cancel
Showing results for 
Search instead for 
Did you mean: 
NagarjunaAtukur
Level 4
Status: New
After fetching credential values from credential manager, a developer can easily view the password by using simple calculate stage.

37219.jpg

We are giving access to developers to utilize them for their automation process design. If a developer really want to view the password, he/she can easily view it with this loophole.

BP tool should prevent casting from password-type data items to text-type data items.

Thanks,
Nagarjuna A
3 Comments
John__Carter
Staff
Staff
Thanks Nagarjuna. This is an old topic that does not have a simple answer. Even if such a cast was prevented, the user would still need the ability to use Send Keys. This means they could write the password to a text field or an app like Notepad.

Perhaps a stronger LAM (logical access model) where devs are given their own app credential but do not have the ability to access, share or manage each others credentials, would help your situation.
AndreyKudinov
Level 10
If you dont trust devs with production passwords - don't let them develop on production environment? Even if Blueprism prevents that, there is nothing to stop them from getting the password in many other ways.
Password type is only really useful to prevent someone from peeking at the password over your shoulder and not having plaintext passwords in exported process/object (although when I got curious, it took me few minutes to find static XOR passphrase that blueprism is using).
mwulff
MVP
There is in my opinion no way to prevent developer misuse of a credential. The very nature of RPA allows for too many loopholes.

Securing the credential as suggested will only result in credentials no longer working for their intended purpose.