Enabling workflow for privileged accounts

The first few steps in configuring the request and approval workflow are optional: they involve creating one or more roles for users who are allowed to define the request and approval workflow, and roles whose members can approve access requests. These steps are optional because you can choose to let only members of the System Administrator role configure a workflow, and members of the System Administrator role can assign approval authority to individual users without creating any approval roles. In most cases, however, creating roles for different sets of users provides greater flexibility and helps reduce the number of requests left pending approval.

Note: If you don’t create any intermediary roles with the appropriate administrative rights to enable a workflow, only members of the System Administrator role will be able to configure any request and approval workflow you might want to implement.

If you are configuring a request and approval workflow for privileged accounts, you must create at least one role for users who are allowed to view systems and accounts. Only the members of a role with access to the Privileged Access Service and View permission can request login and password checkout access. Only members of the System Administrator role or a role with the Privileged Access Service Administrator or Privileged Access Service Power User administrative right can enable a request and approval workflow for stored accounts where they have the Grant and Edit permissions.

To configure roles that can enable a workflow:

  1. Click Access > Roles.
  2. Click Add Role or select an existing role to display the role details.
  3. If you are creating a new role, you must provide at least a unique name for the role.
  4. Click Members, then click Add.
  5. Type a search string to search for and select users and groups for this role.
  6. Click Administrative Rights, then click Add.
  7. Select the appropriate rights, then click Add.
  8. Click Save to save the role.

    For example, if you are creating a role with permission to enable a workflow for access to systems and accounts, select Privileged Access Service Administrator or Privileged Access Service Power User. You can select any additional rights you want included in this role, but you must select at least one of the required administrative rights.

    Only members of the System Administrator role can enable workflow globally for all accounts. Members of a role with the Privileged Access Service Administrator or Privileged Access Service Power User right can enable workflow for accounts where they have the Grant and Edit permissions.

Creating roles for approvers

You can assign approval authority to individual users. However, in most cases, creating “approver” roles for different sets of users provides greater flexibility and helps to reduce the number of requests left pending an approval. If you don’t create any intermediary roles with the appropriate administrative rights to approve access requests, only members of the System Administrator role will be able to approve access requests. You can follow the same steps described in Enabling workflow for privileged accounts to create roles for approvers.

Keep in mind that if you are creating a role with permission to approve access requests to stored accounts with managed or unmanaged passwords, you must include an appropriate administrative right with access to the Privileged Access Service in the role. You can select any additional rights you want included in this role, but you must select at least one of the required administrative rights.

Creating a role with access to stored accounts

In addition to the role that allows selected users to configure a workflow, you might want to create one or more roles for the users who will be requesting login and password checkout access to the systems and accounts stored in the Privileged Access Service. For those users to be able to search for or browse accounts and systems, they must be assigned to a role that includes the Privileged Access Service Administrator or Privileged Access Service Power User administrative right. You can follow the same steps described in Enabling workflow for privileged accounts to create the role. In most cases, you would add users who might need temporary administrative access as members of this role and give the role the Privileged Access Service Power User administrative right.

Configuring workflow for stored accounts

As a member of the System Administrator role, you can configure a request and approval workflow globally for all accounts, for specific accounts, or using a combination of global and account and system-specific settings. As a member of a role with the Privileged Access Service Administrator or Privileged Access Service Power User administrative right, you can configure a request and approval workflow for specific accounts where you have Grant and Edit permissions.

For more information, see the following topics:

Configuring workflow globally for all accounts

To simplify the process of configuring a request and approval workflow for privileged accounts, you can enable workflow as a feature that applies to all accounts stored in the Privileged Access Service. You can then select a single user or role to approve all login and password checkout requests. You can also use this global setting in conjunction with account-specific settings to selectively restrict access requests for some accounts or to change the user or role with approval authority. In other words, you can configure the approval workflow globally so that it applies to all resources and accounts, on a per-resource and per-account basis, or using a combination of the two. If you use a combination of global and account-specific approval settings, the account-specific approval settings take precedence over the global approval settings. For example, you might give members of the IT Outsource role global authority to approve login and password checkout requests for all resources and accounts, then identify specific system and account combinations where only members of the IT Supervisors role can approve access requests.

To configure workflow for all accounts:

  1. Click Settings > Resources > Global Account Workflow.
  2. Select Enable Workflow for all accounts.
  3. Click Select and type a search string to search for and select a user or role with authority to approve login and password checkout requests, then click Add.
  4. Click Save.

After you have configured the workflow for all accounts, users with Privileged Access Service Administrator or Privileged Access Service Power User rights can request login and password checkout access for the accounts stored in the Privileged Access Service.

Configuring workflow for specific accounts

If you are a member of the System Administrator role or a member of a role with Privileged Access Service Administrator or Privileged Access Service Power User rights and have the Grant and Edit permissions, you can configure a request and approval workflow for specific accounts or use account-specific settings to override global workflow settings. If you enable or disable workflow for individual account and system combinations, the account-specific settings take precedence over the global settings. For example, you can use account-specific settings to prevent access requests for some accounts or to modify the user or role with approval authority.

To configure workflow for specific accounts:

  1. Click Resources > Accounts, then select an account to display the account details.
  2. Click Workflow.
  3. Set Enable Account Workflow to Yes if you want to select a user or role with authority to approve access requests for this account.

    If you enabled workflow for all accounts, selecting Yes allows you to select a different user or role with approval authority. If you are not enabling workflow for all accounts, selecting Yes makes this specific account available for users requesting login or password checkout access.

    If you disabled workflow for all accounts, selecting No prevents users from requesting login or password checkout access.

  4. Click Save.
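The precedence rules described above (account-specific settings override the global setting) and the rights required to configure and request access, as an added Python model that is not part of this documentation or the product. The right names are the ones used on this page; the `Principal`, `GlobalWorkflow` and `AccountWorkflow` structures, and the assumption that an account set to Yes without its own approver falls back to the global approver, are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Administrative rights as named on this page.
SYSTEM_ADMIN = "System Administrator"
PAS_ADMIN = "Privileged Access Service Administrator"
PAS_POWER_USER = "Privileged Access Service Power User"


@dataclass
class Principal:
    name: str
    rights: set = field(default_factory=set)          # rights granted through roles
    permissions: dict = field(default_factory=dict)   # account -> set of permissions


@dataclass
class GlobalWorkflow:
    enabled: bool = False            # Settings > Resources > Global Account Workflow
    approver: Optional[str] = None   # user or role approving all requests


@dataclass
class AccountWorkflow:
    enabled: Optional[bool] = None   # None: not set on the account; True/False: Yes/No
    approver: Optional[str] = None   # user or role chosen on the account's Workflow tab


def can_configure(principal: Principal, account: str) -> bool:
    """System Administrators may configure workflow for any account; PAS Administrators
    and Power Users only for accounts where they hold both Grant and Edit."""
    if SYSTEM_ADMIN in principal.rights:
        return True
    has_right = bool(principal.rights & {PAS_ADMIN, PAS_POWER_USER})
    return has_right and {"Grant", "Edit"} <= principal.permissions.get(account, set())


def effective_approver(global_wf: GlobalWorkflow, account_wf: AccountWorkflow) -> Optional[str]:
    """Who approves requests for one account; None means requests are not allowed."""
    if account_wf.enabled is False:          # account-level No wins over the global setting
        return None
    global_approver = global_wf.approver if global_wf.enabled else None
    if account_wf.enabled is True:           # account-level Yes wins, with its own approver
        # Assumption: Yes without a chosen approver inherits the global approver.
        return account_wf.approver or global_approver
    return global_approver                   # nothing set on the account: global applies


def can_request(principal: Principal, global_wf: GlobalWorkflow, account_wf: AccountWorkflow) -> bool:
    """Only members of a role with the PAS Administrator or Power User right can request
    login or password checkout, and only for accounts where a workflow is in effect."""
    if not principal.rights & {PAS_ADMIN, PAS_POWER_USER}:
        return False
    return effective_approver(global_wf, account_wf) is not None
```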

After you have configured the workflow for an account, users can request login or checkout access to the account through the Privilege Manager portal.