The most common form of access control in the Privileged Access Manager is based on managed system policies. These policies are named collections of managed systems containing privileged accounts whose passwords may be randomized and access to which is controlled.
Managed systems may either be attached to a policy explicitly (e.g., "attach workstation WKSTN01234 to policy RGWKSTNS") or implicitly, using an expression. Expressions may be based on the operating system type, IP address, MAC address or workstation name (e.g., "attach every workstation running Windows XP in subnet 10.1.2.3/24 to policy X").
Managed system policies are configured with operational and access control rules, including:
Privileged Access Manager users are organized into user groups, either explicitly or implicitly. In a typical deployment, users are assigned to Privileged Access Manager user groups by virtue of their membership in Active Directory or LDAP groups. Groups of users are then assigned specific rights with respect to specific managed system policies. For example, "every user in group A may launch RDP sessions to privileged accounts on systems in policy B."
Business rules, such as segregation of duties between different sets of users, can also be enforced. This is done by examining, managing and limiting which groups on reference systems, such as Active Directory or LDAP, may be assigned to the same user at the same time.
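The following is an added, illustrative model of the access control rules described above (explicit and expression-based policy membership, directory groups mapped to user groups, per-group rights on each policy, and a segregation-of-duties rule over reference-system groups). It is example code written for this page, not the Privileged Access Manager's own API; every class, function, group DN and system record in it is an assumption constructed for the walkthrough, and it generalizes the page's single "Windows XP in subnet 10.1.2.3/24" expression into a small expression matcher.

```python
"""Illustrative policy-based access control model (added example, not product code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ManagedSystem:
    name: str
    os: str
    ip: str


@dataclass
class Policy:
    """A named collection of managed systems, attached explicitly or by expression."""
    name: str
    explicit: frozenset = frozenset()          # system names attached by hand
    os_prefix: Optional[str] = None            # e.g. "Windows XP"
    subnet: Optional[str] = None               # e.g. "10.1.2.3/24" (host bits tolerated)
    name_pattern: Optional[str] = None         # regex over the workstation name

    def matches(self, system: ManagedSystem) -> bool:
        if system.name in self.explicit:
            return True
        # Implicit attachment: every configured expression clause must hold.
        clauses = []
        if self.os_prefix is not None:
            clauses.append(system.os.startswith(self.os_prefix))
        if self.subnet is not None:
            net = ipaddress.ip_network(self.subnet, strict=False)
            clauses.append(ipaddress.ip_address(system.ip) in net)
        if self.name_pattern is not None:
            clauses.append(re.fullmatch(self.name_pattern, system.name) is not None)
        return bool(clauses) and all(clauses)


# Constructed inventory: names, OS versions and addresses are made up for the example.
SYSTEMS = {
    "WKSTN01234": ManagedSystem("WKSTN01234", "Windows 10", "10.5.0.9"),
    "WKSTN00077": ManagedSystem("WKSTN00077", "Windows XP", "10.1.2.50"),
    "SRV-DB01": ManagedSystem("SRV-DB01", "Linux", "10.1.2.7"),
}

POLICIES = [
    Policy("RGWKSTNS", explicit=frozenset({"WKSTN01234"})),        # explicit attachment
    Policy("X", os_prefix="Windows XP", subnet="10.1.2.3/24"),      # expression attachment
]

# Directory (AD/LDAP) groups mapped to user groups; DNs are constructed placeholders.
HELPDESK_DN = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
SERVEROPS_DN = "CN=ServerOps,OU=Groups,DC=example,DC=com"
DIRECTORY_TO_GROUP = {HELPDESK_DN: "A", SERVEROPS_DN: "OPS"}

# Rights granted to a user group on a policy, e.g. "group A may launch RDP on policy X".
RIGHTS = {
    ("A", "X"): {"rdp"},
    ("OPS", "RGWKSTNS"): {"rdp", "checkout"},
}

# Segregation of duties: these reference-system groups may not be held together.
SOD_RULES = [frozenset({HELPDESK_DN, SERVEROPS_DN})]

HELPDESK_USER = [HELPDESK_DN]
SERVEROPS_USER = [SERVEROPS_DN]


def user_groups_for(directory_groups):
    """Resolve a user's directory groups to the user groups they imply."""
    return {DIRECTORY_TO_GROUP[g] for g in directory_groups if g in DIRECTORY_TO_GROUP}


def policies_for(system: ManagedSystem):
    """Every policy the system belongs to, explicitly or by expression."""
    return {p.name for p in POLICIES if p.matches(system)}


def is_allowed(directory_groups, system_name: str, right: str) -> bool:
    """Does any of the user's groups hold `right` on any policy containing the system?"""
    groups = user_groups_for(directory_groups)
    policies = policies_for(SYSTEMS[system_name])
    return any(right in RIGHTS.get((g, p), set()) for g in groups for p in policies)


def sod_violations(directory_groups):
    """Rules whose mutually exclusive groups are all held by the same user."""
    held = set(directory_groups)
    return [rule for rule in SOD_RULES if rule <= held]


if __name__ == "__main__":
    print("helpdesk rdp -> WKSTN00077:", is_allowed(HELPDESK_USER, "WKSTN00077", "rdp"))
    print("helpdesk rdp -> WKSTN01234:", is_allowed(HELPDESK_USER, "WKSTN01234", "rdp"))
    print("SoD violations for combined user:", sod_violations(HELPDESK_USER + SERVEROPS_USER))
```

The decision is a join across three relations: directory group to user group, system to policy, and (group, policy) to rights. A system in no policy is unreachable regardless of group membership, and the segregation-of-duties check runs over the reference-system groups themselves rather than over the derived user groups, which is where the text places it.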
Privileged Access Manager can be configured to take advantage of an existing directory of users for identification, authentication and authorization of users:
Externalizing user identification, authentication and authorization can significantly reduce the administrative overhead of managing a Privileged Access Manager deployment and is recommended.
Privileged Access Manager also supports multi-step authentication. For example, a user may be required to type their AD password and then a PIN which was sent to their mobile phone via SMS.