Password Access Control Workflow
PAM360 provides an access control mechanism with which administrators can grant password access to users for a specific period of time. Admins can give exclusive privileges once the password is shared so that only one user is allowed to use a particular password at any point of time.
You will learn the following topics concerning Password Access Control workflow:
- How does the Password Access Control mechanism work
- Steps to implement Password Access Control workflow
- Use case scenarios
- Glossary of Terminologies
1. How Does the Password Access Control Mechanism Work
Once the password access control is enforced for a resource, the following workflow is invoked for password access attempt by the users.
- A user needs access to a password that is shared with them.
- The user makes a request to access the password.
- The request is sent to the designated administrator(s) for approval. If more users require access to the same password, all the requests will be queued up for approval.
- If the administrator does not approve the request within the stipulated time, it becomes void. In case the user has specified a particular time frame for password access, then the request becomes void after the user-specified stipulated time.
- The request, rejected by even one of the designated administrators, becomes void.
- If the administrator approves the request, the user will be allowed to check out the password only during the stipulated time, or during the time set by the administrator during approval. In case, more than one administrators have to approve a password, user will be allowed to check out the password only after all of the designated administrators have approved the request.
- Once the user checks out the password, it will be available exclusively for their use till the stipulated time.
- If any other user requires access to the same password at the same time, they will be provided access only after the previous user checks in the password. This rule applies to all types of user roles in PAM360, including administrators, password administrators and owner of the password.
- Administrator can also revoke password access for the user any time. The password will be forcefully checked-in during such circumstances, denying access to the user. Once the user finishes their work, the password will be reset.
- While granting a temporary exclusive access to a user, you can enable administrators to view the password concurrently by selecting the option Enforce users to provide reason for password retrieval under Admin >> Settings >> General Settings.
Note: The access control workflow does not override the password ownership and sharing mechanism of PAM360, rather it is only an enhanced access control mechanism. Normally, when a password is shared with a user, the user will be able to view the password directly. However, when access control is enabled, the user will have to request the release of a password to which they are already allowed access.
2. Steps to Implement Password Access Control Workflow
- Click the Resources tab and select the resources for which you wish to enforce access control in bulk.
- Navigate to Resource Actions >> Configure >> Access Control.
- To implement access control for a single resource, click the Resource Actions icon beside it and select Configure Access Control from the drop down.
- In the Configure Access Control window that opens, you will see four tabs. Customize the settings as required.
- Approval Administrators
- Excluded Users
- Miscellaneous Settings
- Auto Approval
2.1 Approval Administrators
Designate the administrator(s) as the approvers of password release requests. The list of all administrators, password administrators, and privileged administrators in the system are listed in the left section. You can designate as many administrators as you wish for a particular resource. Anyone from the list of Authorized Administrators could approve the requests raised by users.
2.2 Excluded Users
Exclude a set of users from the access control workflow using this option. The excluded users will be able to access passwords directly without raising requests.
2.3 Miscellaneous Settings
- Enforce approval by at least __ administrators: Select this option to enforce approval by a specific number of administrators for all password requests. This number can vary from 1 to 10 administrators and you can customize this by choosing the number of admins under Admin >> Settings >> General Settings >> Maximum X approval admins (You may give minimum of 1 to maximum of 10 admins). If you wish to enforce approval by at least 10 admins, then you must designate 10 admins as the authorized administrators under the Approval Administrators section.
- Enforce users to provide a reason for password retrieval: Use this option to mandate users to provide a reason when they try to retrieve a password in plain text by clicking the asterisks. This is useful for auditing purposes.
- Send a reminder mail to the administrators to process the password access request before X minutes of the stipulated time: Use this option to set a time at which a reminder email will be sent to the administrator about the password request that is yet to be approved. PAM360 will send the reminder email at the specified number of minutes before the void time.
- Once the access time ends, provide grace time of X minutes to the user: Enable this option to provide a grace time of up to 60 minutes to the user, after the password access time ends.
- The password will be checked in automatically after X hours of approval time: Use this option to specify the exact time after which the password will be checked in automatically and will no longer be available for use.
- Requests are void after X hours, if not approved: Use this option to specify the maximum time, in hours, after which a pending password request would become void if the administrators do not approve. If even one administrator approves the password request, then the approval status will be sent as notification to the other authorized administrators.
- Password access can remain exclusive for a maximum of X minutes: Select this option to enforce concurrency controls for password access. During this specified time, the password is made available for the exclusive use of a particular user and no one else, including the owner of the resource, would be allowed to view the password. By default, the password will remain exclusive for 30 minutes. However you can modify it to a desired value. For example, if you specify the time period as two hours, the password would be made available exclusively for that user for two hours. Others cannot view the password during that time. After the specified time, the password access will be void and will not be available to the user and other users will be able to view the passwords. If you specify the value as '0' hours, the password will remain exclusive for unlimited hours.
- Reset password / key after exclusive use (password / key checked-in by the user): Select this option to enforce automatic reset of password once the user checks in the password thereby giving up access. For automatic password reset to take effect, you need to ensure that all required credentials have been supplied to the resource for remote password reset or you should have installed PAM360 agents in the resource. Otherwise, the automatic password reset will not take effect. Click here for instructions on Remote password reset and password reset via PAM360 agents.
Note: You can also designate user group(s) as approvers for password release requests. When a user group is designated as an approver, all the users with admin rights within that group (the administrators, password administrators, privileged administrators and admin users with the custom role) are given access rights. If you have enforced approval by a particular number of administrators, say 5, then the authorized user group must have at least 5 valid administrators.
2.4 Auto Approval
- PAM360 provides the option to set automatic approval of password access requests. This auto-approval feature will be handy during the times when an administrator may not be available to approve access requests for users. To implement this, administrators can set an approval time for every day or specific times on specific days of the week. All password access requests that are raised in this time frame will be auto-approved and the authorized administrators will be notified. For example, you can set auto-approval for all requests raised between 2 p.m to 3 p.m on Saturday. You can set upto 3 approval time frames for a single day. Except for the automatic nature of approval, all other aspects of this feature remain the same as access control workflow.
- Once you have configured the necessary options for setting up the access control workflow, click Save & Activate.
3. Use Case Scenarios
Following are some of the use case scenarios in which access control workflow will be useful in an organization.
Case 1: User Requesting Access to View a Password
To access a password protected by the access control workflow, a user will have to request the administrator to grant permission to view the password.
Steps To Make a Request:
- Click the Resources tab from the left pane and click the Passwords tab.
- All the passwords will be listed in the table below. Click Request beside the desired passwords to request the administrator to grant permission to view the passwords.
- In the new pop-up form that opens, you will be able to:
- Specify when you want to access the password - now or later.
- Enter a reason to view the password.
- Specify the time before which a reminder email is to be sent.
- Once the administrator approves your request, you will be allowed to view the password. Till then, the status will be Waiting for approval.
- Once the administrator approves the request, the status will change to Check Out. To view the password, click Check Out. Please note that the Check Out button will be enabled only during the approved access time.
- Click Save. Now, you will be allowed to view the password.
Case 2: Administrator Approving a Password Request
If you're an administrator and a user has requested your approval to view a password, you will receive an email notification about the request. You can view all the requests pending your approval from the Admin tab.To Approve a Request,
- Navigate to Admin >> Manage >> Password Access Requests.
- Click Process Request beside a request to allow the user to view the password. Once you do this, a new window will open where the administrator can do any of the following things:
- Approve or reject the password access request.
- Specify when the user can access the password - Now or Later.
- Specify the reason for approval / rejection of the request.
- Immediately after you approve the request, the status of the link will change to Yet to Use, indicating that the user is yet to check out the password.
- Once the user has viewed the password, the status will change to In Use.
- Click the Check In button beside the password. Now the password will be checked back into the system and the status will change as Request again.
- You will no longer be able to view the password. In case, you require access again, you will have to go through the Request-Release process again.
- Go to Admin >> Password Access Requests.
- Click Check in beside the specific request to revoke the user's access permission. Once you do this, user will not be allowed to view the password. The password access request will also vanish from the list.
- User checks in the password on their own after password usage is complete.
- System automatically revokes the password after the stipulated time.
- Administrator forcefully checks in the password.
- Go to the Resources tab and select the resources for which you wish to disable access control.
- Go to Resource Actions >> Configure >> Access Control and click Deactivate.
- Navigate to the Users tab and select or search for the user whose approver privileges you would like to transfer to another admin.
- Click the User Actions icon beside that user and select Transfer Approver Privileges from the drop down list.
- In the Transfer Approver Privileges window that opens, all the resources for which the selected admin is an authorized administrator will be displayed. Choose the desired resources.
- From the Transfer To drop down, select the admin to whom you would like to transfer the approver privileges to and click Transfer. The approver privileges will be transferred and the authorized administrator will be subsequently changed.
Note: If a password access request is rejected by an admin in the above scenario, the request will be removed from the queue.
Case 3: User Completes their Password Usage
The crux of the access control mechanism is that the user will be allowed only temporary access to passwords. So, once the user finishes their work, they can give up the password.To Give Up Access to the Password:
Case 4: Administrator Forcefully Checks In the Password
Access control mechanism allows exclusive access privilege to a user for a specified time period. During this period, no one else will be allowed to view the password, including the owner. In case an emergency arises to revoke the exclusive permission to the user, administrator can forcefully check in the password at any point of time.
To Forcefully Check In a Password:
Case 5: What Happens if the Automatic Scheduled Password Reset Fails During Password Check In
Once a password is checked out by a user, it will be checked in due to any of the following three reasons:
When password is checked in, if the admin settings require automatic password reset, PAM360 will try to reset the password. In case PAM360 is not able to reset the password in the actual resource, PAM360 will immediately trigger email notifications to the administrators who approved the password access request of the use so that they can troubleshoot and set things right. The password reset failure will also reflect on the audit trails.
Case 6: What Happens if a Scheduled Password Reset Scheduled Task Runs When a Password is Checked Out?
PAM360 provides an option to create scheduled tasks for automatic and periodic password resets. It is possible that a scheduled task starts executing the reset of a password that is currently checked out by a user. If that reset task is allowed to execute successfully, the user will be working with an outdated password. To avoid such password mismatch issues, PAM360 will prevent the reset of that password alone while all other passwords of other resources that are part of the scheduled task will be reset. The failure to reset the exempted password during the password reset schedule will reflect on the audit trails.
Case 7: Disabling Access Control
As an administrator, if you want to disable access control for any resource, you may do so at any time as explained below:
Access Control for the selected resource will be deactivated. That means, any user who has permission to view the password (owned/shared) will be able to view the password without going through the access control process for that particular resource.
Case 8: Transferring Approver Privileges to Other Administrators
When an administrator leaves the organization or moves to a different department, resources owned by that administrator are transferred to some other administrator. If the departing administrator had acted as the approver for password release requests, the approval privileges should also be transferred. All the resources that were earlier controlled by one admin can be easily transferred in bulk to another admin. Follow the below steps to learn how to transfer approver privileges from one administrator to another.
To Transfer Approver Privileges:
4. Glossary of Terminologies
The user has to make a request to view the password.
Waiting for Approval
User's password release request is pending with administrator(s) for approval.
Administrator has approved the request and the user can view the password.
Administrator can either approve or reject the password request.
Yet to Use
Indicates that the user is yet to view the password released by the administrator.
Password is being used exclusively by a user.
Giving up/revoking password access.