Orchestrator CyberArk password vault integration design issue

#1

With reference to my previous post (link below), as @badita mentioned, the Orchestrator CyberArk password vault integration was done in v2017.1.6547, but we didn’t find the current integration design to be useful.

Current Integration Design: Orchestrator integrates with 1 Safe in Password Vault

Problem we see in current design: In our firm, BOT passwords are owned by Process / Business Teams. We want Business teams to be able to independently manage only their own BOT passwords themselves. As of now, Orchestrator integrates with 1 Safe - that means all user names & passwords will need to be in 1 safe. This would mean that theoretically, anyone who has access to the safe can retrieve any password, and this is a problem from an audit perspective for us.

Design Suggestion: Orchestrator should integrate with multiple safes


#2

I think that assigning different roles to the same user (depending on the resource group) is something that will be achieved in the future.

I don’t see how having multiple vaults will allow us to achieve the different users - different resources - different permissions issue.

Now, I would not say that someone can retrieve the password. Only the robot service can retrieve that from Orchestrator and use it in order to open an interactive session. However, a user who has access to edit a robot cannot get the password. Maybe I’m missing something.


#3

Thanks for considering this suggestion.

Let’s focus on the above quoted part for now. I believe all other questions will be answered if I am able to communicate the problem we see.

In our firm, BOT passwords are owned by Business Teams. We have multiple business teams. Each business team has a separate BOT User ID & only the business team has the password for this BOT User.

If Orchestrator can integrate with multiple vaults, each vault can be owned by a separate business team. Hence from a given vault, no other business team, apart from the team which owns the given BOT ID stored in this vault, can retrieve the password.


#4

I’m slowly beginning to understand :)

  1. I think point 1 is to offer this separation in Orchestrator - resource-based access instead of role-based access. Partially this can be mitigated via tenants or organization units.

  2. Point 2 is integration with multiple vaults. Even with the same but multiple servers (Cyberark1, Cyberark2). This is possible only at tenant level.

  3. Point 3 I don’t get. Instead of asking UiPath to provide different access rights to different credentials, why don’t you ask the credential provider to offer this separation? Let’s say you have only CyberArk within a tenant. Isn’t it then possible to have different business users managing different credentials in CyberArk? If we go after this, how will it work? It does not seem straightforward to implement.


#5

I have tried to depict the scenario in the above picture. As per the Password Vault team, the lowest level of permission is Vault level and it’s not possible to have credentials-level permission. That means, in the above scenario, for Tenant 1, we will need to save the passwords of all 30 BOT IDs in a single vault. Which essentially means that any of these 30 teams can manage any of these 30 BOT IDs / passwords.

My understanding of this suggestion is - we can give object-based (Robots, Process, Assets, Jobs, Schedules, Logs etc.) access in Orchestrator. I think it solves the problem in some ways, but with this the Business team will need to keep managing passwords separately in both the CyberArk Password Vault & in Orchestrator.
Irrespective of the above, I think this is a useful feature for the Product roadmap anyway, irrespective of Password Vault Integration. If it’s useful, I can submit this as a separate idea on the forum.

Understood your point, but I believe it’s impractical. For example, in the scenario depicted in the above picture, we will need to create 55 Tenants.

As per the Password Vault team, the lowest level of permission is Vault level and it’s not possible to have credentials-level permission. I believe speaking to CyberArk might be useful.


#6

I’d just like to highlight this design for consideration as well. My firm has several teams, each utilizing their own tenant and each managing their own set of robot IDs and VMs. Keeping all Robot IDs in the same safe is problematic for my firm given the type of external system access the IDs are granted for their various automation use cases. Additionally, every team would need access to the safe to retrieve passwords for effectively building/managing/troubleshooting on robot machines.

+1 vote for multi-safe (per tenant) CyberArk configuration