FortiPAM - Permissions for template "Web Account"
Hi there,
I did several tests but it seems - really?? - that the template type "Web Account" acts with completely different permission settings in the background than other launchers.
Testing with launchers like PuTTY or WinSCP or RDP ... I could test this with a user that should only be able to see the entry and launch it - so using the permission type "Viewer" - without being aware of the stored password and without being able to change this secret. So far, this is running fine with several launcher types.
The same scenario using a "Web Account" secret is not possible. It seems as if "Launch target" could be possible for the test user (with "View" permission for this target as well as for the underlying folder) because it is not greyed out in the secret list. But clicking on "Launch Secret" leads to the details of the entry - and there the mouse-over message over the (now greyed out) "Web Launcher" tells me that this launcher cannot be started because of not enough permissions.
(Attached two pictures)
So, this would mean that every user that only commits the launch for a web-target-secret must have at least "Editor" privilege status with the option to see the stored password?? I cannot imagine that this is really meant to be the way; it would be very disappointing for me. We are using the current version 1.3.0 of FortiPAM.
Looking forward to hearing from you. Thanks in advance.
Kind regards,
Daniel
Labels: FortiPAM
Hello Daniel,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Daniel,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hi @ddiez
Launching a secret using the web account template should work OK with View permissions on FPAM version 1.3.0; on older versions like FPAM 1.2.0 the permission should be "Edit".
We started the test installation and all of the config directly with FortiPAM 1.3.0 ...
So this should not be the problem, I think.
Hello,
You need to use targets on 1.3.0 and, on the target, switch "Advanced Web Setting" to Enable. After that it will work with View rights for web accounts; otherwise PAM cannot securely transfer the credentials via web, so that is why that option is forbidden.
Best regards,
Lazar
Lazar Marinovic
Okay, I will have a look at this and check it!
Hello,
Unfortunately, I am not sure whether to change or adjust anything more for this.
These are the options given for the target. Installation and configuration have been made directly with FortiPAM in version 1.3.0 from scratch.
Any idea?
Kind regards
Daniel
Hi Daniel,
With the new target created, you will need to use it on the secret that you want to reach your destination with. I will share some screenshots with you; I did a test accessing an FGT device.
Hello,
Is there any chance to get this strange behaviour working, or to understand this unexpected workflow in FortiPAM? I do not understand whether there could be any error, or at what point anything wrong is done in the settings.
Attached are some further and complete screenshots of the settings: the first four from the web console logged in as superadmin, the last two logged in as a user with "View" permissions for this web-target-secret.
As noticed, access control changed to "List" results in the same way; changing the secret permissions to "Edit" finally gives the user the option to launch the secret.
In other secrets using another target (like PuTTY, SSH, RDP, WinSCP) the user can start and use the secret as a "View" user, like on your screenshot.
Maybe any further ideas on this?
Kind regards,
Daniel