mmsc 10 days ago

This reminds me of a problem that I wanted to solve in the future, but I don’t have the expertise.

The problem is when an organization has a single account on an external service which needs to be used by several people, and the organization wants to safely manage the access to the shared account on the external service, adding accountability: who was using the account at X time?

Users of the shared external account should not know the credentials of the account, so rotation of passwords when employees leave/change roles is not as necessary.

I thought of something like a proxy which could use a Selenium (or something else) script for each of the external websites, which would handle the login/authentication flow for the external service. If this was a business, those scripts could be offered as a per-website/month package. An administrator would create the automatic flow for a specific service, and save the username and password somewhere in the script. Normal users of the external service’s singular account would then use the proxy using their individual credentials, to add accountability to accessing the external service.

Maybe someone in this realm could come up with something and market it.

  • klohto 10 days ago

    You know what businesses use? SSO. The service doesn’t have SSO? Then not enough businesses are using it or you’re a startup who wants to save money. Your audience is limited to a handful of services and small startups while trying to add benefits that only big players need.

    • mmsc 10 days ago

      My experience from working in a 1,000 person tech organisation is that the hundreds or thousands of different affiliate programs, ad networks, and so on, provide simple user/password combinations. The solution before I discovered this was a Google Sheet that anybody in the organisation could use to log in to the “company account”.

      SSO also doesn’t solve the problem because that would mean each employee has a separate account, which may not be feasible for some companies that affiliate a single business to a single account.

      • leetrout 10 days ago

        To be clear, you are suggesting google sheet with passwords?

        • mmsc 10 days ago

          No, it’s what I discovered was being used in the company at the time.

          They ended up moving (by hand) everything to Bitwarden. It’s an improvement but not a major one IMO. It doesn’t solve the rotation problem at all (you still need to rotate all of the passwords that somebody could have taken with them), nor accountability (you can’t easily determine who was using the account at any specific time). I guess you can somehow export logs from Bitwarden to determine exactly which credentials were viewed by a specific user, but in this case, it would have nearly always been “all of them” for a few dozen employees.

          • ksynwa 9 days ago

            Last workplace also used Google Sheets. The passwords were coloured white (same colour as the background) so that they would only be visible when selected.

            • SoftTalker 9 days ago

              Or if a user chose "dark" color scheme?

              • bhaney 9 days ago

                That's when you install a device management profile on all corporate machines that locks them to light mode. For security.

  • withinboredom 10 days ago

    We had an internal password manager at one company that a small team built for fun once. You could share the password with another team or even a single person. There was also an audit log, and when someone left, they just looked in the audit log and reset any passwords that person had ever looked at.

    But someone eventually created a chrome extension that would fill in the passwords for you...

    I think the total dev time was somewhere in 4-6 person months. It probably would have been cheaper just to buy a 1password subscription if we had been a small company, because I'm pretty sure a 5k seat subscription for the business would have been waaay more money than 6 months worth of salary, one-time cost.
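    A sketch of the audit model behind both mmsc's brokered-proxy idea (who was using the shared account at time X, no secret ever shown) and the homegrown password manager above (reset what a departing person ever viewed), added here as an example and not code from either commenter; all names, accounts and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class AccessRecord:
    user: str        # the employee's own identity, not the shared login
    account: str     # shared external account, e.g. an ad network login
    kind: str        # "session": brokered login, secret never shown; "view": secret revealed
    start: datetime
    end: Optional[datetime] = None   # None while a brokered session is still open

class SharedAccountAudit:
    """Hypothetical audit log kept by the proxy / password manager."""
    def __init__(self) -> None:
        self.records: list[AccessRecord] = []
    def open_session(self, user: str, account: str, at: datetime) -> AccessRecord:
        rec = AccessRecord(user, account, "session", at)
        self.records.append(rec)
        return rec
    def close_session(self, rec: AccessRecord, at: datetime) -> None:
        rec.end = at
    def record_view(self, user: str, account: str, at: datetime) -> None:
        # A revealed secret stays usable until rotated, so a view has no end time.
        self.records.append(AccessRecord(user, account, "view", at))
    def users_at(self, account: str, at: datetime) -> list[str]:
        """Who was using the shared account at time `at` (brokered sessions only)."""
        return sorted({r.user for r in self.records
                       if r.account == account and r.kind == "session"
                       and r.start <= at and (r.end is None or at < r.end)})
    def rotate_on_offboarding(self, user: str) -> list[str]:
        """Accounts whose secret the departing user ever saw. Brokered sessions are
        not listed: revoking the user's own login is enough for those."""
        return sorted({r.account for r in self.records
                       if r.user == user and r.kind == "view"})

def demo() -> dict:
    """Constructed sample activity on one shared account."""
    log = SharedAccountAudit()
    t = lambda h, m=0: datetime(2024, 1, 8, h, m)
    s = log.open_session("alice", "adnet-A", t(9))      # proxied, secret hidden
    log.record_view("bob", "adnet-A", t(9, 30))         # bob read the password
    during = log.users_at("adnet-A", t(10))
    log.close_session(s, t(11))
    after = log.users_at("adnet-A", t(12))
    return {"during": during, "after": after,
            "bob_leaves": log.rotate_on_offboarding("bob"),
            "alice_leaves": log.rotate_on_offboarding("alice")}
```

The two record kinds make the trade-off visible: brokered sessions give a time-bounded answer and no rotation work on offboarding, while every revealed password has to be rotated.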

  • kaydub 10 days ago

    This sounds like a nightmare

    • pxtail 8 days ago

      Nope, this sounds like a really really common problem outside of top 500 IT companies.

citizenpaul 9 days ago

>Meanwhile, we have users fairly regularly starting browsers 24/7 for tasks such as generating PDF exports of dashboards.

This seems like a bizarre thing to pay for, I can think of probably 10 free tools that will do this. Sure I'm a nerd but I assume a company that needs this 24/7 has some nerds on staff.

It's gotta be some fintech, health, or gov regulation thing right? All I can picture is some 80yo exec that was willing to learn PDFs but that's it, no interactive dashboards lol.

I love hearing things like this though, it really is motivational to hear about opportunities out there to make money with some SaaS product that still has low hanging fruits.

  • zach_g 8 days ago

    In terms of free tools, ones like jsPDF that run client-side typically give inconsistent results. It's a better idea to use something server-side like Puppeteer, which gives more control over how it renders.

    The issue is running it in prod, since using Puppeteer requires browsers to interact with. You typically end up running Puppeteer in your front end, and a bunch of Chrome browsers chewing through a separate server.

    Browserless is there to provide the browsers for those free libraries to work with. Sure, you can manage them yourself, but it's a PITA.

cryptonector 9 days ago

This feels like it should be a built-in feature of HTTP servers and reverse proxies. But the application has to have a hand in identifying the client's quota (so to speak).

mustpax 9 days ago

It’s always a good sign when an architecture diagram has Nginx + Lua in it. The Lua memory leak bug is a good example of why it saves SO MUCH time to use managed services like Browserless to do things at scale. When you DIY, you end up debugging a ton of these little things when there is much higher ROI code you could be writing.