Password Access Control Workflow
PAM360 provides an access control mechanism that allows administrators to grant password access to users for a specific period. Admins can start granting exclusive privileges once a password is ready to share, and only one user is allowed to use a particular password at any point of time. Additionally, administrators can provide just-in-time (JIT) privilege elevation to local user accounts in a Windows resource. For example, assume "dbuser" is a local account in a Windows resource added to PAM360, and this account does not have any admin privileges. Using the JIT privilege elevation feature, an admin can elevate dbuser's privileges to those of an admin or any other privileged user.
You will learn the following topics concerning the Password Access Control workflow:
- How does the Password Access Control mechanism work?
- Steps to implement Password Access Control workflow
- Use case scenarios
- Glossary of Terminologies
1. How Does the Password Access Control Mechanism Work?
Once password access control is enforced for a resource, the following workflow is invoked for every password access attempt by users.
- A user needs access to a password that is shared with them.
- The user makes a request to access the password.
- The request is sent to the designated administrator(s) for approval. If more users require access to the same password, all the requests will be queued up for approval.
- If the administrator does not approve the request within the stipulated time, it becomes void. In case the user has specified a particular time frame for password access, then the request becomes void after the user-specified stipulated time.
- The request, rejected by even one of the designated administrators, becomes void.
- If the administrator approves the request, the user will be allowed to check out the password only during the stipulated time, or during the time set by the administrator during approval. If more than one administrator has to approve a password, the user will be allowed to check out the password only after all of the designated administrators have approved the request.
- Once the user checks out the password, it will be available exclusively for their use till the stipulated time.
- If any other user requires access to the same password at the same time, they will be provided access only after the previous user checks in the password. This rule applies to all types of user roles in PAM360, including administrators, password administrators and the owner of the password.
- An administrator can also revoke the user's password access at any time. The password will be forcefully checked in in such circumstances, denying access to the user. Once the user finishes their work, the password will be reset.
- While granting a temporary exclusive access to a user, you can enable administrators to view the password concurrently by selecting the option Enforce users to provide reason for password retrieval under Admin >> Settings >> General Settings.
Note: The access control workflow does not override the password ownership and sharing mechanism of PAM360, rather it is only an enhanced access control mechanism. Normally, when a password is shared with a user, the user will be able to view the password directly. However, when access control is enabled, the user will have to request the release of a password to which they are already allowed access.
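The workflow above, expressed as a small reference model (an added example, not PAM360's own code): a Policy holds the values set under Miscellaneous Settings, a Request carries the status strings the product displays, and ControlledPassword enforces approval by N designated administrators, voiding of unapproved requests, rejection by a single administrator, exclusive check-out, user or forced check-in with the optional reset, and the skip of a scheduled reset while the password is checked out (Case 6). The class and field names, the reset_hook callable and the default durations are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:  # settings from the Configure Access Control window (illustrative defaults)
    approvers: frozenset                              # designated approval administrators
    min_approvals: int = 1                            # "Enforce approval by at least __ administrators"
    void_after: timedelta = timedelta(hours=2)        # "Requests are void after X hours, if not approved"
    exclusive_for: timedelta = timedelta(minutes=30)  # "exclusive for a maximum of X minutes"
    reset_on_checkin: bool = True                     # "Reset password / key after exclusive use"

@dataclass
class Request:  # one user's password release request and its current status
    user: str
    raised_at: datetime
    approved_by: set = field(default_factory=set)
    status: str = "Waiting for approval"

class ControlledPassword:  # one access-controlled password; at most one holder at any time
    def __init__(self, policy, reset_hook):
        self.policy, self.reset_hook = policy, reset_hook  # reset_hook stands in for remote reset
        self.holder = self.checked_out_at = None           # request currently checked out, and when

    def process(self, req, admin, approve, now):  # a designated administrator approves or rejects
        if admin not in self.policy.approvers:
            raise PermissionError(f"{admin} is not a designated approver")
        if req.status != "Waiting for approval":
            raise ValueError(f"request is already {req.status}")
        if now - req.raised_at >= self.policy.void_after:
            req.status = "Void"             # not approved within the stipulated time
        elif not approve:
            req.status = "Rejected"         # rejection by even one designated admin is final
        else:
            req.approved_by.add(admin)      # approvals accumulate until min_approvals is met
            if len(req.approved_by) >= self.policy.min_approvals:
                req.status = "Yet to Use"   # released, but not yet checked out
        return req.status

    def check_out(self, req, now):
        self._auto_check_in(now)
        if req.status != "Yet to Use":
            raise ValueError(f"cannot check out a request that is {req.status}")
        if self.holder is not None:
            return False                    # exclusive use: wait until the holder checks in
        self.holder, self.checked_out_at, req.status = req, now, "In Use"
        return True

    def check_in(self, req, now, forced=False):  # user gives it up, or admin forcefully checks in
        if self.holder is not req:
            raise ValueError("this request does not hold the password")
        self.holder = self.checked_out_at = None
        req.status = "Request again"
        if self.policy.reset_on_checkin:
            self.reset_hook(forced)         # a failure here should notify the approving admins
        return req.status

    def _auto_check_in(self, now):  # exclusive window elapsed: the system revokes access itself
        if self.holder is not None and now - self.checked_out_at >= self.policy.exclusive_for:
            self.check_in(self.holder, now)

    def scheduled_reset(self, now):  # periodic reset task skips a checked-out password (Case 6)
        self._auto_check_in(now)
        if self.holder is None:
            self.reset_hook(False)
        return self.holder is None
```

Drive it with a sequence of Request, process, check_out and check_in calls carrying timestamps; the status strings it returns are the ones listed in the Glossary at the end of this page.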
2. Steps to Implement Password Access Control Workflow
- Click the Resources tab and select all resources for which you wish to enforce access control in bulk, click Resource Actions drop-down from the top bar and choose Configure >> Access Control.
- To implement access control for a single resource, from the Resources tab, click the Resource Actions drop-down beside the required resource and choose Configure Access Control.
- In the Configure Access Control window that opens, you will see five tabs. Customize the settings as required.
3.1 Approval Administrators
Designate the administrator(s) as the approvers of password release requests. The list of all administrators, password administrators, and privileged administrators in the system is shown in the left section. You can designate as many administrators as you wish for a particular resource. Anyone from the list of Authorized Administrators can approve the requests raised by users.
3.2 Excluded Users
Exclude a set of users from the access control workflow using this option. The excluded users will be able to access passwords directly without raising requests.
3.3 Miscellaneous Settings
- Enforce approval by at least __ administrators: Select this option to enforce approval by a specific number of administrators for all password requests. This number can vary from 1 to 10 administrators and you can customize it by choosing the number of admins under Admin >> Settings >> General Settings >> Maximum X approval admins (a minimum of 1 to a maximum of 10 admins). If you wish to enforce approval by at least 10 admins, then you must designate 10 admins as the authorized administrators under the Approval Administrators section.
Note: You can also designate user group(s) as approvers for password release requests. When a user group is designated as an approver, all the users with admin rights within that group (the administrators, password administrators, privileged administrators and admin users with the custom role) are given access rights. If you have enforced approval by a particular number of administrators, say 5, then the authorized user group must have at least 5 valid administrators.
- Enforce users to provide a reason for password retrieval: Use this option to mandate users to provide a reason when they try to retrieve a password in plain text by clicking the asterisks. This is useful for auditing purposes.
- Send a reminder mail to the administrators to process the password access request before X minutes of the stipulated time: Use this option to set a time at which a reminder email will be sent to the administrator about the password request that is yet to be approved. PAM360 will send the reminder email at the specified number of minutes before the void time.
- Once the access time ends, provide grace time of X minutes to the user: Enable this option to provide a grace time of up to 60 minutes to the user, after the password access time ends.
- The password will be checked in automatically after X hours of approval time: Use this option to specify the exact time after which the password will be checked in automatically and will no longer be available for use.
- Requests are void after X hours, if not approved: Use this option to specify the maximum time, in hours, after which a pending password request would become void if the administrators do not approve. If even one administrator approves the password request, then the approval status will be sent as notification to the other authorized administrators.
- Password access can remain exclusive for a maximum of X minutes: Select this option to enforce concurrency controls for password access. During this specified time, the password is made available for the exclusive use of a particular user and no one else, including the owner of the resource, is allowed to view the password. By default, the password will remain exclusive for 30 minutes. However, you can modify it to a desired value. For example, if you specify the time period as two hours, the password would be made available exclusively for that user for two hours. Others cannot view the password during that time. After the specified time, the password access will be void and will not be available to the user, and other users will be able to view the passwords. If you specify the value as '0' hours, the password will remain exclusive for unlimited hours.
- Reset password / key after exclusive use (password / key checked-in by the user): Select this option to enforce automatic reset of password once the user checks in the password thereby giving up access. For automatic password reset to take effect, you need to ensure that all required credentials have been supplied to the resource for remote password reset or you should have installed PAM360 agents in the resource. Otherwise, the automatic password reset will not take effect. Click here for instructions on Remote Password Reset and Password Reset via PAM360 Agents.
3.4 Auto Approval
PAM360 provides the option to set automatic approval of password access requests. This auto-approval feature is handy during the times when an administrator may not be available to approve access requests for users. To implement this, administrators can set an approval time for every day or specific times on specific days of the week. All password access requests that are raised in this time frame will be auto-approved and the authorized administrators will be notified. For example, you can set auto-approval for all requests raised between 2 p.m. and 3 p.m. on Saturday. You can set up to 3 approval time frames for a single day. Except for the automatic nature of approval, all other aspects of this feature remain the same as the access control workflow.
3.5 Privilege Elevation
Administrators can provide just-in-time (JIT) privilege elevation to local accounts in PAM360. For this, the administrator has to access the Privilege Elevation tab. Then, select the required groups out of the available local groups in the Windows resource and save them locally in the PAM360 database. Now, the privilege elevation configuration is ready for the local user account(s) under the selected resource.
Later, during the password check-out by any of the local accounts under the resource, their access privileges will be elevated to those of the local groups they were added to, and they will be able to operate with the same group privileges for a stipulated time, as set by the administrator under Miscellaneous Settings.
The JIT privilege elevation feature comes in handy in situations where a local account may not have the access privileges to use certain applications or services in a system. Using the JIT privilege elevation feature, administrators can provide timely and controlled access to accounts to operate applications or systems for a specified period. This feature gives administrators the ability to control who can access what and for how long, thereby eliminating the need to provide unnecessary blanket access for all accounts. This is based on the principle of least privilege, which is one of the core philosophies of zero trust networks.
- Access the Privilege Elevation tab and enable the Elevate account privilege by adding into the below local groups option.
- Click Select and all the local groups available in the Windows resource will be fetched and displayed in the Select Local Group dialog box. Choose the required groups and click Save. To update this list of local groups saved in the database, click the Refresh icon at the top right corner of the window.
- The selected groups will be listed in the Selected Local Groups box.
Once you have configured the necessary options for setting up password access control, click Save & Activate. To remove previously configured access control for the selected resource, click the Deactivate button.
Now, when the resource is shared with a user who has Password User or Password Auditor capabilities, they can request password access or elevation. This request can be approved or rejected by any admin in the Authorized Administrators list.
- Privilege elevation for local accounts using the above procedure can be done only for Windows resources. To apply privilege elevation in Windows Domain resources, integrate PAM360 with ManageEngine ADManager Plus. Click here for more details on the integration.
- Privilege elevation happens only at the time of password check-out i.e., PAM360 will add the local account to the selected local groups only when the password of the local account is checked out from the PAM360 vault.
- If privilege elevation fails for a local user account when PAM360 adds it to the selected local groups, then the password of the account cannot be requested by users who have access to it. For more details on the reasons for failure, check the audit logs in the Audit tab.
- Password access control cannot be deactivated for a resource when the password is checked out and is currently in use.
- It is recommended that resource owners do not change the Resource Type or Remote Password Reset settings of a resource for which access control is configured and whose password is currently in use. Doing so will remove the access control configuration. To check if the status of a password is In Use, go to Admin >> Manage >> Password Access Requests and check the status under Action. Refer to this topic for more details.
3. Use Case Scenarios
Following are some of the use case scenarios in which the access control workflow will be useful in an organization.
Case 1: User Requesting Access to View a Password
To access a password protected by the access control workflow, a user will have to request the administrator to grant permission to view the password.
Steps To Make a Request:
- Click the Resources tab from the left pane and click the Passwords tab.
- All the passwords will be listed in the table below. Click Request beside the desired passwords to request the administrator to grant permission to view the passwords.
- In the new pop-up form that opens, you will be able to:
- Specify when you want to access the password - now or later.
- Enter a reason to view the password.
- Specify the time before which a reminder email is to be sent.
- Once the administrator approves your request, you will be allowed to view the password. Until then, the status will be Waiting for approval.
- Once the administrator approves the request, the status will change to Check Out. To view the password, click Check Out. Please note that the Check Out button will be enabled only during the approved access time.
- Click Save. Now, you will be allowed to view the password.
Case 2: Administrator Approving a Password Request
If you're an administrator and a user has requested your approval to view a password, you will receive an email notification about the request. You can view all the requests pending your approval from the Admin tab.
To Approve a Request:
- Navigate to Admin >> Manage >> Password Access Requests.
- Click Process Request beside a request to allow the user to view the password. Once you do this, a new window will open where the administrator can do any of the following things:
- Approve or reject the password access request.
- Specify when the user can access the password - Now or Later.
- Specify the reason for approval / rejection of the request.
- Immediately after you approve the request, the status of the link will change to Yet to Use, indicating that the user is yet to check out the password.
- Once the user has viewed the password, the status will change to In Use.
Note: If a password access request is rejected by an admin in the above scenario, the request will be removed from the queue.
Case 3: User Completes their Password Usage
The crux of the access control mechanism is that the user is allowed only temporary access to passwords. So, once the user finishes their work, they can give up the password.
To Give Up Access to the Password:
- Click the Check In button beside the password. Now the password will be checked back into the system and the status will change to Request again.
- You will no longer be able to view the password. In case, you require access again, you will have to go through the Request-Release process again.
Case 4: Administrator Forcefully Checks In the Password
The access control mechanism grants exclusive access privilege to a user for a specified time period. During this period, no one else is allowed to view the password, including the owner. If an emergency arises that requires revoking the user's exclusive permission, an administrator can forcefully check in the password at any point of time.
To Forcefully Check In a Password:
- Go to Admin >> Password Access Requests.
- Click Check in beside the specific request to revoke the user's access permission. Once you do this, the user will not be allowed to view the password. The password access request will also vanish from the list.
Case 5: What Happens if the Automatic Scheduled Password Reset Fails During Password Check In
Once a password is checked out by a user, it will be checked in due to any of the following three reasons:
- User checks in the password on their own after password usage is complete.
- System automatically revokes the password after the stipulated time.
- Administrator forcefully checks in the password.
When a password is checked in, if the admin settings require automatic password reset, PAM360 will try to reset the password. In case PAM360 is not able to reset the password in the actual resource, PAM360 will immediately trigger email notifications to the administrators who approved the password access request of the user, so that they can troubleshoot and set things right. The password reset failure will also reflect on the audit trails.
Case 6: What Happens if a Scheduled Password Reset Task Runs When a Password is Checked Out?
PAM360 provides an option to create scheduled tasks for automatic and periodic password resets. It is possible that a scheduled task starts executing the reset of a password that is currently checked out by a user. If that reset task is allowed to execute successfully, the user will be working with an outdated password. To avoid such password mismatch issues, PAM360 will prevent the reset of that password alone while all other passwords of other resources that are part of the scheduled task will be reset. The failure to reset the exempted password during the password reset schedule will reflect on the audit trails.
Case 7: Disabling Access Control
- Go to the Resources tab and select the resources for which you wish to disable access control.
- Go to Resource Actions >> Configure >> Access Control and click Deactivate.
Access Control for the selected resource will be deactivated. That means, any user who has permission to view the password (owned/shared) will be able to view the password without going through the access control process for that particular resource.
Case 8: Transferring Approver Privileges to Other Administrators
When an administrator leaves the organization or moves to a different department, resources owned by that administrator are transferred to some other administrator. If the departing administrator had acted as the approver for password release requests, the approval privileges should also be transferred. All the resources that were earlier controlled by one admin can be easily transferred in bulk to another admin. Follow the steps below to transfer approver privileges from one administrator to another.
To Transfer Approver Privileges:
- Navigate to the Users tab and select or search for the user whose approver privileges you would like to transfer to another admin.
- Click the User Actions icon beside that user and select Transfer Approver Privileges from the drop down list.
- In the Transfer Approver Privileges window that opens, all the resources for which the selected admin is an authorized administrator will be displayed. Choose the desired resources.
- From the Transfer To drop down, select the admin to whom you would like to transfer the approver privileges and click Transfer. The approver privileges will be transferred and the authorized administrator will be changed accordingly.
Case 9: What Happens if the Resource Type of a Resource is Changed When Privilege Elevation is Configured
If privilege elevation is configured for a resource and the password is currently in use, changing the Resource Type or the Remote Password Reset settings of the said resource will remove the access control configuration, thereby exposing the password to users who have access to this resource. It is recommended that resource owners/administrators wait until the password is checked in before modifying the resource settings. To check the status of a password, go to Admin >> Manage >> Password Access Requests and check the status under Action.
4. Glossary of Terminologies
- Request: The user has to make a request to view the password.
- Waiting for Approval: The user's password release request is pending with the administrator(s) for approval.
- Check Out: The administrator has approved the request and the user can view the password.
- Process Request: The administrator can either approve or reject the password request.
- Yet to Use: Indicates that the user is yet to view the password released by the administrator.
- In Use: The password is being used exclusively by a user.
- Check In: Giving up/revoking password access.