Select managed system and account:
When a user needs to gain access to a privileged account on a managed system, the first step is to select the system and account. A searchable, browsable UI is presented for this purpose, as shown here.
Check out a session:
The next step is to check out a session. Access control rules determine which users are allowed to check out a session to which accounts on which systems. Alternatively, a user can request one-time access (authorized through a workflow process). In either case, concurrency limits may be in place, for example to ensure that no more than two administrators work on the same system at the same time.
Launch RDP connection:
Once a session has been activated, the user can connect. Policy determines what connection options are available -- in this case, there is just one: to launch a remote desktop session.
Manage the system:
Using the remote desktop window, the user can do his work. He can close the window and open it again later, so long as his Hitachi ID Privileged Access Manager session has not timed out and been automatically checked back in.
Check in the session:
When his work is done, the administrator checks in the session. This typically causes the password to the account he was using to be randomized again and the new value placed in the secure, replicated vault.
Report: Managed account check-outs / check-ins:
Shows current and historical check-outs of managed accounts. Can be run with data selection on system/account (i.e., who has accessed this?) or based on user (i.e., what has this user signed into?).
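The check-out walkthrough above (access control, a concurrency limit of two, re-opening the window while the session is live, automatic check-in on timeout, and password randomization at check-in) and the check-out/check-in report can be modelled in a few dozen lines. The following is an added example written for this page, not Hitachi ID code; the class and function names (Vault, Session, checkout, checkin, accessed_by) are invented, the system and user names are constructed, and it assumes one design choice the page leaves open: the password is randomized only when the last active session on an account ends, so that a second administrator's live session is not invalidated mid-work.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of a privileged-account check-out flow; names are this
# example's own and do not correspond to any vendor API.

@dataclass
class ManagedAccount:
    system: str
    account: str
    password: str            # current value held in the vault
    concurrency_limit: int = 2

@dataclass
class Session:
    user: str
    system: str
    account: str
    checked_out: datetime
    expires: datetime
    checked_in: Optional[datetime] = None
    reason: str = ""         # "user" for a normal check-in, "timeout" for automatic

class AccessDenied(Exception):
    pass

class ConcurrencyLimitReached(Exception):
    pass

def random_password(length: int = 24) -> str:
    # CSPRNG-backed value written to the vault when an account is released.
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))

class Vault:
    def __init__(self, accounts, acl, ttl=timedelta(hours=1)):
        self.accounts = {(a.system, a.account): a for a in accounts}
        self.acl = set(acl)            # pre-authorized (user, system, account) tuples
        self.ttl = ttl                 # session lifetime before automatic check-in
        self.log: list = []            # every Session ever issued; the audit record

    def _others_active(self, s: Session) -> bool:
        return any(o is not s and o.checked_in is None
                   and (o.system, o.account) == (s.system, s.account) for o in self.log)

    def _close(self, s: Session, when: datetime, reason: str) -> None:
        s.checked_in, s.reason = when, reason
        # Assumption: randomize only once nobody else holds the account.
        if not self._others_active(s):
            self.accounts[(s.system, s.account)].password = random_password()

    def _expire(self, now: datetime) -> None:
        # Automatic check-in of sessions whose lifetime has elapsed.
        for s in self.log:
            if s.checked_in is None and now >= s.expires:
                self._close(s, s.expires, "timeout")

    def active(self, system: str, account: str, now: datetime) -> list:
        self._expire(now)
        return [s for s in self.log
                if s.checked_in is None and (s.system, s.account) == (system, account)]

    def checkout(self, user: str, system: str, account: str, now: datetime) -> Session:
        if (user, system, account) not in self.acl:
            raise AccessDenied(f"{user} is not authorized for {account}@{system}")
        acct = self.accounts[(system, account)]
        if len(self.active(system, account, now)) >= acct.concurrency_limit:
            raise ConcurrencyLimitReached(f"{acct.concurrency_limit} sessions already active")
        s = Session(user, system, account, now, now + self.ttl)
        self.log.append(s)
        return s

    def credential(self, session: Session, now: datetime) -> str:
        # Called each time the user (re)opens the connection: only a live session may read it.
        self._expire(now)
        if session.checked_in is not None:
            raise AccessDenied("session is no longer active")
        return self.accounts[(session.system, session.account)].password

    def checkin(self, session: Session, now: datetime) -> Session:
        self._expire(now)
        if session.checked_in is None:
            self._close(session, now, "user")
        return session

    # Report queries: who has accessed this account? what has this user signed into?
    def accessed_by(self, system: str, account: str) -> list:
        return sorted({s.user for s in self.log if (s.system, s.account) == (system, account)})

    def accessed_by_user(self, user: str) -> list:
        return sorted({(s.system, s.account) for s in self.log if s.user == user})

def demo() -> dict:
    # Constructed scenario: three authorized admins, one not, limit of two concurrent sessions.
    t0 = datetime(2024, 1, 1, 9, 0)
    vault = Vault([ManagedAccount("db01", "root", "initial-pw", concurrency_limit=2)],
                  acl=[(u, "db01", "root") for u in ("alice", "bob", "carol")])
    out = {}
    a = vault.checkout("alice", "db01", "root", t0)
    b = vault.checkout("bob", "db01", "root", t0 + timedelta(minutes=5))
    try:
        vault.checkout("carol", "db01", "root", t0 + timedelta(minutes=10))
        out["carol_blocked"] = False
    except ConcurrencyLimitReached:
        out["carol_blocked"] = True
    try:
        vault.checkout("dave", "db01", "root", t0 + timedelta(minutes=10))
        out["dave_denied"] = False
    except AccessDenied:
        out["dave_denied"] = True
    out["pw_during_alice"] = vault.credential(a, t0 + timedelta(minutes=15))
    vault.checkin(a, t0 + timedelta(minutes=20))
    out["rotated_after_alice"] = vault.accounts[("db01", "root")].password != "initial-pw"
    t_late = t0 + timedelta(minutes=70)         # bob's session expired at t0+65
    try:
        vault.credential(b, t_late)
        out["bob_timed_out"] = False
    except AccessDenied:
        out["bob_timed_out"] = True
    out["bob_reason"] = b.reason
    out["rotated_after_timeout"] = vault.accounts[("db01", "root")].password != "initial-pw"
    c = vault.checkout("carol", "db01", "root", t_late)
    out["carol_gets_new_pw"] = vault.credential(c, t_late) != "initial-pw"
    out["accessed_by"] = vault.accessed_by("db01", "root")
    out["alice_used"] = vault.accessed_by_user("alice")
    return out
```

Two points worth noticing when reading the scenario: the connection launcher never caches the password, it asks the vault on every (re)open, which is what makes the timeout enforceable; and because the audit log keeps closed sessions with their close reason, the same data answers both directions of the report (by account, by user) without any extra bookkeeping.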
Report: Expired password:
Shows when passwords are due to be changed next -- for example, at check-in time or on a schedule.
Report: Account access check-out trend:
Shows activity, in terms of workflow requests for one-off access and check-outs (pre-authorized or individually approved) over time. The scope of the report (which systems, which accounts) and the time interval are configurable.
Report: Discovered accounts:
Shows accounts that have been discovered by the system. For each account, indicates why it appears in the listing -- for example, the account is a member in a privileged security group, is used to run a service, etc.