If a user cannot check out a shared account and does not need immediate access to the account, the user can submit a shared account request. The manager can approve or reject the request. This topic explains what privileged access roles a user needs to perform shared account request tasks.
Important! A user must have an endpoint privileged access role to perform tasks on an endpoint type. Endpoint privileged access roles specify the types of endpoints on which a user can perform tasks using a privileged access account.
For example, if you assign the Windows endpoint privileged access role to a user, the user can perform endpoint tasks on Windows endpoints that use shared accounts. If you assign the Break Glass, Privileged Account Request, or SAM User role to a user, also assign the user an endpoint privileged access role, or the user will not be able to complete any tasks.
The following process describes how privileged access roles affect the shared account request tasks that a user can perform:
1. A user with the Privileged Account Request role submits a shared account request. The request is sent to the user's manager.
   Note: To receive the shared account request, a user must have the SAM Approver role and must be the requesting user's manager.
   At this point, the user with the Privileged Account Request role cannot check out the shared account.
2. The SAM Approver approves or rejects the request. No other user can approve or reject the request. The user with the Privileged Account Request role cannot check out the shared account until the SAM Approver chooses to approve the request.
3. If the SAM Approver approves the request, the user with the Privileged Account Request role is granted a shared account exception, and can check out and check in the account.
4. When the shared account exception expires, the user with the Privileged Account Request role can no longer check out the shared account.
The following diagram illustrates how privileged access roles affect the shared account request tasks that a user can perform:
Example: Make and Respond to a Shared Account Request
You have the System Manager role. You assign Alice the Shared Account Request role and the SSH Device Connection endpoint privileged access role. Bob is Alice's manager, and you assign Bob the SAM Approver role.
Alice logs in to CA ControlMinder Enterprise Management, and sees only the tasks that let her submit a shared account request for accounts on UNIX endpoints. Alice submits a shared account request for the example_ux account on a UNIX endpoint.
Bob logs in to CA ControlMinder Enterprise Management, and sees only the tasks that let him respond to shared account requests. Bob approves Alice's shared account request and specifies that the shared account exception is valid until 6pm. Alice can now check in and check out the example_ux account. At 6pm, the shared account exception expires and Alice can no longer check out the example_ux account.
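The following Python model is an added illustration of the authorization rules described above, not code from CA ControlMinder. It walks through the Alice and Bob scenario: a request can only be submitted by a user holding the Privileged Account Request role and an endpoint privileged access role for the endpoint type, only the requester's manager holding the SAM Approver role can respond, an approval grants a time-bounded shared account exception, and checkout is refused both before approval and after the exception expires. The class and function names, the representation of the SSH Device Connection role as the endpoint type "UNIX", the extra approver Carol, and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Role names as used in the page text.
PRIV_ACCOUNT_REQUEST = "Privileged Account Request"
SAM_APPROVER = "SAM Approver"


@dataclass
class User:
    name: str
    roles: Set[str]             # privileged access roles (e.g. SAM Approver)
    endpoint_roles: Set[str]    # endpoint privileged access roles, modelled as endpoint types
    manager: Optional["User"] = None


@dataclass
class SharedAccountRequest:
    requester: User
    account: str
    endpoint_type: str
    status: str = "pending"     # pending -> approved | rejected
    exception_until: Optional[datetime] = None


class SharedAccountService:
    """Hypothetical model of the request / approve / exception workflow."""

    def __init__(self) -> None:
        self.requests: List[SharedAccountRequest] = []

    def submit_request(self, user: User, account: str, endpoint_type: str) -> SharedAccountRequest:
        if PRIV_ACCOUNT_REQUEST not in user.roles:
            raise PermissionError(f"{user.name} lacks the {PRIV_ACCOUNT_REQUEST} role")
        # Without an endpoint privileged access role no endpoint task can be completed.
        if endpoint_type not in user.endpoint_roles:
            raise PermissionError(f"{user.name} has no endpoint privileged access role for {endpoint_type}")
        # The request is routed to the manager, who must hold SAM Approver to receive it.
        if user.manager is None or SAM_APPROVER not in user.manager.roles:
            raise PermissionError(f"{user.name}'s manager cannot receive shared account requests")
        req = SharedAccountRequest(user, account, endpoint_type)
        self.requests.append(req)
        return req

    def respond(self, approver: User, req: SharedAccountRequest, approve: bool,
                valid_until: Optional[datetime] = None) -> None:
        # Only the requester's own manager, holding SAM Approver, may approve or reject.
        if approver is not req.requester.manager or SAM_APPROVER not in approver.roles:
            raise PermissionError(f"{approver.name} may not respond to this request")
        if req.status != "pending":
            raise ValueError("request already decided")
        if approve:
            if valid_until is None:
                raise ValueError("an approval must set the exception expiry")
            req.status = "approved"
            req.exception_until = valid_until
        else:
            req.status = "rejected"

    def can_check_out(self, user: User, account: str, endpoint_type: str, now: datetime) -> bool:
        # The endpoint privileged access role is required even when an exception exists.
        if endpoint_type not in user.endpoint_roles:
            return False
        return any(
            r.requester is user and r.account == account and r.endpoint_type == endpoint_type
            and r.status == "approved" and r.exception_until is not None and now < r.exception_until
            for r in self.requests
        )


def run_example() -> dict:
    """Replays the Alice/Bob scenario and returns the checkout decision at each stage."""
    bob = User("Bob", {SAM_APPROVER}, set())
    alice = User("Alice", {PRIV_ACCOUNT_REQUEST}, {"UNIX"}, manager=bob)
    carol = User("Carol", {SAM_APPROVER}, set())   # constructed: an approver who is not Alice's manager
    svc = SharedAccountService()
    noon = datetime(2013, 6, 1, 12, 0)             # constructed timestamps
    six_pm = noon.replace(hour=18)
    results = {}
    results["before_request"] = svc.can_check_out(alice, "example_ux", "UNIX", noon)
    req = svc.submit_request(alice, "example_ux", "UNIX")
    results["pending"] = svc.can_check_out(alice, "example_ux", "UNIX", noon)
    try:
        svc.respond(carol, req, approve=True, valid_until=six_pm)
        results["other_approver_blocked"] = False
    except PermissionError:
        results["other_approver_blocked"] = True
    svc.respond(bob, req, approve=True, valid_until=six_pm)
    results["after_approval"] = svc.can_check_out(alice, "example_ux", "UNIX", noon + timedelta(hours=1))
    results["wrong_endpoint_type"] = svc.can_check_out(alice, "example_ux", "Windows", noon + timedelta(hours=1))
    results["after_expiry"] = svc.can_check_out(alice, "example_ux", "UNIX", six_pm)
    return results


if __name__ == "__main__":
    print(run_example())
```

The checks are deliberately layered: the endpoint privileged access role gates every endpoint task, the manager relationship and SAM Approver role gate the decision, and the exception expiry is compared on every checkout rather than once at approval time, so access lapses at 6pm without any further action.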
Copyright © 2013 CA Technologies.
All rights reserved.