Request and Approval Workflow Overview
While it is possible to give users access by statically assigning them to a role with specific administrative rights, a more secure method for controlling access is to establish a request and approval workflow. A request and approval workflow gives specific users or members of specific roles the ability to approve or reject access requests. A request and approval workflow improves security by controlling which users can request access, which users can grant access, and how long access is allowed if it is granted.
If you are a member of the System Administrator role or have the appropriate permissions, you can configure a request and approval workflow for different types of access requests. The procedure for configuring the workflow depends on the type of access request and the service offerings you use.
If workflow is enabled on the user's account and the user requests a password using Request Checkout, the password can be checked out only during the time period the approving administrator specifies, for example between 1pm and 2pm. The checkout duration is adjusted so that the password is checked back in by the end of that period, in this example 2pm.
We provide a number of ways of configuring workflow, depending on the kind of situation. Some require a connector to be installed on the system, some require the system to be enrolled in the service with the Cloud Client, and some require that the Server Suite Agent is installed on the system.
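The clamping behaviour described above (a checkout approved only for a time window, with the duration shortened so the password is checked in by the window's end) is modelled here as an added Python example. It is not the product's own code; the function and parameter names are assumptions, and the sample timestamps are constructed.

```python
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical model of an approved checkout window. Names are assumptions
# for illustration only, not identifiers from the Privileged Access Service.
def effective_checkout_end(
    request_time: datetime,
    window_start: datetime,
    window_end: datetime,
    requested_duration: timedelta,
) -> Optional[datetime]:
    """Return the time the password must be checked back in, or None when the
    request falls outside the approved window and must be refused.

    The approver fixes [window_start, window_end). A checkout that starts inside
    the window is allowed, but its end is clamped to window_end so the password
    is always back in the vault when the approval expires.
    """
    if window_end <= window_start:
        raise ValueError("approval window must have a positive length")
    if requested_duration <= timedelta(0):
        raise ValueError("requested duration must be positive")
    # Outside the approved window: refuse rather than silently shifting the request.
    if not (window_start <= request_time < window_end):
        return None
    requested_end = request_time + requested_duration
    # Clamp: never let a checkout outlive the approval window.
    return min(requested_end, window_end)


def remaining_checkout(
    request_time: datetime,
    window_start: datetime,
    window_end: datetime,
    requested_duration: timedelta,
) -> Optional[timedelta]:
    """Duration actually granted after clamping, or None if refused."""
    end = effective_checkout_end(request_time, window_start, window_end, requested_duration)
    return None if end is None else end - request_time


if __name__ == "__main__":
    # Constructed sample: approval window 1pm to 2pm on an arbitrary day.
    start = datetime(2024, 1, 15, 13, 0)
    end = datetime(2024, 1, 15, 14, 0)
    one_hour = timedelta(hours=1)
    # Request at 1:30pm for an hour: clamped to end at 2pm (30 minutes granted).
    print(effective_checkout_end(datetime(2024, 1, 15, 13, 30), start, end, one_hour))
    # Request at 2:05pm: outside the window, refused.
    print(effective_checkout_end(datetime(2024, 1, 15, 14, 5), start, end, one_hour))
```

The refusal path matters as much as the clamp: a request made just before the window opens is not deferred to the window start, because that would let a user queue a checkout the approver did not see.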
Workflow Type | Use Case Description | Requires a Connector? | Requires a Server Suite Agent? | Is there a global setting? | |
---|---|---|---|---|---|
Zone role workflow | A user wants permissions to do something on a Linux or Windows system | Yes | No | Yes | |
Privileged account workflow | A user wants permissions to use a vaulted account | Yes | No | No | Yes |
Application workflow | A user wants permissions to access an application | Yes | No | No | |
Client-based workflow / Agent Auth workflow | A user wants permissions to log in to a Linux or Windows system using the Cloud Client | No | Yes | No | |
Privilege elevation workflow | A user wants permissions to run privileged commands on an enrolled system | No | Yes | No | |
For details about configuring a request and approval workflow for a specific type of access request, see the following topics:
- Using Zone Role Workflow for details about allowing Active Directory users who are registered as Privileged Access Service users to request a role assignment on a computer that is joined to a Server Suite zone.
- Using Privileged Account Workflow for details about managing account password checkout access requests and login access for systems, domains, and databases if you have Server Suite deployed.
- Managing Application Access Requests for details about managing application access requests to specific applications if you have Application Services deployed.
- Using Agent Auth Workflow for details on how to enable global login workflow for privileged accounts.
- Privilege Elevation Workflow for details about how to enable and use privilege elevation workflow.
If you are managing Privileged Access Service on your internal network or in a private cloud, you can configure a request and approval workflow. However, request and approval notifications are sent by email, so you need a mail server for outgoing mail. You can configure the settings for a custom Simple Mail Transfer Protocol (SMTP) mail server in the administrative portal. For details about post-installation configuration steps when you deploy Privileged Access Service as a self-managed service, see the Installation and Configuration Guide for On-Site Deployment.