How Privileged Access Roles Affect Privileged Account Request Tasks

If a user cannot check out a privileged account and does not need immediate access to the account, the user can submit a privileged account request. The user's manager can approve or reject the privileged account request. This topic explains which privileged access roles a user needs to perform privileged account request tasks.

Important! A user must have an endpoint privileged access role to perform tasks on an endpoint type. Endpoint privileged access roles specify the types of endpoints on which a user can perform tasks using a privileged access account.

For example, if you assign the Windows endpoint privileged access role to a user, the user can perform tasks on Windows endpoints using privileged accounts. If you assign the Break Glass, Privileged Account Request, or PUPM User role to a user, also assign the user an endpoint privileged access role, or the user will not be able to complete any tasks.

The following process describes how privileged access roles affect the privileged account request tasks that a user can perform:

  1. A user with the Privileged Account Request role requests access to a privileged account.
  2. CA Access Control sends the privileged account request to the user's manager, who also has the PUPM Approver role.

    Note: To receive the privileged account request, a user must have the PUPM Approver role and must be the requesting user's manager. Either condition alone is not enough.

  3. The user with the PUPM Approver role responds to the privileged account request by approving or rejecting it. An approval creates a privileged account exception that lets the requesting user check out the account until the time the approver specifies.
  4. The privileged account exception expires, for example because the expiry time the approver specified is reached. The user with the Privileged Account Request role can no longer check out the privileged account.

The following diagram illustrates how privileged access roles affect the privileged account request tasks that a user can perform. (Flowchart: for each step of the process that a privileged account request initiates, the privileged access role that performs the step.)

Example: Make and Respond to a Privileged Account Request

You have the System Manager role. You assign Alice the Privileged Account Request role and the SSH Device Connection endpoint privileged access role. Bob is Alice's manager, and you assign Bob the PUPM Approver role.

Alice logs in to CA Access Control Enterprise Management, and sees only the tasks that let her submit a privileged account request for accounts on UNIX endpoints. Alice submits a privileged account request for the example_ux account on a UNIX endpoint.

Bob logs in to CA Access Control Enterprise Management, and sees only the tasks that let him respond to privileged account requests. Bob approves Alice's privileged account request and specifies that the privileged account exception is valid until 6pm. Alice can now check out and check in the example_ux privileged account. At 6pm, the privileged account exception expires and Alice can no longer check out the example_ux privileged account.
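The four-step process above and the Alice/Bob example, modelled as a small authorization check. This is an added illustration written for this page, not CA Access Control code or its API: the role names are the ones the page uses, but the data model, the function names, the mapping of the SSH Device Connection role to a "UNIX" endpoint type, and the dates are assumptions made for the example. It also covers the two failure cases the page warns about: a requester who has the Privileged Account Request role but no endpoint privileged access role, and a manager who lacks the PUPM Approver role.

```python
"""Added example (not CA Access Control code): how the Privileged Account
Request, PUPM Approver and endpoint privileged access roles gate each step
of a privileged account request. Data model and names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Endpoint privileged access roles and the endpoint types they cover.
# The role-to-type mapping is an assumption for this example.
ENDPOINT_ROLE_TYPES = {
    "Windows": {"Windows"},
    "SSH Device Connection": {"UNIX"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    manager: Optional["User"] = None


@dataclass
class Request:
    requester: User
    account: str
    endpoint_type: str
    approver: Optional[User] = None
    exception_until: Optional[datetime] = None  # set when approved


def endpoint_types_for(user):
    """Endpoint types on which the user may perform privileged account tasks."""
    types = set()
    for role in user.roles:
        types |= ENDPOINT_ROLE_TYPES.get(role, set())
    return types


def can_submit_request(user, endpoint_type):
    """Step 1: the Privileged Account Request role alone is not enough; an
    endpoint privileged access role covering the endpoint type is also required."""
    return ("Privileged Account Request" in user.roles
            and endpoint_type in endpoint_types_for(user))


def route_request(req):
    """Step 2: the request goes to the requester's manager, and only if that
    manager also holds PUPM Approver. Returns the approver, or None."""
    mgr = req.requester.manager
    if mgr is None or "PUPM Approver" not in mgr.roles:
        return None
    req.approver = mgr
    return mgr


def respond(req, approver, approve, valid_until=None):
    """Step 3: only the routed approver may respond. Approval creates a
    time-bound privileged account exception; rejection leaves none."""
    if approver is None or approver is not req.approver:
        raise PermissionError(f"{getattr(approver, 'name', None)} is not the approver for this request")
    if approve:
        if valid_until is None:
            raise ValueError("an approval needs an expiry time for the exception")
        req.exception_until = valid_until
    return req.exception_until is not None


def can_check_out(req, now):
    """Step 4: check-out is allowed only while the exception has not expired."""
    return req.exception_until is not None and now < req.exception_until


def run_example():
    """The Alice/Bob scenario from the page plus the failure cases it warns about."""
    bob = User("Bob", {"PUPM Approver"})
    alice = User("Alice", {"Privileged Account Request", "SSH Device Connection"}, manager=bob)
    six_pm = datetime(2024, 1, 1, 18, 0)  # assumed date; only the time matters
    req = Request(alice, "example_ux", "UNIX")
    results = {}
    results["alice_can_request_unix"] = can_submit_request(alice, "UNIX")
    results["alice_can_request_windows"] = can_submit_request(alice, "Windows")
    results["routed_to"] = route_request(req).name
    try:  # Alice is not the approver, so she cannot approve her own request
        respond(req, alice, approve=True, valid_until=six_pm)
        results["wrong_approver_blocked"] = False
    except PermissionError:
        results["wrong_approver_blocked"] = True
    results["approved"] = respond(req, bob, approve=True, valid_until=six_pm)
    results["checkout_before_6pm"] = can_check_out(req, six_pm - timedelta(hours=1))
    results["checkout_at_6pm"] = can_check_out(req, six_pm)
    # Request role without an endpoint role: no tasks at all.
    dave = User("Dave", {"Privileged Account Request"}, manager=bob)
    results["dave_can_request_unix"] = can_submit_request(dave, "UNIX")
    # Manager without the PUPM Approver role: the request has nowhere to go.
    carol = User("Carol", set())
    erin = User("Erin", {"Privileged Account Request", "SSH Device Connection"}, manager=carol)
    results["erin_request_routed"] = route_request(Request(erin, "example_ux", "UNIX")) is not None
    return results


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is that every step is gated by a conjunction: the requester needs both the request role and an endpoint role, the approver must be both the manager and a PUPM Approver, and check-out requires both an approval and an unexpired exception. Dropping any one condition silently removes the task rather than producing an error, which matches the page's description of users seeing "only the tasks" their roles allow.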