โ09-25-2023 12:52 PM - edited โ09-25-2023 12:54 PM
Good afternoon all,
This question has vexed me for a while now. Take an HTTP connector where the authentication requires a username/password to be put in the body of a POST request. The existing connector will now allow that information to be put in the Connector, so it winds up in the action of a recipe. Another example is Workday's SOAP endpoint to return a report.
The docs say to use Environment Properties... but it's all or nothing, not just a single property that has the username/password you need. So you give people access to everything in there, or nothing.
One Workato consultant suggested using a Lookup table, but it has the same problem. Can't give access to only that one Lookup table, it's either all or nothing.
Another Workato consultant suggested making a separate project that houses the "secure" connectors or recipe steps, and then only give access to that project to the ones who need it. We were starting to set this up, but then realized that the users only get one Collaborator roles, not multiple. So it's not like you can set up a role that just gives access to the "secure" project and give that out as needed. Rather, you need a role to give a developer access to all the projects minus the secure one, then another role to give all the projects. Then if another need for secure connectors/recipes arises in a different functional area, we'd have a 2nd secure project and then need a role giving access to:
This would get more and more complicated if there were more secure projects, or other kinds of mixes or security needs.
What models have others adopted, or what do you WISH you adopted in hind-sight? ๐
Thanks,
Mike
Solved! Go to Solution.
โ10-04-2023 02:45 AM
Hi @mppowe , thank you for providing feedback on my response. Here are some quick comments:
Let me know your thoughts.
โ09-26-2023 02:54 AM - edited โ09-26-2023 02:56 AM
Hi mpow, very good questions. Please take a look at these two recent updates in the platform, Project-level properties and lookup tables, that allow users to control access to the potentially sensitive data in properties and lookup tables.
โ09-26-2023 06:20 AM
Thanks for replying @javier-riesco, I wasn't aware of those enhancements. However, I think we still run into the same issue. Limiting access to these passwords by project is similar to the "project-secured" option I described above in the sense that it still requires a bunch of custom roles to be created to cover every kind of wrinkle we'd want covered b/c each person can only have one role assigned. I think the long-term answer here is the ability to assign multiple roles to each user so specific assets can easily be protected and then just that one thing given as needed, rather than creating entire new roles for every kind of permission set needed.
Or maybe there's something I'm not thinking of? Given the scenario I described in my original post, where I have an HTTP connector with a password in the post body, and a Workday SOAP action to call a report that requires the username/password in the body. I want to restrict access to those credentials to as few people as possible, and also know that more of these kinds of connectors will come in time.
What is Workato's recommendation in dealing with those situations?
Also would love to hear other perspectives. Thanks!
โ10-04-2023 02:45 AM
Hi @mppowe , thank you for providing feedback on my response. Here are some quick comments:
Let me know your thoughts.
โ10-04-2023 06:35 AM
@javier-riesco thanks for the response. Good to know about the masking in the Properties, but it still feels like a workaround. Then developers who create the connection that requires sensitive handling need to get an admin to create the entry in the Environment properties, and if ever a change needs to happen an admin has to do it, even though these are credentials specific to a particular recipe/integration in one functional area.
In short, it seems that the current security model doesn't allow a straight-forward way to enforce the principle of least privilege. I was going to write an enhancement request but it seems one already exists: https://ideas.workato.com/app/#/case/230911, which is the ability to assign multiple roles.
If you're reading this post and think it would be a good idea to allow multiple roles to be assigned to a user as a means of enforcing the Principle of Least Privilege, please upvote that idea.
Thanks!