Users gain access to Hitachi ID Privileged Access Manager itself -- for example, to make configuration changes and run reports -- and to managed systems and accounts through user classes.
User classes are expressions in terms of identity attributes and group memberships on integrated systems. For example, a user may be considered a member of a user class called "Windows Server Administrators NYC" if he satisfies the conditions:
- Member of "Windows server administrators" group on the Active Directory domain ADCORP; and
- The user's location code in HR is "NYC."
Members of the user class "Windows Server Administrators NYC" can then be granted access rights within Privileged Access Manager, such as:
- Can sign into the Privileged Access Manager web portal.
- Can run reports.
- Can request access to privileged accounts.
- Can checkout access to privileged accounts attached to the managed system policy "NYC Windows Servers" without additional approvals.
Most Privileged Access Manager deployments leverage AD or LDAP groups in the user classes that control user rights. This means that trustworthy management of who is attached to key AD and LDAP groups underpins the security of Privileged Access Manager and by extension the security of access to privileged accounts across the enterprise.
Privileged Access Manager includes workflows, policy enforcement and reports to help organizations effectively manage these sensitive groups. This includes:
- Workflow screens where users can request group membership. Requests are subjected to policy review (including SoD -- see below) and approval by other business users (e.g., managers, group owners, etc.).
- Periodic certification (review and cleanup) of the membership of sensitive groups.
- Enforcement of segregation of duties policies, to prevent users from acquiring toxic combinations of rights via the Privileged Access Manager request/approval workflow.
- Detection of existing segregation of duties policies, to identify users who either already had toxic combinations of rights before an SoD policy was defined or who acquired such combinations using tools other than Privileged Access Manager.
SoD rules in Privileged Access Manager are formulated as:
- No user may have more than N of the following entitlements.
- Entitlements may be group memberships (e.g., on AD domains or LDAP directories).
- Entitlements may also be role memberships (e.g., sets of groups).
- Entitlements may span target systems (e.g., one on AD, two on LDAP).
- Attribute X taking on value Y on system Z can be treated as a synthetic group membership.
Using this infrastructure, SoD rules such as the following can be defined, enforced and monitored:
- Windows administrators can only manage systems in a single data center.
- No user may be both a Windows and Linux administrator.
- Users who can request playback of a recorded administrator login session cannot also authorize such playback.