Implementing and Managing Access Control Workflow

Effective password management is essential for ensuring the security and integrity of privileged access within an organization. The Access Control Workflow enables administrators to enforce approval-based access, ensuring only authorized users can retrieve and utilize privileged passwords. This approach supports the zero-standing privileges model by eliminating persistent access and granting access only as needed. Administrators can define specific approval hierarchies, set access duration, and implement auto-approval rules by configuring the access control workflow. Additionally, a ticketing system can be integrated to auto-approve password access requests by validating the ticket IDs against active tickets. This mechanism strengthens security and introduces accountability through detailed auditing.

This document provides detailed instructions for managing privileged access through access control, covering the entire lifecycle from configuring the access control workflow to deactivating it when necessary. It explains how to define global access control settings, designate approval administrators, and enforce conditions such as exclusive access, grace periods, and auto-approval rules. With a streamlined request-release process, administrators can efficiently review, approve, reject, or modify password access requests, minimizing the risk of unauthorized access.

By following the instructions in this document, administrators can effectively implement and manage access control workflow for privileged resources within their environment, enhancing overall security while simplifying access management processes.

This document covers the following topics in detail:

  1. Configuring Access Control Workflow
  2. Viewing Access Control Details
  3. Password Access Requests
  4. Deactivating Access Control

1. Configuring Access Control Workflow

Password Manager Pro allows you to configure access control for the privileged resources in your environment at both the resource and account levels. Before configuring access control at these levels, you must set up the global settings for the access control workflow. The global settings define key aspects of password access requests, such as the required number of approval administrators, password access duration, grace period, etc., which you can modify based on your organizational requirements. Once the global settings are configured, you can configure the access control workflow for individual resources and accounts in your environment.

This section covers the detailed steps to configure the global settings for the access control workflow and set up access control for the privileged resources at both the account and resource levels.

1.1 Configuring Global Settings for Access Control Workflow

Follow these steps to configure the global settings for the access control workflow:

  1. Navigate to Admin >> Settings >> General Settings.
  2. On the General Settings page, switch to the Access Control tab.
  3. Under the Access Control tab, you will find the following settings:
    1. Choose the default password request method - Select the default method through which users request access to passwords.
    2. Extend access duration on delayed approval - Enable this option to grant password access to the users for the full duration they originally requested, even if the administrators approve the request after the scheduled start time.
    Note: The access duration cannot be extended, even when the Extend access duration on delayed approval checkbox is enabled, if the subsequent time slot for the same password is already booked by another user. In this case, the users will gain access to the password only for the remaining duration after the password request is approved.
    3. Allow users to utilize the configured grace period for password access - Enable this checkbox to allow users to maintain exclusive access to the password during the grace time configured in the access control workflow.
    4. Limit each password request to a maximum of [X] hours - Select the desired number from the drop-down to set the maximum access duration for each password access request.
    5. Allow users to raise password access requests for up to [X] days in advance - Select a number from the drop-down to set the number of days from the current date up to which users can schedule password access requests.
    6. Configure up to [X] administrators for password request approvals - Select the desired number from the drop-down to set the maximum number of approval administrators required to approve the password access requests.

These global settings will apply to all the access control workflows configured at both the account and resource levels.

1.2 Configuring Access Control Workflow at Resource Level

Password Manager Pro allows you to configure access control workflow at the account and resource levels. The configuration steps are almost identical for both cases. Follow these steps to configure access control at the resource level:

  1. Navigate to the Resources tab, click the Resource Actions icon beside the desired resource for which you wish to configure access control workflow, and select Configure Access Control from the displayed options.
  2. To configure access control for resources in bulk, tick the checkbox beside the desired resources for which you wish to configure access control workflow, click the Resource Actions button on the top pane, and select Configure >> Access Control.
  3. In the Configure Access Control window that appears, you will see the following configuration settings, where you can customize various options related to the password access based on your requirements.
    1. Approval Administrators
    2. Excluded Users
    3. Miscellaneous Settings
    4. Auto Approval

1.2.1 Approval Administrators

Designating approval administrators is a crucial step in configuring the access control workflow. Whenever a user requests access to a password, the request is forwarded to the administrators designated as approval administrators in this section. Under All Administrators, you will see the list of all the administrators in your environment, including the password and privileged administrators. Select an administrator from this list and click the right arrow button to designate them as an approver for password access requests. Anyone listed under the Authorized Administrators section can approve or reject password access requests made for any of the accounts within the selected resource.

Alternatively, if you wish to designate the users within a user group as approval administrators, switch to the Groups tab and designate the desired user group under Authorized Groups. Only the user groups that contain users with administrator privileges are listed here. Any user with administrator privileges who belongs to a user group designated as authorized can approve or reject password access requests made for any of the accounts within the selected resource.

1.2.2 Excluded Users

While configuring the access control workflow for a resource, you can exclude certain users from the workflow. The users designated as Excluded Users can access the passwords shared with them directly, without following the access control workflow. To exclude a user from the access control workflow, select the desired user and click the right arrow button. You can also exclude all users belonging to a user group from the access control workflow. To exclude user groups, switch to the Groups tab, select the desired user group, and click the right arrow button.

1.2.3 Miscellaneous Settings

Under this section, you will find the various access conditions based on which users are granted access to the requested password and other security settings that help minimize vulnerabilities and insider threats.

  1. Enforce approval by at least [X] Administrators - Enable this option to enforce approval from a specific number of administrators for each password access request. Use the drop-down menu to select a number between 1 and 10. You can modify the maximum number of required approvers under the Access Control section on the General Settings page, as described in section 1.1. If you choose to enforce approval by at least 10 administrators, you must designate at least 10 administrators as Authorized Administrators under the Approval Administrators section.
  2. Enforce users to specify the reason for password retrieval - Enable this option to require users to specify a reason when they retrieve the passwords in plain text by clicking on the asterisks. By enabling this option, you can ensure accountability and maintain a clear audit trail of password access and its purpose.
  3. Send a reminder email to authorized administrators [X] minutes before the stipulated start time to process the pending password access request - Enable this option to send a reminder email to the administrators about the password access requests awaiting approval. Specify the duration (in minutes) before the email should be sent to the administrators, reminding them to review the pending password access requests. If you enter 30 in this field, Password Manager Pro will send a reminder email 30 minutes before the start time specified by the user in the password access request. By default, this value is set to 15.
  4. Extend password access with a grace time of [X] minutes after the stipulated access duration - Enable this option to provide grace time for the users to access the passwords after their access duration ends. Specify the duration (in minutes) for which the users can maintain exclusive access to the passwords after the end time. You can configure a grace time of up to 60 minutes. If you enter 15 in this field and the requested access duration is between 5 pm and 6 pm, then users can utilize the password until 6:15 pm.
  5. Provide exclusive access to passwords for [X] minutes - Specify the duration (in minutes) for which users can maintain exclusive access to the password when they request immediate access by choosing the Now option in the Password Request window. This number cannot be higher than the value set for the option Limit each password request to a maximum of X hours under the Access Control section on the General Settings page as specified in section 1.1. If you enter 30 in this field, users will maintain exclusive access to the passwords requested using the Now option for 30 minutes. By default, this value is set to 60.
  6. Rotate passwords or keys upon check-in after each exclusive use - Enable this option to reset the passwords or SSH keys automatically once they are returned to the vault after each exclusive use.

Notes:

  1. When grace time is configured, Password Manager Pro will forcefully check the password into the vault only after the configured grace time ends.
  2. The grace time can be configured only when the Allow users to utilize the configured grace period for password access option under the Access Control section on the General Settings page is enabled.
  3. The grace time will not be applicable in the following cases even though it is configured:
    • When the user checks the password back into the vault before the end time specified in the password access request.
    • When the user has not checked out the password until the end time specified in the password access request.
  4. Ensure you have configured remote password reset using the necessary credentials with password reset privileges so that passwords can be reset after each use. Refer to the help documentation for the detailed steps to configure remote password reset for resources available on the same network as the Password Manager Pro server and for those managed via the Password Manager Pro agents.
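To make the duration rules on this page concrete, the following Python model is added here as an illustration; it is not Password Manager Pro's own code. It encodes the constraints the page places on the miscellaneous settings (sections 1.1 and 1.2.3), how a delayed approval and an already booked next slot change the access window a user actually receives (section 1.1 note), when the grace time does or does not apply (section 1.2.3 notes 1 to 3), and the section 3.1 rule that a request not approved before its end time is void. All class, function and field names are hypothetical, the dates are constructed, and the reading that any overlap with the next booked slot blocks the extension entirely is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed model of the access-duration rules described on this page
# (sections 1.1 and 1.2.3, plus the section 3.1 note on expired requests).
# All names are hypothetical; this is not Password Manager Pro code.


@dataclass(frozen=True)
class GlobalSettings:
    extend_on_delayed_approval: bool  # "Extend access duration on delayed approval"
    allow_grace_period: bool          # "Allow users to utilize the configured grace period"
    max_request_hours: int            # "Limit each password request to a maximum of [X] hours"
    max_approvers: int                # "Configure up to [X] administrators for ... approvals"


@dataclass(frozen=True)
class WorkflowSettings:
    min_approvers: int          # "Enforce approval by at least [X] Administrators"
    designated_approvers: int   # number of admins listed under Authorized Administrators
    grace_minutes: int          # "grace time of [X] minutes"; 0 means no grace time
    exclusive_minutes: int      # "exclusive access to passwords for [X] minutes" (Now option)


def validate_workflow(g: GlobalSettings, w: WorkflowSettings) -> List[str]:
    """Return the violations of the constraints the page states; an empty list means valid."""
    problems = []
    if not 1 <= w.min_approvers <= 10:
        problems.append("min_approvers must be between 1 and 10")
    if w.min_approvers > g.max_approvers:
        problems.append("min_approvers exceeds the global maximum number of approvers")
    if w.min_approvers > w.designated_approvers:
        problems.append("not enough Authorized Administrators designated for min_approvers")
    if w.grace_minutes > 60:
        problems.append("grace time cannot exceed 60 minutes")
    if w.grace_minutes > 0 and not g.allow_grace_period:
        problems.append("grace time requires the global grace-period option to be enabled")
    if w.exclusive_minutes > g.max_request_hours * 60:
        problems.append("exclusive access minutes exceed the global per-request hour limit")
    return problems


def effective_window(start: datetime, end: datetime, approved_at: datetime,
                     g: GlobalSettings, next_booked_start: Optional[datetime] = None
                     ) -> Optional[Tuple[datetime, datetime]]:
    """Access the user actually receives for a request stipulating [start, end].

    Approval after the end time voids the request (section 3.1 note). Approval on
    time grants exactly the requested window. Delayed approval starts access at
    approval time; with the global extend option the full requested duration is
    kept unless it would run into the next slot booked by another user, in which
    case only the remaining duration is granted. Modelling assumption: any overlap
    with the next booked slot blocks the extension entirely.
    """
    if approved_at >= end:
        return None
    if approved_at <= start:
        return (start, end)
    if not g.extend_on_delayed_approval:
        return (approved_at, end)
    extended_end = approved_at + (end - start)
    if next_booked_start is not None and extended_end > next_booked_start:
        return (approved_at, end)
    return (approved_at, extended_end)


def access_ends_at(window_end: datetime, g: GlobalSettings, w: WorkflowSettings,
                   checked_out_at: Optional[datetime],
                   checked_in_at: Optional[datetime]) -> datetime:
    """When the password is back in the vault (section 1.2.3 notes 1 to 3).

    Grace time applies only if it is enabled globally and in the workflow, the
    user checked the password out before the end time, and did not return it
    early. An early check-in ends access at that moment; a password that was
    never checked out is reclaimed at the end time.
    """
    if checked_in_at is not None and checked_in_at < window_end:
        return checked_in_at
    grace_enabled = g.allow_grace_period and w.grace_minutes > 0
    checked_out_in_time = checked_out_at is not None and checked_out_at < window_end
    if grace_enabled and checked_out_in_time:
        return window_end + timedelta(minutes=w.grace_minutes)
    return window_end


if __name__ == "__main__":
    g = GlobalSettings(True, True, 4, 5)
    w = WorkflowSettings(min_approvers=2, designated_approvers=3, grace_minutes=15, exclusive_minutes=60)
    day = datetime(2024, 1, 1)  # constructed date
    print(validate_workflow(g, w))
    print(effective_window(day.replace(hour=17), day.replace(hour=18), day.replace(hour=17, minute=20), g))
    print(access_ends_at(day.replace(hour=18), g, w, day.replace(hour=17), None))
```

The page's own 5 pm to 6 pm example with a 15-minute grace time becomes `access_ends_at(18:00, ...)` returning 18:15 when the user checked out in time and kept the password; the same call returns 18:00 when the password was never checked out, and the early check-in time when it was returned before 6 pm.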

1.2.4 Auto Approval

Password Manager Pro allows you to configure auto-approval settings for the password access requests made by the users based on the following criteria:

  1. The time at which the password access request was made
  2. Ticket ID validation

The auto-approval option is helpful in scenarios where the approval administrators are unavailable to approve password access requests or when the number of requests is high. The administrator configuring the password access control workflow can specify the criteria based on their requirements. All the requests whose start time matches the auto-approval criteria will be automatically approved by the system, and the users configured as authorized administrators will be notified via email. For example, you can set the time for auto-approval as Every day between 09:00 AM and 06:00 PM. You will find the following options under the auto-approval section.

  • Approve password access requests automatically as configured - Enable this checkbox to allow the system to approve the password access requests automatically based on specific criteria. Select one of the following criteria for auto-approval. If this checkbox is not enabled, password access requests made by the users will not be approved automatically.
    1. All times during the day - Select this option to automatically approve the password access requests made by the users during the day.
    2. Criteria - Select a time frame when the password access requests should be approved automatically using the given options. You can set up to three approval time frames for a single day.
    3. Approve requests by validating the ticket ID of the service requests - If you have a ticketing system integration in your environment, you can select this option to approve the password access requests based on the service request ticket ID. Password Manager Pro will verify the Ticket ID specified by the users before granting password access.
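The following Python model is added here to show how the Excluded Users (section 1.2.2), minimum approvers (section 1.2.3) and Auto Approval (section 1.2.4) settings combine when a request arrives; it is not Password Manager Pro's own code. An excluded user bypasses the workflow, exactly one auto-approval criterion (all times, up to three time frames, or ticket ID validation against the set of active tickets) can approve the request and notify the authorized administrators, and anything else waits for the enforced minimum number of approvals from designated approvers only. Class, function and field names, the sample user names and the ticket IDs are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from typing import FrozenSet, Optional, Set, Tuple

# Constructed model of how a password access request is routed under the
# Excluded Users (1.2.2), minimum approvers (1.2.3) and Auto Approval (1.2.4)
# settings on this page. Hypothetical names; not Password Manager Pro code.


class Criterion(Enum):
    ALL_TIMES = "all times during the day"
    TIME_FRAMES = "configured time frames"
    TICKET_ID = "ticket ID validation"


@dataclass(frozen=True)
class AutoApproval:
    enabled: bool                                    # "Approve password access requests automatically"
    criterion: Criterion = Criterion.ALL_TIMES       # exactly one criterion is selected
    time_frames: Tuple[Tuple[time, time], ...] = ()  # at most three per day

    def __post_init__(self) -> None:
        if len(self.time_frames) > 3:
            raise ValueError("at most three approval time frames per day")


@dataclass(frozen=True)
class Workflow:
    approvers: FrozenSet[str]       # Authorized Administrators
    excluded_users: FrozenSet[str]  # Excluded Users
    min_approvers: int              # "Enforce approval by at least [X] Administrators"
    auto: AutoApproval


@dataclass(frozen=True)
class Decision:
    outcome: str                  # "direct", "auto-approved" or "pending"
    reason: str
    notify: Tuple[str, ...] = ()  # administrators e-mailed about the outcome


def _pending(wf: Workflow, why: str) -> Decision:
    admins = tuple(sorted(wf.approvers))
    return Decision("pending", f"{why}; awaiting approval by at least "
                               f"{wf.min_approvers} of {len(admins)} administrators", admins)


def route_request(wf: Workflow, requester: str, start: datetime,
                  ticket_id: Optional[str] = None,
                  active_tickets: FrozenSet[str] = frozenset()) -> Decision:
    """Decide whether a request bypasses the workflow, is auto-approved, or waits."""
    if requester in wf.excluded_users:
        # Excluded users retrieve passwords shared with them directly.
        return Decision("direct", "requester is an Excluded User")
    if not wf.auto.enabled:
        return _pending(wf, "auto-approval is disabled")
    admins = tuple(sorted(wf.approvers))
    if wf.auto.criterion is Criterion.ALL_TIMES:
        return Decision("auto-approved", "all times during the day", admins)
    if wf.auto.criterion is Criterion.TIME_FRAMES:
        # Only the stipulated start time is compared against the frames.
        t = start.time()
        for frame_start, frame_end in wf.auto.time_frames:
            if frame_start <= t <= frame_end:
                return Decision("auto-approved",
                                f"start time within {frame_start}-{frame_end}", admins)
        return _pending(wf, "start time outside the auto-approval time frames")
    # Criterion.TICKET_ID: the supplied ticket must exist among the active tickets.
    if ticket_id is not None and ticket_id in active_tickets:
        return Decision("auto-approved", f"ticket {ticket_id} is active", admins)
    return _pending(wf, "no active ticket matched the request")


def approvals_sufficient(wf: Workflow, approved_by: Set[str]) -> bool:
    """A pending request needs min_approvers distinct Authorized Administrators.

    Approvals from accounts that are not designated approvers are ignored.
    """
    return len(approved_by & wf.approvers) >= wf.min_approvers


if __name__ == "__main__":
    # Constructed sample workflow: office-hours auto-approval, two approvers otherwise.
    wf = Workflow(frozenset({"alice", "bob", "carol"}), frozenset({"svc-backup"}), 2,
                  AutoApproval(True, Criterion.TIME_FRAMES, ((time(9, 0), time(18, 0)),)))
    print(route_request(wf, "dave", datetime(2024, 1, 1, 10, 0)))
    print(route_request(wf, "dave", datetime(2024, 1, 1, 20, 0)))
```

A request outside the configured frames, or carrying a ticket ID that is not active, is not rejected; it simply falls back to the normal approval path, which is the behaviour the page describes for requests that do not match the auto-approval criteria.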

After configuring the required details, such as approval administrators, excluded users, access policies, and approval settings, click the Save & Activate button to activate the access control workflow for the selected resource.

Note: Administrators can also configure access control workflow for specific accounts within a resource without affecting the access control configuration applied at the resource level for other accounts within the resource.

1.3 Configuring Access Control Workflow at Account Level

Follow these steps to configure access control at the account level:

  1. To configure access control for an account - Navigate to the Resources tab, switch to the Passwords window, click the Account Actions icon beside the desired account, and select Configure Access Control from the displayed options.
  2. To configure access control for various accounts from different resources in bulk - Tick the checkbox beside the desired accounts on the Passwords window, click the Account Actions button on the top pane, and select Configure >> Access Control.
  3. To configure access control for an account within a resource - Navigate to the Resources tab and click on the resource that contains the desired account. Click the Account Actions icon beside the desired account on the Account Details window and select Configure Access Control from the displayed options.
  4. To configure access control for multiple accounts in bulk within a single resource - On the Account Details window, tick the checkbox beside the desired accounts, click the More Actions button on the top pane, and select Configure Access Control.
  5. In the Configure Access Control window that appears, you will see the following configuration settings, where you can customize various options related to the password access policies based on your requirements.
    1. Approval Administrators
    2. Excluded Users
    3. Miscellaneous Settings
    4. Auto Approval

Follow the steps detailed in section 1.2 to configure access control for the desired accounts.

2. Viewing Access Control Details

After the Access Control Workflow is configured for an account or a resource, you can view all the applied settings in a single place, the Access Control Details window, for quick and easy reference. This allows administrators to review and verify the configured access control policies without navigating through multiple sections. The window provides a comprehensive summary of the configured access control details, including associated conditions, approval workflows, excluded users, and approval administrators, along with the resource details and the level at which the workflow is configured. This summary helps administrators efficiently manage the access permissions for the selected resource.

Follow these steps to access the Access Control Details window to view the configured access control workflow details:

  1. Navigate to the Resources tab, switch to the Passwords window, and click the Account Actions icon beside the desired account whose configured access control details you wish to review. In the drop-down menu, select Access Control Details from the displayed options.
  2. Alternatively, switch to the Resources window and click on the resource whose configured access control details you wish to review. On the Account Details window, click the Account Actions icon beside the desired account and select Access Control Details from the displayed options.

Administrators can view the following details on the Access Control Details window:

  1. Account details, including the account name, resource owner, and the level at which the access control workflow is configured.
  2. List of users designated as approval administrators
  3. List of users excluded from the configured access control workflow
  4. Criteria set for auto-approval
  5. Any miscellaneous settings, including the number of administrators required for approval, whether users are required to provide a reason for password access, reminder emails informing administrators about requests awaiting approval, the configured password access duration for exclusive use, and the configured grace time.

Notes:

  1. The Access Control Details window can be accessed only from the Account Actions menu.
  2. Once a request is approved, users can use the requested domain account password only to access the resources approved by the approval administrators.

3. Password Access Requests

The Password Access Requests window in Password Manager Pro allows administrators to view, manage, and audit all password access requests in a single location. This window offers enhanced visibility into ongoing and past requests, helping administrators enforce secure access management and streamline compliance tracking. By consolidating all password access requests into one interface, the Password Access Requests window helps administrators efficiently monitor, approve, reject, or modify access requests. This structured approach prevents unauthorized access, reduces security risks, and simplifies access management workflows. Follow these steps to access the Password Access Requests window:

  1. Go to Admin >> Access Review >> Password Access Requests.
  2. The Password Access Requests window is divided into two sections:
    • In Progress - Displays all password access requests awaiting approval along with the relevant details such as the resource and account names for which the access request was made, the user who made the password access request, the reason for the request, and the requested time. Through this window, administrators can review pending requests that require approval and seamlessly manage access approvals and rejections.
    • History - Lists all past access requests with their associated details for auditing and compliance tracking, including all the relevant details displayed on the In-Progress tab along with the request status.

3.1 Managing Password Access Requests

Once the users submit the password access requests, the administrators designated as authorized approvers can manage these requests from the Password Access Requests window. This section explains how to review pending password access requests, manage them, modify the access duration if needed, and forcefully return the passwords to the vault after approval. Follow these steps to manage the password access requests that are awaiting approval:

  1. Access the Password Access Requests window and switch to the In-Progress tab to view the list of all the password access requests that are currently awaiting approval, along with the relevant details such as the resource name, account name, requested user, reason for requesting access, duration, and requested time.
  2. Click the Process Request button under the Actions column beside the desired request to manage the password access request.
  3. In the Password Access Request Review pop-up window, you will find the relevant details about the password access request.
  4. Review the request details, enter the comments in the given field, and perform one of the following actions:
    1. Click the Approve button to approve the password access request as requested by the user without modifying the access duration.
    2. Click the Reject button to deny the password access request.
    3. Click the Modify button to update the access duration. In the Modify Password Access Request window that appears, use the calendar option to change the start and end times for the password access. Under Booked Slots, you can view the time slots for which the password is currently booked.
  5. When the password access request is approved, the status will be displayed as Yet To Use until the user checks out the password from the vault. Once the user checks out the password, the status will be changed to In Use.
  6. Click the Check-In button to revoke the user's access to the password. You can forcefully return the password when the password is in the Yet To Use and In Use stages. As soon as the password is checked in, the request-release workflow is complete, and the entry will be moved to the History tab.
  7. If you reject a password access request, the entry will be moved to the History tab immediately, and the approval status will be marked as Rejected.

Managing requests effectively ensures secure and controlled access to privileged account passwords in your environment.

Note: When a user submits a password access request, authorized administrators should approve it before the requested access duration expires. The request automatically becomes void once the end time specified in the request has passed.

3.2 Viewing Past Requests

The History tab in the Password Access Requests window provides a comprehensive view of all completed password access requests with the relevant details such as the resource name, account name, requested user, status, etc. It features an Access Request Summary option that offers a timeline view of a password access request, detailing each stage from request creation to password check-in. To view the password request summary, click the Summary icon under the Details column beside the desired request on the History tab. On the Access Request Summary window, you will see all the relevant details about that specific password access request with a timeline view.

4. Deactivating Access Control

Password Manager Pro allows administrators to disable Access Control for any resource or account at any time, allowing users with the necessary permissions to directly access the passwords without requiring approval. The following section details the necessary steps to deactivate access control at both the resource and account levels based on your requirements.

4.1 Deactivating Access Control for Resources

Follow these steps to deactivate the access control workflow configured for a single resource:

  1. Navigate to the Resources tab, click the Resource Actions icon beside the desired resource, and select Configure Access Control from the displayed options.
  2. In the Configure Access Control window, click the Deactivate button at the bottom to deactivate the access control workflow configured for the selected resource.

Follow these steps to deactivate the access control workflow configured for multiple resources in bulk:

  1. Navigate to the Resources tab, select the desired resources for which you wish to deactivate the access control workflow, and click the Resource Actions button on the top pane.
  2. From the displayed options, select Configure >> Access Control.
  3. In the Configure Access Control window, click the Deactivate button at the bottom to successfully deactivate the access control workflow configured for the selected resources.

4.2 Deactivating Access Control for Accounts

Follow these steps to deactivate the access control workflow configured for a single account:

  1. Navigate to the Resources tab, switch to the Passwords window, click the Account Actions icon beside the desired account, and select Configure Access Control from the displayed options.
  2. In the Configure Access Control window, click the Deactivate button at the bottom to deactivate the access control workflow configured for the selected account.

Follow these steps to deactivate the access control workflow configured for multiple accounts in bulk:

  1. Navigate to the Resources tab, switch to the Passwords window, select the desired accounts for which you wish to deactivate the access control workflow, and click the Account Actions button on the top pane.
  2. From the displayed options, select Configure >> Access Control.
  3. In the Configure Access Control window, click the Deactivate button at the bottom to deactivate the access control workflow configured for the selected accounts.
