Using Agent Auth Workflow

Workflow for Agent Auth allows a user who has only view permission on a system to request Agent Auth access. Once the request is made, one or more approvers indicate whether the request is granted. If granted, the permissions on the system are updated to give the user access. The following sections detail how to use the global Agent Auth workflow:

  1. Enabling Agent Auth workflow.
  2. Requesting Agent Auth access.
  3. Agent Auth access request process.
  4. AgentAuth access permissions.

Enabling Agent Auth Workflow

You can enable Agent Auth workflow in one of two ways: globally for all systems or locally at the system level.

Enabling Global Agent Auth Workflow

Workflow may be enabled at a global level by navigating to Settings > Resources > Agent AuthWorkflow and checking the Enable Workflow for all Systems checkbox.

Enabling Login Workflow on an Individual System

Workflow may be enabled at a system level by navigating to Resources > Systems. Select an existing system and navigate to Workflow. Check the Enable AgentAuthWorkflow checkbox.

The approvers may be:

  • the user's manager.
  • a specific user.
  • a role.

Once enabled, anyone who has view access to a system may request Agent Auth access through workflow. More than one approver may be specified, in which case each approver, in turn, must approve the request. By default, the global workflow settings apply to all systems. An individual system, however, may specify that Delinea PAS:

  • Use the global setting - this is the default setting.
  • Override the global setting to disable workflow for this system.
  • Override the global setting to enable workflow, specifying a set of approvers that apply only to this system.

For more information on enabling global Agent Auth workflow, see Configuring global Agent Auth workflow.

Requesting Agent Auth Access

Once Agent Auth is enabled, users with View access on an enrolled system and no permanent Agent Auth access may right-click the system and select Request Agent Auth Access. The Agent Auth request screen appears, where you can make the following settings and click Submit:

  • Reason Message.
  • Assignment Type.
  • Start Time after approval.
  • Duration.
  • Ticket.

Agent Auth Access Request Process

Once the request is submitted, the following occurs:

An Email is Sent to the First Approver

An email is sent to the first approver indicating that an Agent Auth request is pending. The email includes:

  • System name.
  • Ticket.
  • Requestor.
  • Reason for the ticket.
  • Approver 1 name and email address.
  • A link to the request in the PAS Admin Portal.

The Request Appears in the Approver's PAS Instance

The request appears in the approver's Admin Portal under: Access > Requests with the following information:

  • Request post date and time.
  • Request description - includes name and folder of the system secret.
  • Requested system.
  • DNS Name.
  • Ticket.
  • Requestor.
  • Requestor reason.
  • Approver 1 email address.
  • Status.
  • Latest log entry for the workflow.

Approving or Rejecting an Agent Auth Workflow

  1. To approve or reject a workflow request, you can either follow the link from the request email or navigate to the Admin Portal > Access > Requests. Here, you can do the following:

    • Approve: The first approver may adjust the access request (temporary, permanent, or windowed) and the start/end times of temporary and windowed requests.

    • Reject: specify a reason the request is denied.

    If there is more than one approver, the next approver on the list is sent an email as described above and they can approve or reject the request. If an approver is a role, any member of the role may approve/reject.

  2. The request is copied to the requestor's and approver's Admin Portal under Access > Requests.

Approval and Rejection Email Information

The following information is included in approval and rejection emails:

Approval email: when the final approver approves a request, an email is sent to the requester with the following:

  • System name.
  • Ticket.
  • Assignment details:

    • For temporary and windowed assignments: the start/end time (which may have been adjusted from original request).
    • For permanent assignments: assignment type.
    • List of persons who approved and rejected the request.

Rejection email: When any approver rejects a request, an e-mail is sent to the requestor with the following:

  • System name.
  • Ticket.
  • List of persons who approved and rejected the request.
  • Reason for rejection.
  • A link to the request.

Agent Auth Access Permissions

If approved, you will have the following permissions with Agent Auth workflow:

  • The AgentAuth access right is added to the System / <system> / Permissions tab. The permissions list has Starts and Expires columns to indicate a windowed assignment of permission.
  • The requester is permitted to use AgentAuth to log in to the system directly using his or her account, or may choose Use My Account. As with any other permission, the administrator may remove the permission assignment at any time.
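The approval chain and windowed grant described on this page, modelled as an added Python example; it is not Delinea code and does not call the PAS API. The configuration dictionaries, the mode strings, the `role:` prefix and all user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed directory data (assumed): role membership and manager lookup.
ROLE_MEMBERS = {"role:unix-admins": {"dana", "eli"}}
MANAGER_OF = {"alice": "bob"}

def effective_approvers(global_cfg, system_cfg):
    # A system uses the global setting (default) or overrides it either way.
    mode = system_cfg.get("mode", "global")
    if mode == "disabled":
        return None
    if mode == "enabled":
        return system_cfg["approvers"]
    return global_cfg["approvers"] if global_cfg["enabled"] else None

def may_act(slot, actor, requestor):
    # An approver slot is a role (any member may act), the requestor's
    # manager, or one specific user.
    if slot.startswith("role:"):
        return actor in ROLE_MEMBERS.get(slot, set())
    return actor == (MANAGER_OF.get(requestor) if slot == "manager" else slot)

@dataclass
class Request:
    requestor: str
    approvers: list
    start: datetime
    duration: timedelta
    step: int = 0
    status: str = "pending"
    log: list = field(default_factory=list)

    def decide(self, actor, approve, reason="", start=None, duration=None):
        if self.status != "pending":
            raise ValueError("request already closed")
        if not may_act(self.approvers[self.step], actor, self.requestor):
            raise PermissionError(f"{actor} is not the current approver")
        self.log.append((actor, "approved" if approve else "rejected", reason))
        if not approve:
            self.status = "rejected"  # any rejection ends the chain
            return None
        if self.step == 0:  # only the first approver may adjust the window
            self.start, self.duration = start or self.start, duration or self.duration
        self.step += 1
        if self.step < len(self.approvers):
            return None  # the next approver in the list is notified
        self.status = "approved"
        return {"user": self.requestor, "starts": self.start, "expires": self.start + self.duration}
```

The returned dictionary corresponds to the Starts and Expires columns on the Permissions tab; `log` holds the list of who approved or rejected that the emails report.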