using a "Web Account" secret is not possible. It seems as "Launch target" could be possible for the test user (with "View" permission for this target as well as for the underlaying folder) because it is not greyed out in the secret list. But clicking on "Launch Secret" leads to the details of the entry - and there the mouse over message over the (now greyed out "Web Launcher") tells me that this launcher cannot be started because of not enough permissions.
(Attached two pictures)
So, this would mean that every user that only commit the launch for a web-target-secret must have at least "Editor" privilge status with the option to see the stored password?? I cannot imagine that this really meant to be the way, would be very dissapointing for me. We are using the actual version 1.3.0 of ForitPAM.
Looking forward to hearing from you. Thanks in advance.
Kind regards,
Daniel
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Daniel,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Daniel,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hi @ddiez
Launching secret using web account template should work ok with View permissions on FPAM version 1.3.0 , on the older version like FPAM 1.2.0 the permission should be "Edit"
We started the test installation and all of the config directly with FortiPAM 1.3.0 ...
So this should not be the problem, I think.
Hello,
You need to use targets on 1.3.0 and on target switch "Advanced Web Setting" to Enable. After that it will work with View rights for web account, otherwise PAM can not securely transfer the credentials via web so that is why that option is forbidden..
Best regards,
Lazar
Okay, I will have a look for this an check this!
Hello,
unfortunately, I am not sure wheter to change or adjust anything more to this.
This are the options given for the target. Installation and configuration have been made directly with FortiPAM in version 1.3.0 from scratch.
Any idea?
Kind regards
Daniel
Hi Daniel,
New Target created you will need to use it on the secret that you want to reach your destination , I will share with you with some screenshots , l did a test accessing FGT device.
Hello,
is there any chance to get strange behaviour become working or to unterstand this unexpected workflow in FortiPAM? I do not understand whetere there could be any error or at what point anything wrong is done in the settings.
Attached some further and complete screenshots of the settings, the first four out from the web console logged in as superadmin, the two last logged in as user with "View" permissions for this web-target-secret.
As noticed, access control changed to "List" results in the same way, changing the secret permissions to "Edit" finally will give the option to launch the secret for the user.
In other secrets using another target (like PuTTY, SSH, RDP, WinSCP) the user can start and use the secret as "View" user, like on your screenshot.
Maybe and further ideas for this?
Kind regards,
Daniel
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.