Skip to main content

Concurrent Access to Accounts - Hitachi ID Privileged Access Manager

Hitachi ID Privileged Access Manager can be configured to control the number of users who can simultaneously connect to a given privileged account. This is done using a checkout/checkin process, in a manner similar to checking a book out of a library and returning it later.

  1. Rather than simply granting access to a privileged account, a user may be required to check out access. Checkout is subject to policy control:
    1. A counter is incremented whenever access is checked out, indicating that one more person is allowed to sign into the account in question.
    2. The number of users who may concurrently access an account is limited -- for example, up to two at a time.
    3. The time interval during which a user may be allowed to sign into an account is limited -- for example, no more than two hours.

  2. Users are asked to check-in access rights when they are done using a privileged account.
    1. The account's checkout counter is decremented.

  3. If the maximum allowed checkout time has elapsed, Privileged Access Manager may automatically perform a checkin. This normally causes the account's password to be re-randomized.

  4. Checkout and checkin supports coordination among IT workers:
    1. Privileged Access Manager can notify users who have already checked out access to an account of subsequent checkouts (e.g., via e-mail or SMS).

    2. Privileged Access Manager can inform users who request a new checkout about already-active checkouts.

  5. Passwords are normally randomized whenever the checkout counter returns to zero. This ensures that access does not persist after the last user disconnects from a privileged account.

Read More:

  • Network Architecture:
    How user PCs, servers, network devices, multiple, replicated Privileged Access Manager nodes and other elements interact on the network.
  • Replicated Credential Vault:
    Replicated storage of passwords to privileged accounts in multiple, physically distant, encrypted vaults.
  • Included Connectors:
    Systems on which Privileged Access Manager can discover accounts, randomize passwords and launch login sessions.
  • Infrastructure Auto-discovery:
    Automatically finding and classifying workstations, servers, applications and network devices as well as privileged accounts and services on each one.
  • Non-target integrations:
    Integrations between Privileged Access Manager and IT infrastructure where it may not be managing passwords or privileged access -- such as e-mail systems, incident management applications and more.
  • Workflow Requests and Approvals:
    Enabling users to request and approve one-off access to sensitive accounts.
  • Concurrent Access to Accounts:
    Limiting how many administrators can simultaneously manage a system and keeping administrators informed of one-anothers activity.
  • Single Sign-on Mechanisms:
    Options for connecting users to privileged accounts, through credential injection, trust manipulation and temporary group membership, all without displaying passwords from the vault.
  • Server requirements:
    Sizing, configuration and number of servers on which to deploy Privileged Access Manager.
  • Scalability:
    Scaling to manage passwords across millions of devices.
  • Emergency access:
    Access to Privileged Accounts During Emergencies.
  • Language Support:
    A list of languages supported in the web portal.
page top page top