I'm working on an effort in which the client wishes to migrate several thousand 'Secrets' stored in Power Keeper (PK) to PAM.
These secrets can be anything and are meant to be temporary and volatile in nature. Furthermore, these secrets are 'disjointed' from any target system/device, and therefore, vaulted in PAM as 'Generic' accounts.
The current design behind the PK vault is such that each secret is linked to a 'Container', and each Container has 'Limited_Admins', 'Approvers' and 'Requestors'. Access and privileges to each PK Container are determined by role-based ACLs maintained on the PK system.
We've managed to design something very similar in PAM: a setup that would offer a familiar experience and minimize the user adoption time frame. That design is the following:
1. One device, 'Vaulted-Accounts', enabled for Password Management Only;
2. One Application per PK Container, each linked to the same, single device above;
3. One Target Group per PK Container, filtering on the Application Name and Device Name, yielding only the secrets in that container/application;
4. Vault secrets in PAM as Generic Accounts, linked to the respective Application (PK Container);
5. Up to 3 Credential Manager Groups per PK Container (filtered by the respective Target Group and role: Limited_Admins, Approvers and Requestors).
Each user having access and privileges in Power Keeper would then be granted the same CM Group membership. This would yield the best user experience in terms of searching, password viewing, account administration and request approval. No Policies involved.
We are running into an issue in which multiple users have access to more than 10 CM Groups. The system doesn't seem to allow more than 10 CM Groups to be assigned to a PAM user.
We see the following errors:
Any pointers would be appreciated.
------------------------------
Services Architect
HCL Technologies Ltd
------------------------------
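As an added example (not part of the original post, and not using any PAM or Power Keeper API), the following script models the mapping described above, one Application and one Target Group per PK Container, up to three CM Groups per Container (one per role), and direct CM Group membership per user, and then flags the users whose membership would exceed the per-user CM Group limit of 10 that the post reports. The container, user and object names, the ACL export layout and the 10-group limit as a constant are all constructed assumptions for illustration; a real migration would feed it the PK ACL export.

```python
"""Hypothetical pre-migration check (added example, not from the original post).

Models the PK-to-PAM mapping from the post: one device, one Application and
one Target Group per PK Container, up to three Credential Manager (CM) Groups
per Container (one per role), direct CM Group membership per user. It then
reports users who would end up in more than MAX_CM_GROUPS_PER_USER CM Groups.
All identifiers and ACL data below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set

DEVICE = "Vaulted-Accounts"           # the single device in the design
ROLES = ("Limited_Admins", "Approvers", "Requestors")
MAX_CM_GROUPS_PER_USER = 10           # limit observed in the post (assumed constant)

# Constructed PK ACL export: container -> role -> list of users.
# 12 containers; 'alice' administers all of them and approves in even ones,
# 'bob' approves everywhere, 'carol' requests in 1-8, 'dave' in 9-12.
PK_ACLS: Dict[str, Dict[str, List[str]]] = {
    f"Container{i:02d}": {
        "Limited_Admins": ["alice"],
        "Approvers": ["bob", "alice"] if i % 2 == 0 else ["bob"],
        "Requestors": ["carol"] if i <= 8 else ["dave"],
    }
    for i in range(1, 13)
}


def application_name(container: str) -> str:
    return f"APP-{container}"          # hypothetical naming convention


def target_group_name(container: str) -> str:
    return f"TG-{container}"           # hypothetical naming convention


def cm_group_name(container: str, role: str) -> str:
    return f"CM-{container}-{role}"    # hypothetical naming convention


def build_pam_objects(pk_acls: Dict[str, Dict[str, List[str]]]) -> dict:
    """Return the PAM objects implied by the design as plain dicts (no API calls)."""
    apps, target_groups, cm_groups = [], [], []
    for container, roles in pk_acls.items():
        apps.append({"name": application_name(container), "device": DEVICE})
        # Target Group filters on Application Name and Device Name, so it
        # yields only the Generic Accounts vaulted under this container.
        target_groups.append({
            "name": target_group_name(container),
            "filter": {"application": application_name(container), "device": DEVICE},
        })
        for role in ROLES:
            members = sorted(set(roles.get(role, [])))
            if not members:            # no CM Group for an unused role
                continue
            cm_groups.append({
                "name": cm_group_name(container, role),
                "target_group": target_group_name(container),
                "role": role,
                "members": members,
            })
    return {"device": DEVICE, "applications": apps,
            "target_groups": target_groups, "cm_groups": cm_groups}


def cm_groups_per_user(cm_groups: List[dict]) -> Dict[str, Set[str]]:
    """Invert CM Group membership: user -> set of CM Group names."""
    membership: Dict[str, Set[str]] = defaultdict(set)
    for group in cm_groups:
        for user in group["members"]:
            membership[user].add(group["name"])
    return dict(membership)


def users_over_limit(membership: Dict[str, Set[str]],
                     limit: int = MAX_CM_GROUPS_PER_USER) -> Dict[str, int]:
    """Users whose CM Group count exceeds the per-user limit, with their counts."""
    return {user: len(groups) for user, groups in membership.items() if len(groups) > limit}


if __name__ == "__main__":
    objects = build_pam_objects(PK_ACLS)
    membership = cm_groups_per_user(objects["cm_groups"])
    for user, count in sorted(users_over_limit(membership).items()):
        print(f"{user}: {count} CM Groups (limit {MAX_CM_GROUPS_PER_USER})")
```

Running the script against the constructed ACLs reports `alice` (18 groups) and `bob` (12 groups) as over the limit, while `carol` (8) and `dave` (4) fit; the same inversion run over the real PK export shows how many users the limit actually affects before any objects are created in PAM.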