A user who has signed on, requested access and been authorized to have that access should sign into the relevant managed account. There are multiple ways to do this, most of which do not involve disclosing the current password from the vault.
Hitachi ID Privileged Access Manager supports five basic methods to disclose access:
- Password disclosure: Give the authorized user the password for a managed account, either through display or copy buffer integration. This is usually not permitted.
- Direct connection: Launch the desired administration program on the user's PC and inject credentials into that program, so that it automatically signs into the managed account on the managed system.
- Proxy connection: Connect the user through an intermediate, proxy server, which in turn runs an administration program and signs into the managed system and account.
- Privilege elevation: Do not sign the user into the managed system at all. Instead, elevate the security rights of the user's personal, non-privileged account so that it can temporarily perform privileged functions on the managed system.
- Run commands: Privileged Access Manager signs into managed systems using managed credentials and executes commands on behalf of the user. It collects and displays results to the user.
Password disclosure can be restricted to only a few cases, such as desk-side support. More convenient mechanisms, such as single sign-on to privileged accounts and checking out multiple accounts at a time, are normally offered instead.