by insouciance586 1082 days ago
Another great open source asset management system to check out is Snipe-IT. https://github.com/snipe/snipe-it

I have used it for years both self hosted and with them hosting and it's been a great low cost solution for asset management.


We have more than 6k assets, 2k+ users, hundreds of licences, components, and it's still fast. LDAP, API, tons of filters and export possibilities, self-hosted. Best solution IMO.
It also has a healthy community around it as the following shows:

https://devboard.gitsense.com/snipe/snipe-it

Full disclosure: The insights are from my tool.

If I may provide a bit of feedback: Provide more background about GitSense. Who is behind it, what is the privacy policy. Things like that.
Thanks. DevBoard just came out of stealth mode, but there are still things that need to be done, like those that you pointed out.
Devboard looks nice, congrats!
Thanks!
Thanks for this recommendation. Been looking at asset management systems so Shelf caught my eye but the install process looks too painful, whereas this one I can just drop easily onto an existing LAMP server.
Pay them to host it. $400/year. Literally a rounding error. Works out cheaper than a cloud compute and SQL server
I have a $6/mo VPS on which I think I can run Snipe quite happily. I get that some people are OK to pay significantly more for services like this but I have the resources and interest in self-hosting to make it worthwhile.
If your company is of type "enterprise", i.e. large enough to have a compliance department or security-conscious enough to go through a pre-sale vendor assessment, and you intend to "sync" users from LDAP/AD with the intent to use your AD user to log in, I strongly urge against hosting on their cloud platform. The LDAP Sync job pulls the password plaintext using the OpenLDAP protocol, encrypts it with an APP_KEY they control, and stores that password in the Snipe-IT database. If you ever had an AD user who couldn't log into SnipeIT, then you "sync'd" users and it magically worked - chances are that user changed their password and the correct password needs to be re-acquired before the LDAP user-bind will be successful.

In our assessment we found that these APP_KEYs are also included in the backup file - which makes the SnipeIT backup ZIP files a vector for exposing all users and passwords (as well as all encrypted field data) because of a default setting by the framework's backup provider.

That said - if you are concerned about security, you will be on-prem or within your own cloud provider to begin with. The SnipeApp company offers an "enterprise" level support at a somewhat reasonable rate for big companies, and they were a great help assisting with our installation and integrating the SnipeIT API to import new devices and licenses automatically in a way that we can control from say a PO.

This password issue may not be a problem for you as I understand they now have connectors for SSO or another OAUTH provider. That and the fact that they asked us to share our backup via email during onboarding and they did not specify to keep the secrets out of the backup made our decision to go in-house. Still a good, scrappy product, and when we asked them if they had access to our company's passwords that was not disclosed, we didn't get a response. That's OK - and it was a good lesson for my team in evaluating an open source framework behind the product vis-a-vis "trust but verify."

It's always going to be a vector of our own partial design (and/or someone we are paying), a rogue backup source of truth that is ejected into the ether like atoms forming salts in an acid-base reaction.
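The backup concern raised in this comment can be checked before an archive leaves your hands. The following is an added example, not code from the thread or from the Snipe-IT project: it inspects a backup ZIP for a Laravel-style `.env` member carrying an `APP_KEY=` line (Snipe-IT is a Laravel application) and for database dumps, and reports whether key material and encrypted data are packaged together. The archive layout, member names and placeholder key are constructed for the demonstration.

```python
import io
import re
import zipfile

# Laravel keeps the application key as APP_KEY=... in .env; match it in any member.
APP_KEY_RE = re.compile(rb"^\s*APP_KEY\s*=\s*(\S+)", re.MULTILINE)
DB_DUMP_SUFFIXES = (".sql", ".sql.gz")


def assess_backup(zip_bytes: bytes) -> dict:
    """Scan a backup ZIP held in memory; never writes extracted content to disk."""
    app_key_members, db_dump_members = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(DB_DUMP_SUFFIXES):
                db_dump_members.append(name)
            # Search every member, not only ones named .env, to catch stray copies.
            if APP_KEY_RE.search(zf.read(name)):
                app_key_members.append(name)
    return {
        "app_key_members": app_key_members,
        "db_dump_members": db_dump_members,
        # The exposure the comment describes: the key that decrypts stored
        # secrets ships in the same archive as the data it protects.
        "key_and_data_together": bool(app_key_members) and bool(db_dump_members),
    }


def build_sample_backup(include_env: bool = True) -> bytes:
    """CONSTRUCTED sample archive with a placeholder key; not a real backup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_env:
            zf.writestr("snipeit/.env",
                        b"APP_ENV=production\nAPP_KEY=base64:PLACEHOLDER_NOT_A_REAL_KEY=\n")
        zf.writestr("snipeit/db-dumps/mysql-snipeit.sql", b"-- constructed dump\n")
        zf.writestr("snipeit/storage/README.txt", b"nothing secret here\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = assess_backup(build_sample_backup())
    print(report)  # key_and_data_together is True for the constructed sample
```

Run it against a real backup by passing the file's bytes to `assess_backup`; a `True` result means the archive should be treated as containing every secret the application stores.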