Layer7 Privileged Access Management


can two accounts have transparent login for same role and server?

  • 1.  can two accounts have transparent login for same role and server?

    Posted 02-16-2018 08:05 AM

    I have a use case that requires one role to access two credentials via su transparent login on the same target server. When creating the access policy for the role and server, you cannot enter more than one credential in the transparent login area. Is this a bug or by design? How would we implement something like this?



  • 2.  Re: can two accounts have transparent login for same role and server?

    Posted 02-22-2018 11:11 AM

    Is this related to CA Directory product? If yes, please provide version and service pack of product in use along with what application CA Directory is being used with. This will help us to understand the request better.



  • 3.  Re: can two accounts have transparent login for same role and server?

    Posted 02-23-2018 07:04 AM

    This is related to CA PAM 2.8.3, not CA Directory.

     

    Daniel Yodice

     

    InfoSec Analyst

    201-828-7061 Atlas 283-7061

     



  • 4.  Re: can two accounts have transparent login for same role and server?

     
    Posted 02-26-2018 09:43 AM

    Not sure if this is by design or not, but I believe you should be able to create multiple RDP applications for each set of credentials.

     

    - Mike Pass



  • 5.  Re: can two accounts have transparent login for same role and server?
    Best Answer

    Posted 02-26-2018 09:58 AM

    This is a limitation of PAM and is working as designed. Even if you did manage to get this 'configured' by using multiple stacked policies, there is currently no way to select which TL account you would be using, so PAM would always pick one for you (I believe it is the first one it sees from DB).

     

    One way you could work around this is by creating 2 separate 'devices', one pointing to the IP and the other to hostname/FQDN. Then users would need to select the correct one when they first start the session to get the proper TL account.

     

    If you would like to see the ability to use multiple accounts I would suggest creating an Idea (enhancement request) in the CA PAM Communities page.

     

    Regards,

    Christian Lutz

    Support Engineer

    CA Technologies - North America



  • 6.  Re: can two accounts have transparent login for same role and server?

    Posted 02-26-2018 10:07 AM


  • 7.  Re: can two accounts have transparent login for same role and server?

    Posted 02-26-2018 10:33 AM

    That is my idea.

     

    Daniel Yodice

     

    InfoSec Analyst

    201-828-7061 Atlas 283-7061

     



  • 8.  Re: can two accounts have transparent login for same role and server?

    Posted 02-26-2018 10:32 AM

    Thank you Christian

     

    Daniel Yodice

     

    InfoSec Analyst

    201-828-7061 Atlas 283-7061