Symantec Privileged Access Management

  • 1.  Role for Password View Approver

    Posted Nov 01, 2019 04:43 AM
    CA PAM v3.2.6

    So I have a requirement for users who want to access a device: they need approval from another user. For that I need the approver to be assigned as a Password Manager, but with privileges limited to only and only approval. The existing Credential Roles don't provide what I need, so I have to create a custom Credential Role with privileges that only and only allow the approval function. What privileges do I need to accomplish this? Thank you.

    ------------------------------
    Regards,
    Jorghy M.
    ------------------------------


  • 2.  RE: Role for Password View Approver

    Broadcom Employee
    Posted Nov 05, 2019 12:12 AM
    If you want quick steps to assign a user as a password view approver with pre-defined roles, you can do the following.

    I have the following user accounts.

    1. super (Global Administrator)
    2. funnyuser (AD User, for password view approver)
    3. OU1Group1User1 (target account which has dual approval)
    4. pam-ad-svc (AD User, target account, Enterprise Admin)

    funnyuser is configured with following role.

    "Password Manager" Role

    "System Admin Group"

    Now this funnyuser will appear in the "Available Approvers" list in the PVP under the Dual Authorization tab.

    The OU1Group1User1 Target Account has a PVP requiring Password Approval.

    The password update is performed using pam-ad-svc (AD Account, Enterprise Admin).

    A PAM user logs on and tries to access the target device using the OU1Group1User1 account, which requires approval.

    The user is asked to provide how long the password access is required.

    The user needs to wait for the approver to approve this access.

    Log on as funnyuser and check the "My Password View Approvals" list.
    The OU1Group1User1 password request is in "Pending" status.

    Approve the password access.


    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------



  • 3.  RE: Role for Password View Approver

    Posted Nov 05, 2019 01:33 AM
    You misunderstood; I didn't mean how to create an account that can approve password view requests. I want the approver to be able to approve password view requests only, which means it cannot add/modify/delete/view anything else under the "Credentials" tab, especially Target Applications and Target Accounts.


  • 4.  RE: Role for Password View Approver

    Broadcom Employee
    Posted Nov 05, 2019 01:40 AM
    Let's see if other people might have tried to test what the very minimum privilege is that can be assigned to an approver.
    From my point of view, each role has a certain required inheritance of privileges.
    You may create a custom role to give the least possible privileges, but you will still find that it has other access/privileges.

    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------



  • 5.  RE: Role for Password View Approver

    Posted Nov 05, 2019 01:58 AM
    I've tried using FirecallApprover, but it is still able to see the passwords of Target Accounts. The only way is to use a custom credential role, but which privileges should be attached to it?


  • 6.  RE: Role for Password View Approver

    Broadcom Employee
    Posted Nov 06, 2019 10:20 AM
    Hello Jorghy, Privileges are discussed on documentation page https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/implementing/protect-privileged-account-credentials/delegate-password-management-tasks-to-groups/add-or-modify-credential-manager-roles.html
    One way to go about custom roles is to copy the privileges from an existing role that is close to what you need to a new custom role, and then add/subtract privileges as needed for your specific use case. E.g. if you don't want your approvers to be able to view passwords, you remove the "View Account Password" (== viewAccountPassword) privilege from the role.


  • 7.  RE: Role for Password View Approver
    Best Answer

    Posted Nov 06, 2019 11:08 PM
    One way I do it is to use all privileges that have "Password View" in them, which I think is overkill. I guess the only way to get the least privileges is to test each privilege.
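The "test each privilege" approach from the last reply can be made systematic: start from a role that is known to work (as the earlier reply suggests, a copy of an existing role) and drop privileges one at a time, keeping each drop only if the approver can still approve. The script below is an added example, not CA PAM code or its API; apart from viewAccountPassword, which the thread names, the privilege identifiers, the dependency between them and the oracle are constructed stand-ins for a manual "log on as funnyuser and approve" check against a real instance.

```python
"""Greedy least-privilege minimisation for a custom Credential Manager role.

Added example. The privilege names (other than viewAccountPassword) and the
oracle below are assumptions: in practice the oracle is a manual or scripted
login as the approver that verifies the pending request can be approved.
"""
from typing import Callable, FrozenSet, Iterable, List, Optional, Set

# Assumed privilege set of the base role being copied (not CA PAM's real list).
BASE_ROLE: FrozenSet[str] = frozenset({
    "viewAccountPassword",          # named in the thread; must not survive
    "viewPasswordViewRequests",     # hypothetical
    "approvePasswordViewRequest",   # hypothetical
    "viewTargetApplication",        # hypothetical
    "modifyTargetAccount",          # hypothetical
    "deleteTargetAccount",          # hypothetical
})

# Hypothetical dependency: approving needs the request list to be visible.
# This models the "required inheritance of privileges" mentioned above.
REQUIRED_FOR_APPROVAL: FrozenSet[str] = frozenset({
    "viewPasswordViewRequests",
    "approvePasswordViewRequest",
})

# Privileges an approver-only role must never carry (the ask in the thread).
FORBIDDEN: FrozenSet[str] = frozenset({
    "viewAccountPassword",
    "modifyTargetAccount",
    "deleteTargetAccount",
})


def approval_works(privileges: Iterable[str]) -> bool:
    """Constructed oracle: True if a role with these privileges can approve."""
    return REQUIRED_FOR_APPROVAL <= set(privileges)


def minimise_role(base: Iterable[str],
                  oracle: Callable[[Set[str]], bool],
                  order: Optional[List[str]] = None) -> Set[str]:
    """Remove privileges one at a time; keep a removal only if the oracle
    still passes. Returns a 1-minimal privilege set for the given order."""
    current = set(base)
    if not oracle(current):
        raise ValueError("base role cannot perform the function; nothing to minimise")
    for priv in (order if order is not None else sorted(current)):
        trial = current - {priv}
        if oracle(trial):          # still able to approve without it: drop it
            current = trial
    return current


def is_minimal(role: Set[str], oracle: Callable[[Set[str]], bool]) -> bool:
    """Check that no single remaining privilege can be removed."""
    return all(not oracle(role - {p}) for p in role)


def audit(role: Iterable[str], forbidden: FrozenSet[str] = FORBIDDEN) -> List[str]:
    """Return forbidden privileges still present, sorted; empty means clean."""
    return sorted(set(role) & forbidden)


if __name__ == "__main__":
    approver = minimise_role(BASE_ROLE, approval_works)
    print("approver-only role:", sorted(approver))
    print("minimal:", is_minimal(approver, approval_works))
    print("forbidden privileges left:", audit(approver))
```

Greedy removal finds a set from which nothing more can be dropped, but the result can depend on the order in which privileges are tried when two of them can substitute for each other; if the real role editor shows such overlap, run the minimisation with a couple of different orders and keep the smallest result that passes the audit.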