Concurrent Access to Accounts - Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager can be configured to control the number of users who can simultaneously connect to a given privileged account. This is done using a checkout/checkin process, in a manner similar to checking a book out of a library and returning it later.
- Rather than simply granting access to a privileged account, a user
may be required to check out access. Checkout is subject to
- A counter is incremented whenever access is checked out, indicating that one more person is allowed to sign into the account in question.
- The number of users who may concurrently access an account is limited -- for example, up to two at a time.
- The time interval during which a user may be allowed to sign into an account is limited -- for example, no more than two hours.
- Users are asked to check-in access rights when they are done using
a privileged account.
- The account's checkout counter is decremented.
- If the maximum allowed checkout time has elapsed, Privileged Access Manager
may automatically perform a checkin. This normally causes the
account's password to be re-randomized.
- Checkout and checkin supports coordination among IT workers:
- Privileged Access Manager can notify users who have already checked out access
to an account of subsequent checkouts (e.g., via e-mail or SMS).
- Privileged Access Manager can inform users who request a new checkout about already-active checkouts.
- Privileged Access Manager can notify users who have already checked out access to an account of subsequent checkouts (e.g., via e-mail or SMS).
- Passwords are normally randomized whenever the checkout counter returns to zero. This ensures that access does not persist after the last user disconnects from a privileged account.