Version: 3.21

PAM Access Group

senhasegura has a permission system in which it is possible to segregate the actions a user can perform within the platform. With Access Groups you limit the data that the user can use or see within each module.

In this way, another layer of security is added to enforce the principle of least privilege. Access Groups act as a filter on entities based on their properties. This allows the Administrator to deliver different levels of security to the same user according to that user's assignments in each product.

Segregated entities and their properties

All screens a user can access that display information about privileged entities are filtered by the Access Group, and so are the actions that can be taken on those entities. To avoid misuse, senhasegura checks the rules applied to the user against the privileged entity being accessed.

Info: If the user belongs to more than one access group that gives them access to the same privileged information, senhasegura applies the rule of the most restrictive group.

Restriction levels are based on the number of steps involved and the number of people who are aware of the operation:

  1. Allows access to the information;

  2. Allows access, but requires a justification from the requester;

  3. Allows access only within a time range and with an approver.

In the PAM module, the segregated entities are the credentials and SSH keys. These entities have attributes that can be used as filters:

  • Devices properties:

    • Name of the device to which they belong;

    • Model of the device to which they belong;

    • Device tags;

    • Device site;

    • Device type;

  • Credential properties:

    • Credential username;

    • Additional credential information;

    • Credential tags;

    • Credential type;

By combining these attributes you determine which information a group of users will have access to. Some attributes accept wildcards or masks; these are covered later.

For some examples, see the following credential list:

ID  Username       Hostname  Device type  Product              Site  Tag
1   root           srvdns    Server       RedHat 7.0           LAX
2   administrator  msad      Server       Windows Server 2019  LAX
3   sam            mssqlprd  Database     Windows Server 2019  NYC   dba
4   System         Oraprd    Database     Oracle 19c           NYC   dba
5   administrator  WS1092    Workstation  Windows 10           SEA
6   administrator  WS1035    Workstation  Windows 10           SEA
7   administrator  WS2018    Workstation  Windows 10           NYC
8   peter.lee      WS1092    Workstation  Windows 10           SEA
9   peter.lee      mssqlprd  Database     Windows Server 2019  NYC
10  john.ferrer    WS1035    Workstation  Windows 10           SEA
11  john.ferrer    WS1092    Workstation  Windows 10           SEA
12  root           vmh-www   Server       RedHat 7.0           AWS
13  root7          vmh-cicd  Server       RedHat 7.0           AWS
14  root           vmh-fw    Server       RedHat 7.0           AWS

Let's look at some examples of groups that filter this list.

  • Allow the ServiceDesk to have access only to the Administrator user of workstations:

    • Username: Administrator

    • Device type: Workstation

    As a result, only credentials 5, 6, and 7 will be made available.

  • Allow DBAs to have access only to privileged Oracle database credentials:

    • Device type: Database

    • Device model: Oracle*

    • Credential tags: DBA

    As a result, only credential 4 will be made available.

  • Allow users to have access to credentials that carry their own username, regardless of the device:

    • Credential username: [#USERNAME#]

    As a result, only credentials whose username matches the user logged in to senhasegura will be made available. If the senhasegura username is john.ferrer, only credentials 10 and 11 will be made available.

  • Allow virtualization administrators to access only virtual machines hosted on AWS. By the naming rule adopted in this fictitious company, these machines carry the prefix vmh in their hostname:

    • Device name: vmh*

    • Site: AWS

    As a result, only credentials 12, 13, and 14 will be made available.

These are just a few examples of how filters can be combined when creating access groups. Note that at this stage no users have been linked to the groups and no permitted actions have been set. A user can be linked to many groups, and each group can allow different actions and require a different restriction level.
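The following is an added example, not senhasegura's own code, that models the filtering described on this page (the four groups worked through above and the "most restrictive group wins" rule from the Info note) against the sample credential list. The vendor does not document its matching engine, so the example assumes that all filter lines of one group must match (logical AND), that "*" is a glob-style wildcard, that comparison is case-insensitive, that [#USERNAME#] is replaced by the requesting user's login, and that when several groups grant the same credential the highest restriction level (1, 2 or 3 as listed above) applies. The restriction level assigned to each group and the extra SEA-Workstations group are invented for the illustration.

```python
# Added example (not senhasegura's code): a small model of how Access Group
# attribute filters narrow the credential list, including the rule that the
# most restrictive of several matching groups wins.
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed from the sample credential list on this page:
# id, username, hostname, device type, device model (Product column), site, tags.
CREDENTIALS = [
    {"id": 1,  "username": "root",          "hostname": "srvdns",   "device_type": "Server",      "model": "RedHat 7.0",          "site": "LAX", "tags": []},
    {"id": 2,  "username": "administrator", "hostname": "msad",     "device_type": "Server",      "model": "Windows Server 2019", "site": "LAX", "tags": []},
    {"id": 3,  "username": "sam",           "hostname": "mssqlprd", "device_type": "Database",    "model": "Windows Server 2019", "site": "NYC", "tags": ["dba"]},
    {"id": 4,  "username": "System",        "hostname": "Oraprd",   "device_type": "Database",    "model": "Oracle 19c",          "site": "NYC", "tags": ["dba"]},
    {"id": 5,  "username": "administrator", "hostname": "WS1092",   "device_type": "Workstation", "model": "Windows 10",          "site": "SEA", "tags": []},
    {"id": 6,  "username": "administrator", "hostname": "WS1035",   "device_type": "Workstation", "model": "Windows 10",          "site": "SEA", "tags": []},
    {"id": 7,  "username": "administrator", "hostname": "WS2018",   "device_type": "Workstation", "model": "Windows 10",          "site": "NYC", "tags": []},
    {"id": 8,  "username": "peter.lee",     "hostname": "WS1092",   "device_type": "Workstation", "model": "Windows 10",          "site": "SEA", "tags": []},
    {"id": 9,  "username": "peter.lee",     "hostname": "mssqlprd", "device_type": "Database",    "model": "Windows Server 2019", "site": "NYC", "tags": []},
    {"id": 10, "username": "john.ferrer",   "hostname": "WS1035",   "device_type": "Workstation", "model": "Windows 10",          "site": "SEA", "tags": []},
    {"id": 11, "username": "john.ferrer",   "hostname": "WS1092",   "device_type": "Workstation", "model": "Windows 10",          "site": "SEA", "tags": []},
    {"id": 12, "username": "root",          "hostname": "vmh-www",  "device_type": "Server",      "model": "RedHat 7.0",          "site": "AWS", "tags": []},
    {"id": 13, "username": "root7",         "hostname": "vmh-cicd", "device_type": "Server",      "model": "RedHat 7.0",          "site": "AWS", "tags": []},
    {"id": 14, "username": "root",          "hostname": "vmh-fw",   "device_type": "Server",      "model": "RedHat 7.0",          "site": "AWS", "tags": []},
]


@dataclass(frozen=True)
class AccessGroup:
    name: str
    restriction: int    # 1 = plain access, 2 = justification, 3 = time range + approver (assumed mapping)
    filters: tuple      # ((attribute, pattern), ...); attribute names are keys of CREDENTIALS entries


def attribute_matches(cred, attribute, pattern, requester):
    """One filter line. Assumed semantics: glob wildcard, case-insensitive,
    [#USERNAME#] replaced by the requester; a tag filter matches any tag on the credential."""
    pattern = pattern.replace("[#USERNAME#]", requester).lower()
    value = cred[attribute]
    if isinstance(value, list):
        return any(fnmatchcase(tag.lower(), pattern) for tag in value)
    return fnmatchcase(str(value).lower(), pattern)


def group_grants(group, cred, requester):
    """A group grants a credential only when every one of its filter lines matches (AND)."""
    return all(attribute_matches(cred, attr, pat, requester) for attr, pat in group.filters)


def visible_credentials(groups, requester, credentials=CREDENTIALS):
    """Return {credential id: restriction level the requester must satisfy}.
    A credential granted by several groups keeps the highest (most restrictive) level."""
    visible = {}
    for cred in credentials:
        levels = [g.restriction for g in groups if group_grants(g, cred, requester)]
        if levels:
            visible[cred["id"]] = max(levels)
    return visible


# The four groups worked through on this page; restriction levels are assumed.
SERVICE_DESK = AccessGroup("ServiceDesk", 1, (("username", "Administrator"), ("device_type", "Workstation")))
DBA = AccessGroup("DBA", 3, (("device_type", "Database"), ("model", "Oracle*"), ("tags", "DBA")))
OWN_USER = AccessGroup("OwnUser", 1, (("username", "[#USERNAME#]"),))
VIRT_ADMIN = AccessGroup("VirtAdmin", 2, (("hostname", "vmh*"), ("site", "AWS")))
# Invented group that overlaps ServiceDesk on SEA workstations but demands approval,
# to show that the most restrictive rule wins where both groups grant a credential.
SEA_WORKSTATIONS = AccessGroup("SEA-Workstations", 3, (("device_type", "Workstation"), ("site", "SEA")))

if __name__ == "__main__":
    print(visible_credentials([SERVICE_DESK], "alice"))                    # {5: 1, 6: 1, 7: 1}
    print(visible_credentials([DBA], "alice"))                             # {4: 3}
    print(visible_credentials([OWN_USER], "john.ferrer"))                  # {10: 1, 11: 1}
    print(visible_credentials([VIRT_ADMIN], "alice"))                      # {12: 2, 13: 2, 14: 2}
    print(visible_credentials([SERVICE_DESK, SEA_WORKSTATIONS], "alice"))  # 5, 6 rise to level 3; 7 stays at 1
```

Two points worth noticing when reading the output: a credential that no group grants is simply absent from the result, which is the least-privilege default the page describes, and in the last call credentials 5 and 6 are granted by both groups and so require the approval flow of level 3 even though ServiceDesk alone would have released them at level 1.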