How Privileged Access Roles Affect Shared Account Request Tasks

Enterprise Administration Guide › Planning Your SAM Implementation › Privileged Access Roles and Privileged Accounts › How Privileged Access Roles Affect Shared Account Request Tasks

How Privileged Access Roles Affect Shared Account Request Tasks

If a user cannot check out a shared account and does not need immediate access to the account, the user can submit a shared account request. The manager can approve or reject the request. This topic explains what privileged access roles a user needs to perform shared account request tasks.

Important! A user must have an endpoint privileged access role to perform tasks on an endpoint type. Endpoint privileged access roles specify the types of endpoints on which a user can perform tasks using a privileged access account.

For example, if you assign the Windows endpoint privileged access role to a user, the user can perform endpoint tasks on Windows endpoints that use shared accounts. If you assign the Break Glass, Privileged Account Request, or SAM User role to a user,also assign the user an endpoint privileged access role, or the user will not be able to complete any tasks.

The following process describes how privileged access roles affect the shared account request tasks that a user can perform:

A user with the Privileged Account Request role requests access to a shared account.
CA ControlMinder sends the shared account request to the user's manager, who also has the SAM Approver role.
Note: A user must have the SAM Approver role and must be the user's manager to receive the shared account request.
The user with the SAM Approver role responds to the request, and does one of the following:
- Rejects the shared account request.
  The user with the Privileged Account Request role cannot check out the shared account.
- Reserves the privileged shared request.
  No other user can approve or reject the request. The user with the Privileged Account Request role cannot check out the shared account until the SAM Approver chooses to approve the request.
- Approves the shared account request.
  The user with the Privileged Account Request role is granted a shared account exception, and can check out and check in the account.
The shared account exception expires, for one of the following reasons:
- The expiration time specified in the shared account exception is reached.
- A user with the SAM Target System Manager role deletes the shared account exception.
The user with the Privileged Account Request role can no longer check out the shared account.

The following diagram illustrates how privileged access roles affect the shared account request tasks that a user can perform:

The flowchart shows the privileged access role that performs each step of the process that is initiated by a privileged account request.

Example: Make and Respond to a Shared Account Request

You have the System Manager role. You assign Alice the Shared Account Request role and the SSH Device Connection endpoint privileged access role. Bob is Alice's manager, and you assign Bob the SAM Approver role.

Alice logs in to CA ControlMinder Enterprise Management, and sees only the tasks that let her submit a shared account request for accounts on UNIX endpoints. Alice submits a shared account request for the example_ux account on a UNIX endpoint.

Bob logs in to CA ControlMinder Enterprise Management, and sees only the tasks that let him respond to shared account requests. Bob approves Alice's shared access request and specifies that the shared account exception is valid until 6pm. Alice can now check in and check out the example_ux account. At 6pm, the shared account exception expires and Alice can no longer check out the example_ux account.