Each managed system policy on Hitachi ID Bravura Privilege can be configured with group sets. A group set is a defined set of security groups, each of which may exist on any of the managed systems attached to the policy. For example, a group set called WINADM might be defined on a managed system policy that contains Windows servers. This group set could be specified to include any groups that happen to exist on each managed system attached to that policy whose SID (Windows specific) ends in -512 (the Domain Admins RID) or -544 (the built-in Administrators RID), or whose name contains the letters "adm".
Users can check out a group set rather than a privileged account. When a user checks out a group set on a managed system, all of the groups that are part of the group set are temporarily attached to the user's (pre-existing) account, and they are detached again at check-in. The user account may be an Active Directory account or a login ID local to the managed system in question.
Continuing with the above example, a user could check out the WINADM group set, which would cause the user's personal, normally-unprivileged account to be temporarily attached to the various administrator groups on the selected managed system.
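The following Python model is an added example for this page; it is not Hitachi ID code and does not use the Bravura Privilege API. It shows the two mechanics described above: resolving the WINADM selection rule (RID 512, RID 544, or "adm" in the name) against the groups that happen to exist on each managed system, and a check-out/check-in that attaches the matching groups to the user's own account and later removes only what check-out added. The system names, SIDs, group names and accounts are constructed sample data, and `in_winadm`, `resolve_group_set`, `check_out` and `check_in` are illustrative functions, not product features.

```python
"""Illustrative model of group-set resolution and check-out/check-in.

Written for this page as an example; not Hitachi ID code or its API.
All inventories and accounts below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    name: str
    sid: str


# Constructed inventories: the groups present on each managed system.
SYSTEMS: dict[str, list[Group]] = {
    "DC01": [
        Group("Domain Admins", "S-1-5-21-1111111111-2222222222-3333333333-512"),
        Group("Domain Users", "S-1-5-21-1111111111-2222222222-3333333333-513"),
        Group("SQL-Admins", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    ],
    "WEB01": [
        Group("Administrators", "S-1-5-32-544"),
        Group("Users", "S-1-5-32-545"),
        Group("Remote Desktop Users", "S-1-5-32-555"),
    ],
}

# Constructed membership state: (system, account) -> group names the account
# already belongs to before any check-out.
MEMBERSHIP: dict[tuple[str, str], set[str]] = {
    ("DC01", "CORP\\alice"): {"Domain Users"},
    ("WEB01", "CORP\\alice"): {"Users"},
}


def in_winadm(group: Group) -> bool:
    """WINADM rule from the text: RID 512 (Domain Admins), RID 544
    (built-in Administrators), or 'adm' anywhere in the name."""
    rid = group.sid.rsplit("-", 1)[-1]
    return rid in {"512", "544"} or "adm" in group.name.lower()


def resolve_group_set(system: str, rule=in_winadm) -> list[Group]:
    """Groups on one managed system that match the group set's rule.
    A group set names a rule, so each system contributes whatever it has."""
    return [g for g in SYSTEMS[system] if rule(g)]


@dataclass
class Checkout:
    system: str
    account: str
    added: set[str] = field(default_factory=set)  # only what check-out attached


def check_out(system: str, account: str, rule=in_winadm) -> Checkout:
    """Attach every matching group to the user's existing account.
    Groups the account was already in are left alone and not recorded,
    so check-in cannot strip a pre-existing membership."""
    current = MEMBERSHIP.setdefault((system, account), set())
    co = Checkout(system, account)
    for g in resolve_group_set(system, rule):
        if g.name not in current:
            current.add(g.name)
            co.added.add(g.name)
    return co


def check_in(co: Checkout) -> set[str]:
    """Detach only the groups this check-out added; return the restored state."""
    current = MEMBERSHIP[(co.system, co.account)]
    current -= co.added
    return set(current)


if __name__ == "__main__":
    co = check_out("WEB01", "CORP\\alice")
    print("added on check-out:", sorted(co.added))
    print("after check-in:", sorted(check_in(co)))
```

Two points the model makes explicit. First, resolution is per managed system: the same WINADM group set yields Domain Admins and SQL-Admins on DC01 but only Administrators on WEB01, because the rule is evaluated against whatever groups exist there. Second, check-out records the delta it made and check-in removes only that delta, so an account that was already a member of one of the groups keeps that membership afterwards. On a real Windows host, a group membership change is reflected in the user's access token only at the next logon, which is a separate consideration from the membership state shown here.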
Checking out group sets has pros and cons as compared to checking out access to shared accounts:
| | Pros | Cons |
|---|---|---|
| Shared accounts | | |
| Group sets | | |