The most common form of access control in the Privileged Access Manager is based on managed system policies. These policies are named collections of managed systems containing privileged accounts whose passwords may be randomized and access to which is controlled.
Managed systems may either be attached to a policy explicitly (e.g., "attach system SYS0123 to policy MSP-A") or implicitly, using an expression such as "all systems of type Linux at 10.0.1.0/24 are attached to MSP-B". Expressions may be based on the operating system type, IP address, MAC address, system name or other metadata.
Managed system policies are configured with operational and access control rules, including:
Privileged Access Manager users are organized into user groups, also either explicitly or implicitly. Most commonly, users are assigned to Privileged Access Manager user groups by virtue of their membership in Active Directory or LDAP groups. Groups of users are then assigned specific rights with respect to specific managed system policies. For example, "every user in group A may launch RDP sessions to privileged accounts on systems in policy B."
Business rules, such as segregation of duties between different sets of users, can also be enforced. This is done by examining, managing and limiting group membership on reference systems, such as Active Directory or LDAP.
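The access model described above (explicit and expression-based attachment of systems to managed system policies, user groups derived from directory group membership, rights granted per group and policy, and a segregation-of-duties rule enforced on group membership) is easier to reason about as an executable model. The following is an added example written for this page; it is not Privileged Access Manager's own code or configuration syntax. The policy names, directory groups, systems, addresses, rights and the `ad_group_to_pam_group` mapping are constructed sample data, and the attachment expressions are reduced to an (OS type, CIDR) pair, which is only one of the metadata kinds the text mentions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ManagedSystem:
    name: str
    os_type: str
    ip: str


@dataclass
class ManagedSystemPolicy:
    """A named collection of managed systems, attached explicitly or by expression."""
    name: str
    explicit_systems: set = field(default_factory=set)   # e.g. "attach SYS0123 to MSP-A"
    expressions: list = field(default_factory=list)      # (os_type, cidr): implicit attachment

    def attaches(self, system: ManagedSystem) -> bool:
        if system.name in self.explicit_systems:
            return True
        addr = ipaddress.ip_address(system.ip)
        return any(system.os_type == os_type and addr in ipaddress.ip_network(cidr)
                   for os_type, cidr in self.expressions)


class AccessModel:
    """Group rights on policies, with PAM groups derived from directory groups."""

    def __init__(self, policies, ad_group_to_pam_group, grants, sod_pairs):
        self.policies = policies                 # policy name -> ManagedSystemPolicy
        self.ad_to_pam = ad_group_to_pam_group   # AD/LDAP group DN -> PAM user group
        self.grants = grants                     # {(pam_group, policy_name, right)}
        self.sod_pairs = sod_pairs               # {frozenset({group_a, group_b})} mutually exclusive

    def pam_groups(self, ad_groups):
        # Membership is externalized: PAM groups are implied by directory groups.
        return {self.ad_to_pam[g] for g in ad_groups if g in self.ad_to_pam}

    def sod_conflicts(self, ad_groups):
        # A user holding both halves of any exclusive pair violates segregation of duties.
        groups = self.pam_groups(ad_groups)
        return [pair for pair in self.sod_pairs if pair <= groups]

    def authorize(self, ad_groups, right, system):
        # Deny outright while a segregation-of-duties violation is outstanding.
        if self.sod_conflicts(ad_groups):
            return False
        groups = self.pam_groups(ad_groups)
        return any(pam_group in groups and granted == right
                   and self.policies[policy_name].attaches(system)
                   for pam_group, policy_name, granted in self.grants)


# Constructed sample data (assumed names, not from any real deployment).
POLICIES = {
    "MSP-A": ManagedSystemPolicy("MSP-A", explicit_systems={"SYS0123"}),
    "MSP-B": ManagedSystemPolicy("MSP-B", expressions=[("Linux", "10.0.1.0/24")]),
}
SYSTEMS = {
    "SYS0123": ManagedSystem("SYS0123", "Windows", "10.0.2.5"),
    "linux01": ManagedSystem("linux01", "Linux", "10.0.1.7"),
    "linux-dmz": ManagedSystem("linux-dmz", "Linux", "10.0.9.7"),  # outside the expression
}
DIRECTORY = {  # user -> AD group DNs, as a reference system would report them
    "alice": ["CN=PAM-Operators,OU=Groups,DC=example,DC=test"],
    "bob": ["CN=PAM-Operators,OU=Groups,DC=example,DC=test",
            "CN=PAM-Auditors,OU=Groups,DC=example,DC=test"],
    "carol": ["CN=Domain Users,OU=Groups,DC=example,DC=test"],
}
MODEL = AccessModel(
    policies=POLICIES,
    ad_group_to_pam_group={
        "CN=PAM-Operators,OU=Groups,DC=example,DC=test": "operators",
        "CN=PAM-Auditors,OU=Groups,DC=example,DC=test": "auditors",
    },
    grants={("operators", "MSP-B", "rdp"), ("auditors", "MSP-A", "view")},
    sod_pairs={frozenset({"operators", "auditors"})},
)


def can(user, right, system_name):
    """Decide whether a directory user may exercise a right on a managed system."""
    return MODEL.authorize(DIRECTORY[user], right, SYSTEMS[system_name])


if __name__ == "__main__":
    for user, right, system in [("alice", "rdp", "linux01"), ("alice", "rdp", "linux-dmz"),
                                ("bob", "rdp", "linux01"), ("carol", "rdp", "linux01")]:
        print(f"{user:6} {right:4} {system:10} -> {'allow' if can(user, right, system) else 'deny'}")
    print("bob SoD conflicts:", MODEL.sod_conflicts(DIRECTORY["bob"]))
```

The deny-on-conflict rule in `authorize` is the point worth keeping when adapting this: a segregation-of-duties violation discovered in the reference directory is surfaced as a denied request, not silently resolved in favour of whichever grant matches first.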
Externalizing user identification, authentication and authorization can significantly reduce the administrative overhead of managing a Privileged Access Manager deployment and is recommended.
Privileged Access Manager also supports multi-step authentication. For example, a user may be required to type a PIN that was sent to their mobile phone via SMS, or a passcode displayed on their OTP token, followed by their AD password.
Multi-factor authentication is strongly recommended for Privileged Access Manager deployments, as it protects logins into Privileged Access Manager against keylogging attacks on user devices.
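The "OTP passcode, then AD password" sequence from the two paragraphs above, as an added example that is not Privileged Access Manager's own code. It assumes the OTP token is a standard TOTP (RFC 6238, SHA-1, 30-second step, six digits) and stands in for the AD password check with a local PBKDF2 hash; a real deployment would verify the password against the directory. The user record, secret and salt are constructed sample values; the secret is the RFC 6238 reference key, whose published test vector the usage note relies on.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing for_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, now: float, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, now + delta * 30), candidate)
               for delta in range(-window, window + 1))


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record: RFC 6238 reference secret ("12345678901234567890" in base32)
# and a locally hashed stand-in for the AD password.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "pw_hash": password_hash("correct horse battery staple", _SALT),
    }
}


class LoginSession:
    """Enforces factor order: the OTP step must pass before the password step is accepted."""

    def __init__(self, user: str):
        self.user = user
        self.otp_ok = False
        self.authenticated = False

    def submit_otp(self, code: str, now: float = None) -> bool:
        rec = USERS.get(self.user)
        if rec is None:
            return False
        now = time.time() if now is None else now
        self.otp_ok = verify_totp(rec["totp_secret"], code, now)
        return self.otp_ok

    def submit_password(self, password: str) -> bool:
        # Refuse the password step until the OTP step has succeeded in this session.
        if not self.otp_ok:
            return False
        rec = USERS[self.user]
        ok = hmac.compare_digest(password_hash(password, _SALT), rec["pw_hash"])
        if not ok:
            # A wrong password invalidates the accepted OTP, so a replayed or
            # keylogged password cannot be retried against the same passcode.
            self.otp_ok = False
            return False
        self.authenticated = True
        return True


if __name__ == "__main__":
    s = LoginSession("alice")
    code = totp(USERS["alice"]["totp_secret"], time.time())
    print("otp:", s.submit_otp(code), "password:", s.submit_password("correct horse battery staple"))
    print("authenticated:", s.authenticated)
```

Because the OTP step is verified first, a keylogger on the user's device that captures the typed password still lacks a valid passcode for the next session, which is the property the recommendation above rests on. The RFC 6238 vector for the reference secret at Unix time 59 is 94287082 (eight digits), so the six-digit code at that instant is 287082.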