Limit Concurrent Administrator Logins
Hitachi ID Privileged Access Manager grants elevated access to users for short
periods of time. Instead of granting someone Administrator or root
access indefinitely, such access is granted for one or two hours
at a time, with each grant linked to an authorized user and a task.
Privileged Access Manager can be configured to control the number of users who can
simultaneously connect to a given privileged account. This is done
using a checkout/checkin process, in a manner similar to checking a
book out of a library and returning it later.
- Rather than simply granting access to a privileged account, a user
  may be required to check out access. Checkout is subject to
  - A counter is incremented whenever access is checked out,
    indicating that one more person is allowed to sign into
    the account in question.
  - The number of users who may concurrently access an account
    is limited -- for example, up to two at a time.
  - The time interval during which a user may be allowed to sign
    into an account is limited -- for example, no more than two hours.
- Users are asked to check in access rights when they are done using
  a privileged account.
  - The account's checkout counter is decremented.
  - If the maximum allowed checkout time has elapsed, Privileged Access Manager
    may automatically perform a checkin. This normally causes the
    account's password to be re-randomized.
- Checkout and checkin support coordination among IT workers:
  - Privileged Access Manager can notify users who have already checked out access
    to an account of subsequent checkouts (e.g., via e-mail or SMS).
  - Privileged Access Manager can inform users who request a new checkout
    about already-active checkouts.
- Passwords are normally randomized whenever the checkout
  counter returns to zero. This ensures that access does
  not persist after the last user disconnects from a privileged account.
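The checkout/checkin process above is easiest to understand as a small state machine per privileged account: a counter, a concurrency cap, an expiry per checkout, notifications to current holders, and a password re-randomization whenever the last checkout is released or a checkout is forcibly expired. The following Python model is an added illustration written for this page, not Privileged Access Manager's own code; the account name, users, tasks, limits and the caller-supplied clock (`now`, in seconds) are all constructed examples.

```python
"""Toy model of the checkout/checkin process described above (illustrative
only, not the product's implementation): a checkout counter per privileged
account, a concurrency cap, a maximum checkout duration with automatic
checkin, notifications to current holders, and re-randomization of the
password when the counter returns to zero or a checkout is forced closed."""
import secrets
import string
from dataclasses import dataclass


class CheckoutDenied(Exception):
    """Raised when a checkout would exceed the concurrency limit."""


@dataclass
class Checkout:
    user: str
    task: str          # every checkout is tied to an authorized user and a task
    expires_at: float  # hypothetical clock value (seconds) after which access lapses


class PrivilegedAccount:
    def __init__(self, name, max_concurrent=2, max_seconds=2 * 3600):
        self.name = name
        self.max_concurrent = max_concurrent      # e.g. "up to two at a time"
        self.max_seconds = max_seconds            # e.g. "no more than two hours"
        self.active = {}                          # user -> Checkout; len() is the counter
        self.password = self._random_password()
        self.notifications = []                   # (recipient, message), stand-in for e-mail/SMS

    @staticmethod
    def _random_password(length=24):
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(length))

    @property
    def counter(self):
        return len(self.active)

    def _randomize(self):
        # Invalidates the old value for anyone who still remembers it.
        self.password = self._random_password()

    def checkout(self, user, task, now):
        """Check out access. Returns (current password, users already holding a checkout)."""
        self.auto_checkin(now)  # expire overdue checkouts before counting capacity
        if user in self.active:
            raise CheckoutDenied(f"{user} already holds a checkout on {self.name}")
        if self.counter >= self.max_concurrent:
            raise CheckoutDenied(
                f"{self.name}: {self.max_concurrent} concurrent checkouts already active")
        holders = list(self.active)  # the requester is told who is already active ...
        for holder in holders:       # ... and existing holders are told about the new checkout
            self.notifications.append((holder, f"{user} checked out {self.name} for: {task}"))
        self.active[user] = Checkout(user, task, now + self.max_seconds)
        return self.password, holders

    def checkin(self, user):
        """Voluntary checkin: decrement the counter; randomize when it reaches zero."""
        self.active.pop(user)
        if self.counter == 0:
            self._randomize()

    def auto_checkin(self, now):
        """Forced checkin of overdue checkouts; returns the users affected."""
        overdue = [u for u, c in self.active.items() if c.expires_at <= now]
        for u in overdue:
            del self.active[u]
        if overdue:
            self._randomize()  # a forced checkin re-randomizes the password
        return overdue
```

Two design points worth noting: capacity is evaluated only after overdue checkouts have been expired, so a forgotten checkout cannot block the next administrator once its time limit passes, and the password the requester receives is the one in force after that expiry, so a stale value is never handed out.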
Related Privileged Access Manager features
- Randomize Privileged Passwords:
  Privileged Access Manager periodically randomizes passwords on privileged accounts.
- Launch Privileged Login Sessions:
  Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
- Limit Concurrent Administrator Logins:
  Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
- Record Administrator Logins:
  Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge-sharing resource.
- Password History:
  Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media, where the restored system still holds an older password.
- Audit Logs and Reports:
  Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
- Eliminate Embedded Passwords:
  Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to securely acquire credentials for other applications on demand.
- Change Service Account Passwords:
  Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies the appropriate OS components, such as the Service Control Manager and Task Scheduler, of the new password value.