Symantec Privileged Access Management

Hi All,

Please let me know if I can provide a solution.

My customer want to do below.
 - definately use "dual Authorization" when using AD account.
 - the password of AD account is changed by user (Not PAM).
   *PAM can hold the password, but there will be mismatch someday.

The user know the password , so it is OK to enter a password when connecting.
 *I understand it is abnormal (Normally, the user does not know the password).

Do you have a good ideas for solving my customer wish?

Thank you in advance.

Fumiko Nishimura​

------------------------------------------------
Sep 11, 2019

Is there anyone who knows about that?
Could you please tell me what I should do ?

Hi Fumiko, Can you explain the use case behind this question? Given that the user knows the credentials w/o using PAM, dual authorization for use of the target account doesn't seem to make sense. Is it that the customer wants to require approval for access to devices that can only be accessed through PAM? We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts. Maybe that is what you want. The users would then be able to edit their target accounts and update the password so it matches again the password in AD. You could have a PVP in place that requires dual authorization for password view.
Original Message:
Sent: 09-09-2019 02:08 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

Hi All,

Please let me know if I can provide a solution.

My customer want to do below.
 - definately use "dual Authorization" when using AD account.
 - the password of AD account is changed by user (Not PAM).
   *PAM can hold the password, but there will be mismatch someday.

The user know the password , so it is OK to enter a password when connecting.
 *I understand it is abnormal (Normally, the user does not know the password).

Do you have a good ideas for solving my customer wish?

Thank you in advance.

Fumiko Nishimura​

------------------------------------------------
Sep 11, 2019

Is there anyone who knows about that?
Could you please tell me what I should do ?

​Hi Ralf,

Thank you for your helpful response.

Your guess is toataly correct.

>Is it that the customer wants to require approval for access to devices that can only be accessed through PAM?

Yes.

>We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts.
Maybe that is what you want.

Yes,I think so.

Please let me know how I should configure Credential Manager roles.
I will try to check the operetion on my machine before providing a solution to my customer.

Thank you in advance.

Fumiko
Original Message:
Sent: 09-11-2019 10:29 AM
From: Ralf Prigl
Subject: Dual authorization without setting a password

Hi Fumiko, Can you explain the use case behind this question? Given that the user knows the credentials w/o using PAM, dual authorization for use of the target account doesn't seem to make sense. Is it that the customer wants to require approval for access to devices that can only be accessed through PAM? We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts. Maybe that is what you want. The users would then be able to edit their target accounts and update the password so it matches again the password in AD. You could have a PVP in place that requires dual authorization for password view.
Original Message:
Sent: 09-09-2019 02:08 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

Hi All,

Please let me know if I can provide a solution.

My customer want to do below.
 - definately use "dual Authorization" when using AD account.
 - the password of AD account is changed by user (Not PAM).
   *PAM can hold the password, but there will be mismatch someday.

The user know the password , so it is OK to enter a password when connecting.
 *I understand it is abnormal (Normally, the user does not know the password).

Do you have a good ideas for solving my customer wish?

Thank you in advance.

Fumiko Nishimura​

------------------------------------------------
Sep 11, 2019

Is there anyone who knows about that?
Could you please tell me what I should do ?

Hi Fumiko, Credential Manager roles, target groups and user groups are discussed in detail in our online documentation. Here is a brief summary to allow users access to a configured set of accounts:

- Create a CM role (Credentials > Manage Credential Groups > Credential Roles) that allows listing and updates of target accounts. An example for a set of privileges in a role that lets you view, verify and update target accounts would be "getMostRecentPasswordHistory,getPasswordHistory,getPasswordViewPolicy,getTargetAccount,listTargetAccounts,searchTargetAccount,searchTargetApplication,searchTargetServer,updatePasswordHistory,updateTargetAccount,updateTargetAccountPassword,verifyAccountPassword,viewAccountPassword". Depending on your use cases, you may want to use a different set of privileges.
- Create a target group (Credentials > Manage Targets > Target Groups) and configure it to include all accounts that you want a specific user or user group to be able to manage. When you create a new target group, you will see what possibilities you have, I won't go into detail here.
- Create a CM group (Credentials > Manage Credential Groups > Credential Groups) and assign it the new role and target group.
- Edit the user(s) of interest, add the Password Manager role under Roles, and specify the new CM group under "Credential Manager Groups". Now log in as that user and verify that you can manage the target accounts included in the new target group, and only those. These accounts will also be available to the user for device access.
Original Message:
Sent: 09-12-2019 08:18 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

​Hi Ralf,

Thank you for your helpful response.

Your guess is toataly correct.

>Is it that the customer wants to require approval for access to devices that can only be accessed through PAM?

Yes.

>We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts.
Maybe that is what you want.

Yes,I think so.

Please let me know how I should configure Credential Manager roles.
I will try to check the operetion on my machine before providing a solution to my customer.

Thank you in advance.

Fumiko
Original Message:
Sent: 09-11-2019 10:29 AM
From: Ralf Prigl
Subject: Dual authorization without setting a password

Hi Fumiko, Can you explain the use case behind this question? Given that the user knows the credentials w/o using PAM, dual authorization for use of the target account doesn't seem to make sense. Is it that the customer wants to require approval for access to devices that can only be accessed through PAM? We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts. Maybe that is what you want. The users would then be able to edit their target accounts and update the password so it matches again the password in AD. You could have a PVP in place that requires dual authorization for password view.
Original Message:
Sent: 09-09-2019 02:08 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

Hi All,

Please let me know if I can provide a solution.

My customer want to do below.
 - definately use "dual Authorization" when using AD account.
 - the password of AD account is changed by user (Not PAM).
   *PAM can hold the password, but there will be mismatch someday.

The user know the password , so it is OK to enter a password when connecting.
 *I understand it is abnormal (Normally, the user does not know the password).

Do you have a good ideas for solving my customer wish?

Thank you in advance.

Fumiko Nishimura​

------------------------------------------------
Sep 11, 2019

Is there anyone who knows about that?
Could you please tell me what I should do ?

Hello Ralf,

I am sorry for my late response.

I could mostly do what I want thanks to your advice.Thank you so much.
But...I am afraid that I would like your help a little more.

I set a Credential Manager Roles below.

Question #1:
I can not see the history on Target Account lists when I select a [eyes icon]. Is it correct?

Question #2:
I do not want to appear the first row (a [Select icon]) on Access list.  Would it be possible to disappear it?
 * 192.168.32.80 is an AD domain controller and 192.168.32.82 is a member server.

Original Message:
Sent: 09-12-2019 12:32 PM
From: Ralf Prigl
Subject: Dual authorization without setting a password

Hi Fumiko, Credential Manager roles, target groups and user groups are discussed in detail in our online documentation. Here is a brief summary to allow users access to a configured set of accounts:

- Create a CM role (Credentials > Manage Credential Groups > Credential Roles) that allows listing and updates of target accounts. An example for a set of privileges in a role that lets you view, verify and update target accounts would be "getMostRecentPasswordHistory,getPasswordHistory,getPasswordViewPolicy,getTargetAccount,listTargetAccounts,searchTargetAccount,searchTargetApplication,searchTargetServer,updatePasswordHistory,updateTargetAccount,updateTargetAccountPassword,verifyAccountPassword,viewAccountPassword". Depending on your use cases, you may want to use a different set of privileges.
- Create a target group (Credentials > Manage Targets > Target Groups) and configure it to include all accounts that you want a specific user or user group to be able to manage. When you create a new target group, you will see what possibilities you have, I won't go into detail here.
- Create a CM group (Credentials > Manage Credential Groups > Credential Groups) and assign it the new role and target group.
- Edit the user(s) of interest, add the Password Manager role under Roles, and specify the new CM group under "Credential Manager Groups". Now log in as that user and verify that you can manage the target accounts included in the new target group, and only those. These accounts will also be available to the user for device access.
Original Message:
Sent: 09-12-2019 08:18 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

​Hi Ralf,

Thank you for your helpful response.

Your guess is toataly correct.

>Is it that the customer wants to require approval for access to devices that can only be accessed through PAM?

Yes.

>We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts.
Maybe that is what you want.

Yes,I think so.

Please let me know how I should configure Credential Manager roles.
I will try to check the operetion on my machine before providing a solution to my customer.

Thank you in advance.

Fumiko
Original Message:
Sent: 09-11-2019 10:29 AM
From: Ralf Prigl
Subject: Dual authorization without setting a password

Hi Fumiko, Can you explain the use case behind this question? Given that the user knows the credentials w/o using PAM, dual authorization for use of the target account doesn't seem to make sense. Is it that the customer wants to require approval for access to devices that can only be accessed through PAM? We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts. Maybe that is what you want. The users would then be able to edit their target accounts and update the password so it matches again the password in AD. You could have a PVP in place that requires dual authorization for password view.
Original Message:
Sent: 09-09-2019 02:08 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

Hi All,

Please let me know if I can provide a solution.

My customer want to do below.
 - definately use "dual Authorization" when using AD account.
 - the password of AD account is changed by user (Not PAM).
   *PAM can hold the password, but there will be mismatch someday.

The user know the password , so it is OK to enter a password when connecting.
 *I understand it is abnormal (Normally, the user does not know the password).

Do you have a good ideas for solving my customer wish?

Thank you in advance.

Fumiko Nishimura​

------------------------------------------------
Sep 11, 2019

Is there anyone who knows about that?
Could you please tell me what I should do ?

Hi Fumiko,
1. Yes, this is correct. The eye icon shows the current password. There is a separate icon to view password history when you edit an account.
2. This is caused by dynamic addition of devices and target accounts for users with specific Credential Management roles, see https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-2-4/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-access-policies/set-up-a-policy/Dynamic-Addition-of-Devices-to-the-Access-Page-Based-on-Credential-Manager-Target-Group-Membership.html. You get the target accounts that you can manage on the access page. Since you want the user to see and update passwords for these accounts, it shouldn't be a problem that it can be accessed from the access page, not only from the target accounts page.

Regards,
Ralf
Original Message:
Sent: 09-18-2019 03:07 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

Hello Ralf,

I am sorry for my late response.

I could mostly do what I want thanks to your advice.Thank you so much.
But...I am afraid that I would like your help a little more.

I set a Credential Manager Roles below.

Question #1:
I can not see the history on Target Account lists when I select a [eyes icon]. Is it correct?

Question #2:
I do not want to appear the first row (a [Select icon]) on Access list.  Would it be possible to disappear it?
 * 192.168.32.80 is an AD domain controller and 192.168.32.82 is a member server.

Thank you in advice.

Best Regards,

Fumiko

Original Message:
Sent: 09-12-2019 12:32 PM
From: Ralf Prigl
Subject: Dual authorization without setting a password

Hi Fumiko, Credential Manager roles, target groups and user groups are discussed in detail in our online documentation. Here is a brief summary to allow users access to a configured set of accounts:

- Create a CM role (Credentials > Manage Credential Groups > Credential Roles) that allows listing and updates of target accounts. An example for a set of privileges in a role that lets you view, verify and update target accounts would be "getMostRecentPasswordHistory,getPasswordHistory,getPasswordViewPolicy,getTargetAccount,listTargetAccounts,searchTargetAccount,searchTargetApplication,searchTargetServer,updatePasswordHistory,updateTargetAccount,updateTargetAccountPassword,verifyAccountPassword,viewAccountPassword". Depending on your use cases, you may want to use a different set of privileges.
- Create a target group (Credentials > Manage Targets > Target Groups) and configure it to include all accounts that you want a specific user or user group to be able to manage. When you create a new target group, you will see what possibilities you have, I won't go into detail here.
- Create a CM group (Credentials > Manage Credential Groups > Credential Groups) and assign it the new role and target group.
- Edit the user(s) of interest, add the Password Manager role under Roles, and specify the new CM group under "Credential Manager Groups". Now log in as that user and verify that you can manage the target accounts included in the new target group, and only those. These accounts will also be available to the user for device access.
Original Message:
Sent: 09-12-2019 08:18 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

​Hi Ralf,

Thank you for your helpful response.

Your guess is toataly correct.

>Is it that the customer wants to require approval for access to devices that can only be accessed through PAM?

Yes.

>We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts.
Maybe that is what you want.

Yes,I think so.

Please let me know how I should configure Credential Manager roles.
I will try to check the operetion on my machine before providing a solution to my customer.

Thank you in advance.

Fumiko
Original Message:
Sent: 09-11-2019 10:29 AM
From: Ralf Prigl
Subject: Dual authorization without setting a password

Hi Fumiko, Can you explain the use case behind this question? Given that the user knows the credentials w/o using PAM, dual authorization for use of the target account doesn't seem to make sense. Is it that the customer wants to require approval for access to devices that can only be accessed through PAM? We have customers who configure Credential Management roles and groups so that users can use and also manage selected target accounts. Maybe that is what you want. The users would then be able to edit their target accounts and update the password so it matches again the password in AD. You could have a PVP in place that requires dual authorization for password view.
Original Message:
Sent: 09-09-2019 02:08 AM
From: Fumiko Nishimura
Subject: Dual authorization without setting a password

Hi All,

Please let me know if I can provide a solution.

My customer want to do below.
 - definately use "dual Authorization" when using AD account.
 - the password of AD account is changed by user (Not PAM).
   *PAM can hold the password, but there will be mismatch someday.

The user know the password , so it is OK to enter a password when connecting.
 *I understand it is abnormal (Normally, the user does not know the password).

Do you have a good ideas for solving my customer wish?

Thank you in advance.

Fumiko Nishimura​

------------------------------------------------
Sep 11, 2019

Is there anyone who knows about that?
Could you please tell me what I should do ?