Access Control Workflow
(Feature available only in Premium and Enterprise Editions)
After successful authentication into Password Manager Pro, users get access to the passwords that are owned by them or shared to them. While storing very sensitive passwords, quite often administrators wish to have an extra level of security. In some other cases, administrators wish to give temporary access to passwords for certain users for a specified period of time.
There are also requirements to give users exclusive privilege to passwords. That means, only one user should be allowed to use a particular password at any point of time. When more than one user is required to work on the same resource, problems of coordination arise. Access control on concurrent usage would help resolve such issues.
To achieve all the above requirements, PMP provides the Password Access Control Workflow. This document explains how to implement the access control workflow in PMP.
How does Password Access Workflow work?
Once password access control is enforced, the password access attempt by the users will follow the work flow as detailed below:
- User needs access to a password that is shared to him/her
- Makes a request for accessing the password
- Request goes to administrator(s) for approval. If more users require access to the same password, all the requests will be queued up for approval
- If the administrator(s) does not approve the request within the stipulated time, it becomes void
- If the administrator rejects the request, it becomes void
- If the administrator(s) approves the request, user will be allowed to check out the password. In case, two administrators have to approve a password, user will be allowed to check only after the approval by both the administrators
- Once the user checks out a password, it will be available exclusively for his/her use till the stipulated time
- If any other user requires access to the same password at the same time, he will be provided access only after the previous user checks in the password. This rule applies to all, including administrators, password administrators and owner of the password
- Administrator can force out password access anytime. In such cases, the password will be forcefully checked-in denying access to the user
- Once the user finishes his work, the password will be reset
- While giving the exclusive access to a user temporarily, PMP provides the flexibility to enable administrators view the password concurrently. Through a simple administrative setting from "General Settings", users will be able to do that, if required.
Important Note: The access control workflow does not override the password ownership and sharing mechanism of PMP. That means, it is only an enhanced access control mechanism. Normally, when a password is shared to a user, the user will be able to directly view the password. When the access control is enabled, the user will have to request the release of the password that he is already allowed access.
The following diagram illustrates the typical access control workflow:
How to Implement Access Control Workflow?
To implement access control, administrators need to carry out the following administrative settings:
- Go to "Resources" tab
- Select the resources for which you wish to enforce access control
- Click the link "Configure Access Control" from "More Options" listing
In the UI that opens up,
- Designate the administrator(s) who could approve password release requests. The list of all administrators and password administrators in the system are listed in the LHS. You can designate as many administrators as you wish. Anyone from the list of 'authorizers' could approve the requests. Optionally, you can enforce dual approval by designating two administrators. In that case, select the check box "Require at least two administrators to approve password access" present at the end of the page and select two administrators.
- List down the users to be excluded from the request process. When you exclude a user from approval, he/she would be able to retrieve the password without administrator approval. That means, the user need not have to go through the 'Request-Release' process
- If you have chosen dual approval in Step 1, select the checkbox "Require at least two administrators to approve password access"
- Specify the maximum time period in hours after which a password request would go void, if administrator(s) does not approve
- Concurrency Controls: You can also enforce concurrency controls for password access. That is, the password could be made available for the exclusive use of a particular user for a specified time period during which no one else, including the owner of the resource would be allowed to view the password. You can specify the time period in hours up to which the released password would remain valid and be available exclusively for the user. For Example, if you specify the time period as two hours, the password would be made available exclusively for that user for two hours. Others cannot view the password during that period. After the specified time period, the password would become void and will not be available to the user. Other users will now be able to view the passwords.
- You can also enforce automatic reset of password once the user gives up password access. To do this, select the option "Reset password after check-in"
- Approve access requests automatically: Password Manager Pro provides the option for automatic approval of password access requests. That means users need not have to wait for approval by authorized administrators while going through the access control workflow. The requests will be automatically approved and notifications will be sent to the authorized administrators. When the password is released after automatic approval, it will be reserved for exclusive use of the requester for the specified time period.
- Click "Save & Activate"
Note: By default, the password will remain exclusive for 8 hours. You can modify it to the desired value. If you specify the value as '0' hours, the password will remain exclusive for unlimited hours.
Important Note: For automatic password reset to take effect, you need to ensure that all required credentials have been supplied to the resource for remote password reset OR you should have installed PMP agents in the resource. Otherwise, the automatic password reset will not take effect.
You have the option to automatically approve the requests raised during a specific time period in the day - for example, all the requests raised between 2 p.m to 3 p.m. Alternatively, you can even set automatic approval to take place anytime of the day.
This automatic approval feature has been provided to serve the users when administrator is not available to approve. Except the automatic nature of approval, all other aspects of this feature remains the same as access control workflow.
With the above steps, access control workflow would be enabled for the required resources.
Following are some of the use case scenarios of the access control workflow:
Case 1: User Requiring Access to a Password
A user who requires access to a password, which is safeguarded by the access control mechanism will have to make a request to the administrator to grant permission to view the password.
To make a request
- Go to the "Home" tab
- In the drop-down "Show Passwords of" you select the option "All" to view all the passwords; select "Resource Group" to view the passwords that are owned by you; select "Shared Groups" to view the passwords that are shared to you
- Once you select your option, all the passwords falling under your selection will be listed in the table below
- Each entry in the table is a link and when you click that, you can view the corresponding resource details
- Click the link "Request" and in the UI that opens, enter your request as a comment to retrieve the password and the request will be sent to the administrator for approval.
- Once the administrator approves your request, you will be allowed to view the password. Till then, you will see the status as "Waiting for approval"
- Once the administrator approves, users will see the status as "Check Out". To view the password, click the link "Check Out" and in the UI that opens up, enter a reason to view the password and click "Save".
- Now, you will be allowed to view the password
Case 2: Administrator approving a password request
When a user has requested your approval to view a password, you will receive email notification about the request. You can view all the requests pending your approval from the 'Admin' tab.
To approve a request,
- Go to "Admin" >> "Password Access Requests"
- Click the link "Approve" against a request to allow the user to view the password. Once you do this, user will be allowed to view the password. (You can also "Reject" the request, in which case, the request will be removed from the queue).
- Immediately after you approve the request, the status of the link will change to "Yet Use" indicating that use is yet to check out the password. Once the user has viewed the password, the status will change to "In use"
Case 3: User completes his password usage
The crux of the access control mechanism is that user will be allowed only temporary access to passwords. So, once the user finishes his work, he can give up the password.
To give up access to the password,
- Click the link "Check In" present near the password. Once you do this, the password will be checked in and the status will change as "Request" again.
- You will no longer be able to view the password. In case, you require access again, you will have to go through the "Request-Release" process again.
Case 4: Administrator forcefully checking in the password
The essence of the access control mechanism is to provide exclusive access privilege to a user for a specified time period. During this period, no one will be allowed to view the password, including the owner. In case, an emergency need arises to revoke the exclusive permission to the user, administrator can forcefully check in the password at any point of time.
To forcefully checkin a password,
- Go to "Admin" >> "Password Access Requests"
- Click the link "Check in" against the specific request to revoke permission to the user. Once you do this, user will not be allowed to view the password. Also, the request will vanish from the list
Case 5: Allowing administrators to have concurrent view of a password when access control is enabled
As mentioned in Case 4 above, when a user is viewing the password, no one else would be allowed concurrent view by default. While giving the exclusive access to a user temporarily, PMP provides the flexibility to enable administrators view the password concurrently. Through a simple administrative setting from "General Settings", users will be able to do that, if required.
To enable this,
- Go to "Admin" >> "General Settings"
- In the UI that opens up, select the check box "When access control is enabled and a password has been released to a 'password user', allow admins to view the password" and click "Save"
- Once you do this, the user who makes a request for a password, will not have the exclusive privilege. All PMP administrators will be able to view the password concurrently.
Case 6: What happens if automatic password reset (if enabled) during password check in fails?
Once a password is checked out by a user, it will be checked in due to any of the following three reasons:
- User checks-in on his own after using the password
- System automatically revokes access after the stipulated time and checks in
- Administrator forcefully checks-in
When password is checked in, if the admin settings require automatic password reset, PMP will try to reset the password. In case, PMP is not able to reset the password in the actual resource, PMP will immediately trigger email notifications to the administrators who approved the password access request of the user. They can troubleshoot and set things right. The password reset failure will also reflect in the audit trails.
Case 7: When a user has checked out a password, what happens if an already configured password reset scheduled task runs?
PMP provides option for creating scheduled tasks for automatically resetting the passwords periodically. It is quite possible that a scheduled task start executing the reset of a password that is being used by a user. If that reset task is allowed to get executed successfully, the user will be working with an outdated password. To avoid such issues, PMP will not allow reset of that password alone. (All other passwords of other resources that are part of the scheduled task will be reset). The failure of scheduled reset of the particular password will reflect in the audit trails.
Case 8: Disabling Access Control
If you want to disable access control for any of the resources, you (administrator) may do so at anytime as explained below:
- Go to "Resources" tab
- Select the resources for which you wish to disable access control
- Click the link "Configure Access Control" from "More Options" listing
- Select the option "Deactivate"
Case 9: Transferring approver privileges to other administrators
When an administrator leaves the organization or moves to a different department, resources owned by that administrator are transferred to some other administrator. If the departing administrator had acted as the approver for password release requests, the approval privileges should also be transferred. Otherwise, users requesting access to passwords will have no one to approve. Password Manager Pro provides an option to handle this scenario by allowing transfer of approver privileges from one administrator to another. All the resources that were earlier controlled by one admin can be easily transferred in bulk to another admin.
To transfer approver privileges,
- Go to "Admin" Tab. Select 'Users'.
- Search/select the user whose approver privileges you would like to transfer to another admin.
- Click the 'Transfer Approver Privileges' icon present against the particular user.
- In the pop up that opens, all the resources for which the selected admin to authorized to approve password access requests will be displayed. Choose the desired resources
- Then, select the admin to whom you would like to transfer the approver privileges to.
- Hit "Transfer". The approver privileges will be transferred and the authorized administrator will be subsequently changed.
Access Control for the selected resource will be deactivated. That means, any user who has permission to view the password (owned/shared) will be able to view the password without going through the Access Control process for that particular resource.
Summary of Terminologies
|Term||What it Signifies|
The user has to make a request to view the password
Waiting for Approval
The password release request made by the user is pending administrator's approval
Administrator has approved the request and the user could view the password
The administrator can either approve or reject a password request
Yet to Use
Indicates that the user is yet to view the password released by the administrator
Password is being used exclusively by a user
Giving up/revoking password access