Access Control Policy - Hitachi ID Privileged Access Manager

Overview of Access Controls in Hitachi ID Privileged Access Manager

The most common form of access control in the Privileged Access Manager is based on managed system policies. These policies are named collections of managed systems containing privileged accounts whose passwords may be randomized and access to which is controlled.

Managed systems may either be attached to a policy explicitly (e.g., "attach system SYS0123 to policy MSP-A") or implicitly, using an expression such as "all systems of type Linux are attached to MSP-B". Expressions may be based on the operating system type, IP address, MAC address, system name or other metadata.

Managed system policies are configured with operational and access control rules, including:

  1. Which accounts' passwords to randomize on attached systems.
  2. How often to change passwords.
  3. How to compose random passwords (e.g., length, complexity, etc.).
  4. What actions to take after successful or failed attempts to disclose access.
  5. What access disclosure methods to offer authorized users -- e.g., launch a given type of client program with ID/password from the credential vault, display a password, copy buffer integration, temporary group membership or SSH trust, etc.

Privileged Access Manager users are organized into user groups, also either explicitly or implicitly. Most commonly, users are assigned to Privileged Access Manager user groups by virtue of their membership in Active Directory or LDAP groups. Groups of users are then assigned specific rights with respect to specific managed system policies. For example, "every user in group A may launch RDP sessions to privileged accounts on systems in policy B."

Business rules, such as segregation of duties between different sets of users, can also be enforced. This is done by examining, managing and limiting group membership on reference systems, such as Active Directory or LDAP.
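The policy model described above (explicit and expression-based attachment of systems to policies, user groups derived from directory groups, per-group rights on policies, and a segregation-of-duties rule) as an added Python example with constructed data; this is not Hitachi ID code, and every system, group, policy and method name here is hypothetical.

```python
from dataclasses import dataclass, field
# Added example with constructed data; every name and rule here is hypothetical.
@dataclass
class ManagedSystem:
    name: str
    os_type: str

@dataclass
class Policy:
    name: str
    explicit: set = field(default_factory=set)  # "attach system SYS0123 to MSP-A"
    predicate: object = None                    # "all systems of type Linux are attached"
    def attaches(self, system: ManagedSystem) -> bool:
        return system.name in self.explicit or bool(self.predicate and self.predicate(system))

SYSTEMS = {s.name: s for s in [ManagedSystem("SYS0123", "Windows"), ManagedSystem("LNX0007", "Linux")]}
POLICIES = [
    Policy("MSP-A", explicit={"SYS0123"}),
    Policy("MSP-B", predicate=lambda s: s.os_type == "Linux"),
]
# Privileged Access Manager user group implied by membership in an AD/LDAP group
GROUP_FROM_DIRECTORY = {"CN=WinAdmins": "win-ops", "CN=LinuxAdmins": "linux-ops", "CN=Auditors": "auditors"}
# (user group, policy) -> disclosure methods that group may use on the policy's systems
RIGHTS = {
    ("win-ops", "MSP-A"): {"rdp-launch"},
    ("linux-ops", "MSP-B"): {"ssh-launch", "display-password"},
}
# Segregation of duties: no user may hold both groups of a pair
SOD_PAIRS = [("linux-ops", "auditors")]

def user_groups(directory_groups: set) -> set:
    # Implicit group assignment: derive PAM groups from directory group membership.
    return {GROUP_FROM_DIRECTORY[g] for g in directory_groups if g in GROUP_FROM_DIRECTORY}

def policies_for(system: ManagedSystem) -> set:
    # A system may be attached to several policies, explicitly or by expression.
    return {p.name for p in POLICIES if p.attaches(system)}

def authorize(directory_groups: set, system_name: str, method: str) -> tuple:
    groups = user_groups(directory_groups)
    for a, b in SOD_PAIRS:
        if a in groups and b in groups:
            return False, f"segregation of duties: {a} and {b} held together"
    system = SYSTEMS.get(system_name)
    if system is None:
        return False, "unknown managed system"
    for g in sorted(groups):
        for pol in sorted(policies_for(system)):
            if method in RIGHTS.get((g, pol), set()):
                return True, f"{g} may {method} via {pol}"
    return False, "no right grants this method"
```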

External Identification, Authentication and Authorization

Privileged Access Manager can be configured to take advantage of an existing directory of users for identification, authentication and authorization of users:

  1. Users may sign into Privileged Access Manager with their Active Directory or LDAP login ID and password.
  2. Users may be required to authenticate with a two-factor technology, such as an RSA SecurID token.
  3. User membership in Privileged Access Manager security groups, and consequently user privileges, may be based on user membership in AD or LDAP groups.

Externalizing user identification, authentication and authorization can significantly reduce the administrative overhead of managing a Privileged Access Manager deployment and is recommended.

Privileged Access Manager also supports multi-step authentication. For example, a user may be required to type a PIN which was sent to their mobile phone via SMS or a pass-code displayed on their OTP token, followed by their AD password.

Multi-factor authentication is strongly recommended for Privileged Access Manager deployments, as it protects logins into Privileged Access Manager against keylogging attacks on user devices.
