Access Control Policy - Hitachi ID Privileged Access Manager
Overview of access controls in Hitachi ID Privileged Access Manager
The most common form of access control in the Privileged Access Manager is based on managed system policies. These policies are named collections of managed systems containing privileged accounts whose passwords may be randomized and access to which is controlled.
Managed systems may either be attached to a policy explicitly (e.g., "attach workstation WKSTN01234 to policy RGWKSTNS") or implicitly, using an expression. Expressions may be based on the operating system type, IP address, MAC address or workstation name (e.g., "attach every workstation running Windows XP in subnet 10.1.2.3/24 to policy X").
Managed system policies are configured with operational and access control rules, including:
- Which accounts' passwords to randomize on attached systems.
- How often to change passwords.
- How to compose random passwords (e.g., length, complexity, etc.).
- What actions to take after successful or failed attempts to disclose a password.
- What access disclosure methods to offer users who wish to sign into privileged accounts on attached systems (e.g., launch remote desktop, launch SSH, temporarily place user in security groups, display current password to user, etc.).
Privileged Access Manager users are organized into user groups, either explicitly or implicitly. In a typical deployment, users are assigned to Privileged Access Manager user groups by virtue of their membership in Active Directory or LDAP groups. Groups of users are then assigned specific rights with respect to specific managed system policies. For example, "every user in group A may launch RDP sessions to privileged accounts on systems in policy B."
Business rules, such as segregation of duties between different sets of users, can also be enforced. This is done by examining, managing and limiting which groups on reference systems, such as Active Directory or LDAP, may be simultaneously assigned to the same user.
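As an added example (not Hitachi ID's code), here is a small Python model of the policy attachment, group-to-policy rights and segregation-of-duties checks described above; the group and policy names, subnets and disclosure-method labels are constructed assumptions.

```python
# Added illustration of the policy model described above (hypothetical code, not
# Hitachi ID's implementation); all group, policy and system names are constructed.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional
System = namedtuple("System", "name os ip")

@dataclass
class Policy:
    """Named collection of managed systems: explicit names plus an optional match expression."""
    name: str
    explicit: set = field(default_factory=set)
    os_prefix: Optional[str] = None   # e.g. "Windows XP"
    subnet: Optional[str] = None      # e.g. "10.1.2.3/24" (host form accepted)
    methods: set = field(default_factory=set)  # disclosure methods offered on attached systems

    def attaches(self, s: System) -> bool:
        """Explicit attachment wins; otherwise every configured expression term must match."""
        if s.name in self.explicit:
            return True
        if self.os_prefix is None and self.subnet is None:
            return False  # no expression configured: explicit members only
        if self.os_prefix and not s.os.startswith(self.os_prefix):
            return False
        if self.subnet:
            net = ipaddress.ip_network(self.subnet, strict=False)
            if ipaddress.ip_address(s.ip) not in net:
                return False
        return True

# Rights: (user group, policy) -> granted methods; user groups assumed to mirror AD groups.
RIGHTS = {("PAM-Helpdesk", "RGWKSTNS"): {"rdp"},
          ("PAM-UnixAdmins", "UNIX-PROD"): {"ssh", "show_password"}}
# Segregation of duties: group pairs that must never be held by the same user.
EXCLUSIVE = [("PAM-UnixAdmins", "PAM-UnixAuditors")]
POLICIES = [Policy("RGWKSTNS", explicit={"WKSTN01234"}, os_prefix="Windows XP",
                   subnet="10.1.2.3/24", methods={"rdp"}),
            Policy("UNIX-PROD", os_prefix="Linux", subnet="10.9.0.0/16",
                   methods={"ssh", "show_password"})]

def sod_violation(groups) -> bool:
    return any(a in groups and b in groups for a, b in EXCLUSIVE)

def can_disclose(groups, system: System, method: str, policies=POLICIES) -> bool:
    """Deny on an SoD conflict; else allow only if an attached policy offers the method and a group holds it."""
    if sod_violation(groups):
        return False
    return any(p.attaches(system) and method in p.methods
               and method in RIGHTS.get((g, p.name), ()) for p in policies for g in groups)
```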
External identification, authentication and authorization
Privileged Access Manager can be configured to take advantage of an existing directory of users for identification, authentication and authorization of users:
- Users may sign into Privileged Access Manager with their Active Directory or LDAP login ID and password.
- Users may be required to authenticate with a two-factor technology, such as an RSA SecurID token.
- User membership in Privileged Access Manager security groups, and consequently user privileges, may be based on user membership in AD or LDAP groups.
Externalizing user identification, authentication and authorization can significantly reduce the administrative overhead of managing a Privileged Access Manager deployment and is recommended.
Privileged Access Manager also supports multi-step authentication. For example, a user may be required to type their AD password and then a PIN which was sent to their mobile phone via SMS.