Where the large majority of privileged access requests are auto-approved (e.g., platform administrators gaining routine access), it is reasonable to expect authorizers to do a good job deciding whether one-off requests are business-appropriate.

In Hitachi ID Privileged Access Manager deployments where there are many one-time requests, there is a risk that authorizers develop "approval fatigue" and rubber-stamp all requests that reach them, without paying close attention to what is being asked. In these cases, it can be helpful for Privileged Access Manager to mark requests that are unusual in any way, to help focus the attention of authorizers.

Privileged Access Manager can examine the details of a given request as well as request history for the same user or system and identify unusual patterns, where closer attention or possibly additional approvals are appropriate. Following are patterns that can be used for this purpose:

  1. The first request for a given user (never used Privileged Access Manager before).
  2. The first request for a given user for access to a given account (low score), system (medium score) or platform (high score).
  3. Requests by one user on behalf of another (in some organizations, most or all requests are self-service).
  4. Requests submitted during unusual hours or for a check-out that begins or ends at an unusual time period (middle of the night or during a black-out period).
  5. Requests submitted by a user using a device at an unusual location (IP address) -- i.e., the user does not usually sign into Privileged Access Manager from this location.
  6. Requests by a user who normally asks for systems in one IP address range (e.g., geographical area or data center), but where the new request is in another IP range. For example, an EU platform administrator requesting access to an NA server or vice versa.
  7. Requests for accounts or endpoint systems deemed to represent an unusually high risk.

The same 'unusual' patterns can be captured in Privileged Access Manager reports, so that even where authorization is not required or where it was required and was granted, unusual activity can be reviewed after the fact.