# Resource Lock

### Overview

{% hint style="info" %}
At this time, resource lock configuration is available for RDP and SSH resource types. As such, the Admin UI and CLI only show lock status information for servers.
{% endhint %}

Resource locks ensure that a resource can be accessed by only one StrongDM user or service account at a time. Admins can require that users have a lock on a resource before they can access it, thus preventing other users from accessing it while it is locked.

Some resources may only allow one session to be connected at a time, and a new session automatically disconnects an existing session. Resource locks prevent this scenario from happening. Moreover, other sensitive resources may need to be restricted to one session at a time for maintenance reasons or to prevent conflicts from concurrent users. When locked, the resource is unavailable for use by any other user. When unlocked, the resource is available to be locked and connected to by any user who is allowed to access it.

Admins can see the name of the lock owner (that is, the user who locked the resource) and the amount of time that the user has had it. In addition, admins can set a timeout for a resource lock to automatically expire after a certain amount of time, freeing up the resource for other users to lock and access. At any time, admins also can forcibly unlock a resource. Users, however, can only see if a resource is locked and the name of the lock owner.

{% hint style="info" %}
Locking a resource prevents access to that resource through StrongDM by other StrongDM users. However, depending on your setup, it is still possible for a StrongDM user to be forced off a resource that they have locked.

For example, for RDP resources: By default, Windows only allows two concurrent logins for RDP sessions, so if a third user logs in and connects, it would force an existing user's connection to terminate. This can occur if users are logging in to the server without using StrongDM, or if your organization has configured several resources in StrongDM that point to the same server.

You may wish to adjust your Microsoft Group Policy Object (GPO) settings to increase the number of concurrent users from the default two to the expected number of simultaneous connections. For more information, please see Microsoft documentation.
{% endhint %}

Resource locks are supported for the following resource types:

* RDP (Password)
* RDP (Certificate Auth)
* SSH (Customer Managed Key)
* SSH (Certificate Auth)
* SSH (Password)
* SSH (Public Key)
* SSH (Certificate Based with User Provisioning)

### Resource Lock Management for Admins

Admins may use the Admin UI or CLI to manage Resource Lock-enabled resources.

#### Enable Resource Lock on a resource

Resource Lock is enabled on the resource's configuration form.

1. In the Admin UI, add a new resource or edit the settings of an existing resource.
2. Fill in any required fields.
3. Check the box for **Resource Lock Required** to allow only one user session at a time.
4. Save the settings.

#### Set Resource Lock timeout

Admins can choose whether locked resources get unlocked manually by the user or automatically by the system. Setting a Resource Lock timeout causes a Resource Lock to automatically expire after a specified amount of time. When set, the Resource Lock timeout applies to all Resource Lock-enabled resources across the organization.

To set a timeout, follow these steps:

1. In the Admin UI, go to **Settings** > **Security** and click on the **Lock Settings** tab.
2. Under **Enforce Timeout?**, select either:
   1. **No, resources must be manually unlocked:** When set, the lock on the resource never expires until the user manually unlocks it for use by another user.
   2. **Yes, automatically unlock resources after a specified duration:** When set, the lock on the resource expires after the specified amount of time (see **Lock timeout duration**).
3. For **Lock timeout duration**, set the amount of time (in minutes, hours, or days) for the resource to be locked. The resource will automatically unlock after the duration is reached.
4. Under **Timeout type**, select either of the following. The resource will automatically unlock after the duration is reached, even if the connection remains active.
   1. **Fixed timeout, resource unlocks after the specified duration**
   2. **Inactivity timeout, resource unlocks after the specified duration without activity**
5. Click **Update** to save the settings.

If a timeout is set, users who lock a resource will see, in the desktop app or CLI, how much time they have (for example, "Locked by you, expires in 3m").

#### View resource lock status

In the Admin UI, resource pages have a **Lock Status** column that shows whether or not the resource is locked. If locked, the status shows the name of the lock owner (that is, the user or service account that has it locked) along with the time when it was locked (for example, "Alice Glick Today at 2:33 PM PST"). If unlocked, the status shows **Unlocked**. For an unsupported resource type, the status shows **N/A**.

Using the CLI, admins may view a resource's lock status by running `sdm admin servers list --extended`. For each resource, the **Lock Status** column shows one of the following possible status values:

* `locked by <USER> (<TIME_SINCE> ago)` (for example, `Locked by bob.belcher@strongdm.com (3 hours ago)`)
* `locked by <USER> (expires in <AMOUNT_OF_TIME>)`
* `n/a`
* `unlocked`
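The following added example (not part of StrongDM's documentation or tooling) classifies the Lock Status strings listed above and reports locks that show an age rather than an expiry, which are the usual candidates for follow-up or a force unlock. The `<resource>|<status>` input layout, the function names, and the reading of `(... ago)` as "no timeout applied" are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify "Lock Status" strings and list locks with no expiry shown.
# Assumption: name and Lock Status were already extracted as "<resource>|<status>".

# classify_lock STATUS -> "state<TAB>owner<TAB>detail"
classify_lock() (
  status=$1
  # The page shows both "locked by" and "Locked by", so match case-insensitively.
  lower=$(printf '%s' "$status" | tr '[:upper:]' '[:lower:]')
  rest=${status#??????????}        # drop the 10-character "locked by " prefix
  owner=${rest%% "("*}             # text before " (" is the lock owner
  detail=${rest#*"("}              # text inside the parentheses
  detail=${detail%")"}
  case "$lower" in
    unlocked) printf 'unlocked\t-\t-\n' ;;
    n/a)      printf 'unsupported\t-\t-\n' ;;
    "locked by "*" (expires in "*")") printf 'expiring\t%s\t%s\n' "$owner" "$detail" ;;
    "locked by "*" ("*" ago)")        printf 'held\t%s\t%s\n' "$owner" "$detail" ;;
    *)        printf 'unknown\t-\t%s\n' "$status" ;;  # surface unexpected text
  esac
)

# stale_locks: read "<resource>|<status>" lines on stdin and print
# "resource<TAB>owner<TAB>age" for every lock reported without an expiry.
stale_locks() (
  tab=$(printf '\t')
  while IFS='|' read -r name status; do
    [ -n "$name" ] || continue
    result=$(classify_lock "$status")
    case "$result" in
      held"$tab"*)
        info=${result#held"$tab"}
        printf '%s\t%s\n' "$name" "$info" ;;
    esac
  done
)

# Constructed sample input; alice@example.com and the resource names other
# than Kraken are made up for illustration.
SAMPLE='Kraken|Locked by bob.belcher@strongdm.com (3 hours ago)
build-01|locked by alice@example.com (expires in 3m)
jump-02|unlocked
db-proxy|n/a'

printf '%s\n' "$SAMPLE" | stale_locks
```
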

#### Filter by lock status

In the Admin UI, you can filter resources based on their lock status by using the **Lock Status** filter button.

![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-020a902678f2c899a23ac6510745ae96e9685c73%2Ffilters-lock-status.png?alt=media)

You may also type it into the **Search** field (for example, `lockStatus:locked`, `lockStatus:unlocked`, or `lockStatus:disabled`).

#### Force unlock

From the Admin UI or the CLI, admins can unlock a resource by force, which causes the current user's session to be terminated immediately.

To force unlock a resource using the Admin UI:

1. Go to the particular resource page (for example, **Servers**).
2. Click the **Actions** button beside the locked resource, and select **Force unlock**.
3. From the dialog that displays, click **Continue**.

To force unlock a resource from the CLI:

1. Run `sdm admin servers list --extended` to see which resources in your organization are locked. Resources that are locked have the status `locked by <USERNAME>` (where `<USERNAME>` is the user or service account that has it locked).
2. Copy the name of the desired (locked) resource.
3. Run `sdm admin servers unlock '<RESOURCE_NAME>'`, replacing `<RESOURCE_NAME>` with the copied resource name.

To unlock the resource without prompting for confirmation, use the same command with the `--force` option:

```shell
sdm admin servers unlock --force '<RESOURCE_NAME>'
```

### Resource Lock for users

Non-admin users can use the desktop app and/or CLI to interact with the Resource Lock-enabled resources that are available to them.

**Desktop app**

In the desktop app, all users can see a resource's lock status and connect to the resource if unlocked. A resource that requires a resource lock can show one of the following statuses:

* **Lock is required to connect**
* **Locked & connected**
* **Locked & not connected**
* **Locked by \<USER>**
* **Locked by \<USER>, expires in \<AMOUNT\_OF\_TIME>**

In addition to viewing status at a glance, users can do the following:

* Click the lock icon to lock an unlocked resource.
* Hover over the lock icon to view details about the lock status, such as who it's locked by and when the lock expires (if an expiration is set by an admin).
* Extend a lock if a lock on a resource is about to expire. Users can extend the lock time by either clicking on the **Extend** button on a warning that appears at the top of the desktop app, or by clicking the icon next to the lock icon.
* Click the connection icon to connect to or disconnect from a locked resource.
* When done using the resource, click the lock icon to unlock and disconnect the resource.

**CLI**

In addition, users may use the CLI to interact with the Resource Lock-enabled resources that they can access. Note that the lock and unlock commands are separate actions from the connect and disconnect commands. Users must first lock a resource before they can connect to it.

**View lock status**

Using the CLI, users can see the lock status of Resource Lock-enabled resources to which they have access, including whether or not the resource is locked and by whom.

Users may view a resource's lock status from the CLI by running `sdm status`.

The output's **Lock Status** column shows one of the following:

* `locked by <USER>`
* `locked by <USER> (<AMOUNT_OF_TIME> remaining)`
* `n/a`
* `lock required`

**Lock resources**

All users can lock resources to which they have access, if the resource is unlocked and has Resource Lock required.

To lock a resource, run `sdm resources lock <RESOURCE_NAME>` (for example, `sdm resources lock Kraken`).

If a user tries to lock a resource that is already locked by another user, they can’t proceed and the following reason is given: "Resource is currently locked by \<USER>" (for example, "Resource is currently locked by <bob.belcher@strongdm.com>"). If the resource is already locked by the user who is trying to lock it, the CLI returns the message "Resource is already locked."

If a user tries to lock a resource that’s not enabled to be locked, the "Resource does not support locking" message is shown.

**Extend a lock**

If a timeout is set for a locked resource and that lock is about to expire, users may extend the lock to get more time. Users can extend the lock time by running `sdm resources extendlock <RESOURCE_NAME>` (for example, `sdm resources extendlock Kraken`).

**Unlock resources**

To unlock a resource that you’re using, run `sdm resources unlock '<RESOURCE_NAME>'` (for example, `sdm resources unlock 'Kraken'`).

If you try to unlock a resource that is already unlocked, you see the "lock does not exist" message.

