Defining access disclosure plugins for a managed system policy
You must enable at least one access disclosure plugin for a managed system policy before users can access the password for accounts managed by that policy. You can set plugins for SSH key access, but this is not required; users can simply use their existing credentials with the temporary SSH trust relationship. You can set plugins for group set access, but this is not required; users can simply use their existing credentials with temporarily heightened privileges.
You can enable only one plugin to disclose old passwords for a managed system policy.
Bravura Privilege ships with the following native access disclosure plugins:
Run command: pswcmdrun
pswcmdrun is used with account set access requests. It allows users to run commands or scripts on multiple managed systems using managed account credentials. When a user checks out an account set, Bravura Security Fabric displays a command execution window if any of the member systems support the run command operation.
Details: Run command: pswcmdrun
Command prompt: pswxcmd
pswxcmd provides users with access to managed systems by executing an external program and providing credentials. There are three types of command prompt controls: one is specifically for accessing managed accounts, and the other two are for temporary group membership, where the password can either be passed on the command line or specified upon connection to the remote server. This plugin is compatible with session recording.
Details: Command prompt: pswxcmd
PuTTY over SSH: pswxcmd
This is a preconfigured pswxcmd access disclosure plugin used for accessing managed accounts with SSH keys instead of passwords. This plugin is compatible with session recording.
Details: PuTTY over SSH: pswxcmd
Copy: pswxcopy
pswxcopy provides users with access to a password by copying it into the clipboard of the client workstation.
Details: Copy: pswxcopy
Remote desktop / RemoteApp RDP: pswxtsvc
pswxtsvc provides users with access to Windows server or client managed systems and RemoteApp programs using Remote Desktop Connection (RDC). The plugin connects to the managed system automatically, so the user never has to enter the administrative credentials for the managed account. This plugin is compatible with session recording.
Display: pswxview
pswxview provides users with access to a password by displaying it within the browser. When the secure method is enabled, Bravura Security Fabric uses JavaScript to decrypt the privileged password embedded in the page.
If the insecure method is enabled, the browser can store passwords in plain text in the page source, and users can access the accounts in browsers that do not have JavaScript enabled. Users access the managed system by hovering their cursor over the View button.
Details: Display: pswxview
Bravura Privilege ships with the following Guacamole access disclosure plugins:
In-browser RDP: guacamole-rdp
guacamole-rdp provides users with access to Windows server or client managed systems using Remote Desktop Connection (RDC).
Details: In-browser RDP: guacamole-rdp
In-browser RemoteApp: guacamole-remote-app
guacamole-remote-app provides users with access to a remote application (RemoteApp) hosted on a Windows server or client managed system.
In-browser SSH: guacamole-ssh
guacamole-ssh provides users with remote access to a server using Secure Shell (SSH).
Details: In-browser SSH: guacamole-ssh
In-browser Telnet: guacamole-telnet
guacamole-telnet provides users with remote access to a server using Telnet.
Details: In-browser Telnet: guacamole-telnet
In-browser VNC: guacamole-vnc
guacamole-vnc provides users with remote access to a managed system with Virtual Network Computing (VNC) enabled.
Details: In-browser VNC: guacamole-vnc
All Guacamole access disclosure plugins provide automatic connection to the managed system without the need to enter the administrative credentials for the managed account and are compatible with session recording.
A Guacamole gateway is required in order to use Guacamole access disclosure plugins. See Installing and configuring Guacamole on how to set up a Guacamole gateway and configure the controls to use it.
Bravura Privilege ships with the following website access disclosure plugins:
Secure browser: securebrowser
securebrowser launches a dedicated program that automatically logs into a website using a configuration defined in a JSON file. This plugin is compatible with session recording. It requires installation of the Bravura Security Secure Browser program.
Details: Secure browser: securebrowser
Web app privileged sign-on: pswxwebapp
pswxwebapp launches a separate browser tab that automatically logs into a website using a configuration defined in a JSON file. It requires installation of the Bravura Security browser extension.
Details: Web app privileged sign-on: pswxwebapp
See also Access Disclosure Plugins to learn how to configure global settings and default behavior, and to add custom plugins.
Enabling access disclosure plugins for a policy
To select and enable access disclosure plugins for a managed system policy:
Navigate to the Managed system policy information page.
Select the Access disclosure plugins tab.
Depending on the authentication types defined for the managed system policy, only applicable disclosure plugins can be added to the policy.
Click the Select … button.
Select the checkboxes next to the plugins you want to apply to the policy.
Click Select.
Select the checkboxes or radio buttons in the appropriate column for plugins to enable users to:
Access SSH keys – Users with sufficient privileges can use the plugin to access a privileged account using their SSH keys. One or more must be selected.
Access group set – Users with sufficient privileges can use the plugin to access a group set. One or more can be selected.
Access current password – Users with sufficient privileges can use the plugin to access a privileged account. One or more must be selected.
Access old passwords – Users with sufficient privileges can access password history. Only one plugin can be selected.
Depending on global settings, some options may not be selectable.
Select the checkboxes for the plugins you want to provide access to current passwords, if applicable.
Select the radio button for the plugin you want to provide access to password history, if applicable.
Click Update.
Sometimes, installing a component for a particular system type is not enough to give a managed account on that system disclosure access; the disclosure option must also be added to the managed system policy. In the following demonstration, this was the case for the installation of the Scenario.pam_system_type_winnt and Scenario.pam_disclosure_rdp_local_account components. These components were installed to provide Remote Desktop Protocol (RDP) disclosure access to managed accounts on Windows systems, but configuration is still missing for the disclosure access to work during checkouts. The remote desktop disclosure option must be added to the ONBOARDED_ACCOUNTS managed system policy where these accounts are managed.
Detaching access disclosure plugins
To remove a plugin from a managed system policy:
Navigate to the Managed system policy information page.
Select the Access disclosure plugins tab.
Select checkboxes next to the plugins you want to remove from the policy.
Click Delete.
Overriding global settings in managed system policies
Configuration settings for access disclosure plugins can be applied globally. This includes their description, selectability, and attributes.
You can override some access disclosure plugin settings at the managed system policy level.
Overriding an access disclosure plugin description
To override basic configuration settings:
Navigate to the Managed system policy information page.
Select the Access disclosure plugins tab.
Select the plugin you want to update.
Type the Overridden description to be used when displaying the plugin option for accounts or groups managed by this policy.
Optional: Select usage options as described in Table 1, "Access disclosure plugin configuration - managed system policy options".
Click Update.
Table 1. Access disclosure plugin configuration - managed system policy options

Option | Description |
---|---|
Use this plugin to access SSH keys | If checked, this plugin allows users with sufficient privileges to access the managed account using SSH keys. |
Use this plugin to access group sets | If checked, this plugin allows users with sufficient privileges to access the group set. |
Use this plugin to access the current password | If checked, this plugin discloses the current privileged password to users with sufficient access privileges. |
Use this plugin to access old passwords | If checked, this plugin discloses old privileged passwords to users with sufficient access privileges. |
The options in the table above correspond to the checkboxes and radio buttons on the policy’s access disclosure plugins page. You cannot override global settings that prevent you from selecting a plugin for a certain use.
Overriding default attribute settings
To override access disclosure plugin attribute settings to control behaviors at the group level:
Navigate to the Managed system policy information page.
Select the Access disclosure plugins tab.
Select the plugin you want to update.
Select the attribute you want to update.
Set the plugin attribute options, as described in Table 2, "Access disclosure plugin attribute options".
See Access Disclosure Plugins for detailed information about default plugin behaviors.
Click Update.
To remove an override and revert to global settings, click Remove in the Attributes for this plugin table.
Cloning access disclosure plugins within a managed system policy
You can clone an existing access disclosure plugin if you want to run multiple instances of the plugin but with different settings.
To clone a plugin from a managed system policy:
Navigate to the Managed system policy information page.
Select the Access disclosure plugins tab.
Select the checkbox next to the plugin you want to add to the policy.
Click Select.
Select the existing plugin you want to update and modify.
Click Clone.
Specify a description and modify other options as needed.
Click Add.
See also:
You can also clone global access disclosure plugins.
You can set up access disclosure plugins to allow end users to save sessions with their preferred settings.
Viewing attributes passed into ActiveX plugins
To view the attributes passed into the ActiveX control for debugging purposes, copy the logutil program onto the system and run it, specifying the instance "PPMClient ActiveX Controls". You may need to generate an instance key to get logutil to capture ActiveX logs. Ensure the system initializing the ActiveX control does not have IE ESC turned on. See logutil usage details.
Use a plugin to define access disclosure plugins
You can use a plugin to determine which access disclosure plugins, and with what settings, will be available to a recipient when attempting to access a managed password. The recipient may be a product administrator with permissions to access a managed password, or a user with an approved request to access a managed password.
The PSW disclosure plugin is particularly useful when deciding what disclosure plugins should be given to which users, in scenarios where the policy-defined plugins have a conflict based on the managed system policy configuration. It is also useful to configure which disclosure plugins users can have access to based on various other attributes and values.
To use a PSW disclosure plugin:
Click Manage the system > Modules > Privileged access.
Type the name of the plugin in the PSW DISCLOSURE PLUGIN field.
By default, the following information is passed into the plugin:
Current manually configured disclosure plugins for the requested account or group set (based on the disclosure plugins configured for the managed system policies)
Managed account information (which account on which system, and which managed system policy settings it is being checked out with)
Request ID
Requested plugin information (only available when users check out passwords using a URL)
Recipient of the request
Some data is not passed in by default. You must manually enable certain registry settings to allow the plugin to receive this information.
Note
Ensure that you are comfortable and knowledgeable in the mechanics of the registry before you attempt to change any configuration settings. Contact support@bravurasecurity.com if in doubt.
There is a sample PSW disclosure plugin, psw-disclosure-plugin.psl, available in the samples directory. By default it displays no controls. You must initially disable built-in controls before plugin-defined controls are available.
To enable additional PSW DISCLOSURE PLUGIN input, set these entries in the following key:
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\idarch
Each entry is a REG_DWORD with value 0 or 1 and default 0; set it to 1 to pass the corresponding input to the plugin.

Input | Entry name | What it provides |
---|---|---|
Default plugin attributes | plugin_psw_disclosure_default_plugins | The disclosure plugins already available on the system, and the values of the attributes they use. |
Discovered computer attributes | plugin_psw_disclosure_found_comp_attrs | The attributes of the discovered managed system that the managed account is on. |
Discovered computer multi-valued attributes | plugin_psw_disclosure_found_comp_mv_attrs | The multi-valued attributes of the discovered managed system that the managed account is on. |
Groups | plugin_psw_disclosure_groups | The managed group the requester is a member of. |
User profile attributes | plugin_psw_disclosure_profile_attrs | The profile attributes of the requester. |
Requirements
See Writing plugins for general requirements.
Execution points
The plugin is called on any page where a user is granted access to a managed password or group set that they have successfully checked out.
Inputs
The plugin will receive the following input:
    "" "" = {
        "default-disclosure-plugins" "" = {
            "disclosure-plugin" "" = {
                "description" = "<plugin description>"
                "id" = "<plugin ID>"
                "name" = "<plugin name eg. pswxtsvc.ocx>"
                "attributes" "" = {
                    "<attribute key>" "" = {
                        "<attribute key>" = "<attribute value>"
                        ...
                    }
                    ...
                }
            }
            ...   # Repeats for each default disclosure plugin available.
        }   # if plugin_psw_disclosure_default_plugins regkey is set
        "disclosure-plugins" "" = {
            "disclosure-plugin" "" = {
                "description" = "<plugin description>"
                "id" = "<plugin ID>"
                "name" = "<plugin name eg. pswxtsvc.ocx>"
                "attributes" "" = {
                    "<attribute key>" "" = {
                        "<attribute key>" = "<attribute value>"
                        ...
                    }
                    ...
                }
            }
            ...   # Repeats for each disclosure plugin configured for this managed
                  # password based on the managed system policy that it is requested from.
        }
        "ead_computer_attributes" "" = {
            "mv_attributes" "" = {
                "<attribute key>" = "<attribute value>"   # 0 or more
                ...
            }   # if plugin_psw_disclosure_found_comp_mv_attrs regkey is set
            "sv_attributes" "" = {
                "<attribute key>" = "<attribute value>"
                ...
            }   # if plugin_psw_disclosure_found_comp_attrs regkey is set
        }
        "groups" "" = {
            "<targetid>" = "<groupid>"
        }   # if plugin_psw_disclosure_groups regkey is set
        "managedaccount" "" = {
            "accountid" = "<Managed Account ID>"
            "msp" = "<Managed System Policy>"
            "resourceid" = "<Managed System>"
        }
        "request" "" = {
            "requestID" = "<Request ID>"
        }
        "requested-plugin" "" = {
            "address" = "<address value>"
            "name" = "<requester ID>"
        }   # Only available if the user checks the password out using the URL method.
        "viewer" "user" = {
            "id" = "<Profile ID>"
            "attribute" "<Profile attribute key>" = {
                "value" "" = {
                    "value" = "<Profile value>"   # 0 or more
                    ...
                }
            }
            ...   # if plugin_psw_disclosure_profile_attrs regkey is set
        }
    }
Output
The plugin returns:
    #KVGROUP-V1.0
    "" "" = {
        "retval" = "0"
        "errmsg" = ""
        "disclosure-plugins" "" = {
            "disclosure-plugin" "" = {
                "description" = "<plugin description>"
                "id" = "<plugin ID>"
                "name" = "<plugin name eg. pswxtsvc.ocx>"
                "attributes" "" = {
                    "<attribute key>" "" = {
                        "<attribute key>" = "<attribute value>"
                        ...
                    }
                    ...
                }
            }
            ...   # Repeats for each disclosure plugin returned.
        }
    }
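As an added example, not Bravura's sample psw-disclosure-plugin.psl and not written in its plugin language, the following Python models the decision such a plugin makes and produces its reply in the KVGROUP-V1.0 shape documented above. It works on a dict that mirrors the documented input keys; the plugin IDs, attribute values, the target-to-group pairing and the group name pam-operators are constructed for this example. The rule it applies is least disclosure: plugins that hand the clear-text password to the requester (pswxview, pswxcopy) are returned only when the groups input (present when plugin_psw_disclosure_groups is 1) shows the requester in the named group on the target; when that input is absent the plugin fails closed and returns session-style plugins only, and a malformed input is reported through retval and errmsg rather than answered with a plugin list.

```python
"""Added example (not Bravura's code): a Python model of a PSW disclosure plugin
decision plus a serializer for the documented #KVGROUP-V1.0 output shape."""
from __future__ import annotations

from typing import Any

# Plugins whose purpose is to hand the clear-text password to the requester
# (Display and Copy), as opposed to brokering a session (RDP, Guacamole, ...).
PASSWORD_REVEALING = {"pswxview.ocx", "pswxcopy.ocx"}

# Assumed group name: only members of this group on the target are offered a
# clear-text disclosure. Everyone else gets session-style plugins only.
REVEAL_GROUP = "pam-operators"

# Constructed input modelled on the documented structure (a dict instead of
# KVGROUP text; "disclosure-plugins" is the list of policy-configured plugins).
SAMPLE_INPUT: dict[str, Any] = {
    "disclosure-plugins": [
        {"description": "Remote desktop", "id": "rdp-1", "name": "pswxtsvc.ocx",
         "attributes": {"rdp": {"port": "3389"}}},
        {"description": "Display", "id": "view-1", "name": "pswxview.ocx", "attributes": {}},
        {"description": "Copy", "id": "copy-1", "name": "pswxcopy.ocx", "attributes": {}},
    ],
    # Present only when plugin_psw_disclosure_groups is set to 1: target -> group.
    "groups": {"srv01": "pam-operators"},
    "managedaccount": {"accountid": "administrator", "msp": "ONBOARDED_ACCOUNTS",
                       "resourceid": "srv01"},
    "request": {"requestID": "REQ-0001"},
    "viewer": {"id": "jdoe"},
}


def requester_may_see_password(inp: dict[str, Any]) -> bool:
    """True only when group input is present and names REVEAL_GROUP for the target.

    If plugin_psw_disclosure_groups is not enabled the "groups" block is absent;
    the plugin then has no basis for the decision and fails closed.
    """
    groups = inp.get("groups") or {}
    target = inp["managedaccount"]["resourceid"]
    return groups.get(target) == REVEAL_GROUP


def select_plugins(inp: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the policy-configured plugins this requester should be offered."""
    reveal_ok = requester_may_see_password(inp)
    return [p for p in inp.get("disclosure-plugins", [])
            if reveal_ok or p["name"] not in PASSWORD_REVEALING]


def _quoted(value: str) -> str:
    # KVGROUP escaping rules are not documented on the page; refuse rather than guess.
    if '"' in value or "\n" in value:
        raise ValueError(f"unsupported character in value: {value!r}")
    return f'"{value}"'


def to_kvgroup(plugins: list[dict[str, Any]], retval: int = 0, errmsg: str = "") -> str:
    """Serialize the decision into the documented #KVGROUP-V1.0 output shape."""
    out = ["#KVGROUP-V1.0", '"" "" = {',
           f'    "retval" = {_quoted(str(retval))}',
           f'    "errmsg" = {_quoted(errmsg)}',
           '    "disclosure-plugins" "" = {']
    for p in plugins:
        out.append('        "disclosure-plugin" "" = {')
        for key in ("description", "id", "name"):
            out.append(f'            "{key}" = {_quoted(p[key])}')
        out.append('            "attributes" "" = {')
        for attr_key, values in p.get("attributes", {}).items():
            out.append(f'                {_quoted(attr_key)} "" = {{')
            for k, v in values.items():
                out.append(f'                    {_quoted(k)} = {_quoted(v)}')
            out.append("                }")
        out.append("            }")
        out.append("        }")
    out.extend(["    }", "}"])
    return "\n".join(out)


def run_plugin(inp: dict[str, Any]) -> str:
    """Entry point: validate the input, decide, and produce the KVGROUP reply."""
    if "managedaccount" not in inp or "resourceid" not in inp["managedaccount"]:
        # Malformed input: report it through retval/errmsg instead of disclosing anything.
        return to_kvgroup([], retval=1, errmsg="managedaccount.resourceid missing")
    return to_kvgroup(select_plugins(inp))


if __name__ == "__main__":
    print(run_plugin(SAMPLE_INPUT))
```

Run it directly to print the reply for the sample input; remove the "groups" entry from SAMPLE_INPUT and only the RDP plugin is returned. The serializer refuses values containing double quotes or newlines because the page does not document KVGROUP escaping; a plugin written for the product would use its own encoding.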