Requesting / Checking Out Privileged Access

Bravura Privilege allows regular users to request temporary privileged access to managed systems, for themselves or other users, using authorization workflow.

Privileged access can mean:

  • Access to a single administrative account

  • Access to keys

  • Access to documents

  • Temporary group membership using group sets

  • The ability to run commands on multiple systems and accounts

Requests can be auto-approved for certain users, or require approval by authorizers. If approval is required, Bravura Privilege notifies one or more authorizers, by email or other means, that they need to review the request. Most requests should be auto-approved; when an authorizer receives too many requests, they tend to approve requests without reading them. This is called approver fatigue.

Checking out account access does not allow a user to reset or change the account’s password.

If approved, a user can check out the requested privileged access. Broadly, the check-out workflow proceeds as follows:

  1. A user logs into the Front-end (PSF) and clicks the Privileged access link.

  2. From the available menu options, the user chooses:

    • Accounts to select one or more administrative accounts.

    • Account sets to select an existing account set.

    • Group sets to select from a list of group sets.

  3. The user selects an account, group set, or account set and begins the request for access.

  4. The user enters required information, including the time needed for the check-out, and submits the request. You can grant permission for users to bypass this step and proceed to Step 6.

  5. Bravura Privilege notifies appropriate authorizers who must log in to approve, modify, or deny the request.

  6. If approved, the user logs in to check out the access privilege. The account access or group membership applies once they have it checked out.

    In the case of account check-outs, access disclosure plugins provide the user with access to the password or automatic connection to the managed system.

    In the case of account set check-outs, the user can access each individual account included in the set and may be able to run commands on multiple systems.

  7. The user checks in when finished with the accounts or group membership. Bravura Privilege forces the check-in after a certain time. The user can check out and check in once during an authorized interval.

    In the case of account check-outs, the password is randomized upon check-in.
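As an added illustration (not Bravura Privilege's own code), the following Python models the check-out lifecycle described above: auto-approval for certain requesters or approval by an authorizer, one check-out per authorized interval, forced check-in when the requested time elapses, and randomization of the account password on check-in. The account names, the 24-character password policy and the rule that a recipient may not approve their own request are assumptions made for the example.

```python
import secrets
import string

def random_password(length=24):
    # Fresh random password; length and alphabet are an assumed policy, not the product's.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

class CheckoutVault:
    def __init__(self, accounts, auto_approved_users, authorizers):
        self.passwords = {a: random_password() for a in accounts}  # held only by the vault
        self.auto_approved_users = set(auto_approved_users)
        self.authorizers = set(authorizers)
        self.requests = {}  # request id -> state

    def submit(self, requester, recipient, account, minutes):
        rid = len(self.requests) + 1
        # Auto-approve trusted requesters; everyone else waits for an authorizer.
        status = "approved" if requester in self.auto_approved_users else "pending"
        self.requests[rid] = dict(recipient=recipient, account=account,
                                  minutes=minutes, status=status, expires=None)
        return rid

    def approve(self, rid, authorizer):
        req = self.requests[rid]
        # Assumed dual-key rule: a recipient cannot approve their own request.
        if authorizer not in self.authorizers or authorizer == req["recipient"]:
            raise PermissionError("not an eligible authorizer")
        if req["status"] == "pending":
            req["status"] = "approved"

    def check_out(self, rid, user, now):
        req = self.requests[rid]
        if user != req["recipient"] or req["status"] != "approved":
            raise PermissionError("not approved for this user")
        req["status"], req["expires"] = "checked_out", now + req["minutes"] * 60
        return self.passwords[req["account"]]  # disclosed only while checked out

    def check_in(self, rid):
        req = self.requests[rid]
        if req["status"] != "checked_out":
            raise ValueError("nothing to check in")
        req["status"] = "checked_in"  # one check-out per authorized interval
        self.passwords[req["account"]] = random_password()  # randomize on check-in

    def enforce_expiry(self, now):
        expired = [rid for rid, r in self.requests.items()  # authorized time elapsed
                   if r["status"] == "checked_out" and now >= r["expires"]]
        for rid in expired:
            self.check_in(rid)
        return expired
```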

Checking access privileges in and out allows Bravura Privilege to control and audit who has access to an account or group set and when, and provides "dual-key" limitations on account access.

Terminology

The following terminology is introduced in these sections:

  • Requester: A requester is a person who submits an access change request. The change may be to alter the requester’s own access to systems, or to alter another user’s access privileges.

  • Recipient: The recipient is the person whose access privileges change once an access change request is approved and fulfilled.

  • Authorizer: A user who can review and act on security change requests.

  • Privileged accounts: A privileged account is a login ID on a system or application which has more privileges than a normal user. Privileged accounts are normally used by system administrators to manage the system, or to run services on that system, or by one application to connect to another. Examples include Administrator on Windows, sa on SQL Server and root on Unix/Linux.

  • Group sets: A predefined set of one or more groups, defined within the scope of a managed system policy, which can be checked out – that is, temporarily attached to an authorized user’s (normally unprivileged, pre-existing) account.

  • Account sets: A set of accounts from one or more managed systems that are used for temporary account access. This allows users to check out multiple accounts in a single operation, run commands or scripts on checked-out accounts, and collect program output or log files from multiple systems.

  • Authentication type: Authentication type refers to the operation to perform once users are granted temporary access to accounts, account sets, or group sets.