System administrators rarely work on just one system at a time. For example, they may need to patch a group of servers, or add a new policy rule to multiple servers, or diagnose a problem in an N-tier application, including web front ends, transaction servers and databases.
Checking out access to one account at a time is unnatural when performing these kinds of tasks. It slows down work and causes administrators to push back against use of the privileged access management system. It is better to allow administrators to check out multiple accounts at once and either launch multiple login sessions or push commands to multiple systems at once.
Hitachi ID Privileged Access Manager supports check-out of multiple accounts at once and pushing commands to those accounts:
- An account set may be defined in advance or created implicitly by selecting multiple accounts from search results.
- Pre-defined account sets may include accounts on managed systems either by selecting them individually or by defining search criteria. If search criteria are used, then accounts that are included in the set are identified only at check-out time. This allows for systems and accounts to be onboarded after the account set is defined and before it is used and still be included in check-outs.
Examples of account sets may be:
- An OS account plus a DB account, used by a given application.
- Every account with an ID of 'Administrator' on systems with OS type == Windows Server and IP in a given subnet.
- Every account with an ID of 'dba' on systems of type MSSQL with a hostname matching a regular expression.
Account sets can be defined by any Privileged Access Manager user and may be either private or shared with other Privileged Access Manager users.
Once an account set has been defined, it can be checked out. This allows a Privileged Access Manager user to check out more than one account at a time. Once a check-out has been authorized (pre-approved or via workflow), the user may:
- Launch multiple administrator tools, connecting to each account. For example, launch several RDP windows, several SSH sessions, etc. This is convenient for managing complex systems and applications.
- Push commands to be executed on the checked out accounts, all at the same time and retrieve their results. This is supported on Windows servers (PowerShell commands), Unix/Linux and network devices (SSH connections) and database systems (SQL).
Using this mechanism, Privileged Access Manager users can perform bulk actions, such as
patching several (up to about 100) systems at once, retrieving system
health or other metrics from multiple systems, starting or stopping
hypervisors and guest VMs, etc. In short, with account sets, Privileged Access Manager
becomes a power tool for system administrators.