Using privileged account workflow


As a member of the System Administrator role, or of a role with the Role Management administrative right, you can enable workflow for all other users. Initially, only members of the System Administrator role can enable a request and approval workflow, which includes specifying the users or roles with authority to approve access requests. The workflow and its approval authority can be configured in one of three ways: globally for all accounts, only for selected account and system combinations, or globally except where account-specific restrictions override the global setting.

After you enable workflow for privileged account access requests, users can request access to the privileged local, domain, database, or service accounts that you specify. If the request is approved, the user can then check out the account password or use the account to log on to a system, domain, or database remotely.

Users requesting access must still be assigned to a role with the Privileged Access Service Administrator or Privileged Access Service Power User administrative right, and must have the View permission, to see the systems and accounts available in the Privileged Access Service. A user who is a member of a role with one of these rights can search or browse for systems and accounts, then submit a request to a designated approver for login access or for password checkout. The approver can be a specific user or any member of a specific role. If you configure a role as the approver, the first member of that role to respond to a request is the one who approves or rejects it; no other member can act on it afterwards.

The steps involved in configuring a workflow include:

  • Create one or more roles that can enable a request and approval workflow.

    Members of the System Administrator role can enable workflow globally for all accounts. Users with the Privileged Access Service Administrator or Privileged Access Service Power User administrative right can enable workflow and select an approver for specific accounts where they have the Grant and Edit permissions.

  • Create one or more roles that can approve access requests for accounts.

  • Create one or more roles that can request access to privileged accounts.

    Any member of a role with the Privileged Access Service Administrator or Privileged Access Service Power User right can request access to any account where workflow is enabled. The appropriate permissions are granted if the request is approved.

  • Determine whether to enable the workflow globally for all accounts, individually for specific accounts, or a combination of both.

  • Enable the workflow option where appropriate and select the user or role with authority to approve requests.
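The steps above define a small policy model: a global workflow setting, optional per-account rules that override it, approvers who are either named users or members of a role, and a request that moves from pending to approved or rejected with the first responder winning. The following Python is an added illustration of that model written for this page; it is not the product's own API, and every class, field and name in it (WorkflowPolicy, AccountRule, the "user:"/"role:" approver entries, the sample users and systems) is an assumption chosen to mirror the prose.

```python
"""Hypothetical model of a privileged-account request/approval workflow.

Added example for this page, not product code. Names are assumptions:
approver entries look like "user:alice" or "role:Approvers", and a rule
keyed by (system, account) overrides the global workflow setting.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccountRule:
    """Workflow setting for one system/account pair."""
    enabled: bool
    approvers: FrozenSet[str] = frozenset()


@dataclass
class WorkflowPolicy:
    """Global setting plus per-account overrides (global except where restricted)."""
    global_enabled: bool = False
    global_approvers: FrozenSet[str] = frozenset()
    account_rules: Dict[Tuple[str, str], AccountRule] = field(default_factory=dict)

    def resolve(self, system: str, account: str) -> AccountRule:
        # An account-specific rule, when present, takes precedence over the global one.
        return self.account_rules.get((system, account),
                                      AccountRule(self.global_enabled, self.global_approvers))


@dataclass
class Request:
    requester: str
    system: str
    account: str
    purpose: str                      # "checkout" (password) or "login" (remote session)
    state: str = "pending"            # pending -> approved | rejected
    decided_by: Optional[str] = None
    granted: FrozenSet[str] = frozenset()


class Workflow:
    def __init__(self, policy: WorkflowPolicy, role_members: Dict[str, set]):
        self.policy = policy
        self.role_members = role_members   # role name -> set of user names
        self.requests: List[Request] = []

    def can_approve(self, user: str, approvers: FrozenSet[str]) -> bool:
        for entry in approvers:
            kind, _, name = entry.partition(":")
            if kind == "user" and name == user:
                return True
            if kind == "role" and user in self.role_members.get(name, set()):
                return True
        return False

    def submit(self, requester: str, system: str, account: str, purpose: str) -> Request:
        if purpose not in ("checkout", "login"):
            raise ValueError(f"unknown purpose {purpose!r}")
        if not self.policy.resolve(system, account).enabled:
            raise PermissionError(f"workflow not enabled for {account}@{system}")
        req = Request(requester, system, account, purpose)
        self.requests.append(req)
        return req

    def decide(self, req: Request, approver: str, approve: bool) -> Request:
        # First responder wins: a second decision on the same request is refused.
        if req.state != "pending":
            raise RuntimeError(f"request already {req.state} by {req.decided_by}")
        rule = self.policy.resolve(req.system, req.account)
        if not self.can_approve(approver, rule.approvers):
            raise PermissionError(f"{approver} may not approve {req.account}@{req.system}")
        req.state = "approved" if approve else "rejected"
        req.decided_by = approver
        if approve:
            req.granted = frozenset({req.purpose})   # permission exists only after approval
        return req

    def pending(self) -> List[Request]:
        return [r for r in self.requests if r.state == "pending"]


def run_example() -> dict:
    """Constructed scenario: global workflow with a role approver, one restricted
    account and one account with its own named approver. Returns the outcomes."""
    policy = WorkflowPolicy(
        global_enabled=True,
        global_approvers=frozenset({"role:Approvers"}),
        account_rules={
            ("db01", "sa"): AccountRule(enabled=False),                        # restriction
            ("web01", "root"): AccountRule(True, frozenset({"user:carol"})),   # own approver
        },
    )
    wf = Workflow(policy, {"Approvers": {"alice", "bob"}})
    out = {}
    r1 = wf.submit("dave", "srv01", "admin", "checkout")
    wf.decide(r1, "alice", True)
    out["r1"] = (r1.state, r1.decided_by, set(r1.granted))
    try:
        wf.decide(r1, "bob", False)
    except RuntimeError as e:
        out["second_decision"] = str(e)
    try:
        wf.submit("dave", "db01", "sa", "login")
    except PermissionError as e:
        out["restricted"] = str(e)
    r2 = wf.submit("dave", "web01", "root", "login")
    try:
        wf.decide(r2, "alice", True)
    except PermissionError as e:
        out["wrong_approver"] = str(e)
    wf.decide(r2, "carol", False)
    out["r2"] = (r2.state, r2.decided_by, set(r2.granted))
    out["pending"] = len(wf.pending())
    return out


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v)
```

The point the model makes explicit is that permission to check out or log on is attached to the request only at approval time, that a per-account rule silently wins over the global setting (so a disabled account rule is an effective restriction even when workflow is on globally), and that once any member of the approver role has responded, further responses are refused rather than overwriting the decision.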

The following topics describe how to configure request and approval workflow for account access requests, how to use a workflow to request account access, how to approve or reject a request, and how to view and manage requests that are being processed: