CyberArk PAM Administration - Privileged Access Workflows PDF
CyberArk University
Summary: This CyberArk document details privileged access workflows, including configuring different access levels, reasons for access, and more. It describes important concepts for privileged access.
Full Transcript
PAM Administration: Privileged Access Workflows
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
By the end of this session, you will be able to describe and configure the following Privileged Access Workflows:
1. Allow transparent connections
2. Require users to specify reason for access
3. Dual Control
4. Exclusive Passwords
5. One-time Passwords

Accessing and Using Accounts
Users who have the List and Retrieve Accounts permissions are able to click on Show and Copy.
Users who have the List and Use Accounts permissions are able to click on Connect.
CyberArk PAM provides advanced workflows on top of these permissions to determine how users can access accounts and for how long.

Allow Transparent Connections

Allow EPV Transparent Connections
Provides corporate-level control over users' ability to view passwords or launch privileged sessions.

Allow Transparent Connections: Advanced Settings
By clicking the Edit settings button, we can see that end users are able to connect transparently using privileged accounts and are allowed by default to view passwords.

Reason for Access

Require Users to Specify Reason for Access
Forces users to provide a reason why they are using a particular account.

Platform Settings: Privileged Account Request
The list of options for the drop-down is defined at the Platform level, so we can have a different set of reasons on a platform-by-platform basis. In the Privileged Account Request section for a given Platform, we can add the Predefined Reasons to create a list of choices for our users when accessing a password in the PVWA.
Dual Control

Dual Control – Master Policy
Dual Control requires end users to get authorization before accessing privileged accounts. Depending on the configuration, authorization must be given by one or more managers or peers.

Dual Control – Safe Membership
Dual Control is controlled through Safe membership.
Requesters are the people who want to use the privileged accounts. They need the List permission plus Use and/or Retrieve.
Approvers accept or reject requests to privileged accounts, but generally do not use the accounts. They need the List and Authorize permissions.

Dual Control – Request walkthrough (screenshot slides): Request Connection; Submitting a Request; Email Notification; Incoming Request.

Dual Control – Approval
The requester will receive notification of the approval in the PVWA and via email.

Peer Approval Process (Windows Team)
Here we have a single group of admins set up with both requester and approver permissions. In this scenario, anyone could be a requester or an approver, but since the system prevents a person from approving their own requests, it still requires at least two separate actors: one person from this group will become the requester and one will become the approver.

Bypass Dual Control (Admin Team, Support Team)
We may want to allow certain groups to bypass Dual Control. Here our admin teams have the "Access Safe without confirmation" permission and are therefore allowed to bypass Dual Control. The support team still needs to get approval.
Multi-Group Approval Process (Change: Windows Team, IT Managers, Advisory Board)
If we set up more than one group with approver permissions, at least one person from each group must approve the request before the requester can use the password.

Dual Control: Advanced Settings
In the advanced settings for Dual Control, we can enable a multi-level approval process. With a multi-level process, a request must first be approved by one group before it is forwarded for approval to another group.
Also in advanced settings, we can enable direct manager approval, determined by the Manager attribute on the requester's AD user object.
Selecting "All" in the number of confirmers could lead to requests being unnecessarily delayed if certain users are out of office or otherwise unavailable.

Multi-Level Approval Process (Windows Team, IT Managers, IT Directors)
In this example, a request is sent first to the IT Managers group. Once approved by at least one person from the Managers group, the request is forwarded to the IT Directors group. At least one person from each group must approve before the password may be used.

Exclusive Access

Exclusive Passwords
When applied, only one user will be able to access and use an account at any given time. When a user checks out an account, it is LOCKED and cannot be retrieved by other users until it is checked in.

Exclusive Password – Locked
If another user attempts to access the password, the status will appear with a lock button, indicating that it is locked by the first user.
REMEMBER: By default, the password can only be released by the owner of the lock (Tom in this case) or by an administrator who has the rights to force a password release.
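The Dual Control rules from the slides above (requester and approver permissions, self-approval never counting, bypass via "Access Safe without confirmation", multi-group and multi-level approval) as an added worked model; this is not CyberArk code, the members and group names are constructed, and it assumes that the approval levels follow the order in which approver groups appear in the Safe membership list.

```python
from dataclasses import dataclass

# Safe permission names as used in the deck. The evaluation logic is a constructed
# model for illustration, not CyberArk code.
LIST, USE, RETRIEVE, AUTHORIZE = "List", "Use", "Retrieve", "Authorize"
NO_CONFIRM = "Access Safe without confirmation"

@dataclass(frozen=True)
class Member:
    name: str
    group: str         # Safe member group, e.g. "Windows Team"
    perms: frozenset   # Safe permissions granted to that group

def can_request(m):    # requesters need List and Use and/or Retrieve
    return LIST in m.perms and (USE in m.perms or RETRIEVE in m.perms)

def can_approve(m):    # approvers need List and Authorize
    return LIST in m.perms and AUTHORIZE in m.perms

def request_status(requester, approvals, members, multi_level=False):
    """Evaluate a Dual Control request. approvals: approvers in the order they
    acted; members: the Safe's membership (assumption: approver groups in Safe
    order act as the levels). Returns (state, approver groups still outstanding)."""
    if not can_request(requester):
        raise PermissionError(f"{requester.name} lacks List + Use/Retrieve")
    if NO_CONFIRM in requester.perms:
        return "bypassed", []           # "Access Safe without confirmation"
    groups = []
    for m in members:
        if can_approve(m) and m.group not in groups:
            groups.append(m.group)
    satisfied = set()
    for a in approvals:
        if not can_approve(a) or a.name == requester.name:
            continue                    # not an approver, or self-approval: never counts
        if multi_level:
            pending = [g for g in groups if g not in satisfied]
            if not pending or a.group != pending[0]:
                continue                # request not yet forwarded to this level
        satisfied.add(a.group)          # one approval per group is enough
    outstanding = [g for g in groups if g not in satisfied]
    return ("approved" if not outstanding else "pending"), outstanding

# Constructed Safe membership mirroring the deck's scenarios
WIN = frozenset({LIST, USE, AUTHORIZE})   # one group holding requester and approver rights
ALICE, BOB = Member("alice", "Windows Team", WIN), Member("bob", "Windows Team", WIN)
CAROL = Member("carol", "IT Managers", frozenset({LIST, AUTHORIZE}))
DAVE = Member("dave", "IT Directors", frozenset({LIST, AUTHORIZE}))
EVE = Member("eve", "Admin Team", frozenset({LIST, USE, NO_CONFIRM}))
FRANK = Member("frank", "Support Team", frozenset({LIST, USE}))
```

With the multi-level flag, an IT Directors approval recorded before the IT Managers approval is ignored, because the request had not yet been forwarded to that level.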
Exclusive Password – Manual Check-In
After accessing the account (using Show or Connect), the user will have the "Check-in" option to unlock the account and make it available to other users.

Exclusive Password – Release and Change
After the user checks in the account, the password will be scheduled for an immediate change by the CPM. The CPM will then release and change the account password.

Exclusive Password – Auto Release by PSM
Beginning with CyberArk PAM version 11.7, the PSM can automatically release an account after the user closes the session. This is configured at the Platform level.

One-Time Passwords

One-Time Passwords
Enforce one-time password access (without exclusivity).
One-time passwords are enabled in the Master Policy.
It is possible for multiple users to access the same account simultaneously.
The password will be changed based on MinValidityPeriod, as configured in the Platform.
When a user retrieves an account, the account is flagged for change by the CPM after a specified time.

MinValidityPeriod – Platform Configuration
A MinValidityPeriod of 60 means that the password will be changed 60 minutes after it is accessed. During that time, other users can access the password. The MinValidityPeriod should provide enough time for a user to make use of the password.

Combining Workflows

Exclusive Access With One-time Password
If Exclusive Access and One-Time Password are enabled for the same Platform, the password will be marked for change 60 minutes (by default) after it is used. This keeps the password exclusive, but enables automatic release after 60 minutes.
Dual Control With One-time Passwords and Exclusivity
When using check-in/check-out exclusive access or one-time password access with Dual Control, the password will only be changed after the request time frame has expired. If the Request timeframe is active, this setting overrides the MinValidityPeriod.

Exclusive and One-time Password Summary
Exclusive Passwords: When a user accesses a password, the account is locked and no other user can access the password until it has been released. The password is changed automatically upon manual release. In later versions, the password can be auto-released by the PSM.
One-time Passwords: After a user accesses a password, it is changed automatically based on the minimum validity period. Multiple users can access the password simultaneously. The minimum validity period is reset as each user accesses the password.
Exclusive and One-time Passwords Combined: The account is locked to a single user; no other user can access it. If the user does not release the account manually, the system will release it automatically based on the minimum validity period and change the password.

Summary
In this session we discussed these workflows:
1. Allow transparent connections
2. Require users to specify reason for access
3. Dual Control
4. Exclusive Passwords
5. One-time Passwords
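The Exclusive, One-time and combined password behaviour from the slides above (lock on check-out, manual check-in with immediate change, MinValidityPeriod reset on each access, automatic release when both are combined, the Dual Control request timeframe overriding MinValidityPeriod, and PSM auto release) as an added worked model; it is not CyberArk code, the field and function names are ours, and it assumes that a PSM auto release behaves like a manual check-in.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of the deck's Exclusive / One-time Password rules. It is not
# CyberArk code; the field and function names are ours.
@dataclass
class Account:
    exclusive: bool                         # Master Policy: Exclusive Passwords
    one_time: bool                          # Master Policy: One-time Passwords
    min_validity_minutes: int = 60          # Platform: MinValidityPeriod
    psm_auto_release: bool = False          # Platform, PAM 11.7+: PSM releases on close
    locked_by: Optional[str] = None         # owner of the exclusive lock
    change_due: Optional[datetime] = None   # when the CPM must change the password

def retrieve(acct, user, now, request_window_end=None):
    """Show/Connect. Returns False while another user holds the exclusive lock.
    request_window_end: end of an active Dual Control request timeframe, if any."""
    if acct.exclusive:
        if acct.locked_by not in (None, user):
            return False                    # checked out by someone else: LOCKED
        acct.locked_by = user               # check-out
    if acct.one_time:
        # flagged for change MinValidityPeriod after access, reset on each access
        acct.change_due = now + timedelta(minutes=acct.min_validity_minutes)
        if request_window_end is not None:  # request timeframe overrides MinValidityPeriod
            acct.change_due = request_window_end
    return True

def check_in(acct, user, now, force=False):
    """Manual check-in by the lock owner (or forced by an admin with that right):
    the lock is released and an immediate CPM change is scheduled."""
    if acct.locked_by != user and not force:
        return False
    acct.locked_by, acct.change_due = None, now
    return True

def psm_session_closed(acct, user, now):
    """Automatic release by the PSM when the platform enables it (assumed to act as a check-in)."""
    return acct.psm_auto_release and check_in(acct, user, now)

def cpm_tick(acct, now):
    """One CPM pass: change the password once it is due. Because the lock is cleared
    at the same time, an Exclusive + One-time account is released automatically."""
    if acct.change_due is None or now < acct.change_due:
        return False
    acct.change_due, acct.locked_by = None, None
    return True
```

An exclusive-only account never gets a change_due from retrieve, so it stays locked until the owner (or a forced) check-in, which is the behaviour the summary slide contrasts with the combined workflow.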
Additional Resources
Online Training: Customizing Privileged Account Requests (login required)

Exercises
You may now complete the following Privileged Access Workflows exercises:
Require users to specify reason for access
- Activating the Policy
- Add Predefined Reasons for Access
Require dual control access approval
- Activating the Policy
- Adding an approver to a Safe
- Testing Dual Control
Exclusive Passwords with Automated Release and One-time Use
- Adding a Master Policy exception for Exclusive Passwords
- Adding a Master Policy exception for One-Time Passwords
- Reducing the Minimum Validity Period
- Testing Exclusive Passwords
- Testing Automatic release by PSM