Using Secret Groups for Authorization

Authorizing a Request Server to access a single secret is a fine-grained way to manage authorizations using secret mappings. Although PAM supports this use scenario, it can become cumbersome and difficult to manage. For ease of management, a PAM administrator may choose to group a set of secrets (a secret group), a group of Request Servers (a request group), or both. Using groups lets the administrator apply authorization policies to multiple secrets and Request Servers more easily.
A group is a collection of secrets or Request Servers that meet specific filter criteria; for example, all secrets that have the identifier SSL in the Descriptor2 field. A single secret or Request Server might belong to multiple groups.
PAM supports two types of groups:
  • Static groups allow PAM Administrators to choose explicitly what is in the group. Group contents do not change over time.
  • Dynamic groups allow PAM Administrators to choose a set of rules which the request references to determine if something is in or out of the group.
Dynamic secret groups apply a logical OR relationship for filters that use the same attribute. For example, if a group contains a vault filter with the Description1 “Test” and a vault filter for the Description1 “Production”, the resulting group contains all secrets with either Test or Production in their description.
Filters that use different attributes are applied using a logical AND relationship. For example, if a group contains a vault filter for the Description1 “Production” and a secret filter in Description2 with “SSL”, the resulting group contains only secrets with Production in Description1 and SSL in the Descriptor2 field.
On the pages where groups are defined, there is a Show button that provides a preview of the resulting data. This preview gives PAM Administrators the ability to check the results before saving.
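The membership rule described above (OR between filters on the same attribute, AND across different attributes), as an added Python example that models the evaluation; this is not PAM's own code, and the Secret and Filter structures, the two operators, and the sample secrets are assumptions constructed for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    attribute: str  # secret attribute the filter inspects, e.g. "Description1"
    operator: str   # assumed operator names: "contains" or "equals"
    value: str      # the text entered in the Value field

@dataclass(frozen=True)
class Secret:
    name: str
    attributes: dict  # attribute name -> attribute text

# Case-sensitive matching is an assumption; PAM's exact comparison is not stated.
OPERATORS = {
    "contains": lambda actual, expected: expected in actual,
    "equals": lambda actual, expected: actual == expected,
}

def matches(secret, filters):
    """True if the secret belongs to the dynamic group defined by `filters`.

    Filters are bucketed by attribute. Within one bucket any filter may match
    (OR); every bucket must have at least one match (AND). A secret lacking an
    attribute is treated as having an empty string there, so it never satisfies
    a non-empty filter on that attribute. With no filters, everything matches.
    """
    by_attribute = {}
    for f in filters:
        by_attribute.setdefault(f.attribute, []).append(f)
    for attribute, same_attr_filters in by_attribute.items():
        actual = secret.attributes.get(attribute, "")
        if not any(OPERATORS[f.operator](actual, f.value) for f in same_attr_filters):
            return False
    return True

def preview_group(secrets, filters):
    """What the Show button would list: names of secrets in the group."""
    return [s.name for s in secrets if matches(s, filters)]

# Constructed sample inventory (assumption, not real PAM data).
SECRETS = [
    Secret("web-cert", {"Description1": "Production", "Description2": "SSL cert"}),
    Secret("test-cert", {"Description1": "Test", "Description2": "SSL cert"}),
    Secret("db-pass", {"Description1": "Production", "Description2": "DB password"}),
    Secret("dev-key", {"Description1": "Development", "Description2": "SSL cert"}),
]
```

Running `preview_group(SECRETS, [Filter("Description1", "contains", "Production"), Filter("Description2", "contains", "SSL")])` yields only web-cert, while two Description1 filters for Test and Production yield web-cert, test-cert and db-pass.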

Guidelines for Mapping Secret Groups

When you create a Dynamic Secret Group, the group contains all Secrets that satisfy the filter criteria. When you map a Secret Group that includes filters, be aware of how you set the Check Execution Path and Check File Path check boxes:
  • If you select one or both check boxes, the authorization mapping is restricted to only those secrets that are in the database. The authorization mapping excludes any secrets that are not in the database.
  • If you clear the check boxes, all secrets in the group are included in the authorization mapping.

Adding or Updating a Secret Group

  1. Select Secrets, Manage Secret Groups.
  2. On the Secret Groups page:
    • To add a new secret group, click Add. The Secret Group modal appears.
    • To update an existing secret group, select the group to update and click Update. The Update Secret Group modal appears.
  3. Enter a Name and optionally a Description to identify this secret group and click OK. The group name must be unique.
  4. Select whether the group is dynamic or static from the Type drop-down.
  5. Add filters to the group. Repeat this procedure for each filter you want to add.
    1. Select the Not Specified link for the filter that you want to apply. The Define Filters dialog appears.
    2. Select the plus icon (+) to add an expression.
    3. Select the filter type (for example, contains) from the drop-down list in the Operator field.
    4. Enter the filter expression (for example, SSL) in the Value field.
  6. Select OK to save your changes.

View All Secrets Belonging to an Existing Secret Group

Use the following procedure to view all secrets belonging to an existing secret group:
  1. Select Secrets, Manage Secret Groups.
  2. On the Secret Groups page, select the target group that you want to view and select Update.
  3. Select Show. The list of secrets that match the group's filter criteria is displayed.
  4. Switch between the Vaults, Secret Types, and Secrets tabs to view detailed information about the secrets that are assigned to this group.
  5. Select OK.

Copying a Secret Group

To copy a secret group into your clipboard:
  1. Select Secrets, Manage Secret Groups.
  2. Select the secret group that you want to copy and click Update. The Copy Secret Type modal appears.
  3. Modify the secret group as required and click OK to save this secret group as a new secret group.

Deleting a Secret Group

Deleting a secret group removes it permanently from PAM. You cannot restore a deleted secret group. However, the secrets that are assigned to the group are not deleted.
To delete a secret group:
  1. Select Secrets, Manage Secret Groups.
  2. Select the secret group that you want to delete and click Delete.
  3. When prompted to confirm the action, click Yes.