Limit Concurrent Administrator Logins - Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager can be configured to control the number of users who can
simultaneously connect to a given privileged account. This is done
using a checkout/checkin process, in a manner similar to checking a
book out of a library and returning it later.
- Rather than simply granting access to a privileged account, a user
may be required to check out access. Checkout is subject to
- A counter is incremented whenever access is checked out,
indicating that one more person is allowed to sign into
the account in question.
- The number of users who may concurrently access an account
is limited -- for example, up to two at a time.
- The time interval during which a user may be allowed to sign
into an account is limited -- for example, no more than two hours.
- Users are asked to check-in access rights when they are done using
a privileged account.
- The account's checkout counter is decremented.
- If the maximum allowed checkout time has elapsed, Privileged Access Manager
may automatically perform a checkin. This normally causes the
account's password to be re-randomized.
- Checkout and checkin supports coordination among IT workers:
- Privileged Access Manager can notify users who have already checked out access
to an account of subsequent checkouts (e.g., via e-mail or SMS).
- Privileged Access Manager can inform users who request a new checkout
about already-active checkouts.
- Passwords are normally randomized whenever the checkout
counter returns to zero. This ensures that access does
not persist after the last user disconnects from a privileged
- Randomize Privileged Passwords:
Privileged Access Manager periodically randomizes passwords on privileged accounts.
- Launch Privileged Login Sessions:
Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
- Limit Concurrent Administrator Logins:
Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
- Record Administrator Logins:
Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge sharing resource.
- Password History:
Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media.
- Audit Logs and Reports:
Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
- Eliminate Embedded Passwords:
Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to secure acquire credentials to other applications on demand.
- Change Service Account Passwords:
Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies appropriate OS components, such as service control manager and scheduler, of the new password value.