Hitachi ID Systems, Inc.

Workflow Requests and Approvals

Workforce Flexibility

In many organizations, there are many IT workers who have the right skills to manage a wide range of systems, but whose normal responsibility is narrow. These people should not and normally do not have administrative access to systems outside their scope of responsibility.

Using Hitachi ID Privileged Password Manager, this pool of talent can be leveraged when needed -- during periods of high workload or in emergencies -- without having to grant large numbers of users permanent access to systems.

  1. Privileged Password Manager ensures that every administrator account has a unique, frequently changing password:

    1. Sensitive passwords cannot be shared indefinitely, since they change frequently and any copy that leaks soon stops working.
    2. Passwords can be given out for a limited time, since administrative access naturally expires when the password is next changed.

  2. Privileged Password Manager controls password disclosure using a variety of mechanisms, including a workflow engine that supports granting temporary or exceptional access:

    1. Business logic restricts which passwords each user is allowed to request.
    2. Authorization logic routes requests to the owners of the affected application.
    3. Business users can authorize one-time password disclosure to technical users.

Examples of this flexibility in specific industries:

  1. Universities and Colleges: computer science students can be asked to help with IT tasks.
  2. IT Outsourcers: one customer's support team can be asked to help with another customer's systems.
  3. In general: developers can provide assistance with production systems.

Workflow Engine to Authorize Privileged Access

Privileged Password Manager includes the same authorization workflow engine as is used in other Hitachi ID Systems products -- Hitachi ID Identity Manager, Hitachi ID Access Certifier and Hitachi ID Group Manager. Workflow enables one user to request release of a given password. When this happens, one or more other users are invited (via e-mail) to review and approve the request. Approved requests trigger an e-mail to the password recipient, including a URL to Privileged Password Manager where he or she can re-authenticate to display the requested password or launch a login session to the device in question.

The workflow process is illustrated by the following series of steps:

  1. User UA signs in and requests that the then-current password for login account LA on system S be made available to user UB at some later time T. UA may or may not be the same person as UB.
  2. Privileged Password Manager looks up the authorizers associated with LA on S.
  3. Privileged Password Manager may run business logic to supplement this authorizer list, for example with someone in the management chain of UA or UB. The final list of authorizers is AZ. There are N authorizers, but approval by just M (M <= N) is sufficient to disclose the password to UB.
  4. Privileged Password Manager sends e-mail invitations to the authorizers AZ.
  5. Authorizers who fail to respond get automatic reminder e-mails.
  6. If authorizers continue not to respond, Privileged Password Manager runs business logic to find replacements for them, effectively escalating the request, and invites the replacement authorizers as well.
  7. Authorizers receive the invitation e-mails, click on the URL embedded in the invitation, authenticate to the Privileged Password Manager web login page, review the request and approve or reject it.
  8. If any authorizer rejects the request, e-mails are sent to all participants (UA, UB and AZ) and the request is terminated.
  9. If M authorizers approve the request, thank-you e-mails are sent to all participants. A separate e-mail is sent to the recipient UB with a URL to the password disclosure page.
  10. UB clicks on the e-mail URL and authenticates to Privileged Password Manager.
  11. UB clicks on a button to "check out privileged access."
  12. UB may then click a button to do one of the following (the options available vary with policy):
    1. Display the password.
    2. Place a copy of the password in the operating system clipboard.
    3. Launch an RDP, SSH or similar remote control session to the server in question.

    In other words, display of a sensitive password is not a mandatory part of the solution.
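The following Python model makes the workflow steps above concrete (M-of-N approval, reminders and escalation to replacement authorizers, any single rejection terminating the request, and checkout restricted to the approved recipient at or after time T), and also shows the point made in the Workforce Flexibility section that a disclosed password expires because the account is rotated afterwards. It is an added example written for this page, not Hitachi ID's code: the Vault and ApprovalRequest classes, their fields, the reminder threshold, the rule that the recipient cannot authorize their own request, and the sample authorizer data are all assumptions constructed for illustration.

```python
# Added example (not Hitachi ID code): a minimal model of the M-of-N approval
# workflow described above, with reminders, escalation, one-time checkout and
# rotation on check-in. All class, field and sample names are assumptions.
import secrets
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Constructed stand-in for the password store and its authorizer data."""
    passwords: dict                                   # (system, account) -> current password
    authorizers: dict                                 # (system, account) -> initial authorizers
    replacements: dict = field(default_factory=dict)  # authorizer -> escalation target

    def rotate(self, key):
        """Replace the stored password with a fresh random one."""
        self.passwords[key] = secrets.token_urlsafe(16)
        return self.passwords[key]


class ApprovalRequest:
    """One request by UA that account LA on system S be disclosed to UB at time T."""

    def __init__(self, vault, requester, recipient, system, account, quorum, release_at):
        self.vault, self.key = vault, (system, account)
        self.requester, self.recipient = requester, recipient
        self.quorum, self.release_at = quorum, release_at         # M and T
        self.invited = list(vault.authorizers[self.key])          # AZ; grows on escalation
        self.decisions = {}                                       # authorizer -> True/False
        self.reminders = {}                                       # authorizer -> reminders sent
        self.state = "pending"
        self.token = None                                         # stands in for the e-mailed URL

    def decide(self, authorizer, approve):
        """An invited authorizer approves or rejects; returns the new request state."""
        if self.state != "pending":
            raise RuntimeError(f"request is {self.state}")
        if authorizer not in self.invited:
            raise PermissionError(f"{authorizer} was not invited to authorize")
        if authorizer == self.recipient:   # assumption: recipient may not self-approve
            raise PermissionError("recipient cannot authorize their own access")
        self.decisions[authorizer] = approve
        if not approve:
            self.state = "rejected"        # any single rejection terminates the request
        elif sum(self.decisions.values()) >= self.quorum:
            self.state = "approved"        # M of N is sufficient
            self.token = secrets.token_urlsafe(24)
        return self.state

    def tick(self, max_reminders=2):
        """Periodic job: remind non-responders, escalate after max_reminders misses.
        Returns the replacement authorizers invited during this tick."""
        escalated = []
        for a in list(self.invited):
            if self.state != "pending" or a in self.decisions:
                continue
            self.reminders[a] = self.reminders.get(a, 0) + 1
            if self.reminders[a] > max_reminders:
                r = self.vault.replacements.get(a)
                if r and r not in self.invited:
                    self.invited.append(r)
                    escalated.append(r)
        return escalated

    def checkout(self, user, token, now):
        """UB re-authenticates with the e-mailed token and checks out access."""
        if self.state != "approved":
            raise PermissionError(f"request is {self.state}")
        if user != self.recipient or not secrets.compare_digest(token, self.token):
            raise PermissionError("only the approved recipient can check out")
        if now < self.release_at:
            raise PermissionError("access is not available before time T")
        self.state = "checked_out"
        return self.vault.passwords[self.key]

    def checkin(self):
        """Rotate on check-in so the disclosed password stops working."""
        if self.state != "checked_out":
            raise RuntimeError(f"request is {self.state}")
        self.state = "closed"
        return self.vault.rotate(self.key)


def demo():
    """Constructed walk-through: one request approved via escalation, one rejected."""
    vault = Vault(
        passwords={("S", "LA"): "old-secret"},
        authorizers={("S", "LA"): ["owner1", "owner2", "owner3"]},
        replacements={"owner3": "manager1"},
    )
    req = ApprovalRequest(vault, "UA", "UB", "S", "LA", quorum=2, release_at=100)
    req.decide("owner1", True)                      # 1 of 2 approvals so far
    req.tick()                                      # reminder to owner2 and owner3
    req.tick()                                      # second reminder
    escalated = req.tick()                          # third miss: owner3 -> manager1
    req.decide("manager1", True)                    # replacement counts toward M
    pw = req.checkout("UB", req.token, now=100)     # steps 10 and 11
    rotated = req.checkin()                         # disclosed value is now invalid
    rej = ApprovalRequest(vault, "UA", "UB", "S", "LA", quorum=2, release_at=0)
    rej.decide("owner1", True)
    rej.decide("owner2", False)                     # one rejection ends the request
    return {"escalated": escalated, "password": pw, "rotated": rotated,
            "final_state": req.state, "rejected_state": rej.state}


if __name__ == "__main__":
    print(demo())
```

The quorum is counted over the original and escalated authorizers together, so a replacement's approval is as good as the original authorizer's; rejection is checked before the quorum so that a single "no" wins even when M approvals have already arrived.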