Request one-time access
- During an emergency or during a one-time event such as a production migration, users can request access to privileged accounts.
- Requests are subject to validation (e.g., does the request include a valid incident number?) and authorization.
- A powerful workflow engine is built into Hitachi ID Privileged Access Manager.
- The approval process supports:
- Inviting multiple authorizers at one time.
- N of M approvals.
- Reminders, escalation and delegation to replace non-responsive authorizers with alternates.
Approve one-time access
- Authorizers are invited to review requests via e-mail.
- Requests are approved or rejected via a secure, authenticated web form.
- Authorizers who don't respond promptly will receive reminder e-mails.
- The approvals UI is works with small web browsers, such as on smart phones. This means that requests can be approved any-where, any-time.
Launch one-time session to a privileged account
- Once a session has been approved, the request's recipient can launch a login session to the privileged account.
- As with routine administrator access, Privileged Access Manager is normally configured to launch SSH, RDP and similar sessions rather than displaying a password value.
- Passwords are normally re-randomized when a session completes and access is “checked in.”
- Checkout/checkin controls can limit the number of people connected to the same administrator ID at one time.
- Late users are shown the names of people already connected to the same account.
Request, approve, and playback recorded session
- Recorded sessions may contain sensitive of private data. They are protected in Hitachi ID Privileged Access Manager by a combination of access controls and workflow approvals. An auditor must first request the right to perform a search of recorded sessions. Once this has been approved, he must select a session and request access to the recording. Only when this second request is approved can he download and play back the session.
- Securing access to recorded sessions.
- Search using meta data and keyboard input.
- Approvals for both search and play-back.
Hitachi ID Privileged Access Manager API CMD
- Command-line execution of FTP client.
- Plaintext password replaced with credentials from secure vault.
- Video shows establishment of trust relationship.
- Authentication into Privileged Access Manager web services API uses OTP and IP address validation.
- Wrapper library manages caching, encryption, key generation, serialization.
- Encryption key generated based on runtime environment.
- Command-line launcher hides complexity from user.