Best practices: credentials/passwords

riderc1

Member
What is the best advice for storing credentials (username/password) to production systems? The company I am working with would like to try to limit exposure to production systems as there is information that should be restricted. For development, we will have development systems that have similar but not "real" data.
When it's time to move to production, the scripts should work as the development and production systems will have the same versions of software.
Currently, I was using Data Items to store these. Another developer suggested using a VBO with Blue Prism called Credentials - the username/passwords are stored in BP's database. I presume this limits my need as a developer to know the values.
Other benefits - I would assume we can update the BP database if the user password changes instead of having to modify the scripts.
I was also wondering if anyone uses any type of REST API calls to get username/passwords? However, the script would need to know the secret key to decrypt, so not sure this provides true separation of duties. I suppose with the Blue Prism VBO, another person could update the password. I'm still not sure how this prevents a developer from getting the password and pasting it into a log file (or whatever).
We have system auditors that examine our processes. We are trying to implement best practices before we are reviewed. Thanks in advance for any feedback.
 

Sukesh Kumaru

Active Member
Hi,

For this purpose use the Credential Manager Feature in Blue Prism.

As login credentials are stored in this CM, no one can retrieve or change them.

These credentials can be restricted at the User level, Resource level and Process level.

In the Production environment, create credentials with the same names as those in the Development environment.
 

VJR

Well-Known Member
Hi riderc1,

If you are using Blue Prism for the automation and if BP has already provided the feature of Credential Manager then it would make sense to make use of it.
Regarding the questions, @Sukesh Kumaru has already provided answers and regarding your doubt
"I'm still not sure how this prevents a developer from getting the password and pasting into a log file (or whatever) "
This will be the job of the developer to adhere to the security policies of not having any confidential information like passwords, credit card details, SSN, etc. displayed in the logs or wherever. Of course then it will be the additional responsibility of a higher authority to that developer (a Sr. Developer or a Lead or higher and even the Testing team) to do checks whether that has been followed or not.
 

riderc1

Member
Thank you for the reply. We are likely going to implement Credential Manager, although it's possible the CyberArk Integration could be used instead (depends on how our IT department wants to manage it and comply with our current policies).
Either way, this is a much better solution than me storing username/passwords as Data Items. I'm still new to Blue Prism, so it's a very good learning experience.
 

riderc1

Member
A follow-up question to using Credential Manager. The current RPA work I'm doing accesses an account that expires the password every 90 days. Based on our IT policy, we cannot make this so the account does not expire.
I noticed in Credential Manager, there is an option called Expires - you activate it with a check box and select a date. I feel kind of dumb asking this, but what does it do when selected? I made a credential and set expires to the current date. I have no idea of what this setting is actually doing. It would be fantastic to get a reminder email or similar.
I think this is an area that Blue Prism could have better documentation. The data sheet does not mention it. Maybe I'm overlooking something that resides in other documentation? I also think they should have moved Credential Manager to their tutorials - I found out about these via consultants and not official documentation. Anyway, advice appreciated!
 

VJR

Well-Known Member
Hi riderc1,

Haven't used this before but I guess in the Options tab you also need to tick the below option which will then "Warn" in some way as the word suggests. Need to use and see what that way is.

View attachment 1532362798065.png
And yes I agree about there being a "single stop" destination for the documentation of all the BP features.
 

riderc1

Member
Hmm...my system does not have the Warn option you shared in your screenshot. I have 6.2.1 installed. I'm on a development system, not production. The only option I see on the screen is a checkbox called "Marked as invalid". I am not seeing an Options tab. Strange!
 

kalam shaik

New Member
Hi
I have a challenge in my Process that the credentials like Password must be reset automatically when they come to expire.
Does anyone know how to implement the logic?

Thanks
 

zlutyslon

New Member
Hi,
In case the password is expired or marked as invalid, the Get Credentials action will return an empty value for the password, I think. Additionally, the expiry date and status of the credentials are outputs of the Get Credentials action.
The best way to handle this is to add a decision prior to entering the password into the target application to see if the credentials are still valid.
If not, trigger some change password steps to generate and set a new password in both Blue Prism and the target application.

It's also useful to Generate new password (don't use Generate and Set action, only Generate Password), then change the password in target application and only then, once the change was performed successfully, update the password in Blue Prism. You don't want to lose your current password only because some exception occurs during the password changing.
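
The ordering described in the post above (check validity first, generate without storing, change the target, update the store last), sketched as an added example that is not part of the original thread and is not Blue Prism code. `Credential`, `TargetApp`, `needs_rotation`, `rotate`, the 7-day warning window and the sample account are hypothetical stand-ins; the 90-day lifetime is the one mentioned in the thread.

```python
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Credential:            # hypothetical stand-in for a credential store entry
    username: str
    password: str
    expires: date
    invalid: bool = False

class TargetApp:             # hypothetical stand-in for the automated application
    def __init__(self, password, fail_on_change=False):
        self.password = password
        self.fail_on_change = fail_on_change

    def change_password(self, old, new):
        if self.fail_on_change:
            raise RuntimeError("change-password screen did not load")
        if old != self.password:
            raise PermissionError("current password rejected")
        self.password = new

def needs_rotation(cred, today, warn_days=7):
    """Decision stage: rotate when flagged invalid or expiring within warn_days."""
    return cred.invalid or cred.expires - today <= timedelta(days=warn_days)

def rotate(cred, app, today, lifetime_days=90):
    """Generate only, change the target, and write to the store last."""
    candidate = secrets.token_urlsafe(24)      # generated but not stored yet
    try:
        app.change_password(cred.password, candidate)
    except Exception:
        return False                           # store untouched, old password still works
    cred.password = candidate                  # commit only after the target accepted it
    cred.expires = today + timedelta(days=lifetime_days)
    cred.invalid = False
    return True

if __name__ == "__main__":
    today = date(2024, 1, 1)                                       # constructed sample data
    cred = Credential("svc_rpa", "old-pass", date(2024, 1, 3))
    if needs_rotation(cred, today):
        print("rotated:", rotate(cred, TargetApp("old-pass"), today))
```

Rotating inside a warning window, rather than on the expiry date itself, means the current password can still be read from the store when the change is performed.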
 