Access Disclosure Mechanism
In a privileged access management system, authorized users are allowed access to privileged accounts. This simple statement raises an important question: how is that access granted? An access disclosure mechanism is a process that connects an authorized user to a privileged account in a secure, authenticated, authorized and auditable manner.
Hitachi ID Privileged Access Manager controls access by users and programs to privileged accounts on systems and applications. By default, that means that when a user is authorized to connect to a privileged account, the user is able to launch a login session directly to that account without ever seeing its password.
Display of current password values can be enabled through Privileged Access Manager policy configuration but is not normally recommended.
Access disclosure options include:
- IT staff can directly launch Terminal Services (RDP), SSH (PuTTY), VMware vSphere, SQL Studio, web browser/form login and other connections to target systems from the Privileged Access Manager web user interface, without displaying a password value.
- IT staff can use an ActiveX control embedded in the Privileged Access Manager web portal to place a copy of a sensitive password into their Windows copy buffer, again without displaying the passwords. This password is automatically cleared from their copy buffer after a few seconds.
- Privileged Access Manager can dynamically attach a recipient's Active Directory domain login ID to a local security group on a target system and later remove it. This eliminates the need to disclose passwords even to a software agent on the recipient's workstation.
- Privileged Access Manager can temporarily place a user's public SSH key into the target account's .ssh/authorized_keys file.
A policy defined for each set of managed systems in Privileged Access Manager determines which of these access disclosure mechanisms is available. For example, password display may be allowed for Windows workstations, since they may be inaccessible over the network, but RDP sessions with injected passwords may be mandatory on Windows servers.