Using Privileged Account Workflow
As a member of the System Administrator role or a role with the Role Management administrative right, you can enable workflow for all other users. Initially, only the members of the System Administrator role have the ability to enable a request and approval workflow. This also includes specifying the users or roles with authority to approve access requests. The workflow and approval authority can be configured to apply globally for all accounts or apply only for selected account and system combinations, or apply globally except where there are account-specific restrictions.
After you enable workflow for privileged account access requests, users can request access to the privileged local, domain, database, or service accounts that you specify. If the request is approved, the user can then check out the account password or use the account to log on to a system, domain, or database remotely.
Users requesting access must still be assigned to a role with Privileged Access Service Administrator or Privileged Access Service Power User administrative rights and have View permission to see the systems and accounts that are available in the Privileged Access Service. If a user is a member of a role with one of these rights, however, they can search or browse for systems and accounts, then submit a request to a designated approver for login access or for password checkout. The approver might be a specific user or any member of a specific role. If you configure a role as the approver, the first member to respond to the request is given the authority to approve or reject the request.
The steps involved in configuring a workflow include:
-
Create one or more roles that can enable a request and approval workflow.
Members of the System Administrator role can enable workflow globally for all accounts. Users with the Privileged Access Service Administrator or Privileged Access Service Power User administrative right can enable workflow and select an approver for specific accounts where they have the Grant and Edit permissions.
-
Create one or more roles that can approve access requests for accounts.
-
Create one or more roles that can request access to privileged accounts.
Any member of a role with the Privileged Access Service Administrator or Privileged Access Service Power User right can request access to any account where workflow is enabled. The appropriate permissions are granted if the request is approved.
-
Determine whether to enable the workflow globally for all accounts, individually for specific accounts, or a combination of both.
-
Enable the workflow option where appropriate and select the user or role with authority to approve requests.
The following topics describe how to configure request and approval workflow for account access requests, how to use a workflow to request account access, how to approve or reject a request, and how to view and manage requests that are being processed:
- Enabling Workflow For Privileged Accounts
- Configuring Workflow Globally For All Accounts
- Requesting Password Checkout Access
- Requesting Login Access
- Responding to Access Requests
- Viewing Request Details
- Deleting Requests
- Customizing Account Workflow Notification Email
Enabling Workflow For Privileged Accounts
The first few steps in configuring the request and approval workflow are optional and involve creating one or more roles for users who are allowed to define the request and approval workflow and the roles that can approve access requests. These steps are optional because you can choose to only allow members of the System Administrator role to be the users permitted to configure a workflow and members of the System Administrator role can assign approval authority to individual users without creating any approval roles. In most cases, however, creating roles for different sets of users provides greater flexibility and helps to reduce the number of requests left pending an approval.
If you don’t create any intermediary roles with the appropriate administrative rights to enable a workflow, only members of the System Administrator role will be able to configure any request and approval workflow you might want to implement.
If you are configuring a request and approval workflow for privileged accounts, you must create at least one role for users who are allowed to view systems and accounts. Only the members of a role with access to the Privileged Access Service and View permission can request login and password checkout access. Only members of the System Administrator role or a role with the Privileged Access Service Administrator or Privileged Access Service Power User administrative right can enable a request and approval workflow for stored accounts where they have the Grant and Edit permissions.
To configure roles that can enable a workflow:
-
Click Access > Roles.
-
Click Add Role or select an existing role to display the role details.
-
If you are creating a new role, you must provide at least a unique name for the role.
-
Click Members, then click Add.
-
Type a search string to search for and select users and groups for this role.
-
Click Administrative Rights, then click Add.
-
Select the appropriate rights, then click Add.
-
Click Save to save the role.
For example, if you are creating a role with permission to enable a workflow for access to systems and accounts, select Privilege Service Administrator or Privilege Service Power User. You can select any additional rights you want included in this role, but you must select at least one of the required administrative rights.
Only members of the System Administrator role can enable workflow globally for all accounts. Members of a role with the Privileged Access Service Administrator or Privileged Access Service Power User right can enable workflow for accounts where they have the Grant and Edit permissions.
Creating Roles For Approvers
You can assign approval authority to individual users. However, in most cases, creating “approver” roles for different sets of users provides greater flexibility and helps to reduce the number of requests left pending an approval. If you don’t create any intermediary roles with the appropriate administrative rights to approve access requests, only members of the System Administrator role will be able to approve access requests. You can follow the same steps described in Enabling Workflow For Privileged Accounts to create roles for approvers.
Keep in mind that if you are creating a role with permission to approve access requests to stored accounts with managed or unmanaged passwords, you must include an appropriate administrative right with access to the Privileged Access Service in the role. You can select any additional rights you want included in this role, but you must select at least one of the required administrative rights.
Creating a Role with Access To Stored Accounts
In addition to the role that allows selected users to configure a workflow, you might want to create one or more roles for the users who will be requesting login and password checkout access to the systems and accounts stored in the Privileged Access Service. For those users to be able to search for or browse accounts and systems, they must be assigned to a role that includes the Privilege Service Administrator or Privileged Access Service Power User administrative right. You can follow the same steps described in Enabling Workflow For Privileged Accounts to create the role. In most cases, you would add users who might need temporary administrative access as members of this role and give the role the Privileged Access Service Power User administrative right.
Configuring Workflow For Stored Accounts
As a member of the System Administrator role, you can configure a request and approval workflow globally for all accounts, for specific accounts, or using a combination of global and account and system-specific settings. As a member of a role with the Privileged Access Service Administrator or Privileged Access Service Power User administrative right, you can configure a request and approval workflow for specific accounts where you have Grant and Edit permissions.
For more information, see the following topics:
Configuring Workflow Globally For All Accounts
To simplify the process of configuring a request and approval workflow for privileged accounts, you can enable workflow as a feature that applies to all accounts stored in the Privileged Access Service. You can then select a single user or role to approve all login and password checkout requests. You can also use this global setting in conjunction with account-specific settings to selectively restrict access requests for some accounts or modify the user or role with approval authority. In other words, you can configure the approval workflow globally so that it applies for all resources and accounts, or on a per-resource and account basis, or using a combination of the two. If you use a combination of global-and account-specific approval settings, the account-specific approval settings take precedence over the global approval settings. For example, you might give members of the IT Outsource role global authority to approve login and password checkout requests for all resources and accounts, then identify specific system and account combinations where only members of the IT Supervisors role can approve access requests.
To configure workflow for all accounts:
- Click Settings > Resources > Global Account Workflow.
- Select Enable Workflow for all accounts.
- Click Select and type a search string to search for and select a user or role with authority to approve login and password checkout requests, then click Add.
- Click Save.
After you have configured the workflow for all accounts, users with Privileged Access Service Administrator or Privileged Access Service Power User rights can request login and password checkout access for the accounts stored in the Privileged Access Service.
Configuring Workflow For Specific Accounts
If you are a member of the System Administrator role or a member of a role with Privileged Access Service Administrator or Privileged Access Service Power User rights and have the Grant and Edit permissions, you can configure a request and approval workflow for specific accounts or use account-specific settings to override global workflow settings. If you enable or disable workflow for individual account and system combinations, the account-specific settings take precedence over the global settings. For example, you can use account-specific settings to prevent access requests for some accounts or to modify the user or role with approval authority.
To configure workflow for specific accounts:
-
Click Resources > Accounts, then select an account to display the account details.
-
Click Workflow.
-
Set the Enable Account Workflow to Yes if you want to select a user or role with authority to approve access requests.
If you enabled workflow for all accounts, selecting Yes allows you to select a different user or role with approval authority. If you are not enabling workflow for all accounts, selecting Yes makes this specific account available for users requesting login or password checkout access.
If you disabled workflow for all accounts, selecting No prevents users from requesting login or password checkout access.
-
Click Save.
After you have configured the workflow for an account, users can request login or checkout access to the account through the Privilege Manager portal.
Working with Privileged Account Workflow
Users who are assigned to a role with the appropriate administrative rights can see the systems, domains, databases, and accounts where they have View permission in the Privileged Access Service. What you can do depends on the additional permissions you have been granted. For example, if you don’t have the Checkout permission, you cannot check out the password for a stored account. However, if one or more accounts are configured to use a request and approval workflow, you might be able to request access to the account password from a designated user or member of a designated role. It is at the approver’s discretion to approve or reject your request, and if approved, to grant you permanent or temporary Checkout permission. For more information on available account permissions, see Additional account permissions.
If an account is configured to require the approval of a designated user or role, you might see the Request Login or Request Checkout actions in the Accounts > Actions menu. Selecting Request Login or Request Checkout sends an email request to the designated user or to the members of a designated role for approval. If your request is approved, you have limited period of time to take the action you requested.
In addition to requesting an account login or requesting to checkout a password, this section also includes information for the following:
- Responding to Access Requests
- Viewing Request Details
- Deleting Requests
- Customizing Account Workflow Notification Email
Requesting Password Checkout Access
If you are granted permission to checkout the password for a target system, you can access the system for the period specified. You can continue to use the session on the target system after the approved period of time expires as long as you don't exit the session. If you exit the session, however, and attempt to check out the password to start a new session after the temporarily approved period expires, you must submit a new Checkout access request.
Although you can check out local system account passwords on registered mobile devices, you cannot check out the password if the account has workflow enabled. If the password checkout for a local system account requires an approver, the Checkout feature on the mobile device is not supported.
To request a password checkout:
-
In the Admin Portal, click Resources, then click Systems, Domains, Databases, or Accounts to locate the account for which you want to check out a password.
For example:
- Click Systems if you want to check out the password for an account with access to a specific system name or system type.
- Click Domains if you want to check out the password for an account with access to a specific domain.
- Click Databases if you want to check out the password for an account with access to a specific database.
- Click Accounts if you want to search or filter the accounts listed by account name or check the account health before requesting access to the password.
-
Select the account and open the Actions menu, then click Request Checkout.
If Workflow is enabled on the account, the password can only be checked out during the time period specified by the admin. For example between 1pm - 2pm. This adjusts the checkout duration to ensure the password is checked back in by the end of the time period. For example 2pm.
-
Type the business reason for requesting permission to check out the password.
-
Select whether you are requesting permanent access or access during a specific window of time.
If you select Windowed access, specify the start date and time and the end data and time. For example:
-
Click Submit.
An email notification of your request is sent directly to the designated approver and your request will be displayed on the Requests tab in the Admin Portal.
-
Click the Requests tab to see the status of your request.
You will also receive an email notification when you request is approved or denied. If your request is approved and you have been granted temporary access, you will have a limited time to select the Checkout action. If the temporary approval period expires before you check out the password, you can submit a new request. Keep in mind that the request approval period is separate from the maximum password checkout time, which is controlled by a global- or object-specific policy.
Requesting Login Access
Users who are assigned to a role with the appropriate administrative rights can see the systems, domains, databases, and accounts where they have View permission in the Privileged Access Service.
What you can do when you select a system, domain, database, or account will depend on the additional permissions you have been granted. For example, if you don’t have the Login permission granted, you cannot log on to target systems using stored account information. However, if one or more accounts are configured to use a “request and approval” workflow, you might be able to request access to a target system. Your request is sent to a designated user or member of a designated role for approval. It is at the approver’s discretion to approve or reject your request, and if approved, to grant you permanent or temporary Login permission.
If your request is approved and you are only temporarily granted the Login permission, you will have a limited period of time in which to log on to the selected system using the selected account. If you are granted temporary Login permission, you can continue to use the session on the target system after the approved period of time expires. If you exit the session, however, and attempt to log on after the temporarily approved period expires, you must submit a new access request.
To request login access:
-
In the Admin Portal, click Resources, then click Systems, Domains, or Accounts to locate the account combination to which you want to request access.
For example:
- Click Systems if you want to search or filter the systems listed based on the system name or system type.
- Click Domains if you want to search or filter the domains to which you want access.
- Click Accounts if you want to search or filter the accounts listed by account name or check the account health before requesting access.
-
Select the account you want to use to log on to the target system or domain.
Depending on how you navigate to the Actions menu, you can request access to an account in one of two ways:
- If you open the Actions menu for a system, you can click Select/Request Account to search for and select the account you want to use.
- If you open the Actions menu for a specific account, you can click Request Login to request access to that account.
-
Type the business reason for requesting permission to log on to the selected system using the stored account information.
-
Select whether you are requesting permanent access or access during a specific window of time.
If you select Windowed access, specify the start date and time and the end data and time.
-
Click Submit.
An email notification of your request is sent directly to the designated approver and your request will be displayed on the Requests tab in the Admin Portal.
-
Click the Requests tab to see the status of your request.
You will also receive an email notification when you request is approved or denied. If your request is approved and you have been granted temporary access, you will have a limited time to select the system and account combination and the Login action. If you have been granted temporary access and the approval period expires before you log on, you can submit a new request.
Maintaining an Active Session After Approval
If your request is approved and you log on successfully before a temporary approval period expires, there’s no time limit on your active session. However, an administrator with the appropriate permission can terminate the session.
In addition, you can log on multiple times during the approval period, if needed. For example, if you must restart a computer multiple times for maintenance—such as the installation or removal of software—you can do so until the request temporary approval period expires.
If you expect maintenance to require you to log on multiple times, you might want to request access for a specific window of time such as over a weekend or during a period when you know there will be little network activity.
Responding to Access Requests
There are no special privileges required to respond to requests. Anyone with access to the Privileged Access Service can be designated as an approver.
If you have been designated as an approver for login and password checkout requests, you will receive email notification when others request access. You can click the View Request link in the email to view the request details. If you are authorized to approve the request and the request is still pending a response, the Request Details displays the options to Approve or Reject the request.
- Click Approve to approve the request by granting permanent or temporary permission and specify a grant duration time in minutes, hours, or days. If you click Submit to continue with the approval, the request details are updated with the date and time the request was resolved and the approved status.
- Click Reject to reject the request and type the reason you are rejecting the request. If you click Submit to continue with the rejection, the request details are updated with the reason the request was rejected, the date and time the request was resolved, and the rejected status.
After you respond to the request, the Requests tab is also updated with the latest activity and email is sent to the requester as notification of your response to the request.
Viewing Request Details
If you have made or responded to a request, you can click the Requests tab to view the status of access requests and the history of request activity. You can click the Requests tab from the Admin Portal to see the status of your own pending requests, the requests awaiting your approval, or the results of request activity. You can then select any request displayed on the Request tab to see request details.
If you are an approver, you can also go directly to Request Details by clicking the link in the email notifying you of the request.
If you have the authority to approve requests and the request is still pending a response, you can click Approve or Reject from the Request details. For more information about approving or rejecting a request, see Responding to Access Requests.
The request information table displays details appropriate for the current state of the request. For example, you might see the following information:
-
Posted displays the date and time of the most recent activity for each request.
-
Description provides a brief summary of the request indicating the type of access or application requested.
-
Requestor displays the user who submitted the request.
-
Requestor’s Reason displays the business reason provided by the user who submitted the request.
-
Approver displays the user or role designated for approving access requests if the approval is pending or the specific user who approved or rejected the request if the request has been resolved.
-
Status displays the current status of the request as Pending, Approved, Rejected, or Failed.
Depending on the status of the request, you might see the reason the request was rejected or the reason why the request failed.
Deleting Requests
If you have the Delete permission, you can remove requests from the Requests list if the request history is no longer needed.
To remove a request:
- Click Access > Requests.
- Select a request from the list to display its details.
- Click the Actions menu, then click Delete.
- Click Yes to confirm that you want to proceed with deleting the request.
Customizing Account Workflow Notification Email
Templates are provided for email notification that is sent when account access is requested, approved, rejected, or cannot be processed. You can use the email templates as-is, or you can customize them.
To customize account workflow notification email:
-
Open the Admin Portal, click Setting, then General, then click Account Customization.
-
Scroll to locate the Message Customization section.
-
Select any of the following message templates to customize the content for access requests:
-
For more information about customizing message templates, see How to customize email message contents.