Symantec Privileged Access Management

Expand all | Collapse all

Is it possible to enable dual authorization only for password display?

Jump to Best Answer
  • 1.  Is it possible to enable dual authorization only for password display?

    Posted 12-12-2019 04:26 PM
    Hello community


    I am implementing a new PAM project and again the client requests that the flow be enabled/implemented only for the events in which the user needs to see the password but not for the EndPoint connection events.

    I understand that PAM does not allow this, my question is why is this functionality not enabled?

    Is there a procedure or configuration that allows me to generate an approval event when a user wants to see the password of the account associated with an EndPoint?

    Any idea how to handle these types of events?

    ------------------------------
    Julian Riaño
    MSL
    ------------------------------


  • 2.  RE: Is it possible to enable dual authorization only for password display?
    Best Answer

    Posted 12-12-2019 07:16 PM
    Hi Julian, You answered the question in the subject yourself already, it's not possible. I can't comment on the "why". Whether there's a way to handle it depends on the exact use case and what the main reason is for having a policy to view a password, but only after authorization. E.g. the PVP has an option to change the password on view, not on autoconnect. So if it's viewed, it gets changed after a while, preventing future use of the password. You can also require a reason for view, but not for autoconnect. If none of that works, you'll have to remove password view access for the users, and have them raise a request outside of PAM to have a PAM admin provide the password, or grant temporary access to the password.


  • 3.  RE: Is it possible to enable dual authorization only for password display?

    Posted 12-13-2019 11:17 AM
    If I had to guess, the reason why you cannot require approval for view but not access is because the approval requirement is attached to the target account, not the password view policy or access policy.  I'd encourage you to submit an Ideation (https://community.broadcom.com/ideation/allideas) for this if one does not already exist.  I have often run into scenarios where having the approval requirement tied to a PVP or a access policy would make more sense.

    That said, what I commonly do is add additional accounts to the endpoints for password checkout only.  Because these accounts are only used for password checkout, they can be subject to approval.  A great way to encourage users to use PAM access methods when the server is online and accessable, while still providing the ability to get into a server with a crash cart.