Symantec Privileged Access Management


Is there a way to configure the dual authorization workflow to approve requests to specific servers instead of a target account?

  • 1.  Is there a way to configure the dual authorization workflow to approve requests to specific servers instead of a target account?

    Posted Jul 24, 2017 01:13 PM

    Assuming a Windows domain service environment with domain accounts, the main interface (Access tab) of PAM seems to mislead the user that the dual authorization approval workflow is required for each server on the list, since the user needs to click on RDP for a specific server.

    However, when having the request approved for one specific server, if the account grants access to other servers, the user won't need to go through the dual authorization workflow anymore.

    Is there any configuration of policies, target accounts, devices and device groups that can accomplish this?

    Sample:

    Windows domain account: XAccount has access to 2 servers: ServerA and ServerB.

    When I click on RDP for ServerA, after the approval is done, I also have access to ServerB. I would like to have separate approval workflows without needing two separate accounts: XAccountA and XAccountB.



  • 2.  Re: Is there a way to configure the dual authorization workflow to approve requests to specific servers instead of a target account?
    Best Answer

    Broadcom Employee
    Posted Jul 24, 2017 02:50 PM

    Hello Lucas, this is how the current workflow works. You are granted access to a target account password, not to a specific device. There is an open idea already to make approvals more granular, see https://communities.ca.com/ideas/235734985-password-view-policy-on-device-group-more-granular-control . Please go to the idea, vote it up and optionally add a comment.



  • 3.  Re: Is there a way to configure the dual authorization workflow to approve requests to specific servers instead of a target account?

    Posted Jul 28, 2017 09:49 AM

    As Ralf said, this is how PAM is designed. It requires approval for each user that requests a password. This reduces the likelihood that someone will gain access to a password in error.