Royal Apps

Hello,

I would like to create a shared document for my team. One caveat: Our company requires all server access to go through CyberArk PSMP. While this procedure has been already described in https://support.royalapps.com/support/solutions/articles/17000129922-integrating-cyberark-with-royal-ts-x- there doesn't seem to be a way to create a shared document this way (as I cannot reference credentials in personal documents as they would have to contain the hostnames).

Things I've tried:

- Using variables to dynamically set vault user and target user in the username field. Fails because I have no way to dynamically get the name of the target user, this would have to be filled manually for each host. Defeats the purpose.

- Using custom fields for vault user and target user: There is no place to save them outside of the shared document where one would have access to it in the shared document

- A custom appsettings.json would be possible, but I don't think there are custom fields allowed in it

Are there any obvious ways or workarounds I'm missing?

King Regards,

Merlin

I'll try my best to summarize it. First of all, this only works with the PuTTY pluign, as the Rebex plugin fails on parsing the hostname.

CyberArks guideline for SSH conncetion strings is:

vaultuser@targetuser#centralmanagement@targetmachine#targetport@targetpassword@proxyaddress

 On an SSH connection in the Shared Document, as "Computer Name", I set:

$EffectiveUsernameWithoutDomain$@$EffectiveUserdomain$@targetmachine@proxyaddress

This works because internally, username and hostname are "just" concatenized, so it shouldn't matter whether you put the username in the hostname field.

Afterwards, in the same shared connection, in the credential settings, I set up "Specify a credential name", and set that name to something generic like "cyberark". It is important that both "Omit Domain" and "Automic Logon" are unchecked, as the first would omit the target user we store in the domain field, and the second option would send the username when we already send it in the hostname field. All of my team members will have to have a local Credential called "cyberark" with their usernames.

The credential itself is stored in my local Royal TS document (i.e. non-shared). It looks like this:

The TL;DR seems to be: "When you need two usernames, just put one of them in the domain field". Obviously this fails to work when you really need a domain.

Hope this helps, don't hesitate if I can answer more questions!

Thanks for your time, I got it to work by using the connection string (involving both username fields) into the hostname box. I didn't think this was possible in Royal TS, but it works. Vault username and Target username are set as $EffectiveUsernameWithoutDomain$ and $EffectiveUserdomain$. This way, I can specify a credential by name, which sits outside of the shared document. In the (private) credential I used targetusername\vaultusername for the username, abusing the domain limiter to get two usernames into the field. It definitely is not pretty, but it seems to work rather well.

Thanks for the response! In this case, is it possible to have dynamic folders based off of "normal" folders? So that we can create the servers by hand and have the dynamic folder script automatically fill out the credential stuff?

Hi Stefanm

we're not using the Dynamic Folder script (as it is blocked through security restrictions and 2. doesn't offer a list of all relevant endpoints). Instead, we want to have the servers relevant for our team in the shared document. Right now I'm looking for a way to store the vault and target usernames in a way that they can be configured per-user, while still using the servers from the shared document in this CyberArk environment.