Symantec Privileged Access Management

  • 1.  Don't view password by administrator but need to login device

    Posted Jul 15, 2019 11:59 PM

    As per our security policy, no one is allowed to view passwords except the password custodian. Hence, being a global administrator, we are not allowed to view passwords. But we need to log in to end devices. At this moment, we are not able to log in to end devices as a global administrator. Only standard users can log in to end devices.

    Please provide a solution to this issue ASAP.



    ------------------------------
    Network and security Engineer technical associative
    Cas Trading House
    ------------------------------


  • 2.  RE: Don't view password by administrator but need to login device
    Best Answer

    Broadcom Employee
    Posted Jul 16, 2019 09:56 AM
    Hi Sudip, Using a password for auto-login to a device constitutes a password view in PAM. This is how it works. If you want PAM users to be able to use credentials for auto-login, you have to give them the privilege to view passwords.


  • 3.  RE: Don't view password by administrator but need to login device

    Broadcom Employee
    Posted Jul 16, 2019 10:12 AM
    If I understand you correctly, you created a new password manager ROLE in PAM that restricts your global admin users from viewing passwords, and now you need them to be able to log into devices but that restriction is preventing it from working. This is a common problem and one that there is no easy solution for... even standard PAM users need the 'view password' permissions... but policy limits which passwords they can see.

    The easiest solution, if possible, is to give your admins two accounts.  One Admin account, and one standard PAM user account.  This is useful for both testing policies, as well as a good security model to follow... in an ideal world, privileged accounts are used sparingly and only for admin tasks.

    Adding a separate account for PAM admins can be made difficult if using smartcard authentication... however I would argue that PAM is such a critical system that it may be worth giving those admins an additional card just for that purpose.

    Alternatively, post the configuration for your roles for review; perhaps there is a way to make it work, though I think I have tried and never been able to achieve what you want. Being a PAM admin comes with a certain level of trust; if they cannot be trusted they shouldn't be PAM admins (there is nothing stopping them from just changing the policy to get access to the passwords if they really want to anyway).

    Finally, regardless of your solution, you should use Splunk/syslog to record all admin activity, perhaps setting alerts as appropriate to make sure your management is informed of any PAM admin activity so that they have oversight of admin activities.
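
The last two points of the reply above (a PAM admin can always rewrite the policy to grant themselves password views, so admin activity should be forwarded to syslog/Splunk and alerted on) can be turned into a small detection. The following is an added example written for this thread; it is not code from Broadcom, from Symantec PAM or from either poster. The audit line format, the role names (`GlobalAdmin`, `PasswordManager`, `StandardUser`), the action names (`PASSWORD_VIEW`, `POLICY_MODIFY`, `ROLE_MODIFY`) and all sample lines are constructed for illustration and must be mapped onto whatever fields your appliance actually emits. It flags every successful sensitive action by an admin role and, separately, the sequence the reply warns about: a policy change followed by a password view by the same admin within a short window.

```python
"""Flag privileged PAM admin activity in syslog-style audit lines.

Added example for this thread. The key=value audit format, role names and
action names below are ASSUMED (constructed), not Symantec PAM's real
format; adapt LINE_RE and the sets below to your own forwarded logs.
"""
import re
from datetime import datetime, timedelta

# Roles treated as privileged (assumed names; map to your own PAM roles).
ADMIN_ROLES = {"GlobalAdmin", "PasswordManager"}

# Actions that warrant an alert when an admin role performs them (assumed names).
SENSITIVE_ACTIONS = {"PASSWORD_VIEW", "POLICY_MODIFY", "ROLE_MODIFY"}

# A policy change followed by a password view by the same admin inside this
# window is the "change the policy to get at the passwords" pattern.
ESCALATION_WINDOW = timedelta(minutes=30)

# Constructed sample lines in a hypothetical key=value audit format.
SAMPLE_LOGS = [
    "2019-07-16T09:50:12Z pam01 pam-audit: user=alice role=GlobalAdmin action=LOGIN target=- result=SUCCESS",
    "2019-07-16T09:52:40Z pam01 pam-audit: user=bob role=StandardUser action=PASSWORD_VIEW target=srv-db01/root result=SUCCESS",
    "2019-07-16T09:55:03Z pam01 pam-audit: user=alice role=GlobalAdmin action=POLICY_MODIFY target=policy/db-admins result=SUCCESS",
    "2019-07-16T10:01:27Z pam01 pam-audit: user=alice role=GlobalAdmin action=PASSWORD_VIEW target=srv-db01/root result=SUCCESS",
    "2019-07-16T10:03:00Z pam01 pam-audit: user=carol role=StandardUser action=PASSWORD_VIEW target=srv-web02/admin result=DENIED",
    "this line is not an audit record",
]

# <timestamp> <host> pam-audit: key=value key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+pam-audit:\s+(?P<kv>.*)$")


def parse_event(line):
    """Return a dict for one audit line, or None if it is not an audit record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"host": m.group("host"), "ts": ts}
    for pair in m.group("kv").split():
        key, sep, value = pair.partition("=")
        if sep:
            event[key] = value
    return event


def find_admin_alerts(lines):
    """Return alerts for sensitive admin actions and policy-change-then-view sequences.

    Non-admin roles are ignored entirely: the point is oversight of the admins,
    who can otherwise rewrite the policy that restricts everyone else.
    """
    alerts = []
    last_policy_change = {}  # user -> timestamp of most recent successful POLICY_MODIFY
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("role") not in ADMIN_ROLES:
            continue
        user = ev.get("user", "?")
        action = ev.get("action")
        succeeded = ev.get("result") == "SUCCESS"
        if action in SENSITIVE_ACTIONS and succeeded:
            alerts.append({"kind": "ADMIN_SENSITIVE_ACTION", "user": user,
                           "action": action, "target": ev.get("target"), "ts": ev["ts"]})
        if action == "POLICY_MODIFY" and succeeded:
            last_policy_change[user] = ev["ts"]
        elif action == "PASSWORD_VIEW" and succeeded:
            changed = last_policy_change.get(user)
            if changed is not None and ev["ts"] - changed <= ESCALATION_WINDOW:
                alerts.append({"kind": "POLICY_CHANGE_THEN_VIEW", "user": user,
                               "policy_changed_at": changed, "viewed_at": ev["ts"],
                               "target": ev.get("target")})
    return alerts


if __name__ == "__main__":
    for alert in find_admin_alerts(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, bob's and carol's standard-user views are ignored, alice's policy change and later password view each raise an `ADMIN_SENSITIVE_ACTION` alert, and because the view follows the policy change within 30 minutes a third `POLICY_CHANGE_THEN_VIEW` alert is raised. The same two rules translate directly into a scheduled Splunk search or SIEM correlation rule once the real field names are substituted.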