Using Secret Groups for Authorization
Authorizing a Request Server to access a single secret is a fine-grained way to manage authorizations using secret mappings. Although PAM supports this scenario, it becomes cumbersome and difficult to manage as the number of secrets and Request Servers grows. For ease of management, a PAM administrator can group a set of secrets (a secret group), a set of Request Servers (a request group), or both. Using groups lets the administrator apply one authorization policy to many secrets and Request Servers at once.
A group is a collection of secrets or Request Servers that meet specific filter criteria; for example, all secrets that have the identifier SSL in the Descriptor2 field. A single secret or Request Server might belong to multiple groups.
PAM supports two types of groups:
- Static groups allow PAM Administrators to choose explicitly what is in the group. Group contents do not change unless an administrator edits the group.
- Dynamic groups allow PAM Administrators to define a set of filter rules. PAM evaluates the rules when a request is processed to determine whether a secret or Request Server is in the group, so group contents change as the vault changes: a secret added later with matching attributes is covered by the group's authorizations without any further action by the administrator.
Dynamic secret groups apply a logical OR relationship for filters that use the same attribute. For example, if a group contains a vault filter with Descriptor1 "Test" and a vault filter with Descriptor1 "Production", the resulting group contains all secrets with either Test or Production in Descriptor1. Filters that use different attributes are applied using a logical AND relationship. For example, if a group contains a vault filter for Descriptor1 "Production" and a secret filter for Descriptor2 "SSL", the resulting group contains only secrets with Production in Descriptor1 and SSL in Descriptor2.
On the pages where groups are defined, there is a Show button that provides a preview of the resulting group contents. This preview lets PAM Administrators check which secrets or Request Servers the filters actually match before saving, which is worth doing for any dynamic group because its contents, and therefore the authorizations it grants, are determined by the filters rather than by an explicit list.
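The following is an added worked example, not code from the PAM product or its documentation, that models the group-resolution rules described above: filters on the same attribute are combined with OR, filters on different attributes with AND, static groups are explicit lists, and a single secret can belong to several groups. The secret records, attribute names (Descriptor1, Descriptor2), and the exact, case-sensitive comparison are assumptions made for the example; the page does not state how the product compares filter values. The resolver functions play the role of the Show preview, returning the members a group would have before anything is saved.

```python
from collections import defaultdict

# Constructed sample secrets for illustration only; these are not from any
# real PAM vault. Each secret carries the descriptor attributes that a
# dynamic-group filter can match on.
SECRETS = [
    {"name": "web01-root", "Descriptor1": "Production",  "Descriptor2": "SSL"},
    {"name": "web02-root", "Descriptor1": "Production",  "Descriptor2": "DB"},
    {"name": "qa-ssl",     "Descriptor1": "Test",        "Descriptor2": "SSL"},
    {"name": "qa-db",      "Descriptor1": "Test",        "Descriptor2": "DB"},
    {"name": "dev-ssl",    "Descriptor1": "Development", "Descriptor2": "SSL"},
]


def resolve_dynamic_group(filters, secrets):
    """Return the sorted names of the secrets a dynamic group resolves to.

    `filters` is a list of (attribute, value) pairs. Filters on the same
    attribute are combined with OR; the per-attribute results are combined
    with AND. Matching is exact and case-sensitive, which is an assumption of
    this example, not a documented product behaviour.
    """
    if not filters:
        # Fail closed: a group with no filters matches nothing rather than
        # every secret in the vault (a deliberate choice in this example).
        return []
    wanted = defaultdict(set)  # attribute -> set of accepted values (OR)
    for attr, value in filters:
        wanted[attr].add(value)
    return sorted(
        s["name"] for s in secrets
        # AND across attributes: every filtered attribute must hit one value
        if all(s.get(attr) in values for attr, values in wanted.items())
    )


def resolve_static_group(names, secrets):
    """Return the sorted names of an explicitly listed (static) group.

    Names that do not exist in the vault are dropped, so a typo in the list
    cannot silently widen the group if a secret with that name appears later.
    """
    known = {s["name"] for s in secrets}
    return sorted(n for n in names if n in known)


def groups_containing(secret_name, groups, secrets):
    """List every group (static or dynamic) that a given secret belongs to.

    `groups` maps a group name to ("static", [names]) or
    ("dynamic", [(attribute, value), ...]).
    """
    hits = []
    for gname, (kind, spec) in groups.items():
        members = (resolve_static_group(spec, secrets) if kind == "static"
                   else resolve_dynamic_group(spec, secrets))
        if secret_name in members:
            hits.append(gname)
    return sorted(hits)


if __name__ == "__main__":
    # Hypothetical group definitions mirroring the examples in the text.
    groups = {
        "env-any":  ("dynamic", [("Descriptor1", "Test"),
                                 ("Descriptor1", "Production")]),   # OR
        "prod-ssl": ("dynamic", [("Descriptor1", "Production"),
                                 ("Descriptor2", "SSL")]),          # AND
        "pinned":   ("static",  ["web01-root", "qa-db", "no-such-secret"]),
    }
    for gname, (kind, spec) in groups.items():
        resolver = resolve_static_group if kind == "static" else resolve_dynamic_group
        print(f"{gname} ({kind}): {resolver(spec, SECRETS)}")
    print("groups containing web01-root:",
          groups_containing("web01-root", groups, SECRETS))
```

Run the script to see the preview for each group; the "env-any" group picks up both Test and Production secrets, while "prod-ssl" narrows to the single secret that satisfies both descriptors. Adding a new secret with Descriptor1 "Production" and Descriptor2 "SSL" to the list would place it in "env-any" and "prod-ssl" immediately, which is exactly why previewing a dynamic group before saving matters.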