Access Control Workflow

Note: The procedure outlined in this document applies only to Password Manager Pro builds 13200 and above. For access control configuration in builds before 13200, please refer to this help document.

In any IT environment, access control is a fundamental security principle that defines who can access privileged resources, under what conditions, and to what extent, ensuring only authorized users can access, modify, or manage critical resources while restricting unconditional access. The absence of a well-defined password access control workflow creates significant vulnerabilities, including unlimited access to privileged accounts, leading to system compromises and financial loss.

Password Manager Pro's Advanced Access Control Workflow Mechanism mitigates these risks with a time-based approval mechanism that grants users access to privileged accounts for a specific period. This mechanism ensures that only authorized users can access privileged credentials through a structured workflow, reducing the risks of unauthorized access, insider threats, and credential misuse. Administrators can define the approval workflow, how long the users can have access to the privileged resources, and reset the passwords after exclusive use. This structured approach safeguards access to privileged resources and minimizes security vulnerabilities, ensuring access is granted only when necessary and under defined conditions.

This document covers the following topics in detail:

  1. Terminologies - Access Control Workflow
  2. Understanding the Access Control Mechanism in Password Manager Pro
  3. How Precedence Works in Access Control Workflow?
  4. Limitations in Access Control Workflow

1. Terminologies - Access Control Workflow

The table below outlines the various terminologies used to represent the different stages in the password access control workflow, along with a brief description of each stage, helping the users accurately interpret the status of password access requests. These stages reflect the status and progression of password access requests as they move through the approval, usage, and completion phases.

| User | Keywords/Actions | Description |
| --- | --- | --- |
| Administrator | Approve | To approve the user's request to access the password |
| Administrator | Reject | To deny the user's request to access the password |
| Administrator | Yet To Use | Indicates that the user has received approval from the authorized administrators but has not yet checked out the password from the vault |
| Administrator | In Use | Indicates that the user has checked out the password and is currently using it |
| Administrator | Modify | To update the password access request raised by the user |
| Administrator | Check In | To revoke the user's access to the password |
| End-User | Request | To request exclusive access to the password |
| End-User | Waiting for Approval | The request to access the password is awaiting approval from the administrators |
| End-User | Check Out | To check out the password from the vault |
| End-User | Check In | To check the password back into the vault |
| End-User | Cancel | To cancel the raised password access request |

2. Understanding the Access Control Mechanism in Password Manager Pro

By default, users with the Privileged Administrator and Administrator user roles can configure and manage the access control workflow by defining the scope and limitations of password access. Apart from these predefined roles, you can also create a Custom Role with the following privileges enabled to configure or manage access control workflow in Password Manager Pro:

  1. Configure - Configure the access control workflow.
  2. Approve Password Access Requests - Approve, reject, or modify the password access requests raised by the users.

Once the access control workflow is configured for the privileged resource/account, the end users requiring access to the privileged password should follow the access control workflow to gain exclusive access. The access control workflow in Password Manager Pro ensures that access to privileged passwords is controlled and granted only through an approval-based process as follows:

  1. When a user requires access to a privileged resource shared with them, they should submit a request with a required time slot to access the password through the Password Manager Pro interface.
  2. The request is then forwarded to the administrators who are designated as authorized approval administrators for the selected resource/account during the access control configuration.
  3. The authorized administrator reviews the user's request to access the password and can approve, reject, or update the user's request to access the password.
  4. Access is granted only if the full number of designated administrators approves the request. Even if one of the designated approval administrators rejects the request, the user is denied access to the password, and the request becomes void.
  5. Once approved, the user can check out the password within the specified access duration.
  6. After use, the user can manually check in the password. If the approved access duration expires, the system automatically revokes the user's access to the password and terminates the user from the remote session.
  7. Administrators can also manually revoke the user's access to the passwords at any time by forcibly checking in the password.
  8. After each exclusive use, the system resets the password based on the configured password policy to maintain security.
  9. If a user needs access to the password again, they must follow the access control workflow to submit a new access request.

This workflow ensures secure, time-bound access while preventing unauthorized use of privileged passwords.
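The request lifecycle described in the steps above can be modelled as a small state machine. This is an added example, not Password Manager Pro code: the class, its field names, and the Rejected, Cancelled and Checked In labels are assumptions, as is the rule that a request can be cancelled only before check-out.

```python
from dataclasses import dataclass, field
from datetime import datetime

# The first three state names come from the terminology table; the last
# three are labels assumed for this sketch.
WAITING, YET_TO_USE, IN_USE = "Waiting for Approval", "Yet To Use", "In Use"
REJECTED, CANCELLED, CHECKED_IN = "Rejected", "Cancelled", "Checked In"

@dataclass
class AccessRequest:
    user: str
    start: datetime                  # requested time slot
    end: datetime
    approvers: frozenset             # designated approval administrators
    required: int                    # approvals needed before check-out
    state: str = WAITING
    approved_by: set = field(default_factory=set)
    reset_due: bool = False          # password reset owed after exclusive use

    def decide(self, admin, approve):
        if self.state != WAITING or admin not in self.approvers:
            raise PermissionError(f"{admin} cannot decide this request")
        if not approve:
            self.state = REJECTED    # a single rejection voids the request
            return
        self.approved_by.add(admin)  # a set, so a repeat approval counts once
        if len(self.approved_by) >= self.required:
            self.state = YET_TO_USE

    def cancel(self):                # assumed: only before check-out
        if self.state not in (WAITING, YET_TO_USE):
            raise PermissionError("request can no longer be cancelled")
        self.state = CANCELLED

    def check_out(self, now):
        self.expire(now)
        if self.state != YET_TO_USE or now < self.start:
            raise PermissionError("no approved request covers this time")
        self.state = IN_USE

    def check_in(self):              # user check-in or admin forced check-in
        if self.state not in (YET_TO_USE, IN_USE):
            raise PermissionError("nothing to check in")
        self.reset_due = self.state == IN_USE
        self.state = CHECKED_IN

    def expire(self, now):           # automatic revocation at end of slot
        if self.state in (YET_TO_USE, IN_USE) and now >= self.end:
            self.check_in()
```

Every terminal state forces a fresh `AccessRequest`, which mirrors step 9: there is no path from Checked In, Rejected or Cancelled back to In Use.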

Note: The access control workflow does not override the password ownership and sharing mechanism of Password Manager Pro. It is an enhanced mechanism that improves security. Users can directly view shared passwords and initiate remote sessions from the Password Manager Pro interface when access control is not configured. With the password access control mechanism, the user should follow the request-release workflow to access the password, even if it is shared with them.

3. How Precedence Works in Access Control Workflow?

In Password Manager Pro, the access control workflow can be configured at both the account and resource levels, offering the flexibility to configure different access control mechanisms for user accounts within the same resource. Let us understand how precedence works when the access control workflow is configured at the account and resource level.

  • When access control is enforced at the account and resource levels, the account-level configuration takes precedence over the resource-level configuration.
  • When access control is enforced at the resource level, the configuration is applied to all the accounts within the resource. However, when access control is configured for an account within the same resource, the account-level configuration overrides the configuration applied at the resource level for that account.
  • Disabling access control configured at the resource level does not affect the access control configuration enforced at the account level for accounts within the same resource.
  • When the access control workflow configured at the account level is deactivated, the access control configuration enforced at the resource level will be applied to that account.
  • Configuring access control at the account level is beneficial when specific accounts within a resource require a higher level of security.

Consider PMP-Win10, a privileged resource within an organization with multiple accounts. When access control is enforced at the resource level, all the accounts within PMP-Win10 will inherit the same access control policies by default. However, if specific accounts require stricter security measures, access control can be enforced at the account level.

For instance, if the Administrator account within PMP-Win10 requires a higher level of security, such as approval from at least four administrators before granting access, the access control configuration can be enforced at the account level. This configuration will override the access control enforced at the resource level only for the Administrator account. However, all other accounts within PMP-Win10 will continue to follow the access control policies configured at the resource level.
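The precedence rules above, applied to the PMP-Win10 case, as an added example that is not Password Manager Pro code. The `AccessControl` type, both function names, the resource-level approval count and the `svc_backup` account are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class AccessControl:
    approvals_required: int
    enabled: bool = True

def effective_policy(resource_cfg, account_cfgs, account):
    """Return the AccessControl that governs `account`, or None."""
    acct = account_cfgs.get(account)
    if acct is not None and acct.enabled:
        return acct                      # account level takes precedence
    if resource_cfg is not None and resource_cfg.enabled:
        return resource_cfg              # otherwise inherit from the resource
    return None                          # no workflow applies to this account

def coverage(resource_cfg, account_cfgs, accounts):
    """Map each account to (governing level, approvals required)."""
    report = {}
    for name in accounts:
        policy = effective_policy(resource_cfg, account_cfgs, name)
        if policy is None:
            report[name] = ("none", 0)
        elif policy is account_cfgs.get(name):
            report[name] = ("account", policy.approvals_required)
        else:
            report[name] = ("resource", policy.approvals_required)
    return report

# Constructed sample: PMP-Win10 and the four-approver Administrator account
# are the page's example; the resource-level count and "svc_backup" are made up.
PMP_WIN10 = AccessControl(approvals_required=1)
ACCOUNT_LEVEL = {"Administrator": AccessControl(approvals_required=4)}
ACCOUNTS = ["Administrator", "svc_backup"]
```

Running `coverage` with the resource-level entry disabled shows which accounts would be left without any workflow, which is worth checking before turning a resource-level configuration off.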

4. Limitations

The password access control workflow in Password Manager Pro currently presents a compatibility issue when operating on High Availability (HA) secondary servers. If the primary server goes offline, users cannot utilize the password access control workflow to request password access. To solve this issue, administrators can use a temporary workaround to enable access control workflow on the secondary server. However, this requires careful tracking of approved requests during the downtime. Follow the steps detailed below to implement the workaround solution:

  1. Go to the Password Manager Pro installation directory on the secondary server and locate the 'conf' folder.
  2. Open the system_properties.conf file using a text editor.
  3. Append the following system property PwdAcsSecSrvr.AcsCtrl=true at the end of the file and save the changes.
  4. Restart the Password Manager Pro application on the secondary server for the changes to take effect.
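Steps 2 and 3 can be scripted so that repeated runs do not leave duplicate or conflicting entries. This is an added example, not a ManageEngine tool: the function name is hypothetical, and it assumes system_properties.conf is a UTF-8 file of key=value lines. It handles a file with no trailing newline and a stale `=false` entry, and keeps a `.bak` copy; the restart in step 4 is still required.

```python
import shutil
from pathlib import Path

PROP = "PwdAcsSecSrvr.AcsCtrl"   # property name from step 3

def enable_secondary_access_control(conf_file):
    """Make PROP=true the only, final setting of PROP in conf_file.

    Returns True if the file was changed, False if it was already correct.
    """
    path = Path(conf_file)
    lines = path.read_text(encoding="utf-8").splitlines()
    # Drop any earlier setting of the property (for example a stale "=false");
    # commented-out lines do not match and are left alone.
    kept = [ln for ln in lines if ln.split("=", 1)[0].strip() != PROP]
    wanted = kept + [f"{PROP}=true"]
    if lines == wanted:
        return False                          # already in the desired state
    # Keep a copy of the original next to the file before rewriting it.
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    # Joining on newlines avoids gluing the property onto a last line that
    # had no trailing newline, which a plain append would do.
    path.write_text("\n".join(wanted) + "\n", encoding="utf-8")
    return True
```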

Once the primary server is restored, the automated password check-in process will not function efficiently for the passwords checked out from the secondary server during the downtime. To maintain security and compliance, administrators must manually review and check in any passwords checked out during downtime, ensuring all access requests are accounted for and preventing any unauthorized access. By following this workaround, administrators can maintain access control functionality on the secondary server when the primary server is down.
