Each managed system policy on Hitachi ID Privileged Access Manager can be configured with group sets. A group set is a defined set of security groups, each of which may exist on any of the managed systems attached to the policy. For example, a group set called WINADM might be defined on a managed system policy that contains Windows servers. This group set could be specified to include any groups that exist on each managed system attached to that policy whose SID (Windows-specific) ends in -512 or -544, or whose name contains the letters "adm".

Users can check-out a group set, rather than a privileged account. When a user checks out a group set on a managed system, all of the groups that are part of the group set are temporarily attached to the user's (pre-existing) account. The user account may be an Active Directory account or a login ID locally on the managed system in question.

Continuing with the above example, a user could check out the WINADM group set, which would cause the user's personal, normally-unprivileged account to be temporarily attached to the various administrator groups on the selected managed system.
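The following Python sketch is an added illustration of the two mechanisms described above; it is not Hitachi ID's code and does not come from this page. It evaluates a WINADM-style rule (trailing RID -512 or -544, or "adm" in the group name) against a constructed inventory of groups on one managed system, then models check-out of the resulting group set against a user's own account and the automatic removal when the check-out expires. The group names, SIDs, host name and user name are constructed sample data; the well-known RIDs 512 (Domain Admins), 544 (Administrators), 545 (Users), 551 (Backup Operators), 555 (Remote Desktop Users) and 578 (Hyper-V Administrators) are standard Windows values. It goes slightly beyond the text by showing why a name-based rule should be reviewed against each system's inventory: the "adm" substring also pulls in Hyper-V Administrators.

```python
"""Added example: group-set rule evaluation and timed check-out (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Group:
    name: str
    sid: str  # Windows security identifier, e.g. S-1-5-32-544


@dataclass
class GroupSet:
    """A group-set rule: match on the trailing RID or on a substring of the name."""
    name: str
    rid_suffixes: tuple = ()   # e.g. ("512", "544")
    name_contains: tuple = ()  # e.g. ("adm",); compared case-insensitively

    def matches(self, group: Group) -> bool:
        rid = group.sid.rsplit("-", 1)[-1]
        if rid in self.rid_suffixes:
            return True
        lowered = group.name.lower()
        return any(frag.lower() in lowered for frag in self.name_contains)

    def resolve(self, inventory):
        """Return the groups on one managed system that belong to this set."""
        return [g for g in inventory if self.matches(g)]


@dataclass
class Checkout:
    user: str
    group_set: str
    groups: tuple      # names of the groups the user was attached to
    expires: datetime


class ManagedSystem:
    """Toy model of one managed system's group membership (not the product's API)."""

    def __init__(self, name, inventory):
        self.name = name
        self.inventory = list(inventory)
        self.members = {}    # group name -> set of account names
        self.checkouts = []

    def check_out(self, user, group_set, duration, now):
        """Attach the user's own account to every group in the set, with an expiry."""
        groups = group_set.resolve(self.inventory)
        for g in groups:
            self.members.setdefault(g.name, set()).add(user)
        co = Checkout(user, group_set.name, tuple(g.name for g in groups), now + duration)
        self.checkouts.append(co)
        return co

    def expire(self, now):
        """Check in every expired checkout by removing the user from its groups again."""
        still_active = []
        for co in self.checkouts:
            if co.expires <= now:
                for gname in co.groups:
                    self.members[gname].discard(co.user)
            else:
                still_active.append(co)
        self.checkouts = still_active
        return len(still_active)


# Constructed inventory for a hypothetical domain-joined server "srv01".
# The domain part of the Domain Admins SID (21-1111-2222-3333) is made up.
SAMPLE_INVENTORY = [
    Group("Administrators", "S-1-5-32-544"),
    Group("Domain Admins", "S-1-5-21-1111-2222-3333-512"),
    Group("Remote Desktop Users", "S-1-5-32-555"),
    Group("Backup Operators", "S-1-5-32-551"),
    Group("Hyper-V Administrators", "S-1-5-32-578"),
    Group("Users", "S-1-5-32-545"),
]
WINADM = GroupSet("WINADM", rid_suffixes=("512", "544"), name_contains=("adm",))

START = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)
TWO_HOURS = timedelta(hours=2)


def run_demo():
    """Check out WINADM for 'alice' on srv01 and report membership before and after expiry."""
    system = ManagedSystem("srv01", SAMPLE_INVENTORY)
    co = system.check_out("alice", WINADM, TWO_HOURS, START)
    during = {g: ("alice" in system.members.get(g, set())) for g in co.groups}
    system.expire(START + ONE_HOUR)            # not yet expired
    still_member = "alice" in system.members["Administrators"]
    remaining = system.expire(START + TWO_HOURS)  # expiry reached: membership removed
    after = {g: ("alice" in system.members.get(g, set())) for g in co.groups}
    return {"groups": co.groups, "during": during, "still_member_at_1h": still_member,
            "remaining_checkouts": remaining, "after": after}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Reviewing the resolved list per managed system before enabling a group set is the check worth doing here: the RID rule is exact, but the name rule is a substring match and will capture any group whose name happens to contain "adm".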

Checking out group sets has pros and cons as compared to checking out access to shared accounts:

Shared accounts

  Pros:
  • Does not require users to have a pre-existing account on the system or for the system to be connected to a directory, so works well in cases where many IT users need access to stand-alone systems.
  • It is possible to require users to launch a login session through Privileged Access Manager and to record or disconnect that session as required.

  Cons:
  • Audit logs on the system show activity by the shared account, not the real user. An auditor has to consult Privileged Access Manager to learn who had the account checked out at the time in question.
  • If multiple users checked out the same account on the same system at once, it becomes difficult to say who did what.
  • Users have to connect through Privileged Access Manager -- they cannot log in directly (unless passwords are displayed, which is not recommended).

Group sets

  Pros:
  • Group sets can be granted fine-grained privileges, rather than full administrative rights.
  • Audit logs show the real user who performed local actions, not a shared account.
  • Users can connect with whatever tool from whatever location they like -- not just through Privileged Access Manager.

  Cons:
  • Users can bypass session recording by connecting from another PC or from the console of the system in question.
  • Assumes the user already has a local account or an account on an integrated directory -- otherwise, many new IDs will have to be created.