Authorizing Access to Privileged Accounts

Two models: permanent and one-time.

Permanent ACL

  • Pre-authorized users can launch an admin session any time.
  • Access control model:
    • Users ... belong to
    • User groups ... are assigned ACLs to
    • Managed system policies ... which contain
    • Devices and applications
  • Also used for API clients.

One-time request

  • Request access for any user to connect to any account.
  • Approvals workflow with:
    • Dynamic routing.
    • Parallel approvals.
    • N of M authorizers.
    • Auto-reminders.
    • Escalation.
    • Delegation.

Concurrency control

  • Coordinate admin changes by limiting number of people connected to the same account:
    • Can be >1.
    • Notify each admin of the others.
  • Ensure accountability of who had access to an account at a given time.
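
An added sketch of the one-time request and concurrency-control models listed above, in Python; it is not code from any product. The class and method names, the `root@db01` account and the user names are constructed for illustration.

```python
from datetime import datetime, timedelta

class AccessRequest:  # one-time request: N approvals from M authorizers
    def __init__(self, requester, account, authorizers, required):
        if not 1 <= required <= len(set(authorizers)):
            raise ValueError("need 1 <= N <= M")
        self.requester, self.account = requester, account
        self.authorizers, self.required = frozenset(authorizers), required
        self.approvals = set()  # a set, so a repeated approval counts once

    def approve(self, who):
        if who not in self.authorizers:
            raise PermissionError(f"{who} may not approve {self.account}")
        self.approvals.add(who)
        return len(self.approvals) >= self.required  # True once N is reached

class ManagedAccount:  # caps concurrent sessions, records who held access
    def __init__(self, name, max_concurrent=1):
        self.name, self.max_concurrent = name, max_concurrent
        self.sessions = []  # [user, start, end]; end is None while connected
        self.notices = []   # (recipient, message), standing in for e-mail

    def check_out(self, req, now):
        if req.account != self.name or len(req.approvals) < req.required:
            raise PermissionError("request is not approved for this account")
        others = [u for u, _, end in self.sessions if end is None]
        if len(others) >= self.max_concurrent:
            raise RuntimeError(f"{self.name} is at its concurrency limit")
        for other in others:  # notify each admin of the others
            self.notices.append((other, f"{req.requester} connected"))
            self.notices.append((req.requester, f"{other} is connected"))
        self.sessions.append([req.requester, now, None])

    def check_in(self, user, now):
        for s in (s for s in self.sessions if s[0] == user and s[2] is None):
            s[2] = now

    def who_had_access(self, at):  # accountability: users connected at `at`
        return {u for u, s, e in self.sessions if s <= at and (e is None or at < e)}

def demo():  # constructed scenario: 2-of-3 approval, at most 2 admins at once
    t0, acct = datetime(2024, 1, 1, 9, 0), ManagedAccount("root@db01", 2)
    for i, user in enumerate(("alice", "bob")):
        req = AccessRequest(user, "root@db01", {"carol", "dave", "erin"}, 2)
        req.approve("carol")
        req.approve("dave")
        acct.check_out(req, t0 + timedelta(minutes=10 * i))
    acct.check_in("alice", t0 + timedelta(minutes=20))
    return acct
```

`demo().who_had_access(t)` answers the accountability question for any time `t`; a check-out without N approvals, or beyond the concurrency limit, raises instead of connecting.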