Skip to main content

Hitachi ID LinkedIn Page Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+ Hitachi ID YouTube Page

Workflow Requests and Approvals - Hitachi ID Privileged Access Manager

Workforce Flexibility

In many organizations, there are many IT workers who have the right skills to manage a wide range of systems, but whose normal responsibility is narrow. These people should not and normally do not have administrative access to systems outside their normal scope of responsibility.

Using Hitachi ID Privileged Access Manager, this pool of talent can be leveraged when needed -- during periods of high workload or in emergencies -- without having to grant large numbers of users permanent access to systems.

  1. Privileged Access Manager ensures that every administrator account has a unique, frequently changing password:

    1. Sensitive passwords cannot be shared, since they are always changing.
    2. It is possible to give out passwords for a limited time, since administrative access will naturally expire.

  2. Privileged Access Manager controls access disclosure using a variety of mechanisms, including a workflow engine that supports granting temporary or exceptional access:

    1. Business logic restricts which passwords can be requested.
    2. Authorization logic routes requests to application owners.
    3. Business users can authorize one-time access disclosure to technical users.

Some examples of this flexibility are common in specific industries:

  1. Universities and Colleges: computer science students can be asked to help with IT tasks.
  2. IT Outsourcers: one customer's support team can be asked to help with another customer's systems.
  3. In general: developers can provide assistance with production systems.

Workflow Engine to Authorize Privileged Access

Privileged Access Manager includes the same authorization workflow engine as is used in Hitachi ID Identity Manager. Workflow enables users to request access to a privileged account that was not previously or permanently authorized. When this happens, one or more additional users are invited (via e-mail or SMS) to review and approve the request. Approved requests trigger a message to the request's recipient, including a URL to Privileged Access Manager where he or she can re-authenticate and "check out" access.

The workflow process is illustrated by the following series of steps:

  1. User UA signs in and requests that access to privileged account PA on system S be made available to user UB at some later time T. UA may be the same person as UB (a self-service request).
  2. Privileged Access Manager looks up authorizers associated with LA on S.
  3. Privileged Access Manager may run business logic to supplement this authorizer list, for example, UA or UB's manager. The final list of authorizers is LA. There are N authorizers but approval by just M (M <= N) is sufficient to disclose the password to PA.
  4. Privileged Access Manager sends e-mail invitations to authorizers LA.
  5. If authorizers fail to respond, they get automatic reminder e-mails.
  6. If authorizers still don't respond, Privileged Access Manager runs business logic to find replacements for them, effectively escalating the request. Privileged Access Manager will invite replacement authorizers next.
  7. Authorizers receive invitation e-mails, click on a URL embedded in the e-mail invitation, authenticate themselves to the Privileged Access Manager web portal, review the request and approve or reject it.
  8. If any authorizers reject the request, e-mails are sent to all participants (UA, UB and LA) and the request is terminated.
  9. If M authorizers approve the request, thank-you e-mails are sent to all participants. The e-mail sent to the recipient includes a URL to an access disclosure page.
  10. UB clicks on the e-mail URL and authenticates to Privileged Access Manager.
  11. UB clicks on a button in the web portal to check-out privileged access.
  12. UB then may click on a button to do one of the following (the options available will vary based on policy):
    1. Display the password (rarely allowed).
    2. Place a copy of the password in the operating system copy buffer (sometimes allowed).
    3. Launch an RDP, SSH, vSphere, SQL Studio or similar login session to PA on S (most common).
page top page top