We have documents with more than 10,000 folders and many connection objects, and every folder has its own credential. We would like to put the document in lockdown mode to prevent users from viewing the passwords, while still being able to use them on command tasks, CLI applications, and PowerShell scripts. We understand that this is a security feature on your side, as anyone could create a connection and read the "EffectivePassword" in some way.
However, in our case, this would not be possible because the document is in lockdown mode and cannot be modified. Is it possible to create an extra flag that allows the use of the mentioned applications? This way, the admin could acknowledge the security issue in an extra warning pop-up and still use it as needed.
Thank you for your attention to this matter.
Thanks for the feedback. An option like this would completely disable the security and make it obsolete. If we allowed this, it would be easy to get the passwords, even if the user is not allowed to edit the document or create new entries. The user could create a separate document, create a PowerShell connection which just writes the credential to the output, and refer to an existing credential (from your other, locked-down document).
We do have a policy which disables revealing passwords in general:
Maybe this is sufficient for you. Just keep in mind that the scenario I outlined above is still possible and users could get to the passwords this way.