I'd like someone to comment/confirm that PMP Premium Edition
can meet the following use case/requirements:
Environment: I have multiple internet-facing Linux-based SFTP file transfer servers that are accessed by multiple external companies (per SFTP server) that push and/or pull files securely.
I do not wish to have Linux admins manage the SFTP server accounts & passwords, I want to have a web-based system for these functions.
Absolute separation of these external companies' SFTP server access (and administration of their SMTP server account passwords) must be maintained by the web-based access control product.
Below, I am using the terms "PMP administrator", "Password administrator", "Password auditor" and "Password user" based on my understanding of the PMP product from this page of PMP user role definitions.
- For each external company using the SFTP server, I wish to create a "password administrator" role & account which will be the sole manager of the password for the company user account(s) on the SFTP server.
- The password admin role (for a company) CAN NOT create or delete accounts on the SFTP server - they will only be able to manage the password for the company-specific SFTP server account(s) that they are granted access to by the PMP Administrator.
- The password admin role (for a company) will be able to create/manage/remove their own "password users" which can retrieve the username and password for the company-specific SFTP server user account(s).
- The password admin (for a company) will be able to maintain an email address for each password user.
- When the password admin (for a company) changes the password for the SFTP server account, each of the password users will receive an automatic email notification that the password has been changed, but the email MUST NOT contain the new password. Each password user will need to login to their PMP account to view the newly changed password.
- The password admin (for a company) will be able to view a log of each of their password user activities: (a) Successful and failed logins to the PMP [including the source IP address of the password user] (b) viewing of the password for the SFTP server account(s), (c) when email was sent to the password user(s) from the PMP application. Maybe I'm talking about the role of "Password Auditor" here.
- The PMP administrator can enforce password rotation of the PMP accounts used by the company password managers.
- The PMP administrator can (optionally) grant the password admin this ability.
- Logging/viewing of logs by the PMP admin for all activities of password admins and password users, including (a) Successful and failed logins to the PMP [including the source IP address of the password users or password admins] (b) All activities initiated by a password admin or a password user, and (c) when emails were sent to the password users and password admins from the PMP application. Maybe I'm talking about the role of "Password Auditor" here.
- The PMP application will run under Linux (RHEL), and will update "/etc/passwd" and "/etc/shadow" style files that are used by the SFTP application for user account info, but these two files are stored in "an alternate location" (i.e. NOT in the /etc directory as usual with Linux local accounts) used by the SFTP application.
- PMP administrator, password administrators, password users and password auditors can do all of their functions via https server (Apache) on a Linux system.
- Optionally... the PMP administrator, password administrators, password users and password auditors will have to use multi-factor authentication (such as Google Authenticator or RSA keyfob) to perform their roles under the PMP application.
- For each PMP user login, role-based access/privileges can be defined.
The following would be "nice, but not required" features:
- Each external company PMP password admin can (from within their PMP access screen), view a text log file of successful and failed logins to the SFTP server application. This textfile of SFTP server login failures could be periodically shipped to the PMP server, or could reside on the SFTP server itself.
- Same as #1 above, but would be for each PMP password user or password auditor.
I'm sorry if this is so long... if I need to discuss this via a sales engineer, please post the appropriate contact info.
Thanks!
LR
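The rotation step the post describes (updating only the password of an existing account in a shadow-style file kept outside /etc, never creating or deleting accounts, and producing an audit record that carries no secret) looks like this as an added illustration; it is not PMP's code. It assumes the file uses the 9-field /etc/shadow layout and that the caller already holds the new crypt(3)-style hash (the product, not this function, would compute it); the account names and hashes are constructed.

```python
# Added example (not PMP's code): rotate one account's hash in a shadow-style
# file stored at an alternate path, as the requirements above describe.
# Assumptions: 9-field /etc/shadow layout; the caller supplies the new
# crypt(3)-style hash; sample accounts and hashes below are constructed.
import os
import re
import tempfile
import time

SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:flag
HASH_RE = re.compile(r"^\$(1|5|6|y|2[aby])\$[^:\s]+$")  # crypt(3) id prefixes

def rotate_password(shadow_path, account, new_hash, now=None):
    """Replace only the hash (and lastchg day) of one existing entry.
    Never adds or deletes entries, mirroring the 'password admin cannot
    create or delete accounts' rule. Returns an audit record with no secret."""
    if not HASH_RE.match(new_hash):
        raise ValueError("new_hash is not a crypt(3) hash string")
    with open(shadow_path, encoding="utf-8") as fh:
        entries = [ln.split(":") for ln in fh.read().splitlines() if ln]
    for f in entries:
        if len(f) != SHADOW_FIELDS:
            raise ValueError(f"malformed entry for {f[0]!r}")
    target = [f for f in entries if f[0] == account]
    if len(target) != 1:
        raise KeyError(f"{account!r}: expected one entry, found {len(target)}")
    target[0][1] = new_hash
    target[0][2] = str(int((now if now is not None else time.time()) // 86400))
    # Write a 0600 temp file in the same directory, then rename over the
    # original: a crash never leaves a half-written or world-readable file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(shadow_path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("".join(":".join(f) + "\n" for f in entries))
    os.chmod(tmp, 0o600)
    os.replace(tmp, shadow_path)
    return {"event": "password_rotated", "account": account,
            "entries": len(entries), "lastchg_days": int(target[0][2])}

def demo():
    """Rotate one of two constructed accounts in a temp-dir shadow file."""
    sample = ("acme_xfer:$6$oldsalt$OLDHASHacme:19000:0:90:7:::\n"
              "globex_xfer:$6$oldsalt$OLDHASHglobex:19000:0:90:7:::\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sftp_shadow")   # the "alternate location"
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        audit = rotate_password(path, "acme_xfer", "$6$newsalt$NEWHASHacme",
                                now=19500 * 86400)
        with open(path, encoding="utf-8") as fh:
            after = fh.read()
    return audit, after
```

The audit record is what a per-company log view would show: which account was rotated and when, but never the hash or the cleartext password.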