How Privileged Access Roles Affect Check Out and Check In Tasks

Enterprise Administration Guide › Planning Your SAM Implementation › Privileged Access Roles and Privileged Accounts › How Privileged Access Roles Affect Check Out and Check In Tasks

How Privileged Access Roles Affect Check Out and Check In Tasks

You check out shared accounts to perform administrative tasks on endpoints, and check in the accounts when you have finished working on the endpoint.

Important! A user must have an endpoint privileged access role to perform tasks on an endpoint type. Endpoint privileged access roles specify the types of endpoints on which a user can perform tasks using a privileged access account.

For example, if you assign the Windows endpoint privileged access role to a user, the user can perform endpoint tasks on Windows endpoints that use shared accounts. If you assign the Break Glass, Privileged Account Request, or SAM User role to a user, assign the user an endpoint privileged access role, or the user is not able to complete any tasks.

The following process describes how privileged access roles affect the check-out and check-in tasks that users perform:

A user checks out a shared account, using one of the following methods:
- A user with the SAM User role checks out an account.
- A user with the Break Glass role performs a break glass checkout.
- An application, for example a CLI password consumer, on a CA ControlMinder endpoint checks out an account.
The shared account is checked out.

Note: If a user performs a break glass checkout, CA ControlMinder notifies the role owner. The role owner can choose to add information to this message for auditing purposes.
A user checks in a shared account, using one of the following methods:
- The user with the SAM User role checks in the account.
- The user with the Break Glass role checks in the account.
- The application on the CA ControlMinder endpoint checks in the account.
- A user with the SAM Target System Manager role forces the check-in of the account.
The shared account is checked in.

The following diagram illustrates how privileged access roles affect the check in and check out tasks that users perform: The flowchart shows the privileged access role that performs each step of the process to check out and check in a privileged account.

Example: Check Out a Shared Account

You have the System Manager role. You assign Joe the SAM User role and the Windows Agentless Connection endpoint privileged access role. Joe logs in to CA ControlMinder Enterprise Management, and sees only the tasks that let him check out and check in shared accounts on Windows endpoints.

Example: Break Glass for a Shared Account

You have the System Manager role. You assign Fiona the Break Glass role and the Oracle Server Connection endpoint privileged access role. Fiona needs immediate access to an Oracle endpoint. She logs in to CA ControlMinder Enterprise Management and sees only the tasks that let her perform a break glass check out for accounts on Oracle endpoints. Fiona performs a break glass check out for an Oracle privileged account, and CA ControlMinder sends a notification message to the Break Glass role owner.

Note: By default, the Break Glass role owner is the System Manager admin role.