Limit Concurrent Administrator Logins - Hitachi ID Privileged Access Manager

Hitachi ID Privileged Access Manager can be configured to control the number of users who can simultaneously connect to a given privileged account. This is done using a checkout/checkin process, in a manner similar to checking a book out of a library and returning it later.

  1. Rather than simply granting access to a privileged account, a user may be required to check out access. Checkout is subject to policy control:
    1. A counter is incremented whenever access is checked out, indicating that one more person is allowed to sign into the account in question.
    2. The number of users who may concurrently access an account is limited -- for example, up to two at a time.
    3. The time interval during which a user may be allowed to sign into an account is limited -- for example, no more than two hours.

  2. Users are asked to check in access rights when they are done using a privileged account.
    1. The account's checkout counter is decremented.

  3. If the maximum allowed checkout time has elapsed, Privileged Access Manager may automatically perform a checkin. This normally causes the account's password to be re-randomized.

  4. Checkout and checkin support coordination among IT workers:
    1. Privileged Access Manager can notify users who have already checked out access to an account of subsequent checkouts (e.g., via e-mail or SMS).

    2. Privileged Access Manager can inform users who request a new checkout about already-active checkouts.

  5. Passwords are normally randomized whenever the checkout counter returns to zero. This ensures that access does not persist after the last user disconnects from a privileged account.
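The policy above amounts to a small state machine per privileged account: a counter bounded by a concurrency limit, a per-checkout expiry, automatic checkin on expiry, notification of existing holders, and password re-randomization when the counter returns to zero. The following is an added illustration of that state machine and is not Hitachi ID's code or API; the names `PrivilegedAccount`, `checkout`, `checkin` and `expire`, the sample account `root@db01` and the event tuples are all assumptions made for the example.

```python
import secrets
import string
from dataclasses import dataclass, field

# Hypothetical model of one privileged account under checkout/checkin policy.
# Names and structure are constructed for illustration, not a vendor API.


def random_password(length: int = 24) -> str:
    """Stand-in for re-randomizing the account's password on the target system."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Checkout:
    user: str
    issued_at: int    # seconds on a clock supplied by the caller
    expires_at: int   # issued_at + the policy's maximum checkout duration


@dataclass
class PrivilegedAccount:
    name: str
    max_concurrent: int = 2          # policy: at most two users at a time
    max_duration: int = 2 * 3600     # policy: no more than two hours per checkout
    password: str = field(default_factory=random_password)
    checkouts: dict = field(default_factory=dict)   # user -> Checkout
    events: list = field(default_factory=list)      # audit trail and notifications

    @property
    def counter(self) -> int:
        """Number of users currently allowed to sign into the account."""
        return len(self.checkouts)

    def checkout(self, user: str, now: int) -> bool:
        """Policy-controlled checkout; returns False when the concurrency limit is reached."""
        if user in self.checkouts:
            return True  # user already holds access; nothing changes
        if self.counter >= self.max_concurrent:
            self.events.append(("denied", user, "concurrency limit"))
            return False
        # Coordination: tell existing holders about the newcomer, and tell the
        # newcomer who already has the account checked out.
        for holder in self.checkouts:
            self.events.append(("notify", holder, f"{user} also checked out {self.name}"))
            self.events.append(("inform", user, f"{holder} already has {self.name} checked out"))
        self.checkouts[user] = Checkout(user, now, now + self.max_duration)
        self.events.append(("checkout", user, self.password))
        return True

    def checkin(self, user: str) -> None:
        """Decrement the counter; when it reaches zero, re-randomize the password."""
        if self.checkouts.pop(user, None) is None:
            return
        self.events.append(("checkin", user, None))
        if self.counter == 0:
            self.password = random_password()
            self.events.append(("randomize", self.name, None))

    def expire(self, now: int) -> list:
        """Automatic checkin of every checkout whose time window has elapsed."""
        expired = [u for u, c in self.checkouts.items() if now >= c.expires_at]
        for u in expired:
            self.checkin(u)
        return expired


if __name__ == "__main__":
    acct = PrivilegedAccount("root@db01")       # constructed sample account
    acct.checkout("alice", now=0)
    acct.checkout("bob", now=10)
    print("carol allowed:", acct.checkout("carol", now=20))   # third user is denied
    acct.checkin("alice")
    print("expired at t=7210:", acct.expire(now=7210))         # bob's window has elapsed
    for ev in acct.events:
        print(ev)
```

Running the block shows the third checkout being refused, the notification events generated for the second checkout, and a `randomize` event only after the last holder is checked in (here by expiry), which is the property that stops access from persisting once everyone has disconnected.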

Read More:

  • Randomize Privileged Passwords:
    Privileged Access Manager periodically randomizes passwords on privileged accounts.
  • Launch Privileged Login Sessions:
    Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
  • Limit Concurrent Administrator Logins:
    Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
  • Record Administrator Logins:
    Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge sharing resource.
  • Password History:
    Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media.
  • Audit Logs and Reports:
    Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
  • Eliminate Embedded Passwords:
    Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to securely acquire credentials to other applications on demand.
  • Change Service Account Passwords:
    Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies appropriate OS components, such as service control manager and scheduler, of the new password value.