Introduction
Catchpoint's Credentials Library enables you to centrally store and manage credentials, including Tokens, Username/Password pairs, and Certificates, for use in your tests. Once a credential is added to the Library, portal users can select it when configuring a test, folder, or product. This makes it easier to reuse the same credential across multiple test configurations, and it improves security because stored credential values are never displayed in cleartext within the portal UI once saved.
We have also built an Access Control feature for the Credentials Library, which lets you choose whether each credential will be accessible to all portal users that can create and modify tests, or limited to a custom list of portal users. This can help prevent excessive or inappropriate use of credentials, as well as unauthorized exposure of credential values when they are passed to other systems for authentication.
The Access Control option is not available by default, but may be turned on for your portal upon request. The reason for this is that limiting access to a credential has significant implications for test access and management, which portal administrators and users need to thoroughly understand in order to avoid potential pitfalls. This article explains these issues so that you can successfully plan and implement your credential-management strategy.
How Credentials Access Control Works
When you add a credential to the Library without access control, any portal user whose user role includes the Manage Tests > Create and Modify permission can select it when configuring the 'Requests' section of a product, folder, or test. When you enable Access Control on a credential, you choose the specific portal users that may access it. Portal users that have not been explicitly granted access to the credential will not see it listed when editing the 'Requests' section, which prevents them from using it in any test configuration.
Implications of Limiting Credential Access
Limiting access to a credential has two consequences that you should take into consideration:
- An access-limited credential can only be applied to individual tests, not to products or folders. If it could be added to a product or folder, a portal user without access to the credential could create a test within that product or folder, enable inheritance of the Requests section, and the test would then inherit and use the credential. This would defeat the purpose of the access limit.
- Once an access-limited credential is applied to a test, only portal users with access to that credential can edit the properties of that test. Without this limitation, a malicious individual could edit the test so that its requests are sent to a server that they control, thereby exposing the credential value.
It is important to be aware of these effects and communicate them clearly to your portal users before enabling and using Access Control. This can help avoid confusion or frustration caused by an unexpected inability to add some credentials to products and folders, or to edit certain tests.
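The two rules above are easiest to reason about as an authorization policy. The following is an added illustrative model written for this article, not Catchpoint's own implementation; the class names, the `demo()` function, the user names `alice` and `mallory`, and the credential and folder names are all constructed assumptions. It shows why attaching an access-limited credential to a folder leaks it through Requests inheritance, and how the two rules close both the inheritance path and the edit-the-target path.

```python
"""Illustrative model of credential Access Control rules (constructed example).

Not Catchpoint code: names and structure are assumptions made for this article.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    name: str
    # None means Access Control is off: any user with Create and Modify may use it.
    allowed_users: Optional[frozenset] = None

    @property
    def access_limited(self) -> bool:
        return self.allowed_users is not None


@dataclass(frozen=True)
class User:
    name: str
    create_and_modify: bool = True  # the "Manage Tests > Create and Modify" permission


@dataclass
class Container:
    """A product or folder whose Requests section tests may inherit."""
    name: str
    credential: Optional[Credential] = None


@dataclass
class Test:
    name: str
    parent: Container
    credential: Optional[Credential] = None
    inherit_requests: bool = False
    target: str = "https://api.example.com/health"  # constructed sample target

    def effective_credential(self) -> Optional[Credential]:
        # With inheritance enabled, the test uses whatever its parent carries.
        return self.parent.credential if self.inherit_requests else self.credential


def can_use_credential(user: User, cred: Credential) -> bool:
    if not user.create_and_modify:
        return False
    return (not cred.access_limited) or user.name in cred.allowed_users


def can_attach_to_container(cred: Credential) -> bool:
    # Rule 1: access-limited credentials may not go on products or folders.
    return not cred.access_limited


def can_edit_test(user: User, test: Test) -> bool:
    # Rule 2: editing a test requires access to the credential it uses.
    if not user.create_and_modify:
        return False
    cred = test.effective_credential()
    return cred is None or can_use_credential(user, cred)


def attach_to_container(container: Container, cred: Credential) -> None:
    if not can_attach_to_container(cred):
        raise PermissionError(f"{cred.name} is access-limited; tests only")
    container.credential = cred


def edit_target(user: User, test: Test, new_target: str) -> None:
    if not can_edit_test(user, test):
        raise PermissionError(f"{user.name} may not edit {test.name}")
    test.target = new_target


def demo() -> dict:
    token = Credential("prod-api-token", allowed_users=frozenset({"alice"}))
    alice, mallory = User("alice"), User("mallory")
    results = {}

    # Without rule 1: bypass the check and put the token on a folder directly.
    leaky_folder = Container("Payments", credential=token)
    inherited = Test("inherited-test", leaky_folder, inherit_requests=True)
    results["leak_via_inheritance"] = (
        inherited.effective_credential() is token
        and not can_use_credential(mallory, token)
    )

    # With rule 1: the same attachment is refused.
    try:
        attach_to_container(Container("Payments"), token)
        results["attach_blocked"] = False
    except PermissionError:
        results["attach_blocked"] = True

    # Rule 2: mallory cannot redirect a test that uses the token; alice can edit it.
    checkout = Test("checkout", Container("Payments"), credential=token)
    try:
        edit_target(mallory, checkout, "https://attacker.example/collect")
        results["redirect_blocked"] = False
    except PermissionError:
        results["redirect_blocked"] = checkout.target.startswith("https://api.example.com")
    results["owner_can_edit"] = can_edit_test(alice, checkout)
    return results


if __name__ == "__main__":
    print(demo())
```

The model treats "access" as a property of the credential rather than of the test, which is why rule 2 falls out naturally: any test whose effective credential a user cannot use is a test that user cannot edit. Because rule 1 keeps access-limited credentials off containers, an inherited Requests section can never carry one, so the inheritance branch of `effective_credential` needs no special handling once both rules are enforced.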