Version: 3.25

Access Group Criteria

In the Criteria tab, some attributes are presented as lists and others as free text fields. Free text fields accept wildcards and masks.

The wildcard character is the asterisk (*) and can be used anywhere in the value. Let's see some examples of wildcard uses in the Device field:

  • srv* will filter all devices whose hostname starts with srv;

  • *www* will filter all devices that have www in their hostname;

  • vmh*-db will filter all devices whose hostname starts with vmh and ends with -db; 

Some fields accept multiple values separated by commas. The Device field is one of these. The values are treated as an OR condition in the rule: a credential matches if it matches the first pattern/value or any of the others. Example for the Device field:

  • srv*,vmh* Allow hostnames that start with srv or vmh;

Another special value is the [#USERNAME#] mask, which is replaced by the username of the logged-in senhasegura account requesting the operation. You can combine this mask with wildcards and fixed text. Examples for the Username field:

  • [#USERNAME#] Allow only credentials whose username is equal to the requester's username;

  • [#USERNAME#]-adm Allow only credentials whose username is a composition of the requesting user's username plus the suffix -adm;

  • [#USERNAME#]-* Allow only credentials whose username is a composition of the requesting user's username plus a suffix that starts with "-" followed by any other value;

IMPORTANT

If you have more than 5,000 credentials, create an access group that contains only the [#USERNAME#] mask. The other criteria must be added in a second access group. This ensures that groups are processed quickly.

Access group form - Criteria tab

Examples

For the examples, we will use the credential list below:

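| ID | Username      | Hostname | Device type | Product             | Site | Tag |
|----|---------------|----------|-------------|---------------------|------|-----|
| 1  | root          | srvdns   | Server      | RedHat 7.0          | LAX  |     |
| 2  | administrator | msad     | Server      | Windows Server 2019 | LAX  |     |
| 3  | sa            | mssqlprd | Database    | Windows Server 2019 | NYC  | dba |
| 4  | System        | Oraprd   | Database    | Oracle 19c          | NYC  | dba |
| 5  | administrator | WS1092   | Workstation | Windows 10          | SEA  |     |
| 6  | administrator | WS1035   | Workstation | Windows 10          | SEA  |     |
| 7  | administrator | WS2018   | Workstation | Windows 10          | NYC  |     |
| 8  | peter.lee     | WS1092   | Workstation | Windows 10          | SEA  |     |
| 9  | peter.lee     | mssqlprd | Database    | Windows Server 2019 | NYC  |     |
| 10 | john.ferrer   | WS1035   | Workstation | Windows 10          | SEA  |     |
| 11 | john.ferrer   | WS1092   | Workstation | Windows 10          | SEA  |     |
| 12 | root          | vmh-www  | Server      | RedHat 7.0          | AWS  |     |
| 13 | root7         | vmh-cicd | Server      | RedHat 7.0          | AWS  |     |
| 14 | root          | vmh-fw   | Server      | RedHat 7.0          | AWS  |     |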

Default Filter

  • Allow the ServiceDesk to have access only to the Administrator user of workstations.

    • Username: Administrator

    • Device type: Workstation

      As a result, only credentials 5, 6, and 7 will be made available.

Using Wildcard

  • Allow DBAs to have access only to privileged Oracle database credentials:

    • Device type: Database

    • Device model: Oracle*

    • Credential Tags: DBA

      As a result, only credential 4 will be made available.

  • Allow virtualization administrators to access only virtual machines hosted on AWS. By the rule adopted in this fictitious company, these machines receive the prefix vmh in their hostname:

    • Device name: vmh*

    • Site: AWS

      As a result, only credentials 12, 13, and 14 will be made available.

Using Masks

  • Allow users to have access to credentials that take their username, regardless of the device:

    • Credential username: [#USERNAME#]

      As a result, only credentials whose username is the same as that of the user logged in to senhasegura will be made available. If the senhasegura username is john.ferrer, only credentials 10 and 11 will be made available.

These are just a few examples that show how filters can be combined in creating some access groups.
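
To check a planned set of criteria before creating the group, the matching rules described above can be modelled offline. The following is an added example, not senhasegura's own code: it evaluates wildcard, comma-separated and [#USERNAME#] patterns against the credential list from this page. It assumes that criteria on different fields are combined with AND, that matching is case-insensitive (the page's examples use Administrator and DBA against lowercase values), and that the substituted username is always treated as literal text; the function and field names are hypothetical.

```python
import re

# Credential list as read from the table on this page.
# Field names are illustrative, not the product's own identifiers.
FIELDS = ("id", "username", "hostname", "device_type", "product", "site", "tag")
CREDENTIALS = [
    (1, "root", "srvdns", "Server", "RedHat 7.0", "LAX", ""),
    (2, "administrator", "msad", "Server", "Windows Server 2019", "LAX", ""),
    (3, "sa", "mssqlprd", "Database", "Windows Server 2019", "NYC", "dba"),
    (4, "System", "Oraprd", "Database", "Oracle 19c", "NYC", "dba"),
    (5, "administrator", "WS1092", "Workstation", "Windows 10", "SEA", ""),
    (6, "administrator", "WS1035", "Workstation", "Windows 10", "SEA", ""),
    (7, "administrator", "WS2018", "Workstation", "Windows 10", "NYC", ""),
    (8, "peter.lee", "WS1092", "Workstation", "Windows 10", "SEA", ""),
    (9, "peter.lee", "mssqlprd", "Database", "Windows Server 2019", "NYC", ""),
    (10, "john.ferrer", "WS1035", "Workstation", "Windows 10", "SEA", ""),
    (11, "john.ferrer", "WS1092", "Workstation", "Windows 10", "SEA", ""),
    (12, "root", "vmh-www", "Server", "RedHat 7.0", "AWS", ""),
    (13, "root7", "vmh-cicd", "Server", "RedHat 7.0", "AWS", ""),
    (14, "root", "vmh-fw", "Server", "RedHat 7.0", "AWS", ""),
]

def pattern_matches(pattern, value, requester):
    """Match one pattern: * is any run of characters, [#USERNAME#] is the requester."""
    # Split on * before substituting the mask, so a username that itself
    # contains * stays literal and cannot widen the filter.
    literals = [p.replace("[#USERNAME#]", requester) for p in pattern.strip().split("*")]
    regex = ".*".join(re.escape(lit) for lit in literals)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def visible_ids(criteria, requester):
    """IDs matching every field (assumed AND); comma-separated patterns are OR."""
    ids = []
    for row in CREDENTIALS:
        cred = dict(zip(FIELDS, row))
        if all(
            any(pattern_matches(p, cred[field], requester) for p in spec.split(","))
            for field, spec in criteria.items()
        ):
            ids.append(cred["id"])
    return ids

if __name__ == "__main__":
    print(visible_ids({"hostname": "vmh*", "site": "AWS"}, "john.ferrer"))
```

Running the planned criteria for each kind of requester shows which credentials a group would expose, including the cases where a broad pattern such as `srv*,vmh*` reaches more devices than intended.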