In a privileged access management system, authorized users are allowed access to privileged accounts. This simple statement raises an important question: how is that access granted? An access disclosure mechanism is a process that connects an authorized user to a privileged account in a secure, authenticated, authorized and auditable manner.
Hitachi ID Privileged Access Manager controls access by users and programs to privileged accounts on managed endpoint systems. In most cases, this means that when a user is authorized to connect to a privileged account, the user is able to launch a login session directly to the managed account without seeing its password.
Display of current password values can be enabled through Hitachi ID Privileged Access Manager policy configuration but is usually only recommended for users physically in the data center, who need access to a server console.
Access disclosure options include:
- Directly launch Terminal Services Client (RDP), SSH (PuTTY, SecureCRT, etc.), VMware vSphere, SQL Studio, web browser/form login and other connections to target systems from the Hitachi ID Privileged Access Manager web user interface, without displaying a password value.
- Launch an SSH or RDP session from a proxy server to the managed endpoint and display its output (terminal or bitmap) in a second tab in the user's browser.
- Place a copy of the password in the user's Windows copy buffer (clipboard). The password is automatically cleared from the copy buffer after a few seconds.
- Temporarily place the authorized user's Active Directory account in a local or domain security group.
- Temporarily append the authorized user's public SSH key to the managed account's .ssh/authorized_keys file.
- Where password display is required, display the password but automatically clear it from the user's browser display after a few seconds.
Policy rules determine which of these mechanisms are available to which users, managed systems and managed accounts.
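The temporary authorized_keys mechanism above is the one whose mechanics are easiest to get wrong: the grant must be reversible without disturbing the account's permanent keys, must not leave duplicates behind when a user checks the account out twice, and must be removed on a deadline even if the user never checks it back in. The following is an added illustration of how such a lease can be implemented; it is not Hitachi ID code and says nothing about how the product does it. The `pam-lease` comment marker, the `restrict,pty` key options, the function names and the sample public keys are all assumptions made for the example (the keys are constructed strings, not real keys).

```python
"""Time-limited SSH key grant for an authorized_keys file.

Illustration written for this page, not Hitachi ID code. A leased key is
appended with a comment that records the grantee and expiry so that a
cleanup job can later remove exactly that line and nothing else.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Hypothetical marker kept in the comment field of every leased line; lines
# without it (the account's permanent keys) are never touched.
LEASE_TAG = "pam-lease"
LEASE_RE = re.compile(rf"\s{LEASE_TAG}=(?P<user>[^:\s]+):(?P<expires>\d+)\s*$")

# Options prepended to each leased key (a choice made here, not a product
# setting): 'restrict' turns off port, agent and X11 forwarding; 'pty'
# re-allows a terminal so the user still gets an interactive shell.
KEY_OPTIONS = "restrict,pty"


def parse_lease(line: str):
    """Return (user, expires) if `line` is a leased key, else None."""
    m = LEASE_RE.search(line)
    return (m["user"], int(m["expires"])) if m else None


def _lease_user(line: str):
    lease = parse_lease(line)
    return lease[0] if lease else None


def _read(path: Path) -> list:
    return path.read_text().splitlines() if path.exists() else []


def _write_atomic(path: Path, lines: list) -> None:
    """Replace the file via rename so sshd never reads a half-written copy."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(line + "\n" for line in lines))
    os.chmod(tmp, 0o600)  # sshd with StrictModes refuses group/world-readable files
    os.replace(tmp, path)


def grant_key(path: Path, pubkey: str, user: str, ttl_s: int, now=None) -> int:
    """Lease `pubkey` to `user` for `ttl_s` seconds; returns the expiry epoch.

    A repeat grant for the same user replaces the earlier lease instead of
    leaving a duplicate line behind.
    """
    now = time.time() if now is None else now
    parts = pubkey.strip().split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("expected '<keytype> <base64> [comment]'")
    expires = int(now) + ttl_s
    lines = [l for l in _read(path) if _lease_user(l) != user]
    lines.append(f"{KEY_OPTIONS} {parts[0]} {parts[1]} {LEASE_TAG}={user}:{expires}")
    _write_atomic(path, lines)
    return expires


def revoke_user(path: Path, user: str) -> int:
    """Remove every lease held by `user` (check-in before expiry); returns count."""
    lines = _read(path)
    keep = [l for l in lines if _lease_user(l) != user]
    if len(keep) != len(lines):
        _write_atomic(path, keep)
    return len(lines) - len(keep)


def revoke_expired(path: Path, now=None) -> int:
    """Remove leases whose expiry has passed; returns the number removed."""
    now = time.time() if now is None else now
    lines = _read(path)
    keep = [l for l in lines if not (parse_lease(l) and parse_lease(l)[1] <= now)]
    if len(keep) != len(lines):
        _write_atomic(path, keep)
    return len(lines) - len(keep)


def list_leases(path: Path) -> dict:
    """Map of grantee -> expiry for every leased line currently in the file."""
    return dict(filter(None, map(parse_lease, _read(path))))


def demo() -> dict:
    """Grant, re-grant, early check-in and expiry on a scratch file."""
    ak = Path(tempfile.mkdtemp()) / ".ssh" / "authorized_keys"
    # Constructed keys for the example; none of these is a real key.
    permanent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHexampleOperatorKey0000 ops@bastion"
    alice_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAliceKey000000 alice@laptop"
    bob_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABexampleBobKey bob@desk"
    _write_atomic(ak, [permanent])
    t0 = 1_700_000_000
    grant_key(ak, alice_key, "alice", ttl_s=3600, now=t0)
    grant_key(ak, bob_key, "bob", ttl_s=600, now=t0)
    grant_key(ak, alice_key, "alice", ttl_s=3600, now=t0 + 60)  # replaces, no duplicate
    return {
        "after_grant": list_leases(ak),
        "revoked_bob": revoke_user(ak, "bob"),
        "expired_early": revoke_expired(ak, now=t0 + 1800),  # alice still valid
        "expired_late": revoke_expired(ak, now=t0 + 3700),   # alice lease now past
        "remaining": _read(ak),
        "permanent": permanent,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: removing the line only stops new logins, so a session that was opened while the lease was valid stays up until it is closed or killed; and the expiry sweep has to run on the endpoint (or be pushed from the PAM server) even when the PAM server is unreachable, otherwise a network outage silently turns a temporary grant into a permanent one.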