Reducing number of Connection objects when using CyberArk
#1
Hi there,

Lately we are a bit in a hassle with application startup times and clutter within our database environment.

When introducing CyberArk we needed to multiply each server by at least 3 connection objects because CyberArk is using functional users (inside CyberArk safes) instead of personalized users (AD managed etc.).

Instead of being able to use the "Credential" feature inside ASG we are now forced to specify the user that is needed to connect within the "executable path" of the Connection object.
So we are using 3 (to n) functional users per department (called User1, User2, User3, UserX etc.)

Basically the Connections are clones of each other just differing in 1 letter/number within the Executable path (I attached a mockup of my idea to make it more clear)

So to reduce the clutter and get rid of multiple objects per server I thought about a right click menu that could dynamically control the username that is set within the executable path.

This would reduce the number of objects from 30k+ to only 10k (unique server objects) in our environment and make it more "readable" by reducing the number of "duplicate" objects, make it easier to maintain and also make the application startup faster and make it refresh faster (when pressing F5)

Don't know how it would be to implement such a feature, but this would make it much easier to handle CyberArk connections within ASGRD.

Willing to provide further infos and feedback for testing if needed :-)

Regards,
Tim


#2
Ok - I think we can do that - just to understand correctly - you have assigned credentials to login to the jump server - and need one more configuration for the internal user to use for Cyberark

Just my first idea - extension on connection objects - under category "Credentials" a new section with Cyberark - there you can configure the default value (or perhaps just assign a second credential object?) - so this would be used if you double-click the connection - and extend the context menu with sub menu "Cyberark" - we could add these functions in a Cyberark Plugin - so if activated you can see the new options - question is should we use "Global Variables" for it or a new section in Settings "Cyberark Users"? I guess own section is better, then you would only see these variables / values in context menu and on the connection object - in connection properties then you would have a variable like %CyberarkUser% that you can use and that would be parsed
Regards/Gruss
Oliver
#3
Hi Oliver,

Your idea sounds great. The initial connect to the CyberArk PSM is made via MFA (Smartcard); after that the "correct" user for the connections is grabbed from within the corresponding CyberArk safe and you only need to pass the "username" on the command line.
So we don't use any Credential objects within ASGRD at all, because the smartcard auth is handled from within Windows (still dreaming about Smartcard Auth against ASGRD, for us to be able to cache the smartcard PIN within ASGRD to not be forced to enter the Smartcard PIN for each connection - as discussed here https://remotedesktop.rocketsoftware.com/showthread.php?tid=11330&pid=56139#pid56139 :-))

Having its own section to configure "CyberArk" stuff would be the better idea than using global variables I guess, but this is totally up to you how it would be best to be implemented from the application side as long as it would be possible like described in my mockup ;-)
Would also be cool to have the same Default/Personal values option on that one, so the administrator could assign default values for all users, but it would also be possible to create own custom values if needed for end users (but this would only be optional)
#4
(16-11-2022, 10:12 AM)DevOma Wrote: Ok - I think we can do that - just to understand correctly - you have assigned credentials to login to the jump server - and need one more configuration for the internal user to use for Cyberark

Just my first idea - extension on connection objects - under category "Credentials" a new section with Cyberark - there you can configure the default value (or perhaps just assign a second credential object?) - so this would be used if you double-click the connection - and extend the context menu with sub menu "Cyberark" - we could add these functions in a Cyberark Plugin - so if activated you can see the new options - question is should we use "Global Variables" for it or a new section in Settings "Cyberark Users"? I guess own section is better, then you would only see these variables / values in context menu and on the connection object - in connection properties then you would have a variable like %CyberarkUser% that you can use and that would be parsed

Hi Oliver,

Can we make the %CYBERARK_USER% variable default for RRD multiple use on a user basis? In this way, we assign the default CyberArk user of each user and when the user makes a direct RDP connection, he will use his default defined CyberArk user.

Best regards.