Last modified on September 8, 2023
Resource locks ensure that a resource can be accessed by only one StrongDM user or service account at a time. Admins can require that users have a lock on a resource before they can access it, thus preventing other users from accessing it while it is locked.
Some resources may only allow one session to be connected at a time, and a new session automatically disconnects an existing session. Resource locks prevent this scenario from happening. Moreover, other sensitive resources may need to be restricted to one session at a time for maintenance reasons or to prevent conflicts from concurrent users. When locked, the resource is unavailable for use by any other user. When unlocked, the resource is available to be locked and connected to by any user who is allowed to access it.
Admins can see which user locked the resource and the amount of time that the user has had it. In addition, admins can forcibly unlock a resource. Users, however, can only see if a resource is locked and by whom.
Locking a resource prevents access to that resource through StrongDM by other StrongDM users. However, depending on your setup, it is still possible for a StrongDM user to be forced off a resource that they have locked.
By default, Windows only allows two concurrent logins for RDP sessions, so if a third user logs in and connects, it would force an existing user’s connection to terminate. This can occur if users are logging in to the server without using StrongDM, or if your organization has configured several resources in StrongDM that point to the same server.
You may wish to adjust your Microsoft Group Policy Object (GPO) settings to increase the number of concurrent users from the default two to the expected number of simultaneous connections. For more information, please see Microsoft documentation.
Resource Lock Management for Admins
Admins may use the Admin UI or CLI to manage Resource Lock-enabled resources.
Enable Resource Lock on a resource
Resource Lock is enabled on the resource’s configuration form.
- In the Admin UI, add a new resource or edit the settings of an existing resource.
- Fill in any required fields.
- Check the box for Resource Lock Required to allow only one user session at a time.
- Save the settings.
View resource lock status
In the Admin UI, resource pages have a Lock Status column that shows whether or not the resource is locked. If locked, the status shows the name of the user or service account that has it locked along with the time when it was locked (for example, “Alice Glick Today at 2:33 PM PST”). If unlocked, the status shows Unlocked. For an unsupported resource type (anything other than RDP), the status shows N/A.
Using the CLI, admins may view a resource’s lock status by running sdm admin servers list --extended. For each resource, the Lock Status column shows one of the following possible status values:
locked by <USER> (<TIME_SINCE> ago) (for example, Locked by firstname.lastname@example.org (3 hours ago))
Filter by lock status
In the Admin UI, you can filter resources based on their lock status by using the Lock Status filter button.
You may also type it into the Search field (for example,
From the Admin UI or the CLI, admins can unlock a resource by force, which causes the current user’s session to be terminated immediately.
To force unlock a resource using the Admin UI:
- Go to the particular resource page (for example, Servers).
- Click the Actions button beside the locked resource, and select Force unlock.
- From the dialog that displays, click Continue.
To force unlock a resource from the CLI:
- Run sdm admin servers list --extended to see which resources in your organization are locked. Resources that are locked have the status locked by <USERNAME> (where <USERNAME> is the user or service account that has it locked).
- Copy the name of the desired (locked) resource.
- Run sdm admin servers unlock '<RESOURCE_NAME>', replacing <RESOURCE_NAME> with the copied resource name.
To unlock the resource without prompting for confirmation, use the same command with --force:
sdm admin servers unlock --force '<RESOURCE_NAME>'
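The following is an added example, not part of the StrongDM documentation or tooling: before force-unlocking, an admin can review which locks have been held longer than a chosen limit. It parses status strings of the documented form locked by <USER> (<TIME_SINCE> ago); the tab-separated input layout, the sample rows, and time units other than hours are assumptions of this example.

```shell
#!/bin/sh
# Added example (not StrongDM code): list resource locks held longer than a limit.
# Input: one "RESOURCE<TAB>LOCK STATUS" line per resource. The status text uses
# the documented form: locked by <USER> (<TIME_SINCE> ago). The two-column
# layout and the minute/day/week units are assumptions of this example.

# stale_locks MAX_MINUTES
# Prints "resource<TAB>user<TAB>minutes" for each lock older than MAX_MINUTES.
# A lock whose age cannot be parsed is printed with "?" so it gets reviewed.
stale_locks() {
    awk -F '\t' -v max="$1" '
        # Convert a count and a unit such as "hours" to minutes; -1 if unknown.
        function to_minutes(n, unit) {
            if (unit ~ /^minutes?$/) return n
            if (unit ~ /^hours?$/)   return n * 60
            if (unit ~ /^days?$/)    return n * 1440
            if (unit ~ /^weeks?$/)   return n * 10080
            return -1
        }
        {
            # Skip rows that are not locked (for example Unlocked or N/A).
            if (tolower($2) !~ /^locked by /) next
            rest = substr($2, 11)              # text after "locked by "
            p = index(rest, " (")
            if (p == 0) { print $1 "\t" rest "\t?"; next }
            user = substr(rest, 1, p - 1)
            n = split(substr(rest, p + 2), w, " ")   # e.g. "3 hours ago)"
            mins = (n >= 3 && w[1] ~ /^[0-9]+$/) ? to_minutes(w[1] + 0, w[2]) : -1
            if (mins < 0)        print $1 "\t" user "\t?"
            else if (mins > max) print $1 "\t" user "\t" mins
        }'
}

# Constructed sample rows (not real CLI output).
sample_rows() {
    printf '%s\t%s\n' \
        'rdp-build-01' 'Locked by alice@example.org (3 hours ago)' \
        'rdp-build-02' 'Unlocked' \
        'rdp-jump-01'  'locked by svc-backup (45 minutes ago)' \
        'rdp-legacy'   'locked by bob@example.org (2 days ago)'
}

sample_rows | stale_locks 120
```

Because a forced unlock terminates the holder's session immediately, the listed user can be contacted first; the script only reports and never unlocks anything.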
Resource Lock for users
Non-admin users can use the desktop app and/or CLI to interact with the Resource Lock-enabled resources that are available to them.
In the desktop app, all users can see a resource’s lock status and connect to the resource if unlocked. A resource that requires a resource lock can show one of the following statuses:
- Lock is required to connect
- Locked & connected
- Locked & not connected
- Locked by <OTHER_USER>
In addition to viewing status at a glance, users can do the following:
- Click the lock icon to lock an unlocked resource.
- Click the lightning icon to connect to or disconnect from a locked resource.
- When done using the resource, click the lock icon to unlock and disconnect the resource.
In addition, users may use the CLI to interact with the Resource Lock-enabled resources that they can access. Note that the lock and unlock commands are separate actions from the connect and disconnect commands. Users must first lock a resource before they can connect to it.
View lock status
Using the CLI, users can see the lock status of Resource Lock-enabled resources to which they have access, including whether or not the resource is locked and by whom.
Users may view a resource’s lock status from the CLI by running
The output’s Lock Status column shows one of the following:
locked by <USER>
All users can lock resources to which they have access, if the resource is unlocked and has Resource Lock required.
To lock a resource, run sdm resource lock '<RESOURCE_NAME>' (for example, sdm resource lock 'Kraken').
If you try to lock it but it’s already locked, you can’t proceed and the following reason is given: “Resource is currently locked by
If you try to lock a resource that’s not enabled to be locked, you see the “Resource does not support locking” message.
To unlock a resource that you’re using, run sdm resource unlock '<RESOURCE_NAME>' (for example, sdm resource unlock 'Kraken').
If you try to unlock it but it turns out to be unlocked already, you see the “lock does not exist” message.