What happens when a user creates Secrets and does not share them with anyone else, or if you are administrating Secret Server and need to re-organize your Secrets?
Secret Server’s “break the glass” feature, Unlimited Administration Mode, can help in those situations.
The Unlimited Administrator Mode allows designated users to manage Secrets they would normally not have access to. Administrators with the “Administer Unlimited Admin Configuration” role permission can enabled this by going to Administration > Configuration and selecting “Change Administration Mode”. Administrators can enter any optional notes explaining why they are enabling or disabling it, as well as creating an audit trail of this setting. A banner also appears in the header indicating to other users that Unlimited Administration Mode is turned on.
When enabled, users that have the “Unlimited Administrator” role permission can now access all Secrets and folders (with the exception of DoubleLocked Secrets), regardless of permissions, and all features of the Secret Server. Having a separate role permission allows administrators to specifically assign which users will be affected by the setting. Typically these should be very trusted people in the organization.
Unlimited Administration Mode is powerful, and can be locked down by to prevent abuse by ensuring no user has both permissions “Administer Role Permissions” and “Administer Unlimited Admin Configuration”. If no role has the “Unlimited Administrator” permission by default, then it will take two users to effectively turn Unlimited Administration Mode on: One user to enable it in configuration, and the other user to grant the permission to users or groups.
You can also have administrators notified by email when Unlimited Administration Mode is turned on or off by using event subscriptions. Our Knowledge Base article, How to protect the Unlimited Admin Mode using Event Subscriptions, details how to set that up.Leave a reply →