Emergency Access to Administrator Accounts

Business Challenge

Most systems have a small number of day-to-day administrators, who work during normal business hours to manage configuration, patches, security, storage, etc. If a problem arises during the normal work-day, these administrators are called and they fix the problem promptly.

If production systems experience problems at night or on weekends, stand-by staff need to be able to log in and make corrective changes. At other times, stand-by staff should not have administrative access.

These requirements are contradictory: stand-by staff should get administrative access to systems in an emergency, but not normally.

Hitachi ID Privileged Access Manager Solution
  • Privileged Access Manager includes a workflow engine, designed to allow people who do not have regular administrative access to systems to request such access.
  • Users who want to see a particular password can ask for disclosure using the Privileged Access Manager web UI. This triggers an e-mail to one or more authorizers, such as application owners, asking for approval.
  • Authorizers click on an embedded URL, sign in and approve or reject requests.
  • Approved requests trigger another e-mail, to the password recipient.
  • The recipient clicks on an embedded URL, signs in and displays the password.
  • The process is expedited by naming multiple authorizers -- more than the minimum number required.
  • Reminders, automatic escalation and delegation also ensure prompt response.

Using Privileged Access Manager, one-time disclosure of passwords is convenient and secure.

Read More:

  • Infrastructure Auto-discovery:
    In large organizations, it is not feasible to configure Privileged Access Manager manually. Instead, an auto-discovery capability is needed to find servers and accounts where Privileged Access Manager should randomize passwords and control logins.
  • Static Passwords:
    One of the key benefits of Privileged Access Manager is to eliminate static passwords on privileged accounts by automatically changing these passwords -- by default, daily.
  • Service Account Passwords:
    Managing passwords on Windows service accounts is challenging because of the need to coordinate password changes among Windows, Active Directory, Service Control Manager and more. Privileged Access Manager automates this process and allows organizations to frequently change service account passwords.
  • Embedded Application Passwords:
    Privileged Access Manager includes an API designed to enable applications to replace embedded, plaintext passwords with secure access to the vault.
  • Emergency Access:
    Privileged Access Manager automates and secures the process of signing IT users into administrator accounts in the event of an emergency.
  • Reliable Deactivation:
    Privileged Access Manager helps organizations to promptly, reliably and completely deactivate the access of former IT staff.
  • Administrator Accountability:
    Privileged Access Manager makes IT staff accountable for changes they make to systems and applications by recording who connected to what system, when and even by recording their login sessions.
  • Forensic Audits:
    Privileged Access Manager can record login sessions to privileged accounts and replay these recordings in the context of a forensic audit.
  • Coordinating Administrative Changes:
    Privileged Access Manager controls administrator logins and so is able to notify administrators who sign into a system of one another's login sessions. This notification helps IT staff coordinate their work.
  • Temporary Privileged Access:
    There are often cases where users who do not normally require elevated privileges do need them temporarily. A typical example of this is developer access to production systems, to help with production migration or troubleshooting. Privileged Access Manager enables such temporary access in a secure and auditable fashion.