Symantec Privileged Access Management

  • 1.  PAM 3.3.1 scenarios of PVP

    Posted Feb 27, 2020 12:03 PM
    Hello experts


    I have the following scenarios in which I require your support

    First scenario

    The client has several servers on which he has a user in charge of administering the application and other users in charge of administering the server itself. Both application management and server administration are done with the sofiaadmin account. The client requires that application administrators have dual approval while operators should not have any restrictions.

    How can I handle this scenario?

    Second scenario

    The client requires that access to the servers via SSH or RDP be free and have no dual authorization, but that for certain users who have the option to see the password an authorization is generated. In other words, access is without dual authorization while the password display has dual authorization enabled.

    How can I work and configure these scenarios in PAM?


  • 2.  RE: PAM 3.3.1 scenarios of PVP
    Best Answer

    Broadcom Employee
    Posted Feb 27, 2020 12:52 PM
    Hello Julian, PAM doesn't support either scenario at this time. There is only one PVP per target account, and dual authorization is either on or off. For this option there is no separate setting for view vs auto-connect. Check the community ideation page to see if there are ideas open for what you are trying to achieve, and feel free to add one if not found.


  • 3.  RE: PAM 3.3.1 scenarios of PVP

    Broadcom Employee
    Posted Feb 28, 2020 12:44 AM

    Hello Julian,

    PVP is specific to the target account.

    If you require different policies for different PAM users you need to basically create a duplicate of that target account but with a different PVP.

    As this is not possible as such, you first need to create a duplicate of the underlying Target Application – but with a different name – then you can create the other Target Account with a different PVP – and finally the relevant Policy for the administrative PAM users.

    Regards,

    Andreas

  • 4.  RE: PAM 3.3.1 scenarios of PVP

    Broadcom Employee
    Posted Feb 28, 2020 09:10 AM
    Be careful with duplicate target accounts. You'd have to make sure that they stay in sync, which would exclude e.g. use of any PVP that changes the password after use. You'd have to make sure to keep the accounts in sync manually, or use API calls to update the second target account with the password of the first one whenever that is found to have changed. Not really desirable.


  • 5.  RE: PAM 3.3.1 scenarios of PVP

    Broadcom Employee
    Posted Feb 28, 2020 09:41 AM

    Good point, Ralf,

    I think one can meet this by using a Compound

    Regards,

    Andreas

  • 6.  RE: PAM 3.3.1 scenarios of PVP

    Broadcom Employee
    Posted Feb 28, 2020 09:53 AM
    Compound accounts are meant for the case where you have the same account name configured on multiple target devices, and you want the account to have the same password on all of those devices. Here we are talking about a single credential on one device. Each target account would try to update the same credential, but store it only in its own record, at which point the other target account would go out of sync.


  • 7.  RE: PAM 3.3.1 scenarios of PVP

    Posted Feb 28, 2020 09:50 AM
    Hi Ralf,

    You are right, the sync process would be very confusing and complicated, or not possible.

    I think that the PVP could have two options in the dual authorization configuration tab:

    • Enabled for view
    • Enabled for access


    These would be enabled according to need and would work very well and give a solution to these scenarios.


    I will create a new idea with this item; do I have your support for this idea?