Layer 7 Privileged Access Management

Expand all | Collapse all

Dual authorization without setting a password

Jump to Best Answer
  • 1.  Dual authorization without setting a password

    Posted 09-09-2019 02:08 AM
    Edited by Fumiko Nishimura 09-11-2019 09:42 AM
    Hi All,

    Please let me know if I can provide a solution.

    My customer want to do below.
     - definately use "dual Authorization" when using AD account.
     - the password of AD account is changed by user (Not PAM).
       *PAM can hold the password, but there will be mismatch someday.

    The user know the password , so it is OK to enter a password when connecting.
     *I understand it is abnormal (Normally, the user does not know the password).

    Do you have a good ideas for solving my customer wish?

    Thank you in advance.

    Fumiko Nishimura​

    ------------------------------------------------
    Sep 11, 2019

    Is there anyone who knows about that?
    Could you please tell me what I should do ?


  • 2.  RE: Dual authorization without setting a password

    Posted 09-11-2019 10:30 AM
    Hi Fumiko, Can you explain the use case behind this question? Given that the user knows the credentials w/o using PAM, dual authorization for use of the target account doesn't seem to make sense. Is it that the customer wants to require approval for access to devices that can only be accessed through PAM? We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts. Maybe that is what you want. The users would then be able to edit their target accounts and update the password so it matches again the password in AD. You could have a PVP in place that requires dual authorization for password view.


  • 3.  RE: Dual authorization without setting a password

    Posted 09-12-2019 08:18 AM
    ​Hi Ralf,

    Thank you for your helpful response.

    Your guess is toataly correct.

    >Is it that the customer wants to require approval for access to devices that can only be accessed through PAM?

    Yes.

    >We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts.
    Maybe that is what you want.

    Yes,I think so.

    Please let me know how I should configure Credential Manager roles.
    I will try to check the operetion on my machine before providing a solution to my customer.

    Thank you in advance.

    Fumiko


  • 4.  RE: Dual authorization without setting a password
    Best Answer

    Posted 09-12-2019 12:32 PM
    Hi Fumiko, Credential Manager roles, target groups and user groups are discussed in detail in our online documentation. Here is a brief summary to allow users access to a configured set of accounts:

    - Create a CM role (Credentials > Manage Credential Groups > Credential Roles) that allows listing and updates of target accounts. An example for a set of privileges in a role that lets you view, verify and update target accounts would be "getMostRecentPasswordHistory,getPasswordHistory,getPasswordViewPolicy,getTargetAccount,listTargetAccounts,searchTargetAccount,searchTargetApplication,searchTargetServer,updatePasswordHistory,updateTargetAccount,updateTargetAccountPassword,verifyAccountPassword,viewAccountPassword". Depending on your use cases, you may want to use a different set of privileges.
    - Create a target group (Credentials > Manage Targets > Target Groups) and configure it to include all accounts that you want a specific user or user group to be able to manage. When you create a new target group, you will see what possibilities you have, I won't go into detail here.
    - Create a CM group (Credentials > Manage Credential Groups > Credential Groups) and assign it the new role and target group.
    - Edit the user(s) of interest, add the Password Manager role under Roles, and specify the new CM group under "Credential Manager Groups". Now log in as that user and verify that you can manage the target accounts included in the new target group, and only those. These accounts will also be available to the user for device access.


  • 5.  RE: Dual authorization without setting a password

    Posted 09-18-2019 03:07 AM
    Hello Ralf,

    I am sorry for my late response.

    I could mostly do what I want thanks to your advice.Thank you so much.
    But...I am afraid that I would like your help a little more.

    I set a Credential Manager Roles below.
    Credential Manager Role

    Question #1:
    I can not see the history on Target Account lists when I select a [eyes icon]. Is it correct?

    Question #2:
    I do not want to appear the first row (a [Select icon]) on Access list.  Would it be possible to disappear it?
     * 192.168.32.80 is an AD domain controller and 192.168.32.82 is a member server.

    i do not configure a device (192.168.32.80) on policies.
    Thank you in advice.

    Best Regards,

    Fumiko



  • 6.  RE: Dual authorization without setting a password

    Posted 09-19-2019 12:34 AM
    Hi Fumiko,
    1. Yes, this is correct. The eye icon shows the current password. There is a separate icon to view password history when you edit an account.
    2. This is caused by dynamic addition of devices and target accounts for users with specific Credential Management roles, see https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-2-4/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-access-policies/set-up-a-policy/Dynamic-Addition-of-Devices-to-the-Access-Page-Based-on-Credential-Manager-Target-Group-Membership.html. You get the target accounts that you can manage on the access page. Since you want the user to see and update passwords for these accounts, it shouldn't be a problem that it can be accessed from the access page, not only from the target accounts page.

    Regards,
    Ralf