Password Access Control Workflow

Access Control - Definition

Access control is a strategy that verifies the authenticity of users and ensures that they have suitable privileges to perform a task or access data. To put it simply, access control is a way of selectively restricting access to sensitive data. An effective access control strategy comprises two major components: authentication and authorization. Through authentication, one can verify if a person is who they claim to be. However, authentication alone is not sufficient to protect data, and an additional layer called authorization, which determines whether a user is permitted to access the data or perform an action they are attempting, is mandatory. Authentication and authorization are the two key components that are essential to strengthen data security in an organization.

Glossary of Terminologies

  • Request: The user has to make a request to view the password.
  • Waiting for Approval: User's password release request is pending with administrator(s) for approval.
  • Check Out: Administrator has approved the request and the user can view the password.
  • Approve/Reject: Administrator can either approve or reject the password request.
  • Yet to Use: Indicates that the user is yet to view the password released by the administrator.
  • In Use: Password is being used exclusively by a user.
  • Check In: Giving up/revoking password access.



Password Access Control in PAM360

PAM360 provides an access control mechanism that allows administrators to grant password access to users for a specific period. Admins can start granting exclusive privileges once a password is ready to share, and only one user is allowed to use a particular password at any point in time. Additionally, administrators can provide just-in-time (JIT) privilege elevation to local user accounts in a Windows resource. For example, assume "dbuser" is a local account in a Windows resource added to PAM360, and this account does not have any admin privileges. Using the JIT privilege elevation feature, an admin can elevate dbuser's privileges to match those of an admin or any other privileged user.

You will learn the following topics concerning Password Access Control workflow in this document:

  1. The Password Access Control workflow
  2. Precedence in Password Access Control
  3. Executing the Password Access Control workflow

    3.1 Access Control at Resource level

    3.2 Access Control at Account level

    3.2.i Approval Administrators
    3.2.ii Excluded Users
    3.2.iii Miscellaneous Settings
    3.2.iv Auto Approval
    3.2.v JIT Privilege Elevation

    3.3 Viewing Access Control Details

  4. Use case scenarios
  5. Message Templates
  6. Limitation in Access Control Workflow

1. The Password Access Control Workflow

Once password access control is enforced for a resource or an account, the following workflow is invoked for password access attempts by users:

  1. A user needs access to a password that is shared with them.
  2. The user makes a request to access the password.
  3. The request is sent to the designated administrator(s) for approval. If more users require access to the same password, all the requests will be queued up for approval.
  4. If the administrator does not approve the request within the stipulated time, the request becomes void. In case the user has specified a particular time frame for password access, then the request becomes void after the user-specified stipulated time.
  5. If the request is rejected by even one of the designated administrators, it becomes void.
  6. If the administrator approves the request, the user will be allowed to check out the password only during the stipulated time, or at the time set by the administrator during approval. If more than one administrator has to approve a password request, the user will be allowed to check out the password only after all of the designated administrators have approved the request.
  7. Once the user checks out the password, it will be available exclusively for their use till the stipulated time.
  8. If any other user requires access to the same password concurrently, they will be provided access only after the previous user checks in the password. This rule applies to all types of user roles in PAM360, including administrators, password administrators and owner of the password.
  9. An administrator can also revoke password access for the user at any time. The password will be forcefully checked in during such circumstances, denying access to the user. Once the user finishes their work, the password will be reset.
  10. While granting temporary exclusive access to a user, you can enable administrators to view the password concurrently by selecting the option Enforce users to provide reason for password retrieval under Admin >> Settings >> General Settings.

Note: The access control workflow does not override the password ownership and sharing mechanism of PAM360. Rather it is only an enhanced access control mechanism. Normally, when a password is shared with a user, the user will be able to view the password directly. Now, with the password access control mechanism, the user will have to request access to a password, even if they have access to it.
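The workflow above, modelled as a small state machine for reasoning about approval, voiding and exclusivity. This is an added example, not PAM360 code: the class and method names, the integer minute clock and the "Checked In" label are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    WAITING = "Waiting for Approval"
    YET_TO_USE = "Yet to Use"    # approved; the user now sees "Check Out"
    IN_USE = "In Use"
    CHECKED_IN = "Checked In"    # model-only label for a returned password
    VOID = "Void"


@dataclass
class Request:
    user: str
    created: int                 # minutes on an arbitrary clock (assumption)
    status: Status = Status.WAITING
    approvals: set = field(default_factory=set)


class AccountWorkflow:
    """Toy model of one account under access control (hypothetical names)."""

    def __init__(self, approvers, required=1, void_after=120, exclusive_for=30):
        self.approvers, self.required = set(approvers), required
        self.void_after, self.exclusive_for = void_after, exclusive_for
        self.requests, self.holder, self.out_since = [], None, None
        self.resets = 0          # password resets triggered by check-in

    def request(self, user, now):
        req = Request(user, now)
        self.requests.append(req)        # concurrent requests queue up
        return req

    def approve(self, req, admin, now):
        self._tick(now)
        if admin in self.approvers and req.status is Status.WAITING:
            req.approvals.add(admin)
            if len(req.approvals) >= self.required:   # every required approval is in
                req.status = Status.YET_TO_USE
        return req.status

    def reject(self, req, admin, now):
        self._tick(now)
        if admin in self.approvers and req.status is Status.WAITING:
            req.status = Status.VOID     # a single rejection voids the request
        return req.status

    def check_out(self, req, now):
        self._tick(now)
        if req.status is Status.YET_TO_USE and self.holder is None:
            req.status, self.holder, self.out_since = Status.IN_USE, req, now
        return req.status                # stays "Yet to Use" while another user holds it

    def check_in(self, req):
        """User check-in, forced check-in by an admin, or automatic check-in."""
        if self.holder is req:
            req.status, self.holder, self.out_since = Status.CHECKED_IN, None, None
            self.resets += 1             # assumes reset after exclusive use is enabled
        return req.status

    def _tick(self, now):
        for r in self.requests:          # unapproved requests become void
            if r.status is Status.WAITING and now - r.created >= self.void_after:
                r.status = Status.VOID
        # exclusive_for == 0 models the "unlimited" setting: never auto check-in
        if self.holder and self.exclusive_for and now - self.out_since >= self.exclusive_for:
            self.check_in(self.holder)


def scenario():
    """Constructed run: two approvals required, three admins, four users."""
    wf = AccountWorkflow({"admin1", "admin2", "admin3"}, required=2)
    alice, bob, carol = (wf.request(u, t) for t, u in enumerate(["alice", "bob", "carol"]))
    steps = {}
    steps["one approval of two"] = wf.approve(alice, "admin1", 5)
    steps["second approval"] = wf.approve(alice, "admin2", 6)
    steps["single rejection"] = wf.reject(carol, "admin3", 7)
    wf.approve(bob, "admin1", 8)
    wf.approve(bob, "admin2", 9)
    steps["alice checks out"] = wf.check_out(alice, 10)
    steps["bob while alice holds"] = wf.check_out(bob, 15)
    steps["bob after alice's 30 min"] = wf.check_out(bob, 45)
    steps["alice afterwards"] = alice.status
    steps["forced check-in of bob"] = wf.check_in(bob)
    dave = wf.request("dave", 50)
    steps["approval after void time"] = wf.approve(dave, "admin1", 200)
    return {k: v.value for k, v in steps.items()}, wf.resets


if __name__ == "__main__":
    print(scenario())
```
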

2. Precedence in Password Access Control

Account level access control configuration takes higher precedence over Resource level access control configuration as explained below in detail:

  1. When Access Control settings are enforced on a resource, the settings are automatically applied to all the accounts within the resource. However, when Account level access control settings are applied to an individual account within the resource, it overrides the resource level access control settings that were previously applied for the selected account.
    1. Let's assume PAM360-win10 is a resource with several accounts under it. When the access control mechanism is enforced for the resource PAM360-win10, the settings are applied to all accounts under PAM360-win10 automatically. If Account level access control is applied for a user account, say Administrator, within the resource PAM360-win10, that action will override the resource level access control that was earlier applied for the user account Administrator. However, the access control settings for the rest of the accounts within the resource will remain unchanged.
  2. If resource level access control settings are deactivated, it will not affect the account level access control configurations within the same resource.
  3. If account level access control settings are deactivated for an account, then the resource level access control, if configured, will be applied to the account automatically.
  4. Account level access control settings come in handy when certain accounts within a resource require a higher level of security.
    1. Let's assume CentOS-1 is a resource with several accounts under it. Access control mechanism is enforced for CentOS-1 and settings are customized in a way that it requires the approval of one authorized administrator to access the resource; the same settings will be applied to all accounts under the resource. However, the user account Root under the resource requires better security. In this case, account level access control configuration can be applied to Root so that it requires approval of at least five authorized administrators to gain access to its password. Modifying access control configuration for Root will not affect the configuration done for CentOS-1 and the other accounts under the resource.

3. Executing the Password Access Control Workflow

Follow the below steps to implement password access control for a resource or an account:

3.1 Access Control at Resource Level

3.2 Access Control at Account Level

3.3 Viewing Access Control Details

3.1 Access Control at Resource Level

  1. To implement access control for multiple resources, navigate to the Resources tab and select the resources for which you wish to enforce access control, click the bulk Resource Actions menu and choose Configure >> Access Control.
  2. To implement access control for a single resource, in the Resources tab, click the Resource Actions drop-down beside the required resource and choose Configure Access Control.

3.2 Access Control at Account Level

With Access Control at account level, it is possible to set password access control independently for each account under a resource, without affecting the access control configurations of other accounts in the resource. This ability to set unique configurations for each account helps users maintain unparalleled security levels for each account, based on requirements.

Follow the below steps to implement access control for accounts:

  1. To implement access control for multiple accounts, navigate to Resources and switch to the Passwords tab. Select all accounts for which you wish to enforce access control in bulk, click the bulk Account Actions menu and choose Configure Access Control.
  2. To implement access control for a single account, switch to the Passwords tab, click the Account Actions drop-down beside the required account and choose Configure Access Control. Alternatively, to implement access control for one or more accounts belonging to the same resource, click the resource name in the Resources tab. In the Account Details dialog box that opens up, select the required accounts and click More Actions >> Configure Access Control or click Account Actions >> Configure Access Control beside the required account.
  3. In the Configure Access Control window, you will see five tabs. Customize the settings as required.
    1. Approval Administrators
    2. Excluded Users
    3. Miscellaneous Settings
    4. Auto Approval
    5. Privilege Elevation

3.2.i Approval Administrators

Designate the administrator(s) as the approvers of password release requests. All administrators, password administrators, and privileged administrators in the system are listed in the left pane. You can designate as many administrators as you wish for a particular resource or an account. Anyone from the list of Authorized Administrators can approve the requests raised by users.

3.2.ii Excluded Users

Exclude a set of users from the access control workflow using this option. The excluded users will be able to access passwords directly without raising requests.

3.2.iii Miscellaneous Settings

  1. Enforce approval by at least __ administrators: Select this option to enforce approval by a specific number of administrators for all password requests. This number can vary from 1 to 10 administrators and you can customize this by choosing the number of admins under Admin >> Settings >> General Settings >> Maximum X approval admins (you may give a minimum of 1 to a maximum of 10 admins). If you wish to enforce approval by at least 10 admins, then you must designate 10 admins as the authorized administrators under the Approval Administrators section.

     Note: You can also designate user group(s) as approvers for password release requests. When a user group is designated as an approver, all the users with admin rights within that group (the administrators, password administrators, privileged administrators and admin users with the custom role) are given access rights. If you have enforced approval by a particular number of administrators, say 5, then the authorized user group must have at least 5 valid administrators.

  2. Enforce users to provide a reason for password retrieval: Use this option to mandate users to provide a reason when they try to retrieve a password in plain text by clicking the asterisks. This is useful for auditing purposes.
  3. Send a reminder mail to the administrators to process the password access request before X minutes of the stipulated time: Use this option to set a time at which a reminder email will be sent to the administrator about the password request that is yet to be approved. PAM360 will send the reminder email at the specified number of minutes before the void time.
  4. Once the access time ends, provide grace time of X minutes to the user: Enable this option to provide a grace time of up to 60 minutes to the user, after the password access time ends.
  5. The password will be checked in automatically after X hours of approval time: Use this option to specify the exact time after which the password will be checked in automatically and will no longer be available for use.
  6. Requests are void after X hours, if not approved: Use this option to specify the maximum time, in hours, after which a pending password request will become void if the administrators do not approve. If even one administrator approves the password request, then the approval status will be sent as notification to the other authorized administrators.
  7. Password access can remain exclusive for a maximum of X minutes: Select this option to enforce concurrency controls for password access. During this specified time, the password is made available for the exclusive use of a particular user and no one else, including the resource owner, is allowed to view the password. By default, the password will remain exclusive for 30 minutes. However, you can modify it to a desired value. For example, if you specify the time period as two hours, the password will be made available exclusively for that user for two hours. Others cannot view the password during that time. After the specified time, the password access will be void and will not be available to the user and other users will be able to view the passwords. If you specify the value as '0' hours, the password will remain exclusive for unlimited hours.
  8. Reset password / key after exclusive use (password / key checked-in by the user): Select this option to enforce automatic reset of the password once the user checks in the password, thereby giving up access. For automatic password reset to take effect, you need to ensure that all required credentials have been supplied to the resource for remote password reset or you should have installed PAM360 agents in the resource. Otherwise, the automatic password reset will not take effect. For instructions on remote password reset, click here and for details on password reset via PAM360 agents, click here.

3.2.iv Auto Approval

  1. PAM360 provides the option to set automatic approval of password access requests. This auto-approval feature is handy at times when an administrator may not be available to approve access requests for users. To implement this, administrators can set an approval time for every day or specific times on specific days of the week. All password access requests that are raised in this time frame will be auto-approved and the authorized administrators will be notified. For example, you can set auto-approval for all requests raised between 2 p.m. and 3 p.m. on Saturday. You can set up to 3 approval time frames for a single day. Except for the automatic nature of approval, all other aspects of this feature will follow the access control workflow.
  2. Once you have configured the necessary options for setting up the access control workflow for a resource or an account, click Save & Activate.
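A configuration review that combines the precedence rules from section 2 with the approver-count limits from Miscellaneous Settings and the auto-approval limits above. This is an added example, not PAM360 code or its API: the Policy structure, function names and all sample data are assumptions, and pooling individually designated admins with group members is also an assumption.

```python
from dataclasses import dataclass, field

MAX_APPROVALS = 10        # page: "This number can vary from 1 to 10 administrators"
MAX_WINDOWS_PER_DAY = 3   # page: "up to 3 approval time frames for a single day"


@dataclass
class Policy:
    active: bool = True
    approvers: set = field(default_factory=set)   # individually designated admins
    groups: set = field(default_factory=set)      # user groups designated as approvers
    min_approvals: int = 1
    auto_approve: dict = field(default_factory=dict)  # day -> [("HH:MM", "HH:MM"), ...]


def effective_policy(resource_policy, account_policies, account):
    """Section 2 precedence: an active account-level policy overrides the
    resource-level one; a deactivated or missing one falls back to it."""
    acct = account_policies.get(account)
    if acct is not None and acct.active:
        return "account", acct
    if resource_policy is not None and resource_policy.active:
        return "resource", resource_policy
    return "none", None


def lint(policy, group_admins):
    """Return findings for one policy. group_admins maps a group name to the
    set of its members that hold admin rights (only those count as approvers)."""
    findings = []
    pool = set(policy.approvers)
    for group in policy.groups:
        pool |= group_admins.get(group, set())
    if not 1 <= policy.min_approvals <= MAX_APPROVALS:
        findings.append(f"min_approvals={policy.min_approvals} outside 1..{MAX_APPROVALS}")
    if len(pool) < policy.min_approvals:
        findings.append(
            f"needs {policy.min_approvals} approvals but only {len(pool)} approvers designated")
    for day, windows in sorted(policy.auto_approve.items()):
        if len(windows) > MAX_WINDOWS_PER_DAY:
            findings.append(f"{day}: {len(windows)} auto-approval windows (max {MAX_WINDOWS_PER_DAY})")
        if any(start >= end for start, end in windows):   # zero-padded HH:MM compares correctly
            findings.append(f"{day}: window start is not before its end")
        if windows and policy.min_approvals > 1:
            # Requests raised inside a window are auto-approved, so flag for review.
            findings.append(
                f"{day}: requests in auto-approval windows skip the {policy.min_approvals}-admin approval")
    return findings


def audit(resource_policy, account_policies, accounts, group_admins):
    """Resolve and lint the effective policy of every account on a resource."""
    report = {}
    for account in accounts:
        level, policy = effective_policy(resource_policy, account_policies, account)
        report[account] = (level, lint(policy, group_admins) if policy else ["no access control"])
    return report


def example():
    # Constructed data modelled on the CentOS-1 / Root example in section 2.
    group_admins = {"unix-admins": {"admin2", "admin3"}}
    centos1 = Policy(approvers={"admin1"}, min_approvals=1)
    account_policies = {
        "Root": Policy(approvers={"admin1"}, groups={"unix-admins"}, min_approvals=5,
                       auto_approve={"Saturday": [("14:00", "15:00")]}),
        "backup": Policy(active=False, approvers={"admin9"}, min_approvals=2),
    }
    return audit(centos1, account_policies, ["Root", "backup", "svc"], group_admins)


if __name__ == "__main__":
    for account, (level, findings) in example().items():
        print(account, level, findings or "ok")
```
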

3.2.v JIT Privilege Elevation

Administrators can provide just-in-time (JIT) privilege elevation to local accounts in PAM360. For this, the administrator has to access the Privilege Elevation tab. Then, select the required groups out of the available local groups in the Windows resource and save them locally in the PAM360 database. Now, the privilege elevation configuration is ready for the local user account(s) under the selected resource.

Later, during the password check-out by any of the local accounts under the resource, their access privileges will be elevated to those of the local groups they were added to, and they will be able to operate with the same group privileges, for a stipulated time, as set by the administrator under Miscellaneous Settings.

Benefits

The JIT privilege elevation feature comes in handy in situations where a local account may not have the access privileges to use certain applications or services in a system. Using the JIT privilege elevation feature, administrators can provide timely and controlled access to accounts to operate applications or systems for a specified period. This feature gives administrators the ability to control who can access what and for how long, thereby eliminating the need to provide unnecessary blanket access for all accounts. This is based on the principle of least privileged access, which is one of the core philosophies of zero trust networks.

Steps Required

Follow the below steps to fetch and save local groups from a Windows resource to facilitate JIT privilege elevation:

  1. Access the Privilege Elevation tab and enable the Elevate account privilege by adding into the below local groups option.

  2. Click Select and all the local groups available in the Windows resource will be fetched and displayed in the Select Local Group dialog box. Choose the required groups and click Save. To update this list of local groups saved in the database, click the Refresh icon at the top right corner of the window.

  3. The selected groups will be listed in the Selected Local Groups box.

Once you have configured the necessary options for setting up password access control, click Save & Activate. To remove previously configured access control for the selected resource, click the Deactivate button.

Now, when the resource is shared with a user with Password User/Password Auditor capabilities, they can request password access or elevation. This request can be approved/rejected by any admin in the Authorized Administrators list.

    Notes:

    1. Privilege elevation for local accounts using the above procedure can be done only for Windows resources. To apply privilege elevation in Windows Domain resources, integrate PAM360 with ManageEngine ADManager Plus. Click here for more details on the integration.
    2. Privilege elevation happens only at the time of password check-out i.e., PAM360 will add the local account to the selected local groups only when the password of the local account is checked out from the PAM360 vault.
    3. If privilege elevation fails for a local user account when PAM360 adds it to the selected local groups, then the password of the account cannot be requested by users who have access to it. For more details on the reasons for failure, check audit logs in the Audit tab.
    4. Password access control cannot be deactivated for a resource when the password is checked out and is currently in use.
    5. It is recommended that resource owners do not change the Resource Type or Remote Password Reset settings of a resource for which access control is configured and whose password is currently in use. Doing so will remove the access control configuration. To check if the status of a password is In Use, go to Admin >> Manage >> Password Access Requests and check the status under Action. Refer to this topic for more details.

3.3 Viewing Access Control Details

Once Access Control is activated for an account or a resource, the Access Control Details option consolidates all the settings applied and presents them in a single window for easy perusal. Please note that the Access Control Details window can be accessed from the Account Actions menu only. Follow the below steps to view the access control details:

  1. Navigate to the Resources tab and switch to the Passwords tab.
  2. Click the Account Actions icon beside the required account and choose Access Control Details from the drop-down. Alternatively, click a resource name in the Resources tab. In the Account Details dialog box that opens, click Account Actions >> Access Control Details beside the required account.
  3. The Access Control Details dialog box will display the following details:
    1. Account Name.
    2. Resource Owner.
    3. Type of Access Control activated: Resource Level or Account Level.
    4. List of Approval Administrators (users and/or groups).
    5. List of Excluded Users (users and/or groups).
    6. Auto Approval time frame set for this particular account or resource.
    7. Any Miscellaneous Settings configured, such as enforcing approval by multiple administrators, enforcing users to provide a reason for password retrieval, etc.

4. Use Case Scenarios

The following are some of the use case scenarios in which access control workflow will be useful in an organization.

Case 1: User Requesting Access to View a Password

To access a password protected by the access control workflow, a user will have to request the administrator to grant permission to view the password.

Steps To Make a Request:

  1. Click the Resources tab from the left pane and click the Passwords tab.
  2. All the passwords will be listed in the table below. Click Request beside the desired passwords to request the administrator to grant permission to view the passwords.
  3. In the new pop-up form that opens, you will be able to:
    • Specify when you want to access the password - now or later.
    • Enter a reason to view the password.
    • Specify the time before which a reminder email is to be sent.
  4. Once the administrator approves your request, you will be allowed to view the password. Till then, the status will be Waiting for approval.
  5. Once the administrator approves the request, the status will change to Check Out. To view the password, click Check Out. Please note that the Check Out button will be enabled only during the approved access time.
  6. Click Save. Now, you will be allowed to view the password.

Case 2: Administrator Approving a Password Request

If you're an administrator and a user has requested your approval to view a password, you will receive an email notification about the request. You can view all the requests pending your approval from the Admin tab.

To Approve a Request:
  1. Navigate to Admin >> Manage >> Password Access Requests.
  2. Click Process Request beside a request to allow the user to view the password. Once you do this, a new window will open where the administrator can do any of the following things:
    • Approve or reject the password access request.
    • Specify when the user can access the password - Now or Later.
    • Specify the reason for approval / rejection of the request.
  3. Immediately after you approve the request, the status of the link will change to Yet to Use, indicating that the user is yet to check out the password.
  4. Once the user has viewed the password, the status will change to In Use.

Note: If a password access request is rejected by an admin in the above scenario, the request will be removed from the queue.

Case 3: User Requesting Access and Administrator Approving a Password Request for Windows Domain Account

Steps to request a password:

  1. Click the Resources tab from the left pane and click the Passwords tab.
  2. All the passwords will be listed in the table below. Click Request beside the desired passwords to request the administrator to grant permission to view the passwords.
  3. In the new pop-up form that opens, you will be able to:
    • Choose the resource(s) to be accessed - Current Windows Domain Machine, All Resources or select the required resource(s) from the drop-down.
    • Specify when you want to access the password - now or later.
    • Enter a reason to view the password.
  4. Click Send.
  5. Once the administrator approves your request, you will be allowed to view the password. Till then, the status will be Waiting for approval.
  6. Once the administrator approves the request, the status will change to Check Out. To view the password, click Check Out. Please note that the Check Out button will be enabled only during the approved access time.
  7. Click Save. Now, you will be allowed to view the password.

    Note: Users can choose the required resources in the domain account and request permission to access them. Users will be able to access only the approved resources using that domain account.

To Approve a Request:

  1. Navigate to Admin >> Manage >> Password Access Requests.
  2. Click Process Request beside a request to allow the user to view the password. Once you do this, a new window will open where the administrator can do any of the following things:
    • Change the Target Resource(s).
    • Specify when the User can access the password - Now or Later.
    • Specify the reason for approval / rejection of the request.
    • Approve or Reject the password access request.
  3. Immediately after you approve the request, the status of the link will change to Yet to Use, indicating that the user is yet to check out the password.
  4. Once the user has viewed the password, the status will change to In Use.

Case 4: User Completes their Password Usage

The crux of the access control mechanism is that the user will be allowed only temporary access to passwords. So, once the user finishes their work, they can give up the password.

To Give Up Access to the Password:
  1. Click the Check In button beside the password. Now the password will be checked back into the system and the status will change to Request again.
  2. You will no longer be able to view the password. In case you require access again, you will have to go through the Request-Release process again.

Case 5: Administrator Forcefully Checks In the Password

The access control mechanism allows exclusive access privilege to a user for a specified time period. During this period, no one else will be allowed to view the password, including the owner. In case an emergency arises to revoke the exclusive permission to the user, an administrator can forcefully check in the password at any point of time.

To Forcefully Check In a Password:

  1. Go to Admin >> Password Access Requests.
  2. Click Check in beside the specific request to revoke the user's access permission. Once you do this, the user will not be allowed to view the password. The password access request will also vanish from the list.

Case 6: What Happens if the Automatic Scheduled Password Reset Fails During Password Check In

Once a password is checked out by a user, it will be checked in due to any of the following three reasons:

  1. User checks in the password on their own after password usage is complete.
  2. System automatically revokes the password after the stipulated time.
  3. Administrator forcefully checks in the password.

When a password is checked in, if the admin settings require automatic password reset, PAM360 will try to reset the password. In case PAM360 is not able to reset the password in the actual resource, PAM360 will immediately trigger email notifications to the administrators who approved the password access request of the user so that they can troubleshoot and set things right. The password reset failure will also be reflected in the audit trails.

Case 7: What Happens if a Scheduled Password Reset Task Runs When a Password is Checked Out?

PAM360 provides an option to create scheduled tasks for automatic and periodic password resets. It is possible that a scheduled task starts executing the reset of a password that is currently checked out by a user. If that reset task is allowed to execute successfully, the user will be working with an outdated password. To avoid such password mismatch issues, PAM360 will prevent the reset of that password alone while all other passwords of other resources that are part of the scheduled task will be reset. The failure to reset the exempted password during the password reset schedule will be reflected in the audit trails.

Case 8: Disabling Access Control

As an administrator, if you want to disable access control for any resource or an account, you may do so at any time as explained below.

i. Deactivating Access Control for Resources

  1. Go to the Resources tab and select the resources for which you wish to disable access control.
  2. Go to the bulk Resource Actions menu, choose Configure >> Access Control and click Deactivate in the Configure Access Control dialog box.
  3. To deactivate access control for a single resource, click the Resource Actions icon beside the required resource and choose Configure Access Control from the drop-down. Click Deactivate in the Configure Access Control dialog box.

Note: Deactivating the Resource level access control will not affect any Account level access control configuration enforced on the accounts belonging to that resource.

ii. Deactivating Access Control for Accounts

  1. Go to the Resources tab, switch to the Passwords tab and select the accounts for which you wish to disable access control.
  2. Go to the bulk Account Actions menu, choose Configure Access Control and click Deactivate.
  3. To deactivate access control for a single account, click the Account Actions icon beside the required account and choose Configure Access Control from the drop-down. Click Deactivate in the Configure Access Control dialog box.

Now, the Access Control for the selected resources or accounts is deactivated. So, any user who has permission to view a password (owned/shared) can directly view the password without going through the access control process.

Note: If Account level access control is deactivated and there is a Resource level access control already in place for the resource, then the Resource level access control will be automatically applied to the account as well. Click here to read more about how precedence works for access control settings.

Case 9: Transferring Approver Privileges to Other Administrators

When an administrator leaves the organization or moves to a different department, resources/accounts owned by that administrator are transferred to some other administrator. If the departing administrator had acted as the approver for password release requests, the approval privileges should also be transferred. All the resources and accounts that were earlier controlled by one admin can be easily transferred in bulk to another admin. Follow the below steps to transfer approver privileges from one administrator to another.

To Transfer Approver Privileges:

  1. Navigate to the Users tab and select or search for the user whose approver privileges you would like to transfer to another admin.
  2. Click the User Actions icon beside that user and select Transfer Approver Privileges from the drop down list.
  3. In the Transfer Approver Privileges window that opens, all the resources and accounts for which the selected admin is an authorized administrator will be displayed. Choose the desired resources.
  4. From the Transfer To drop down, select the admin to whom you would like to transfer the approver privileges and click Transfer. The approver privileges will be transferred and the authorized administrator will be subsequently changed.

5. Message Templates

By default, PAM360 has predefined templates for access control dialog boxes such as Password Request, Password Check In, Password Check Out. Using message templates, administrators can alter the messages in the access control workflow dialog boxes. To customize the messages in an access control dialog box:

  1. Navigate to Admin >> Customization >> Message Templates.
  2. For each category, you will find a number of sub-categories with a dedicated message template.
  3. Preview the existing content for each template by clicking the respective Preview link.
  4. Click Edit Template against the desired template to edit the content.
    1. In the Access Control Template window, enter a customized Message.
    2. While entering the Message, you can specify placeholders for certain values like ORG name or user email, etc. The placeholders will be replaced with the exact values, such as the ORG name, at runtime. The allowed placeholders for each template can be found at the bottom of its respective Access Control Template window.
    3. Click Save to save the message template.
    4. Click Reset to Default to reset the message template to the default message.
    5. Click Cancel to cancel and exit the Access Control Template window.
  5. The Access control dialog box of the respective categories will now have the new content.

6. Limitation in Access Control Workflow

The password access control workflow in PAM360 currently presents a compatibility issue when it comes to High Availability secondary servers. If the primary server becomes unavailable, PAM360 users won't be able to utilize the password access control workflow.

To work around this, administrators can apply the following change, though it requires careful tracking of the requests approved in that timeframe. Here's how to use the password access control workflow when the primary server is down:

  1. Head to the <PAM360 installation directory>/conf folder on the secondary server and open the system_properties.conf file.
  2. Append a new system property - PwdAcsSecSrvr.AcsCtrl=true at the file's end, then save the changes.
  3. Proceed to restart the PAM360 application on the secondary server to ensure the modifications take effect.

Upon the primary server's restoration, the automated check-in will not work efficiently for the resources checked out from the secondary server during the interim time. So, it becomes the administrator's responsibility to manually review and check in the resources that were checked out during the interim period.
