Workflow Requests and Approvals - Hitachi ID Privileged Access Manager
In many organizations, there are many IT workers who have the right skills to manage a wide range of systems, but whose normal responsibility is narrow. These people should not and normally do not have administrative access to systems outside their normal scope of responsibility.
Using Hitachi ID Privileged Access Manager, this pool of talent can be leveraged when needed -- during periods of high workload or in emergencies -- without having to grant large numbers of users permanent access to systems.
- Privileged Access Manager ensures that every administrator account
has a unique, frequently changing password:
- Sensitive passwords cannot be shared, since they are always changing.
- It is possible to give out passwords for a limited time, since administrative access will naturally expire.
- Privileged Access Manager controls access disclosure using a variety
of mechanisms, including a workflow engine that supports granting
temporary or exceptional access:
- Business logic restricts which passwords can be requested.
- Authorization logic routes requests to application owners.
- Business users can authorize one-time access disclosure to technical users.
Some examples of this flexibility are common in specific industries:
- Universities and Colleges: computer science students can be asked to help with IT tasks.
- IT Outsourcers: one customer's support team can be asked to help with another customer's systems.
- In general: developers can provide assistance with production systems.
Workflow Engine to Authorize Privileged Access
Privileged Access Manager includes the same authorization workflow engine as is used in Hitachi ID Identity Manager. Workflow enables users to request access to a privileged account that was not previously or permanently authorized. When this happens, one or more additional users are invited (via e-mail or SMS) to review and approve the request. Approved requests trigger a message to the request's recipient, including a URL to Privileged Access Manager where he or she can re-authenticate and "check out" access.
The workflow process is illustrated by the following series of steps:
- User UA signs in and requests that the then-current password to login account LA on system S be made available to user UB at some later time T. UA may or may not be the same person as UB.
- Privileged Access Manager looks up authorizers associated with LA on S.
- Privileged Access Manager may run business logic to supplement this authorizer list, for example with someone in the management chain for UA or UB. The final list of authorizers is LA. There are N authorizers but approval by just M (M <= N) is sufficient to disclose the password to AZ.
- Privileged Access Manager sends e-mail invitations to authorizers LA.
- If authorizers fail to respond, they get automatic reminder e-mails.
- If authorizers continue to fail to respond, Privileged Access Manager runs business logic to find replacements for them, effectively escalating the request and invites the replacement authorizers as well.
- Authorizers receive invitation e-mails, click on a URL embedded in the e-mail invitation, authenticate themselves to the Privileged Access Manager web login page, review the request and approve or reject it.
- If any authorizers reject the request, e-mails are sent to all participants (UA, UB and AZ) and the request is terminated.
- If M authorizers approve the request, thank-you e-mails are sent to all participants. A special e-mail is sent to the recipient -- UB with a URL to an access disclosure page.
- UB clicks on the e-mail URL and authenticates to Privileged Access Manager and displays the password.
- UB clicks on a button to "check-out privileged access."
- UB then may click on a button to do one of the following (the options
available will vary based on policy):
- Display the password.
- Place a copy of the password in the operating system copy buffer.
- Launch an RDP, SSH, vSphere or similar remote control session to the server in question.
In other words, display of a sensitive password is not a mandatory or even recommended part of the solution.