Privilege Elevation Workflow
Privilege elevation workflow provides a way for a user to request access to commands that require elevated privileges when the user doesn't already have that access. After the user submits a request, one or more approvers can grant or deny access. If the request is granted, the user can then operate privileged commands on the specified system for the specified time frame.
Here's the overall process for using the privilege elevation workflow:
- Enabling Privilege Elevation Workflow, either for a system or for all systems (global).
- Requesting Privilege Elevation Access.
- The Access Request Process.
- If granted, the user has Privilege Elevation Permissions on the affected system.
For privilege elevation workflow activity, the events in the Activity log report that commands were run without an authentication challenge, even though the user was in fact challenged with additional authentication requests when running the command after the workflow request was approved.
For information about privilege elevation in general, such as requirements, see Working with Privilege Elevation.
Enabling Privilege Elevation Workflow
You can enable privilege elevation workflow either for a system, all systems, or both. If you enable privilege elevation workflow for a system and all systems, the service uses the approver list specified on the individual system.
To Enable Privilege Elevation Workflow on an Individual System
- Go to Resources > Systems, and then select the desired system.
- Click the Workflow tab.
- Select Yes for the Enable Privilege Elevation Request Workflow option.
- Specify who can approve the requests:
  - Click Add.
  - In the drop-down list, select one of the types of accounts:
    - Requestor's Manager: For this approver type, the user's manager will be the approver. Also specify the action to take if the user has no manager defined in the system. The options are:
      - Automatically approve: If the user requesting access doesn't have a manager, the service automatically approves all requests.
      - Automatically deny: If the user requesting access doesn't have a manager, the service automatically rejects all requests.
      - Route to user or role: If the user requesting access doesn't have a manager, you can select a specific user or role to be the approver. Click Add and search for the desired role or user. Select the desired account and click Add.
      Click Add to add the specified selection to the list of approvers.
    - Specified user or role: Here you add the specific user or role who will be the approver. Click Add and search for the desired role or user. Select the desired account and click Add.
  - If you've specified more than one approver, click and drag the approvers to reflect the order of priority. Each approver must approve the request.
- Click Save.
To Enable Global Privilege Elevation Workflow
- Go to Settings > Resources > Global Workflow > Privilege Elevation Workflow and select the Enable workflow for privilege elevation requests on all systems option.
- Specify who can approve the requests:
  - Click Add.
  - In the drop-down list, select one of the types of accounts:
    - Requestor's Manager: For this approver type, the user's manager will be the approver. Also specify the action to take if the user has no manager defined in the system. The options are:
      - Automatically approve: If the user requesting access doesn't have a manager, the service automatically approves all requests.
      - Automatically deny: If the user requesting access doesn't have a manager, the service automatically rejects all requests.
      - Route to user or role: If the user requesting access doesn't have a manager, you can select a specific user or role to be the approver. Click Add and search for the desired role or user. Select the desired account and click Add.
      Click Add to add the specified selection to the list of approvers.
    - Specified user or role: Here you add the specific user or role who will be the approver. Click Add and search for the desired role or user. Select the desired account and click Add.
  - If you've specified more than one approver, click and drag the approvers to reflect the order of priority. Each approver must approve the request.
Requesting Privilege Elevation Access
You must have at least View and Agent Auth (login) access to a system in order to request privilege elevation access.
After you request privilege elevation access, you might need to complete another MFA authentication challenge, depending on how authentication profiles are configured.
To Request Privilege Elevation Access from a Windows System
- Log in to the Windows system and try to run a privileged operation (for example, open a PowerShell window as Administrator).
  The Windows User Account Control displays with a message saying that you're not authorized to run with privilege and asks you if you want to submit a workflow request.
- Select the type of workflow request:
  - Temporary: You specify when you want your access to begin by specifying how long after the request is approved (in minutes), how long you want your access to last (in minutes), and you can also enter a relevant ticket number (if applicable).
  - Windowed: You specify a start and end date and time during which you want to have access. You can also enter a relevant ticket number (if applicable).
  - Permanent: You can also enter a relevant ticket number (if applicable).
- Click Yes to continue.
  The service forwards your request.
To Request Privilege Elevation Access From a Linux System
- Log in to the Linux system and try to run a privileged operation (for example, try to run sudo).
  The Linux system displays a message saying that you're not authorized to run with privilege and asks you if you want to submit a workflow request.
- Enter Y and press Enter to submit a workflow request.
- Enter a reason for the request and press Enter.
  You don't have to enter a reason, but it can be helpful to enter additional information (for example, a link to a ticketing system).
- If your organization requires a support ticket, enter it and press Enter.
  If not, just press Enter.
- Enter the number for the type of workflow request and then press Enter:
  - 1 - Permanent: You can also enter a relevant ticket number (if applicable).
  - 2 - Windowed: You specify a start and end date and time during which you want to have access. You can also enter a relevant ticket number (if applicable).
  - 3 - Temporary: You specify when you want your access to begin by specifying how long after the request is approved (in minutes), how long you want your access to last (in minutes), and you can also enter a relevant ticket number (if applicable).
  The service forwards your request.
To Request Privilege Elevation Access on a Windows or Linux System from the Admin Portal
- In the Systems view of the Admin Portal, right-click the desired system and select Request Privilege Elevation.
  If you're in the system details page, go to the Action menu and select Request Privilege Elevation.
  The Request Privilege Elevation Permission dialog box displays.
- Enter a reason message. The text box is pre-filled with the following prompt: "I need to run the requested commands with privilege because..."
- Select the type of workflow request:
  - Temporary: You specify when you want your access to begin by specifying how long after the request is approved (in minutes), how long you want your access to last (in minutes), and you can also enter a relevant ticket number (if applicable).
  - Windowed: You specify a start and end date and time during which you want to have access. You can also enter a relevant ticket number (if applicable).
  - Permanent: You can also enter a relevant ticket number (if applicable).
- Select the commands the request should cover:
  - To request access to all commands, select All Commands.
  - To request access to specific commands, select Specific Commands.
  - To request access to sets of commands, select Command Sets.
  If Specific Commands or Command Sets is selected, you are presented with the option to Add items to the request based on that selection. The Search Command or Application screen displays so that you can search for the specific commands or command sets.
- Click Submit to continue.
  The service forwards your request.
The Access Request Process
Here's what happens after you submit a request:
The Service Sends an Email to the First Approver
The service sends an email to the approver listed first, indicating that a privilege elevation request is pending. The email includes some of the request details, such as the requestor, the system name, the reason, and a link to the request in the Admin Portal.
The Request Appears in the Admin Portal
The approver can view the request in the Admin Portal under Access > Requests. The request includes the details pertaining to the request and the type of access requested (temporary, windowed, or permanent).
To Approve or Reject a Workflow Request
- To approve or reject a workflow request, you can either follow the link from the request email or navigate to Access > Requests.
  In order to approve a workflow request, you need at least the Privileged Access Service User administrative right.
  Here, you can do the following:
  - Approve: The approver first in the list may adjust the access request type (temporary, permanent, or windowed) and the start/end times of temporary and windowed requests.
    If the user has requested access to a command that is affected by more than one defined privilege elevation command, then the one with the highest priority is selected.
  - Reject: Specify a reason that you're denying the request.
  Note: If there is more than one approver, after the first approver has approved the request, the service sends the next approver on the list an email as described above and they can approve or reject the request. If an approver is a role, any member of the role may approve or reject the request.
- The requestor and approver can also view the request under Access > Requests.
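The following Python model is an added illustration of the approval chain described in this section and in Enabling Privilege Elevation Workflow above; it is not the service's own code. It assumes a hypothetical directory (the MANAGERS and ROLE_MEMBERS tables are constructed sample data), models the three no-manager actions, sequential approval in configured order where every approver must approve and any single rejection ends the request, role approvers that any member may act for, and the access window computed for temporary, windowed and permanent requests. One interpretation is an assumption and is marked as such in the comments: "automatically approve" is treated as satisfying that approver entry without a human reviewer rather than skipping the remaining entries.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed directory data (not from the page): manager relationships and
# role membership, used to resolve "Requestor's Manager" and role approvers.
MANAGERS = {"alice": "bob"}                  # carol has no manager on record
ROLE_MEMBERS = {"sec-ops": {"dave", "erin"}}
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Approver:
    """One entry of the configured approver list (hypothetical model)."""
    kind: str                         # "manager" or "principal"
    principal: Optional[str] = None   # user or role name when kind == "principal"
    no_manager: str = "deny"          # manager entries: "approve", "deny" or "route"
    route_to: Optional[str] = None    # user or role used when no_manager == "route"


def resolve_chain(requestor, approvers):
    """Turn the approver list into the ordered principals who must act.
    Returns (chain, "denied") when a manager-less requestor hits an automatic-deny
    entry.  Assumption: "automatically approve" satisfies that entry with no human
    reviewer but does not skip later entries."""
    chain = []
    for a in approvers:
        if a.kind == "principal":
            chain.append(a.principal)
            continue
        manager = MANAGERS.get(requestor)
        if manager:
            chain.append(manager)
        elif a.no_manager == "deny":
            return chain, "denied"
        elif a.no_manager == "route":
            chain.append(a.route_to)
        # no_manager == "approve": nothing appended, so this step goes unreviewed
    return chain, None


def may_act_as(actor, principal):
    """A user acts for themselves; any member of a role may act for the role."""
    return actor == principal or actor in ROLE_MEMBERS.get(principal, set())


def access_window(req, approved_at):
    """Start/end of the granted access; (None, None) means permanent."""
    if req.kind == "temporary":
        start = approved_at + timedelta(minutes=req.delay_min)
        return start, start + timedelta(minutes=req.duration_min)
    if req.kind == "windowed":
        return req.window
    return None, None


@dataclass
class Request:
    requestor: str
    system: str
    kind: str                          # "temporary", "windowed" or "permanent"
    delay_min: int = 0                 # temporary: minutes after approval until start
    duration_min: int = 0              # temporary: minutes of access
    window: Optional[tuple] = None     # windowed: (start, end) datetimes
    chain: list = field(default_factory=list)
    decisions: list = field(default_factory=list)   # (actor, outcome, reason)
    status: str = "pending"
    access: Optional[tuple] = None

    @property
    def current_approver(self):
        return self.chain[len(self.decisions)] if self.status == "pending" else None

    def _check_actor(self, actor):
        if self.status != "pending":
            raise ValueError(f"request already {self.status}")
        if not may_act_as(actor, self.current_approver):
            raise PermissionError(f"{actor} is not the pending approver")

    def approve(self, actor, now, adjusted_kind=None):
        """Approvals are sequential and every approver must approve.  Only the
        first approver may adjust the request type (time adjustment omitted)."""
        self._check_actor(actor)
        if adjusted_kind is not None:
            if self.decisions:
                raise PermissionError("only the first approver may adjust the request")
            self.kind = adjusted_kind
        self.decisions.append((actor, "approved", ""))
        if len(self.decisions) == len(self.chain):
            self.status, self.access = "approved", access_window(self, now)
        return self.status

    def reject(self, actor, reason):
        """Any single rejection ends the request."""
        self._check_actor(actor)
        self.decisions.append((actor, "rejected", reason))
        self.status = "rejected"
        return self.status


def new_request(requestor, system, approvers, now=EXAMPLE_NOW, **details):
    req = Request(requestor, system, **details)
    req.chain, auto = resolve_chain(requestor, approvers)
    if auto == "denied":
        req.status = "rejected"
        req.decisions.append(("service", "rejected", "requestor has no manager"))
    elif not req.chain:                # every entry auto-approved: no human review at all
        req.status, req.access = "approved", access_window(req, now)
    return req
```

The case worth noticing when reviewing a configuration is the last branch of new_request: an approver list consisting only of a Requestor's Manager entry set to Automatically approve grants access to any requestor without a manager record with no human decision at all, so that setting deserves the same scrutiny as the approver list itself.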
Approval and Rejection Email Information
The following information is included in approval and rejection emails:
Approval email: After the final approver approves a request, an email is sent to the requestor with the following:
- System name
- Ticket
- Request types:
  - For temporary and windowed assignments: the start/end time (which may have been adjusted from the original request)
  - For permanent assignments: assignment type
- List of persons who approved and rejected the request
Rejection email: When any approver rejects a request, the service sends an email to the requestor with the following information:
- System name
- Ticket
- List of persons who approved and rejected the request
- Reason for rejection
- A link to the request
Privilege Elevation Permissions
If your request is approved, the Privilege Elevation tab lists your account. If you have temporary access, the page displays the start and ending timestamps.
As with any other permission, an administrator may remove the permission assignment at any time.
Known Issues
Timestamps in the cloud client logs are based on UTC (CC-63703).