

Break Glass Approval Workflow

Symptom:

I want to configure a single-step break glass workflow so that the system administrator of the SAM endpoint that the request applies to is notified, and not the user's manager.

Solution:

You can configure a single-step break glass workflow to specify that break glass requests are approved by the system administrator and not by the default approver.

Follow these steps:

  1. In CA ControlMinder Enterprise Management, select Users and Group, Tasks, Modify Admin Tasks.

    The modify admin task: select task search window opens.

  2. Select Category from the pull-down menu and enter *home* in the text box area. Click Search.

    CA ControlMinder Enterprise Management displays the tasks that correspond with the search criteria.

  3. Select the Break Glass WF task, then click Select.

    The Break Glass WF properties window opens.

  4. Navigate to the Events tab and click the right-pointing arrow.

    The workflow mapping window opens.

  5. Select SingleStepApproval from the Workflow Process pull-down menu.
  6. Do the following in the Primary Approver section:
    1. Select Approve Break Glass Privileged Account from the Approval Task pull-down menu.
    2. Select Custom: PrivilegedAccountOwnerResolver from the Participant Resolver pull-down menu.

      A message appears, informing you that participant resolver configuration parameters are not set.

    3. Specify SourceObject in the New Parameter Name text box.
    4. Specify TaskAdmin in the Value text box.
    5. Click Add Parameter.

      CA ControlMinder Enterprise Management adds the approver task.

    6. Repeat substeps 3 through 5, using the following parameter names and values:
      • SourceObjectAttribute—tblUser.manager
      • TargetType—USER
  7. Click OK.

    You have configured a single-step break glass workflow and defined the system administrator as an approver.