Workflow Requests and Approvals - Hitachi ID Privileged Access Manager
In many organizations, there are many IT workers who have the
right skills to manage a wide range of systems, but whose normal
responsibility is narrow. These people should not and normally
do not have administrative access to systems outside their normal scope
Using Hitachi ID Privileged Access Manager, this pool of talent can be leveraged when needed --
during periods of high workload or in emergencies -- without having
to grant large numbers of users permanent access to systems.
- Privileged Access Manager ensures that every administrator account
has a unique, frequently changing password:
- Sensitive passwords cannot be shared, since they are always
- It is possible to give out passwords for a limited time,
since administrative access will naturally expire.
- Privileged Access Manager controls access disclosure using a variety
of mechanisms, including a workflow engine that supports granting
temporary or exceptional access:
- Business logic restricts which passwords can be requested.
- Authorization logic routes requests to application owners.
- Business users can authorize one-time access disclosure to
Some examples of this flexibility are common in specific industries:
- Universities and Colleges: computer science students can
be asked to help with IT tasks.
- IT Outsourcers: one customer's support team can be asked
to help with another customer's systems.
- In general: developers can provide assistance with
Workflow Engine to Authorize Privileged Access
Privileged Access Manager includes the same authorization workflow engine as is
used in Hitachi ID Identity Manager. Workflow enables users to request access to a
privileged account that was not previously or permanently authorized.
When this happens, one or more additional users are invited (via e-mail
or SMS) to review and approve the request. Approved requests trigger
a message to the request's recipient, including a URL to Privileged Access Manager
where he or she can re-authenticate and "check out" access.
The workflow process is illustrated by the following series of steps:
- User UA signs in and requests that the then-current password to
login account LA on system S be made available to user UB at
some later time T. UA may or may not be the same person as UB.
- Privileged Access Manager looks up authorizers associated with LA on S.
- Privileged Access Manager may run business logic to supplement this authorizer list,
for example with someone in the management chain for UA or UB. The
final list of authorizers is LA. There are N authorizers but approval
by just M (M <= N) is sufficient to disclose the password to AZ.
- Privileged Access Manager sends e-mail invitations to authorizers LA.
- If authorizers fail to respond, they get automatic reminder e-mails.
- If authorizers continue to fail to respond, Privileged Access Manager runs
business logic to find replacements for them, effectively escalating
the request and invites the replacement authorizers as well.
- Authorizers receive invitation e-mails, click on a URL embedded
in the e-mail invitation, authenticate themselves to the Privileged Access Manager
web login page, review the request and approve or reject it.
- If any authorizers reject the request, e-mails are sent
to all participants (UA, UB and AZ) and the request is terminated.
- If M authorizers approve the request, thank-you e-mails are sent
to all participants. A special e-mail is sent to the recipient --
UB with a URL to an access disclosure page.
- UB clicks on the e-mail URL and authenticates to Privileged Access Manager
and displays the password.
- UB clicks on a button to "check-out privileged access."
- UB then may click on a button to do one of the following (the options
available will vary based on policy):
- Display the password.
- Place a copy of the password in the operating system copy buffer.
- Launch an RDP, SSH, vSphere or similar remote control session to the
server in question.
In other words, display of a sensitive password is not a mandatory
or even recommended part of the solution.