
Automate Credential Management

Hi - we'd like to automate the credential management, so that our developers / process admins can manage their (and only their) credentials themselves and are not dependent on our operations team. Since BPv5 doesn't provide a feature to restrict access to individual credentials (and, I believe, neither does BPv6), we're thinking of implementing 2 processes:
1) a process which would allow our developers / process admins to add credential management (add/modify/delete) requests to a BP work queue.
2) another process which would run under a special account (with permission to manage credentials) and which would pick up these credential management requests from the queue, perform certain validation / authorization checks and then add/delete/modify the credential accordingly.

We can achieve most of that using the functionality of the Internal "Credentials" object.
The one piece which is missing is the ability to define the access rights (which Process / Resource is allowed to access the (new) credential).

Any thoughts?

------------------------------
Cheers Astrid
------------------------------

Hi Astrid,

Have you considered the option of restricting credentials to certain roles? Blue Prism allows for restricting credential access to specific roles in addition to Processes and objects.
You might need to remember that this option is "Not valid for use with anonymous public Runtime Resources". This seems like the best approach for you.

The solution you have recommended seems unorthodox. Unless you test this, it's difficult to confirm or deny if it's the right approach. I see one problem though: unless you have very strict validations / controls and audits in the second process, how would you know if a developer requested a credential that he is not allowed to access? There can be loopholes here.

If you elaborate on your specific scenario and why each developer needs independent credentials, maybe there could be some alternate solutions.

Thanks
Bimal

------------------------------
Bimal Sebastian
Consultant
Blueprism
Asia/Kolkata
------------------------------

Hi Bimal,

Well, we'd actually like to allow everyone to manage their credentials themselves so that they can update passwords and access rights for the credentials autonomously and don't depend on our operations team to fulfill their requests.
The problem is that Blue Prism doesn't provide any functionality so that we can make sure they only update their own credentials. If a user has "Manage Credentials" permission, he/she could go in and update the PW and access rights of any credential, even if this doesn't belong to them. Since it's not required to provide the current password in order to update any credential, there is quite a high risk just granting "manage credentials" permission to anyone...

The additional check for the current password could be implemented in the 2nd process I mentioned in order to ensure the request is only fulfilled if the person is authorized to update the credential (which can be assumed if the person knows the current password).

Cheers,
Astrid

------------------------------
Cheers Astrid
------------------------------
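
An added sketch, not part of the thread and not Blue Prism code: the checks the second, privileged process could run on each queued request, combining the current-password check from the last post with the validation and audit trail raised in the first reply. The in-memory `STORE`, its `owner` field, the user names and `handle_request` are hypothetical stand-ins for the Credentials object and the work queue.

```python
import hashlib
import hmac

# Constructed sample data: a stand-in for the credential store, not Blue Prism's API.
# The "owner" field is an assumption; the thread does not define an ownership record.
STORE = {
    "SAP_Finance": {"owner": "dev.alice", "password": "Old-Pw-1", "processes": {"Invoice Posting"}},
    "HR_Portal": {"owner": "dev.bob", "password": "Old-Pw-2", "processes": {"Onboarding"}},
}
AUDIT = []  # stand-in for an append-only audit trail; passwords are never written to it


def _matches(stored, supplied):
    """Compare secrets in constant time (digests give equal-length inputs)."""
    digest = lambda s: hashlib.sha256(s.encode()).digest()
    return hmac.compare_digest(digest(stored), digest(supplied))


def handle_request(requester, action, name, current_pw="", new_pw="", processes=()):
    """Validate one queued request; `requester` must come from the queue item's
    creator metadata, never from data the requester typed into the item."""
    entry = STORE.get(name)
    if action not in ("add", "modify", "delete"):
        verdict = "rejected: unknown action"
    elif action == "add":
        if entry is not None:
            verdict = "rejected: name already in use"
        elif not new_pw:
            verdict = "rejected: empty password"
        else:
            STORE[name] = {"owner": requester, "password": new_pw, "processes": set(processes)}
            verdict = "applied"
    elif entry is None or entry["owner"] != requester:
        verdict = "rejected: not the owner"  # same answer for unknown names
    elif not _matches(entry["password"], current_pw):
        verdict = "rejected: current password mismatch"
    elif action == "delete":
        del STORE[name]
        verdict = "applied"
    else:  # modify: change the password and/or the list of allowed processes
        entry["password"] = new_pw or entry["password"]
        if processes:
            entry["processes"] = set(processes)
        verdict = "applied"
    AUDIT.append((requester, action, name, verdict))  # who, what, outcome; no secrets
    return verdict
```

Because the current and new passwords travel inside the queue item, this design also assumes the queue's item data is protected at least as well as the credential store itself.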