Cloud Client Features

This section gives an overview of the main capabilities that Delinea PAS and Cloud Clients provide.

About Directory Sources and Identity Brokering

You can connect user and group identities from multiple directory sources, such as the following types of directories:

  • Active Directory
  • Delinea Directory (users defined in Delinea PAS)
  • LDAP
  • Google

You can also federate with other directories by way of SAML, such as Azure AD, Okta, and so forth. For details, see How to Set Up Business Partner Federation.

For directory sources other than Delinea Directory, you install Delinea PAS software on a system located where the directory source is, and then you can ensure that those users and groups have access to the resources defined in Delinea PAS. In this way, Delinea PAS acts as an identity broker for multiple directory sources.

For example, by installing Delinea PAS software in AWS, Azure, Google Cloud or a DMZ, you can provide secure access to those systems for your users and groups across various directory sources without having to extend your network. This approach provides decreased exposure, better security, and more flexibility.

For details, see Directory Service Users and Roles.

About MFA Options for Use with PAS and Server Suite

Delinea PAS and Server Suite support identity assurance by way of multi-factor authentication using the following mechanisms:

Each mechanism is listed with its NIST 800-53 assurance level, whether the Portal and the Client support it, notes, and the help topic to consult.

  • FIDO2 Authenticator
    NIST 800-53 assurance: High. Portal: Supported. Client: Partially Supported.
    Notes: Provides support for YubiKey, Windows Hello, and other password-less mechanisms.
    Help: How to enable FIDO2 authentication

  • 3rd Party RADIUS Authentication
    NIST 800-53 assurance: High. Portal: Supported. Client: Supported.
    Notes: Provides MFA brokering for legacy or RADIUS-enabled mechanisms such as SecurID, Symantec VIP, Okta RADIUS, Microsoft MFA RADIUS, and so forth.
    Help: For use with the Connector: How to configure Privileged Access Service for RADIUS

  • Delinea Mobile Authenticator
    NIST 800-53 assurance: High. Portal: Supported. Client: Supported.
    Notes: Provides support for the Delinea Mobile Authenticator, which includes Push MFA and Conditional Access.
    Help: Using Mobile Authenticator

  • OATH OTP Client
    NIST 800-53 assurance: Medium. Portal: Supported. Client: Supported.
    Notes: Provides support for any OATH-compatible authenticator such as Google Authenticator, Red Hat Authenticator, Yubico Authenticator, and so forth.
    Help: How to configure OATH OTP

  • Text message (SMS) confirmation code
    NIST 800-53 assurance: Medium. Portal: Supported. Client: Supported.
    Notes: Provides SMS-OTP or SMS-Push (if allowed by the carrier) for users that have a mobile number in their profile.
    Help: Authentication mechanisms

  • Security Question
    NIST 800-53 assurance: Low. Portal: Supported. Client: Supported.
    Notes: Provides support for additional secrets in the form of Security Questions.
    Help: Authentication mechanisms

  • Password
    NIST 800-53 assurance: Low. Portal: Supported. Client: Supported.
    Notes: Provides support for a "what you know" secret password. The password policy (such as length, complexity and expiration) is enforced in the source directory.
    Help: Authentication mechanisms

You can use a combination of authentication mechanisms by creating different authentication profiles. Within each authentication profile, you define which mechanisms to use and which users they're for.

You can stack authentication mechanisms within these authentication profiles, and you can apply different authentication profiles to different user populations by way of policies (for example, employees use a password + mobile authenticator, while contractors use a password + OATH OTP).

You can also configure an authentication profile with a grace period: under certain conditions, a user who needs to re-authenticate within the specified time frame does not have to supply credentials again. The MFA grace period applies only to Active Directory users logging in to a Windows system that is joined to Active Directory. For details about how to set up an authentication profile with an MFA grace period, see To create an authentication profile.
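The following added example (not Delinea's code) models the profile stacking and grace-period rule described above: two constructed profiles are assigned by population, and the grace period is honoured only for Active Directory users logging in to an AD-joined Windows system. Profile names, mechanism strings and the two-hour window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthProfile:
    name: str
    mechanisms: tuple                        # stacked factors, supplied in this order
    grace_period: timedelta = timedelta(0)   # zero means "always re-authenticate"


# Policy assignment by user population (constructed values, not product defaults):
# employees stack password + mobile authenticator, contractors password + OATH OTP.
PROFILES = {
    "employees":   AuthProfile("emp-mfa", ("Password", "Delinea Mobile Authenticator"),
                               grace_period=timedelta(hours=2)),
    "contractors": AuthProfile("ctr-mfa", ("Password", "OATH OTP Client")),
}


def grace_applies(profile, user_directory, target_os, target_ad_joined, last_auth, now):
    """The MFA grace period only covers Active Directory users logging in to a
    Windows system that is itself joined to Active Directory. Delinea Directory,
    LDAP or federated users, and any Linux target, always re-authenticate."""
    if profile.grace_period == timedelta(0) or last_auth is None:
        return False
    if user_directory != "Active Directory" or target_os != "Windows" or not target_ad_joined:
        return False
    elapsed = now - last_auth
    return timedelta(0) <= elapsed <= profile.grace_period


def factors_required(population, user_directory, target_os, target_ad_joined,
                     last_auth_iso, now_iso):
    """Return the mechanisms the user must pass for this login attempt.
    Timestamps are ISO 8601 strings so callers need no datetime objects."""
    profile = PROFILES[population]
    last_auth = datetime.fromisoformat(last_auth_iso) if last_auth_iso else None
    now = datetime.fromisoformat(now_iso)
    if grace_applies(profile, user_directory, target_os, target_ad_joined, last_auth, now):
        return ()           # still inside the grace window: nothing to supply again
    return profile.mechanisms
```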

For details about the following topics, see the links below:

About Access Control Using Roles and Conditions

After you've installed the Cloud Client on a system, you can use both roles and conditional access rules to control access to that system.

By default, users are not authorized to access a system where the client is installed. You explicitly grant the right to log in to a system by granting the AgentAuth permission to a user or role. You can set up roles that leverage the groups you have already defined in your directory sources. You use the system's Permissions tab to create, modify, and review the permissions for a specific system, and the built-in reports can show you who has access to which systems.

You can also define conditional access rules to grant access based on a variety of factors, such as day of the week, time of day, and so forth.

By using role-based access control and conditional access rules, you can set up a robust set of rules for access control.
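The added example below (constructed sample data, not Delinea's code or a real tenant) puts the model from this section into working code: access is denied by default, granted only where AgentAuth is held directly or through a role built from directory groups, and then filtered by a per-system day-of-week and time-of-day rule. The user, group, role and system names are assumptions.

```python
from datetime import datetime, time

# Constructed sample data standing in for directory sync, PAS roles and a
# system's Permissions tab; none of these names come from a real tenant.
DIRECTORY_GROUPS = {                      # user -> groups from the directory source
    "alice@corp.example": {"linux-admins"},
    "bob@corp.example":   {"helpdesk"},
}
ROLES = {                                 # PAS role -> directory groups / direct members
    "pas-linuxadmin": {"groups": {"linux-admins"}, "users": set()},
    "pas-helpdesk":   {"groups": {"helpdesk"},     "users": {"carol@corp.example"}},
}
AGENT_AUTH = {                            # system -> who holds the AgentAuth permission
    "web01": {"roles": {"pas-linuxadmin"}, "users": set()},
    "db01":  {"roles": {"pas-helpdesk"},   "users": {"alice@corp.example"}},
}
CONDITIONS = {                            # system -> conditional access rule (weekday 0=Mon)
    "db01": {"days": {0, 1, 2, 3, 4}, "start": time(8, 0), "end": time(18, 0)},
}


def roles_of(user):
    """Roles the user holds, directly or through a mapped directory group."""
    groups = DIRECTORY_GROUPS.get(user, set())
    return {r for r, m in ROLES.items() if user in m["users"] or groups & m["groups"]}


def has_agent_auth(user, system):
    """Default deny: access exists only if AgentAuth was granted to the user or a role."""
    grant = AGENT_AUTH.get(system)
    if grant is None:
        return False
    return user in grant["users"] or bool(roles_of(user) & grant["roles"])


def conditions_met(system, when_iso):
    """Apply the system's day-of-week / time-of-day rule, if one is defined."""
    rule = CONDITIONS.get(system)
    if rule is None:
        return True
    when = datetime.fromisoformat(when_iso)
    return when.weekday() in rule["days"] and rule["start"] <= when.time() <= rule["end"]


def may_log_in(user, system, when_iso):
    return has_agent_auth(user, system) and conditions_met(system, when_iso)


def who_has_access(system):
    """The 'who can reach this system' view that the built-in reports provide."""
    users = set(DIRECTORY_GROUPS) | {u for m in ROLES.values() for u in m["users"]}
    return sorted(u for u in users if has_agent_auth(u, system))
```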

For details about the following topics, see the links below:

About Policy Enforcement

Cloud Clients can enforce a variety of policies, such as required multi-factor authentication mechanisms for users to log in. In addition to MFA, clients can enforce conditional access policies and system policy rules. For example, clients can initiate password reconciliation operations on behalf of the shared account password management capability in Delinea PAS.

For details, see Creating Policy Sets and Policy Assignments.

About Privilege Elevation

Privilege elevation provides a way for users to log in as themselves with limited privilege and then request to elevate their access in order to perform privileged operations. Users can then provide additional MFA credentials to continue and run the privileged commands or applications.

By using privilege elevation, you grant access based on Zero Trust principles and then grant privileged access only when needed for a specific operation.

You can grant privileged access to specific commands or all commands. For more information, see Working with Privilege Elevation and Specifying Privilege Elevation Commands and Applications.

About Linux Group Mapping

With the Cloud Client for Linux, you can map roles to local Linux groups. You can map a role to either an existing local group or a new local group. If the local group does not already exist on the systems, the members of the role show up as members of the group with the details you specify on the role's Unix Profile page.

When you're either creating a new role or editing an existing role, you specify the Linux local group details on the Role > Unix Profile page.

  • New local Linux groups: Enter the Unix name (required) and the GID (optional).

  • Existing local Linux groups: Enter the existing Unix name of the local group and the correct GID for the local group.

In the Unix profile you can specify which set(s) of systems to have your role map to.

A previous version of this feature involved setting roles so that they're visible as groups on Linux systems. For details, see Setting Group Visibility for Clients.

About Windows Local Group Mapping

With the Cloud Client for Windows, you can map local groups in Windows to roles in Delinea PAS.

For example, say you have two security groups:

  • groupA@corp.acme.com
  • groupB@widgets.com

You can configure those security groups to be members of a role in Delinea PAS, let's call it pas-winadmin.

groupA & groupB (groups) = pas-winadmin (role)

You can then map the Delinea PAS role to a local Windows administrator group to grant Windows administrator privileges.

The benefits of mapping Windows groups to Delinea PAS roles are:

  • On-demand group membership provisioning

    Your Windows credential provider automatically takes care of the group membership.

  • Ease of integration

    Use Delinea PAS as the central, corporate tool and workflow utility to manage group memberships, such as adds, moves, and other changes.

Also, if you have mapped any Delinea Directory accounts or federated accounts to the local "Administrators" group, your users can use those accounts to elevate privileges in a User Account Control credential prompt.

For details, see Mapping Local Groups.

About Shared Account Password Management Utilities

Delinea PAS provides shared account password management capabilities for accounts in supported systems, databases and directories. The key benefit is that when a system, container or program needs to provision (set), retrieve (get) or delete (del) shared credentials in the Delinea PAS vault, the client provides the csetaccount, cgetaccount and cdelaccount binaries that carry out these transactions.

In cases of automation, system-to-system authentication, and elimination of static shared credentials (or passwords) from scripts, the Cloud Clients can facilitate these operations while providing the assurance of a strong root of trust.

For details, see the links below:

About Automation

Cloud Clients have been designed to take advantage of many elements of Delinea PAS, including:

  • OAuth2 limited scopes for the service users
  • PAS Service Users
  • Enrollment Codes
  • CLI Tooling
  • REST APIs
  • Sets

These tools allow for automation in several scenarios.

For details, see the links below: