This topic covers setting up Device42 Admin Groups to control access to Device42 Secrets, and then syncing AD users into those admin groups.
Sample Use Case
You would like to control secret access via Active Directory. When a user's Active Directory group membership changes, their corresponding Device42 Admin Groups should change along with it (and therefore which secrets they can view and edit).
Create an admin group with the necessary permissions. Each admin group should mirror one of your AD groups.
- Go to Tools>Admins & Permissions>Admin Group.
- Click Add Admin Group.
- Enter a name in the Name field. We recommend using the same name as the AD group.
- Assign permissions to this group as needed. At a minimum, the group should have the Password | Can view password permission. NOTE: This does not give the group permission to view all passwords; it only allows members to see the "Secrets" menu. Access to individual secrets is assigned on each Secret in the next step.
- Repeat for any other AD groups you have.
Create a Secret or modify an existing Secret and assign your newly created admin group to it
- Create a Secret or click Edit on an existing Secret.
- Modify the View Groups, View Edit Groups and Use Only Groups permissions as desired by adding your Admin Groups to them.
- Repeat for any other Secrets.
Create an AD sync job to pull members
- Go to Discovery>AD/LDAP Users and create a new sync job.
- Type has to be set to "Administrators", with the settings configured as follows:
- "Ignore existing Administrators" and "Clear any existing Administrator Permissions Groups" should be checked off, since multiple AD sync jobs will be running against the same administrators.
- Add an Auto Discovery Schedule item to run this discovery every day (or multiple times a day) so that group membership changes are picked up.
- Repeat for any other AD groups you want to sync.
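The following simulation is an added example, not Device42 code or its API. It models the three steps above end to end (AD group -> mirrored admin group -> Secret view / view-edit / use-only permissions) with constructed sample users and secrets, and shows what happens to a user's effective secret access when their AD membership changes, and what each of the two sync-job settings named above does when several sync jobs run against the same administrators. The semantics given to the `ignore_existing` and `clear_existing_groups` flags, and the level ordering view_edit > view > use_only, are this simulation's own assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Secret:
    """One Device42 Secret with its three group-based permission lists (modelled)."""
    label: str
    view_groups: set = field(default_factory=set)
    view_edit_groups: set = field(default_factory=set)
    use_only_groups: set = field(default_factory=set)

    def level_for(self, groups):
        """Highest access level any of `groups` grants on this Secret, or None.
        Ordering view_edit > view > use_only is an assumption of this model."""
        if groups & self.view_edit_groups:
            return "view_edit"
        if groups & self.view_groups:
            return "view"
        if groups & self.use_only_groups:
            return "use_only"
        return None


def run_sync_job(admins, ad_group, ad_members, ignore_existing=False, clear_existing_groups=False):
    """Simulate one 'Administrators' AD/LDAP sync job for a single AD group.

    `admins` maps Device42 admin username -> set of admin-group names and is
    updated in place. The two flags model the checkboxes named on the page;
    the behaviour given to them here is assumed for the simulation only.
    """
    for user in ad_members:
        if ignore_existing and user in admins:
            continue                  # skip accounts another job already created
        groups = admins.setdefault(user, set())
        if clear_existing_groups:
            groups.clear()            # wipes groups assigned by earlier jobs
        groups.add(ad_group)
    # a user removed from the AD group is removed from the mirrored admin group
    for user, groups in admins.items():
        if user not in ad_members:
            groups.discard(ad_group)
    return admins


def sync_all(ad_membership, job_order, admins=None, **flags):
    """Run one job per AD group (the 'repeat for every AD group' step) and
    return the admin-group memberships; pass `admins` to re-sync an existing state."""
    admins = {} if admins is None else admins
    for ad_group in job_order:
        members = {u for u, g in ad_membership.items() if ad_group in g}
        run_sync_job(admins, ad_group, members, **flags)
    return admins


def effective_access(admins, secrets):
    """{user: {secret label: level}} listing every Secret each user can reach."""
    result = {}
    for user, groups in admins.items():
        levels = {s.label: s.level_for(groups) for s in secrets}
        result[user] = {k: v for k, v in levels.items() if v}
    return result


# --- constructed sample data (not from any real directory) -------------------
JOBS = ["Secrets-DB-Admins", "Secrets-Network"]          # one sync job per AD group
AD_BEFORE = {"alice": {"Secrets-DB-Admins", "Secrets-Network"}, "bob": {"Secrets-Network"}}
AD_AFTER = {"alice": {"Secrets-Network"}, "bob": {"Secrets-Network"}}  # alice left DB-Admins
SECRETS = [
    Secret("prod-db-root", view_edit_groups={"Secrets-DB-Admins"}),
    Secret("core-switch-enable", view_groups={"Secrets-Network"}, view_edit_groups={"Secrets-DB-Admins"}),
    Secret("vpn-psk", use_only_groups={"Secrets-Network"}),
]


def demo():
    """Initial sync, re-sync after an AD change, and the effect of clearing groups per job."""
    admins = sync_all(AD_BEFORE, JOBS)
    before = effective_access(admins, SECRETS)
    after = effective_access(sync_all(AD_AFTER, JOBS, admins=admins), SECRETS)
    clobbered = sync_all(AD_BEFORE, JOBS, clear_existing_groups=True)
    return before, after, clobbered


if __name__ == "__main__":
    for name, value in zip(("before", "after AD change", "clear-existing per job"), demo()):
        print(name, value)
```

Running `demo()` shows alice losing view/edit on `prod-db-root` and dropping to view on `core-switch-enable` once the AD change is re-synced, and that with per-job clearing the last job to run is the only one whose group survives, which is why a multi-job setup has to get these two settings right.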